Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Viruses exploit Microsoft patch cycle

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Viruses exploit Microsoft patch cycle
Date: Thu, 11 Nov 2004 03:39:42 -0600 (CST) 
http://news.com.com/Viruses+exploit+Microsoft+patch+cycle/2100-7349_3-5446624.html

By Munir Kotadia 
Special to CNET News.com
November 10, 2004

The creators of the latest MyDoom variant, which exploits a recently 
discovered iFrame vulnerability in Internet Explorer, may have timed 
the release of the viruses to throw Microsoft's monthly patch cycle 
into disarray, security experts say. 

In its latest monthly update on Tuesday, Microsoft was not able to fix 
a serious vulnerability in the Internet Explorer browser because the 
flaw was discovered only a few days before the company's regular 
update was due. The two variants of the MyDoom virus were released 
earlier this week, leaving the software giant without any option but 
to ignore the problem--for now. 

Sean Richmond, senior technology consultant at Sophos Australia, told 
ZDNet Australia that it would have been impossible for Microsoft to 
create and test a reliable patch in four days--the time between the 
vulnerability being published and Tuesday's patch update.

"To release a stable patch for IE would be impossible (in that time) 
because they want to test it thoroughly before it goes out," Richmond 
said. "The monthly patch cycle was designed to make it easier for 
system administrators to schedule their updates, but a few days is 
just not enough time for Microsoft create and test a patch."

 Ben English, security team leader at Microsoft Australia, told ZDNet 
Australia that Microsoft advocates a process of responsible disclosure 
and is "very keen" to discover any vulnerabilities before they are 
made public.

"The reasons are very obvious. We would not disclose any info about a 
vulnerability till we have mitigation in place," English said. "The 
worst scenario for us is that we release an update which has quality 
problems. We believe the downstream problems of releasing patches too 
quickly are even more serious than not putting in the quality that 
they deserve."

English would not comment on whether Microsoft thought the timing of 
the worm's and the vulnerability's disclosure was malicious, but he 
said that if the problem were serious enough, the company would break 
its patch cycle to plug the gap.

"In terms of the timing, I have no comment on whether there is 
malicious intent," he said. "But in a sense, it is academic because if 
this is a serious vulnerability and we have a patch available, we will 
release it out of cycle."

The MyDoom virus, also referred to as a worm, has been dubbed Bofra by 
some antivirus firms.


Munir Kotadia of ZDNet Australia reported from Sydney.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Viruses exploit Microsoft patch cycle, InfoSec News <=
Previous by Date:  [ISN] Ex-cybersecurity chief calls on feds to step up efforts, InfoSec News
Next by Date:  [ISN] My summer of war driving, InfoSec News
Previous by Thread:  [ISN] Ex-cybersecurity chief calls on feds to step up efforts, InfoSec News
Next by Thread:  [ISN] My summer of war driving, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]