Headline Feeds
Microsoft (Nasdaq: MSFT) has broken its monthly cycle of security updates to plug a few holes in its Internet Explorer browser, including the Download.Ject scripting weakness that caused a widespread, Web-based attack scare in June.
The Download.Ject vulnerability and similar browser weaknesses prompted many security experts to recommend the use of alternative browsers, at least temporarily.
According to critics, the recent patch, which also addresses GIF and bitmap file processing weaknesses, took Microsoft too long.
Other security experts point out, however, that it takes a significant amount of testing to patch Explorer, which is tightly integrated with the Windows operating system. "It takes time to wade through it all," according to Ken Dunham, the director of malicious code intelligence for the computer security firm iDefense.
Critical Rerelease
Microsoft, which rated the Explorer update "critical," said the patch resolves several recently discovered vulnerabilities.
The company said that if a user was logged on with administrative privileges, an attacker who successfully exploited the most severe of the vulnerabilities could take complete control of an affected system and install programs, create new accounts with full privileges, as well as view, change and delete data.
Microsoft also said it had to correct the update, initially released last Friday, because the version for customers using the new Windows Update 5 did not contain the final release code for the vulnerabilities. The company recommended that customers apply the update immediately.
Breaking Cycle
Since last October Microsoft has followed a schedule in which it releases security updates on the second Tuesday of every month. The company, however, has been forced to break the cycle for critical fixes, particularly with Explorer.
While the company has been praised for providing a regular routine for system administrators, the constant pressure on Explorer has forced out-of-cycle patches, which nonetheless have been criticized as too slow.
IDefense's Dunham said system administrators have little choice but to patch systems as soon as possible.
"When [patches] come, you're glad to have them because you need them to protect your system," Dunham said.
Integration Issues
Richard Stiennon, vice president of the technology research firm Gartner (NYSE: IT), has been critical of Microsoft's speed on patches. He claims that much of the problem lies in Explorer's close integration with Windows, which allows Internet-based intrusions such as the Download.Ject problem.
"Explorer has way too many hooks, and it's way too closely tied to the operating system," Stiennon said.
The barrage of vulnerabilities, attacks and infections has caused some security organizations, including the federal government's Computer Emergency Readiness Team (CERT), to recommend the use of alternative browsers, which some surveys suggest have grown more popular in recent months.
Reducing Risk
CERT spokesperson Kelly Kimberland told TechNewsWorld that the group recommends security steps but does not recommend use of any particular software. In recent security notes, however, the group advised use of an alternate Web browser to avoid Explorer's vulnerabilities.
While it may be unreasonable for a large organization to switch browsers for security reasons, the cost could be viewed as an added expense of security, according to iDefense's Dunham.
He said security experts are hoping that the coming month is not as busy as August 2003, the worst virus month in history.
"We're in watch mode," Dunham said. "[T]he end of summer [is] generally when we see attacks ramp up for fall."
Talkback: 
