February 12th, 2009

Should Microsoft decouple IE from Patch Tuesday?

Posted by Ryan Naraine @ 10:36 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Firefox, Flash, Google, Google Chrome, Malware, Microsoft, Mozilla, Patch Watch, Punditocracy, Responsible disclosure

Tags: Patch Management, Microsoft Internet Explorer, Microsoft Corp., Web Browser, Browser Patch, Patches, Web Browsers, Internet, Ryan Naraine

A security researcher wants Microsoft to follow the lead of other browser makers and start fixing Internet Explorer security problems outside of the Patch Tuesday cycle to help contain the Windows malware epidemic.

[ Microsoft: ‘Consistent exploit code likely’ for IE vulnerabilities ]

According to Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, IE’s dominant user base and high risk profile expose Windows users to a wide range of malicious hacker attacks, but, despite years of warnings, business users are not rushing to install IE patches ahead of other critical updates (see chart below).


[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

The chart, based on data collected by Qualys over the last six months, shows that critical IE patches are applied at very much the same speed as other high-priority updates.

I had a chat with Kandek about his findings and he was adamant that the risk presented by a critical IE vulnerability is higher than that of a critical flaw in another piece of software that doesn’t interact directly with the Internet.

  • “Every month when Microsoft issues its security advisories we get asked what patch to apply first. Typically we are reluctant to elevate one vulnerability over the other; however, looking at the 2008 data we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first. The browser is the most heavily used software application that interacts with the Internet, the most likely source of malicious content. It is not only used for professional purposes but also in private interactions – e-commerce, social networking, private e-mail, etc. Browser patches are heavily tested by Microsoft and unlikely to break any existing functionality on the desktop.”

Unfortunately, Kandek says the vulnerability data shows that companies treat browser patches just like all other patches — their deployment cycle correlates very closely with other critical patches.
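The claim above is a measurement claim: per-patch deployment curves built from repeated scans, with browser patches compared against other critical patches. The following added example (not Qualys code, and not from the original post) shows the shape of that analysis on a small constructed scan data set. Record layout, patch names and dates are assumptions; it computes the fraction of exposed hosts patched by day N after release, the day by which half the population is patched, and the Pearson correlation between the averaged browser and non-browser curves, which is the "deployment cycle correlates very closely" check in code.

```python
from datetime import date, timedelta

# Constructed sample: one critical browser patch and one critical non-browser
# patch, both released on the same Patch Tuesday. Patch names are hypothetical.
RELEASES = {
    "IE-critical-A": ("browser", date(2009, 1, 13)),
    "Office-critical-B": ("other", date(2009, 1, 13)),
}


def _scan_records(patch_id, patched_day_offsets):
    """Build constructed scan records: one per host, with the first scan date on
    which the host no longer reported the vulnerability (None = still exposed)."""
    _, released = RELEASES[patch_id]
    return [
        {
            "host": f"host-{i}",
            "patch": patch_id,
            "patched_on": None if k is None else released + timedelta(days=k),
        }
        for i, k in enumerate(patched_day_offsets)
    ]


# Eight hosts per patch; two never patch within the observation window.
SCANS = (
    _scan_records("IE-critical-A", [2, 5, 7, 10, 14, 20, None, None])
    + _scan_records("Office-critical-B", [3, 5, 8, 11, 15, 21, None, None])
)


def deployment_curve(patch_id, scans, releases, days=30):
    """Fraction of hosts exposed to patch_id that were patched by day d, for d = 0..days."""
    _, released = releases[patch_id]
    hosts = [s for s in scans if s["patch"] == patch_id]
    if not hosts:
        raise ValueError(f"no scan records for {patch_id}")
    curve = []
    for d in range(days + 1):
        cutoff = released + timedelta(days=d)
        done = sum(
            1 for s in hosts if s["patched_on"] is not None and s["patched_on"] <= cutoff
        )
        curve.append(done / len(hosts))
    return curve


def half_life(curve):
    """First day on which at least half the population is patched, or None if never."""
    for d, frac in enumerate(curve):
        if frac >= 0.5:
            return d
    return None


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def compare_categories(scans, releases, days=30):
    """Average the per-patch curves within each category and compare the
    browser curve against the non-browser curve."""
    curves_by_cat = {}
    for pid, (cat, _) in releases.items():
        curves_by_cat.setdefault(cat, []).append(deployment_curve(pid, scans, releases, days))
    avg = {
        cat: [sum(vals) / len(vals) for vals in zip(*curves)]
        for cat, curves in curves_by_cat.items()
    }
    return {
        "browser_half_life_days": half_life(avg["browser"]),
        "other_half_life_days": half_life(avg["other"]),
        "correlation": pearson(avg["browser"], avg["other"]),
    }


if __name__ == "__main__":
    print(compare_categories(SCANS, RELEASES))
```

A correlation close to 1.0 with near-identical half-lives is the pattern Kandek describes: browser patches are not being pulled ahead of the rest of the cycle. On real scan data the same functions apply unchanged; only the record source differs.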

The answer? Kandek argues that Microsoft should borrow from the Mozilla Firefox playbook and fit an automatic-update utility directly into IE to handle patching on the fly.

“Think about it. There’s a very big exposure area. Hackers are increasingly targeting the browser. Enterprises are on a tight patch schedule. If IE got moved out of Patch Tuesday, won’t it be better?” he added.

[ GALLERY: How to configure Internet Explorer to run securely ]

“Patches would be deployed faster and we would have a healthier IE population,” Kandek added, noting that IE add-ons like Flash and other media players would benefit from an automatic update tool embedded in the browser.

The Qualys data was culled from 9.5 million IP scans per month.

* Hat tip to Gregg Keizer at ComputerWorld.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (most recent of 13):
RE: Should Microsoft decouple IE from Patch Tuesday?
Those are less vulnerable, because of their relatively small market share. And last time I checked, every Mac came with a copy of Safari.

Your mistake is thinking that the reason that Windows ... (Read the rest)
Posted by: notsofast, 02/17/09