It's rare to witness an event which forces a company to break old habits, but the recent Internet Explorer zero-day security hole was enough for Microsoft to do it.
As Microsoft Australia's strategic security advisor Stuart Strathdee said: "We pulled all the stops to get this patch out". The "out of band" patch released by Microsoft at 5am Sydney-time yesterday was an unusual event indeed, according to Strathdee. The company usually patches monthly.
We pulled all the stops to get this patch out
Microsoft's Stuart Strathdee
"Out of band updates are a fairly rare occurrence. We did have one earlier this year. Without access to exact numbers, I think we only do one or two a year," Strathdee told ZDNet.com.au.
In October this year, Microsoft was forced to release a patch for its Windows Server software outside the monthly Tuesday patch cycle. Microsoft considered a flaw in its Windows Server 2000, Windows XP, and Windows Server 2003 software critical enough to do what it did yesterday at 5am.
The patch released yesterday was rushed through within eight days of the zero day's discovery — a feat which Australia's Computer Emergency Response Team's (AusCERT) general manager Graham Ingram earlier this week said would be "Herculean"; even without the eight-day turn-around time that Microsoft has achieved.
"I would not like to be working for Microsoft at this point in time," he told ZDNet.com.au at the time.
According to Strathdee, it wasn't such a pleasant time. After Microsoft completed its risk assessment on the threat, he said, "We decided it was something that we had to go 24/7 on."
"From the development team's [perspective], even though [they] have the core code for IE, going through all those permutations of different combinations of service packs and operating systems obviously opens up the matrix of testing," he said. "It was a big task."
Meanwhile, AusCERT, which knew that it might cop flack — not just from Microsoft but large corporations that have locked-down computers — had cautiously advised organisations to "consider" using alternative browsers until a patch was released.
Strathdee said this advice was "drastic". "Particularly in this instance, the risk to Australian users has been so minimal, that recommending alternate browsers — that really is a very drastic recommendation," he said.
And Strathdee's following comment can't be denied by other browser makers, such as Google, Apple, Opera and Mozilla.
"The other side of that is that if you are going to switch to an alternate browser, you need to consider the vulnerabilities that those browsers have in terms of exposure," he said.
The code is as good as we can make it based on the urgency that we had here
Microsoft's Stuart Strathdee
All have experienced serious flaws of some nature over the past year and all are under attack. On the other hand, none besides Firefox — and only at a consumer level — are anywhere near as widely used as Internet Explorer. The question is, which browser is next in line? On the advice of some fairly reliable sources, the answer is likely Firefox.
But in Microsoft's defence, Strathdee said: "We're not trying to back away from the fact this was a serious issue. That's why we've pulled out all the stops."
Despite the rushed nature of the patch issued yesterday, Strathdee said it was "quality". "Even though we've rushed it, we've done a lot to ensure that it is a quality update and the code is as good as we can make it based on the urgency that we had here," he said.
Microsoft typically tests its patches against application environments of between 250 to 300 organisations besides itself, according to the executive.
Despite the panic and hype caused by this zero-day flaw, Strathdee said it wasn't time for organisations that only supported Internet Explorer to start supporting other browsers.