computerwoche.de

Archiv

Microsoft exec defends monthly patch cycle

23.05.2006
Bret Arsenault, Microsoft Corp.'s chief security advisor and general manager of U.S. enterprise security, talked Tuesday with Computerworld aboout why Microsoft doesn't plan to release an out-of-cycle fix for an unpatched vulnerability in Word for which an exploit is already available. Excerpts from the interview follow:

What are Microsoft's plans to address the flaw? The plan right now is to release a patch on June 13 as part of the regular update. We are monitoring the number of infections and what the impacts to the customers are. At this point, we recognize the seriousness of the issue. We are going through our regression testing which is, of course, to make sure that we have the right fix and it is of the right quality. The worst thing to do is to install something out of band and then having to redo it again the second or third time. So we balance that with what the current threat level is.

I believe if you look at what the virus vendors' current reading of the issue is, it is low to moderate because of the current infection rate.

This is not the first time that an exploit has become available for an unpatched Microsoft vulnerability. Is it causing you to review your patch-release cycle? We don't want to release an inferior-quality product. We always have to balance the timeliness of the patch with what the current threat is to the customer base. I don't think we want to change that balance. If the threat level becomes severe enough, we will release something out of that. But we try to limit our out-of-band [releases] because what our customers have asked us to do is to be predictable.

In this particular scenario, you should know we are not happy with the process this went through. We have an outreach program for vulnerability finders. We work very hard to do responsible vulnerability disclosure, and by somebody not reporting this to the vendor, it is the customers who are paying the price.

What do you think of the role that third parties have played in releasing interim patches for these sort of flaws? Is that putting pressure on Microsoft to release fixes quicker? I don't think there is any more pressure than protecting our customers. I don't really have a comment on what others do as far as providing patches is concerned. They can do what they want to. The important thing is for customers to evaluate if the patches have been tested for all the platforms they run and if it is of the same quality they want it to be.