December 17th, 2008
Microsoft's incredible IE patch turnaround
Guest post by Eric Schultze
Microsoft’s latest Internet Explorer out-of-band patch release needs to be installed right away. The number of infected websites is growing at an alarming rate — even people visiting legitimate websites are getting hacked with this exploit.
Patch it now - just do it. Why did this come out as an emergency release?
[ SEE: As attacks escalate, MS readies emergency IE patch ]
It looks like Microsoft was informed of the IE zero day at the same time as everyone else – namely, last Tuesday (Patch Tuesday). Based on Microsoft MSRC blog posts, starting on Tuesday, Microsoft studied the exploit and reviewed source code and determined that it impacted all versions of IE. From that point on, it can be assumed that Microsoft has been working quickly on a patch for all versions of IE.
Microsoft had to determine how serious the issue was – as that gave them guidance as to whether or not to release an out of band patch or wait until the next monthly cycle. By late last week, Microsoft was aware that this issue was starting to infect user’s systems at a faster rate than they’ve seen with past zero day exploits. Specifically, attackers were loading the exploit on legitimate websites so that even users who visit only non-nefarious websites might also get infected. Based on this level of data, it’s my belief that Microsoft decided the issue warranted an out-of-band patch release.
[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]
Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat — especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes.
Now, it’s equally as important for customers to roll out this patch to all of their systems as soon as possible.
I’d bet you a cookie that many companies can’t get it rolled out as quickly as Microsoft got it built.
* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
