Fewer Patches Means More Testing For Microsoft

Microsoft’s monthly patch bundle was a lot lighter than usual, although that doesn’t mean the number of bugs and vulnerabilities has gone down.

The company just has a lot more quality assurance work to do.

Microsoft originally planned to release eight security bulletins covering Windows, Office and Visual Studio. However, the company cut that back to four bulletins, removing one related to Office and three related to Visual Studio.

In a roundabout way, a Microsoft  spokesperson said the company was still testing the fixes, noting that many factors impact the period between the discovery of a vulnerability and the release of a security update.

“Once the MSRC [Microsoft Security Response Center] knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected,” the spokesperson explained.

“Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.”

In other words, they’re still testing the patches.

The fixes that were released cover vulnerabilities in Excel and Outlook as well as yet another Vector Markup Language (VML) problem. Problems have been found in VML before and fixed, but this is a new one.

In addition to the fixes, the Malicious Software Removal Tool has been update to add a new Trojan, Win32/Haxdoor. As is tradition, Microsoft will hold a webcast on Wednesday at 11 a.m. PST to discuss the fixes.

Amol Sarwate, manager of vulnerability research at security firm Qualys, thinks Microsoft was right to hold off on issuing patches that weren’t ready, even if that means there are still three Microsoft Word vulnerabilities left to be fixed.

“I think they realized they could not QA and make sure all these patches were ready to go today. So it’s a good thing we won’t have to re-patch systems for flawed patches,” he told internetnews.com.

The patches that were issued are fairly serious, and Sarwate said they should be installed quickly. He’s not surprised the problems are being found in applications and not the operating system.

“I think what we see here are a continuation of trends we saw late last year. One is an increase in zero day attacks, and the other is an increase in client-side application attacks,” he said.

News Around the Web