RealTime IT News

Microsoft Sticks to Patch Cycle

Microsoft confirmed it's investigating three reported security vulnerabilities in its Internet Explorer browser. But a spokesperson denied there are plans to deliver patches outside of the normal monthly cycle.

In a report released on Nov. 2 and updated on Nov. 18, security firm Secunia warned of a vulnerability is caused by a boundary error in the handling of certain attributes in the IFRAME, FRAME, and EMBED HTML tags. The flaw in Internet Explorer 6.0 allows remote attackers to execute arbitrary code.

A Microsoft spokesperson noted that users of Windows XP who had installed Service Pack 2 were protected from this vulnerability. Windows Server 2003 users also are protected.

She said the company's Security Response Center was working on a patch for users of earlier Windows operating systems, but it must be tested to make sure it doesn't cause more problems than it solves.

"The most important thing in security responses is that, if you come out with a fix, it will be a quality fix that won't break applications or introduce more problems," she said. "How Microsoft's Security Response Center determines when a fix will be released is a function of testing. It requires a balance between time and testing."

After patch testing is completed, she said, Microsoft will decide whether to issue the patch out of cycle or wait until the second Tuesday of the month, the scheduled date for Microsoft's patch releases.

The spokesperson said the Security Response Center team would consider whether customers were being attacked through the vulnerability, as well as how severe the vulnerability was when deciding whether to patch out-of-cycle.