Microsoft Sticks to Patch Cycle

Microsoft confirmed it’s investigating three reported security
vulnerabilities in its Internet Explorer browser.
But a spokesperson denied there are plans to deliver patches outside of the normal monthly cycle.

In a report released on Nov. 2 and updated on Nov. 18, security firm Secunia
warned of a vulnerability is caused by a boundary error in the handling of certain
attributes in the IFRAME, FRAME, and EMBED HTML tags. The flaw in Internet
Explorer 6.0 allows remote attackers to execute arbitrary code.

A Microsoft spokesperson noted that users of Windows XP who had installed Service
Pack 2 were protected from this vulnerability. Windows Server 2003 users also are protected.

She said the company’s Security Response Center was working on a patch for users
of earlier Windows operating systems, but it must be tested to make sure it doesn’t
cause more problems than it solves.

“The most important thing in security responses is that, if you come out with a
fix, it will be a quality fix that won’t break applications or introduce more problems,”
she said. “How Microsoft’s Security Response Center determines when a fix will be
released is a function of testing. It requires a balance between time and testing.”

After patch testing is completed, she said, Microsoft will decide whether to
issue the patch out of cycle or wait until the second Tuesday of the month, the
scheduled date for Microsoft’s patch releases.

The spokesperson said the Security Response Center team would consider whether
customers were being attacked through the vulnerability, as well as how severe the vulnerability
was when deciding whether to patch out-of-cycle.

News Around the Web