Thursday 5 April 2007

Microsoft took 100 days to patch the ANI flaw, download the fix today

Microsoft first noticed the ANI flaw back in December 2006, about 100 days before it released a patch. A list of the operating systems affected by the flaw is located here (select your operating system here). The patch is not yet available on Windows Update; however, it can be downloaded directly from Microsoft (direct link to the Vista update); see the previous link for a list of all affected Microsoft operating systems and the patch for each. It is highly advisable to download it immediately.

Some are wondering why it took Microsoft so long to patch the ANI flaw, and also why it did not catch the bug back in 2005.

“Engineering a patch is a long, complex process; we look at surrounding areas of code for similar vulnerabilities and, from our internal investigation, address as many as we can find,” said Mark Miller, director of the Microsoft Security Response Center.

A patch had been created late last year but was not made available because it was still undergoing testing, was very unstable, and was not ready for public distribution.

On March 28 many security firms noticed an increase in the number of sites exploiting this flaw and promptly notified Microsoft's Security Response Center. Since a patch was already in the works, it was simple enough for Microsoft to put more resources into finishing and releasing it early.

Let’s consider ourselves thankful that the exploit didn’t really go public until this year, even though the flaw has been in existence since 2005. What should churn your stomach is that an outsider, not Microsoft, found the flaw, which should say something about their review process. On average it takes Microsoft 21 days to patch a flaw after it goes public.

In 2005 a very similar bug in the ANI code was found and patched 57 days after it went public; what isn’t clear is why they didn’t find this new one back then. “We’re doing an analysis of why we didn’t find it then,” said Mark Miller.