Microsoft Browser Patch Released, Serious Security Questions Raised
Major problems were almost instantly experienced by websites using HTTP 1.1 compression to speed up image downloads. The Internet Explorer browser often failed when HTTP 1.1 kicked in, and web-based applications from PeopleSoft, Siebel and Sage CRM had serious compatibility issues with the software.
Microsoft had released a handful of earlier announcements upon being informed of the problem. Officials stated that the issue did not affect users of Microsoft’s latest Service Pack 2 version of Windows XP. Those running Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4 and Windows XP Service Pack 1 were affected.
Following this, Microsoft released a “hotfix” download to solve the problems. Ultimately the Microsoft brain trust decided the problems were serious enough to re-release the whole update, including the fixed patch. Further errors revealed in final testing made a later release date necessary, and most likely some very long shifts for the programmers.
Working long shifts, too, was eEye Digital Security, developer of endpoint security, network security and vulnerability management software, whose own employees became involved in the situation in order to protect certain unnamed firms under their protection. The oft-quoted line from eEye chief hacking officer Marc Maiffret went “The bad guys basically know about this and know that it’s an exploitable scenario.”
As a result, the eEye CTO himself pulled an overnight shift working with Microsoft to investigate the parameters of the security problem. eEye’s interest was in issuing an alert to its clients, but it is highly unusual for a security firm to take on this sort of work.
eEye then went to reporters under embargo to ensure that “corporate customers knew what to watch for with this patch and how to get the updated patch from Microsoft, or, barring that, how to mitigate exploitation simply.” Specifically, eEye revealed that simply disabling HTTP 1.1 functionality until application of the patch was a quick-fix solution.
So far, so good, felt eEye, until Microsoft’s own announcement that the public release of the patch would be delayed. The Microsoft release also detailed that “the issue lay with how SMS architecture handles .cab files and that the delay is to fix it so SMS can handle distribution.”
As one eEye Computer World blogger sardonically put it, “So, to recap, Microsoft writes a patch that causes another flaw, then delays releasing the patch (unless you call Microsoft support) and then releases the information needed to identify the vulnerability in [its] own advisory update.” The Computer World piece ultimately declares that “there is clearly a debacle going on, for the first time in a long time, Microsoft breaks the glass cabinet for emergencies.”
At present, aside from some troubleshooters at thousands of e-commerce and platform sites having drunk too much coffee over the following weekend, no one seems to hold a grudge against Microsoft for the inconvenience. eEye folks, though, are still up in arms and engaged in a war of words over the definition of “responsible disclosure” and exactly who was responsible for what.
In fact, Microsoft went so far as to release another vaguely Orwellian-sounding PR statement: “Microsoft continues to encourage responsible disclosure of vulnerabilities to minimize risk to computer users. Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.” Few of these prescribed actions, some at eEye would contend, were practiced by Microsoft itself.
This matchup of what has been called “the mightiest software company on the planet” versus perhaps the world leader in digital security could well produce some serious aftermath.