Controversial fixes have Microsoft on defensive

COMMENTARY: Microsoft has issued its planned monthly set of security updates, but this month the updates are more serious and controversial than usual.

One of the fixes, rated as critical, applies to "an extremely deep and pervasive technology in Windows" that attackers can compromise to take over PCs, but the flaw was discovered seven months ago and fixed only this week.

Security experts describe the flaw as one of the most devastating ever, and Microsoft recommends that all users download and install the patch for this problem as soon as possible.

The timing couldn't be worse for the company: Microsoft chairman and chief software architect Bill Gates recently alleged that Windows is more secure than any OS alternatives because the system has been so thoroughly tested in the real world through constant attacks.

So why did Microsoft take so long to fix the flaw, leaving Windows users open to potentially devastating electronic attacks?

"This is one of the most serious Microsoft vulnerabilities ever released," Marc Maiffret, chief hacking officer and cofounder of eEye Digital Security, the company that discovered two of the Windows flaws Microsoft revealed this week, said.

"The breadth of systems affected is probably the largest ever. This is something that will let you get into internet servers, internal networks -- pretty much any system." Alarmingly, eEye discovered the flaws last July and agreed to keep quiet until Microsoft could fix them. But Maiffret described the lag time between eEye's discoveries and Microsoft's fixes as "totally unacceptable."

Microsoft defends the seven months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems. "We really took the steps to make sure our investigation was as broad and deep as possible," Microsoft security program manager Stephen Toulouse said.

The critical security flaw exists in a Windows component called the ASN.1 library, which interacts with multiple Windows features, including file sharing and digital certificates. The flaw affects every Windows version from Windows NT 4.0 to Windows Server 2003, and includes all desktop and server variants of these systems.

Interestingly, attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review two years ago.

Both XP Service Pack 2 (SP2), due midyear, and Windows 2003 SP1, due in late 2004, will include new memory-protection features designed to thwart most buffer-overrun attacks. You can learn more about the patch on the Microsoft website, but Windows users should use Automatic Updates or Windows Update to download and install each of the security patches Microsoft issued this month.