By ALLISON LINN, AP Business Writer
When Microsoft Corp. researchers learned recently that a software flaw
had been made public and could prompt Internet attacks, the company
ordered a team to devote all its time to fixing the flaw and making
the repair work with other products.
Microsoft argues that's the approach customers want and expect, but
some security experts complained that the software company's
traditional method, which could take days or weeks, wouldn't help
people fast enough.
So for the second time in three months, outside programmers took
matters into their own hands by quickly releasing their own fixes,
days ahead of the official Microsoft patch for its market-dominant
Internet Explorer browser.
Microsoft doesn't endorse such third-party fixes, warning it can't
vouch for whether they will work smoothly with Microsoft products and
other applications. But those providing them argue they have a
responsibility to protect users from attacks.
"It's kind of like having the cure and not sharing it with anybody,"
said Marc Maiffret, chief hacking officer with eEye Digital Security
Inc. of Aliso Viejo, Calif., which earlier this week released such a
Rather than replacing Microsoft's own patch, Maiffret says he is
hoping to provide a bandage for the interim.
The security expert also doesn't fault Microsoft for taking time to
finalize an official patch because it can be difficult to make sure
that repairing one part of the complex Windows operating system, which
includes Internet Explorer, doesn't cause problems elsewhere.
He also realizes that a patch like this can cause any of the thousands
of non-Microsoft applications running on Windows machines to stop
working, crippling businesses and frustrating home users.
But Maiffret argues that Microsoft should be the one providing the
type of temporary treatment his company was able to quickly pull
together in response to what the industry refers to as "zero-day"
problems -- vulnerabilities that attackers can immediately use to try
to infiltrate other people's computers.
Johannes Ullrich, chief technology officer with the security research
organization SANS Institute, also recognizes that Microsoft needs time
to build patches but believes the company can more quickly release a
"beta" patch so users would have temporary -- if not perfect --
protection in the interim.
"The real problem is that Microsoft leaves that opening," Ullrich
Such problems are relatively rare. In most cases, Microsoft learns
about flaws in its systems confidentially from security experts, who
hold off on making their findings public -- and alerting potential
attackers -- until Microsoft can release an official patch.
But occasionally, reports of a vulnerability leak out before Microsoft
has time to build a fix, creating a dangerous situation in which
attackers can take advantage of the flaw while users have little
When Microsoft faced such a problem a few months ago, SANS recommended
that users download the third-party fix because of the unusual
severity of the threat. This time, Ullrich said the flaw appears to be
less worrisome, so SANS is recommending that people either disable
part of Internet Explorer or temporarily use an alternative browser,
such as Firefox or Opera.
Microsoft says it is hoping to release a patch for the most recent IE
flaw by April 11, its normal time of month for issuing security
updates, and sooner if possible.
In the meantime, Stephen Toulouse, a program manager with Microsoft's
Security Response Center, said the company is working with other
security companies to help guard against attacks, and helping to shut
down the Web sites that exploit the flaw.
Toulouse said the company also is trying to find ways to create and
test its patches faster -- for instance, by conducting tests in tandem
rather than one after another.
But Microsoft, he said, cannot risk releasing a patch that causes
problems for even a small number of users because people may decide
not to use the fix at all if they hear it's problematic.
"The huge responsibility we have is that we have to answer to our
customers, and our customers represent potentially hundreds of
millions of different configurations," Toulouse said.
Third-party fixes also create the potential for a malicious person to
release a pretend fix that is really an attack, much like the
occasional e-mail falsely attributed to Microsoft and others, masking
as legitimate communications but really luring users to malicious Web
Even well-meaning programmers have the potential to wreak havoc.
Meanwhile, Microsoft will likely have to keep grappling with this
problem, despite all the security improvements the company has made in
the past few years. It takes only a few programming mistakes -- amid
millions of lines of code -- to expose Windows users to potential
"Even if they're doing everything right," Maiffret said, "there's
going to be four to five mistakes a year, and those four to five
mistakes are going to lead to the same things you're seeing now."
Copyright 2006 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at