Microsoft has released the emergency security update MS08-078 to patch Internet Explorer.

 

Mike Reavey, director of the Microsoft Resource Centre, claimed that they had verified that this update meets the quality, deployment and application compatibility criteria. He described it as a high-quality update that is ready for broad release, and he encouraged customers to test and deploy it as quickly as possible.

 

In a blog posting, he acknowledged claims that the update may be misleading, as it consists of over 300 distinct updates for over six versions of Internet Explorer, applying to over 50 different languages. He said that despite the huge number of distinct updates, they are all being offered to customers automatically, regardless of their specific Internet Explorer configuration.

 

Microsoft had been accused of failing to act more quickly to patch the vulnerability; however, Reavey claimed that they first learned of the attacks on the 9th December and ‘activated off our Emergency Response process to monitor the threat environment, fast track the product development and testing and to deliver guidance to customers’.

 

A security advisory was published the next day that listed workarounds that blocked all known attacks. He said: “Over the course of the next eight days, this advisory was updated five times, adding newer workarounds and mitigations. In total, over eight different options were available to customers to block attacks.”

 

According to Reavey, all of the workarounds were listed in the advisory, which also contained even more context around how the workarounds blocked the attacks and why they were effective. Detailed information was also shared with partners in the Microsoft Active Protections Program and Microsoft Security Response Alliance that allowed protections to be created for over 24 different security partners' products.

 

Reavey said: “This is further validation of our commitment to ‘community based defense’ and means customers that hadn't yet applied the workarounds, and maybe weren't even using Microsoft products, were also protected from known attacks.

 

“Along with this information sharing, we also continually monitored the threat environment, noting when the attacks began to change in nature and scope. In fact, the folks in our MMPC published detailed blogs both last Thursday and over the weekend discussing this changing threat environment to ensure customers were aware of the evolving risk.”

 

David Harley, director of malware intelligence at ESET, said: “The threat is not from the vulnerability itself, so much as from malware that exploits it. There is a great deal of that, right now. In principle, however, ‘traditional’ anti-virus/anti-malware doesn't necessarily detect vulnerabilities - in fact, a scanner that detected vulnerabilities as comprehensively as it does blacklisted malware would be rather different to what we're accustomed to.

 

“As it happens, we are addressing detection of the vulnerability, so that detection isn't restricted to known malware. However, it isn't enough just to detect the vulnerability, because (a) that doesn't guarantee that the end user will apply the patch (b) an attempt to exploit the vulnerability may not always trip a coarse-grained heuristic. So we're also detecting specific threats that attempt to use this vulnerability.

 

“Nevertheless, there is a wider issue here. No reputable anti-malware company is going to ignore a security problem because it's basically a problem with someone else's application. However, it's not safe to rely on anti-malware to fix an application vulnerability, especially when there's a patch hot off the presses. Good patching practice is an essential part of a defense-in-depth strategy.”