Microsoft puts Mac users at risk with patch policy, says researcher
A security researcher has called foul on Microsoft for doing exactly what it has thrashed hackers over for years: revealing information that can be used to hijack computers before a patch is available.
Swa Frantzen, one of the analysts at SANS Institute's Internet Storm Center (ISC) criticized Microsoft for issuing patches yesterday that fix the Windows versions of PowerPoint while announcing that patches for the same flaws in the Mac editions would not be released until June.
"Microsoft is the one big company screaming loudest over 'responsible disclosure,'" said Frantzen in a post to the ISC blog late Tuesday. Responsible disclosure, a practice Microsoft has aggressively pushed, demands that researchers delay any disclosure until the bug has been patched. "They want an unlimited amount of time to release their patches before those who found the problem are allowed to publish," said Frantzen. "[But the] policy cuts both ways: You need to obey the rules yourself just as well as demand it from all others involved."
Microsoft, claimed Frantzen, broke its own rules of responsible disclosure yesterday by revealing that Office for Mac 2004 and Office for Mac 2008 contain three unpatched vulnerabilities, and by releasing information about the same bugs in Windows. The combination, he said, could be used by hackers to craft exploits targeting Macs.
"We all know from past experience [that] the reverse engineering of patches back into exploits starts at the time -- if not before -- the patches are released," said Frantzen. ",So in the end, Microsoft just released what hackers need to attack."
An online poll that Frantzen posted on the ISC site showed that 47% agreed Microsoft had been irresponsible in omitting patches for the Mac, while about 24% thought Microsoft made the best-possible decision.
John Pescatore, an analyst for Gartner who covers security, agreed with the minority. "I think Microsoft did the right thing here," he said in an e-mail. "I would much rather see solid, well-tested patches for the highest risk vulnerabilities -- which means first the ones where there are active exploits out -- come out first, rather than wait for all versions to be patched simultaneously, or to rush out immature patches quickly and require re-patching later."
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
patch
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
