Microsoft's Mike Reavey defended the timing of the security advisory. He said the team had received questions from customers about when it first received a report of this vulnerability, and how long the investigation had taken relative to the outbreak of attacks against it.
Reavey said: “The key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update.
“While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence.”
He said that a report was received from Ryan Smith and Alex Wheeler of IBM ISS X-Force in early spring 2008. This led to an investigation that found that an ActiveX control shipped with Windows exposed a vulnerability that malicious websites could exploit.
Reavey said: “In the case of this particular issue, part of our investigation showed other interfaces were vulnerable, in this ActiveX Control, not only the one seen used in attacks.
“Another thing our investigation showed is that there was no known use for these interfaces in Internet Explorer. In fact, as part of our security work on Vista, these interfaces had been disabled in Internet Explorer.
“Based on this, the engineering teams felt the best approach to protect customers would be to prevent any interfaces with no known use in Internet Explorer from loading in Internet Explorer in earlier versions of Windows.”
He said that disabling or removing functionality is a more radical step than updating code to address an unchecked buffer: when functionality is disabled or removed, more research and testing is needed to ensure the step can be taken safely and does not cause further harm by inadvertently ‘breaking’ applications.
Reavey said: “For something like this, we have to ensure not only our applications but also major third-party applications are not hurt by this. Otherwise, if our update ‘breaks’ a major application, customers won't deploy the update but the bad guys will have information about the vulnerability that they can use to attack it.”
Eric Schultze, CTO of Shavlik Technologies, said: “Since the control doesn't serve any purpose within Internet Explorer, we agree with Microsoft's recommendation to set this kill bit immediately. Corporations and some end-users may be protected via their anti-virus solutions, depending on the solution they are using.”
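The kill bit Schultze refers to is a per-control registry setting that tells Internet Explorer never to instantiate a given ActiveX control, whatever the page asks for. The script below is an added example, not code from the article, Microsoft or Shavlik; it sets and then verifies the kill bit for one control. The article does not give the control's CLSID, so the CLSID here is a placeholder to be replaced with the one named in the vendor advisory; the registry path and the 0x400 flag value are Microsoft's documented kill-bit mechanism.

```powershell
# Added example (not from the article or Microsoft): set and verify the
# ActiveX "kill bit" for one control so Internet Explorer will no longer
# load it. Run from an elevated PowerShell prompt.

# PLACEHOLDER: substitute the CLSID of the control named in the advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# 0x400 in "Compatibility Flags" is the kill bit: IE refuses to load the control.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    # Returns the current Compatibility Flags for the key, 0 if the value is
    # absent, or $null if the key itself does not exist.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    # ORs the kill bit into the existing flags so other compatibility bits
    # already set on the control are preserved.
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = Get-CompatFlags -Path $Path
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $Paths) {
    Set-KillBit -Path $p
    $flags = Get-CompatFlags -Path $p
    $isSet = ($flags -band $KillBit) -eq $KillBit
    '{0}: Compatibility Flags=0x{1:X} -> kill bit {2}' -f $p, $flags, $(if ($isSet) { 'SET' } else { 'NOT SET' })
}
```

The verification loop at the end is the part worth keeping in a deployment script: a fleet-wide check that reads the flags back and reports any machine where the bit is not set catches the common failure of a policy that only reached the 64-bit view of the registry.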
Meanwhile Microsoft has announced that it will release a total of six security bulletins on the next Patch Tuesday, 14th July. These will consist of three critical updates affecting Windows, one important update affecting Publisher, one important update affecting Internet Security and Acceleration (ISA) Server, and one important update affecting Virtual PC and Virtual Server.
Writing on the Microsoft Security Response Center blog, Jerry Bryant said that two of the critical updates will concern a vulnerability in DirectShow. He said the company was aware of ‘limited active attacks’ and was working aggressively to get a quality update shipped to customers.