Why did Microsoft take so long?
Published: 13 Feb 2004 15:00 GMT
"Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter," said Chris Wysopal, vice president of research and development for security firm @Stake, which counts Microsoft as a client. "It is definitely in the multi-month category because of how many versions of the operating system and the big applications that they had to test."
The flaws exist in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and the vulnerabilities could let a remote user take control of a computer running a version of Windows that hasn't been patched, according to the advisory posted on Microsoft's Web site. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.
Such widespread vulnerabilities are most tempting for the underground coders who create worms such as MSBlast -- also known as Blaster -- and Slammer, both of which took advantage of Windows flaws.
Stephen Toulouse, senior program manager of Microsoft's Security Response Centre, said the fix took so long to create because of the difficulties posed by such a pervasive technology.
"ASN.1 is really an extremely deep... technology in Windows itself," Toulouse said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."
Yet the complexity of the problem isn't necessarily an adequate reason for the delay.
Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available.
That flaw made network devices using version 1 of the Simple Network Management Protocol (SNMP) -- a data language that allows network hardware to communicate over the Internet -- vulnerable to attacks aimed at causing instability, crashes or compromises.