The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

When the solution can’t wait


Allison Linn Associated Press

SEATTLE — When Microsoft Corp. researchers learned recently that a software flaw had been made public and could prompt Internet attacks, the company ordered a team to devote all its time to fixing the flaw and making the repair work with other products.

Microsoft argues that’s the approach customers want and expect, but some security experts complained that the software company’s traditional method, which could take days or weeks, wouldn’t help people fast enough.

So for the second time in three months, outside programmers took matters into their own hands by quickly releasing their own fixes, days ahead of the official Microsoft patch for its market-dominant Internet Explorer browser.

Microsoft doesn’t endorse such third-party fixes, warning it can’t vouch for whether they will work smoothly with Microsoft products and other applications. But those providing them argue they have a responsibility to protect users from attacks.

“It’s kind of like having the cure and not sharing it with anybody,” said Marc Maiffret, chief hacking officer with eEye Digital Security Inc. of Aliso Viejo, Calif., which last week released such a fix.

Rather than replacing Microsoft’s own patch, Maiffret says he is hoping to provide a bandage for the interim.

The security expert also doesn’t fault Microsoft for taking time to finalize an official patch because it can be difficult to make sure that repairing one part of the complex Windows operating system, which includes Internet Explorer, doesn’t cause problems elsewhere.

He also realizes that a patch like this can cause any of the thousands of non-Microsoft applications running on Windows machines to stop working, crippling businesses and frustrating home users.

But Maiffret argues that Microsoft should be the one providing the type of temporary treatment his company was able to quickly pull together in response to what the industry refers to as “zero-day” problems — vulnerabilities that attackers can immediately use to try to infiltrate other people’s computers.

Johannes Ullrich, chief technology officer with the security research organization SANS Institute, also recognizes that Microsoft needs time to build patches but believes the company can more quickly release a “beta” patch so users would have temporary — if not perfect — protection in the interim.

“The real problem is that Microsoft leaves that opening,” Ullrich said.