Microsoft's welcome change of course over the weekend reflects the beginnings of a balance in the patch delivery process between the competing goals of easing routine deployment and quick response in emergency situations. Out-of-band releases do not inherently undermine scheduled delivery, particularly when justified by severe threat conditions like those posed by the Animated Cursor attacks.
Hindsight is, of course, 20/20, and we all wish Microsoft would've released the patch in February or March, before the zero-day attacks became more widespread.
That fact notwithstanding, Microsoft made the right choice. When attacks based on a vulnerability are widespread, the announcement of a patch can do virtually no harm to the risk picture, and can potentially be of great benefit. Those who are able to apply the patch immediately will do so, and those who are not can wait without facing much, if any, additional risk. Patch releases in cases of widespread active exploitation create virtually no risk for unpatched parties; malicious individuals are already aware of the vulnerability and they'll be trying to attack you with it whether you're patched or not.
Microsoft should consider the out-of-cycle option viable in any case of active exploitation, and it should be utilized without hesitation in the event that exploitation becomes widespread. What's more, Microsoft should expedite its notoriously slow patch testing processes for privately-reported exploits such that today's "responsible disclosure" is not tomorrow's zero-day attack. Private disclosure is only responsible if it protects customers.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/474/1877#1877