Why Did Microsoft Delay IE Patch?By Ryan Naraine | Posted 2006-08-23 Email Print
Sources say a problem with the way Microsoft's proprietary patch management tools handle compressed files caused the delay in the re-release of a critical browser patch; MS and a security researcher exchange sharp words over the issue of responsible disclMicrosoft has temporarily delayed the re-release of a critical Internet Explorer browser patch because of problems with the way its proprietary Systems Management Server handles cabinet (.cab) files, according to sources familiar with the matter.
The Redmond, Wash., software giant markets SMS as a business tool for simplifying patch management, but because of a bug in the way the SMS architecture handles certain compressed files, the company temporarily cancelled the patch release originally scheduled for Aug. 22.
Microsoft delays software updates typically because of quality assurance concerns, but this is the first time the company has made it known that a kink in its distribution mechanism is the cause for the temporary cancellation of an important patch.
The decision is not sitting well with Internet security experts.
eEye Digital Security, the private research outfit that blew the lid on the exploitable nature of the vulnerability after Microsoft described it as a simple browser crash, says a flaw in SMS is no reason to leave customers at risk of code execution attacks.
"[Microsoft is] delaying a security patch, not because there is a problem with their patch, but a problem with their proprietary distribution engine," said eEye Chief Executive Ross Brown, in Aliso Viejo, Calif. "Auto Update works and a million other patching vendors should be able to handle it, but because SMS is flawed, they are leaving customers unsecured?"
In an entry posted to his personal blog, Brown bristled at Microsoft's contention that eEye acted irresponsibly when it announced its discovery that the browser crash could be used to plant malicious code on fully patched Windows systems.
He offered a chronology of the events that led to the Aug. 22 decision to delay the patch, arguing that Microsoft's own security advisory "tells the bad guys exactly where the vulnerability is."
"So, to recap, Microsoft writes a patch that causes another flaw, then delays releasing the patch (unless you call Microsoft support) and then releases the information needed to identify the vulnerability in their own advisory update," Brown said.
On the official MSRC (Microsoft Security Response Center) blog, program manager Stephen Toulouse described the decision to delay the IE patch as "difficult but necessary."
"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse said. He did not elaborate on this or confirm that the SMS issue was the cause for the delay.
Read the full story on eWEEK.com: Why Did Microsoft Delay IE Patch?