IE patch: Microsoft's eight days of hell

IE patch: Microsoft's eight days of hell

Summary: It's always funny watching an event force a company to break old habits and this IE zero day was enough for Microsoft to do it. As Microsoft Australia's strategic security advisor Stuart Strathdee said "we pulled all stops to get this patch out".

SHARE:
TOPICS: Security, Browser
11

It's rare to witness an event which forces a company to break old habits, but the recent Internet Explorer zero-day security hole was enough for Microsoft to do it.

As Microsoft Australia's strategic security advisor Stuart Strathdee said: "We pulled all the stops to get this patch out". The "out of band" patch released by Microsoft at 5am Sydney-time yesterday was an unusual event indeed, according to Strathdee. The company usually patches monthly.

We pulled all the stops to get this patch out

Microsoft's Stuart Strathdee

"Out of band updates are a fairly rare occurrence. We did have one earlier this year. Without access to exact numbers, I think we only do one or two a year," Strathdee told ZDNet.com.au.

In October this year, Microsoft was forced to release a patch for its Windows Server software outside the monthly Tuesday patch cycle. Microsoft considered a flaw in its Windows Server 2000, Windows XP, and Windows Server 2003 software critical enough to do what it did yesterday at 5am.

The patch released yesterday was rushed through within eight days of the zero day's discovery — a feat which Australia's Computer Emergency Response Team's (AusCERT) general manager Graham Ingram earlier this week said would be "Herculean"; even without the eight-day turn-around time that Microsoft has achieved.

"I would not like to be working for Microsoft at this point in time," he told ZDNet.com.au at the time.

According to Strathdee, it wasn't such a pleasant time. After Microsoft completed its risk assessment on the threat, he said, "We decided it was something that we had to go 24/7 on."

"From the development team's [perspective], even though [they] have the core code for IE, going through all those permutations of different combinations of service packs and operating systems obviously opens up the matrix of testing," he said. "It was a big task."

Meanwhile, AusCERT, which knew that it might cop flack — not just from Microsoft but large corporations that have locked-down computers — had cautiously advised organisations to "consider" using alternative browsers until a patch was released.

Strathdee said this advice was "drastic". "Particularly in this instance, the risk to Australian users has been so minimal, that recommending alternate browsers — that really is a very drastic recommendation," he said.

And Strathdee's following comment can't be denied by other browser makers, such as Google, Apple, Opera and Mozilla.

"The other side of that is that if you are going to switch to an alternate browser, you need to consider the vulnerabilities that those browsers have in terms of exposure," he said.

The code is as good as we can make it based on the urgency that we had here

Microsoft's Stuart Strathdee

All have experienced serious flaws of some nature over the past year and all are under attack. On the other hand, none besides Firefox — and only at a consumer level — are anywhere near as widely used as Internet Explorer. The question is, which browser is next in line? On the advice of some fairly reliable sources, the answer is likely Firefox.

But in Microsoft's defence, Strathdee said: "We're not trying to back away from the fact this was a serious issue. That's why we've pulled out all the stops."

Despite the rushed nature of the patch issued yesterday, Strathdee said it was "quality". "Even though we've rushed it, we've done a lot to ensure that it is a quality update and the code is as good as we can make it based on the urgency that we had here," he said.

Microsoft typically tests its patches against application environments of between 250 to 300 organisations besides itself, according to the executive.

Despite the panic and hype caused by this zero-day flaw, Strathdee said it wasn't time for organisations that only supported Internet Explorer to start supporting other browsers.

Topics: Security, Browser

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • Proof of the need for more than one browser installed

    This near-disaster was near copy-book proof as to why organisations need to have more than one browser (or browser/OS combo) available.
    anonymous
  • Typical spokesperson for company spouting spammy, self interested bs advice...

    This 'Strathdee' man is a joke!!! Is he for real in the following quote!?!

    Despite the panic and hype caused by this zero-day flaw, Strathdee said it wasn't time for organisations that only supported Internet Explorer to start supporting other browsers.

    OF COURSE IT IS TIME to SUPPORT OTHER BROWSERS!!!

    See:
    Firefox
    Opera
    Google Chrome

    MAKE A DECENT BROWSER Microsoft, Or just DISCONTINUE you cancerous plague that is 'Internet Explorer'

    That's my opinion anyway. Cheers
    anonymous
  • You sir's (first 2 posts) are idiots

    So, let me get this straight. All the other browsers have more security flaws than IE and yet you epouse that organisations should support the alternatives? What absolutely stupid and naive statements.
    anonymous
  • Days of hell

    0 days of hell for me. But I dont use Microsoft, the walmart software company.
    anonymous
  • But Firefox has/had just as many problems as IE!!

    The really funny thing about people suggesting to use other browsers; for example Firefox, is that Mozilla released three CRITICAL patches for Firefox 3 the day before Microsoft released its patch for IE.

    TWO of the security holes in Firefox 3 (that the patches fixed) allowed exactly the same style of drive-by infection that IE experienced.

    Even worse? NO ONE was publically advised by Mozilla that these ALSO wide open security holes existed!!! While at least Microsoft announced the issue, advised of workarounds and then provided a resolution.

    So much for all the cries of IE is crap, Firefox is brilliant...

    For the record, I *AM* a Firefox user... BUT I believe Microsoft did incredibly well with this patch. While the media reported yet another end of the world situation.
    anonymous
  • More Rubbish

    Patch Tuesday, exploit Wednesday!
    More rubbish. Windows runs games therefore it's a toy operating system.
    anonymous
  • Which security flaws are you refering to?

    MOZ, What makes my comments about using alternatives to Explorer

    'absolutely stupid and naive statements.' ???

    RE: 'All the other browsers have more security flaws than IE'

    That is a generalisation, with no supporting evidence either.

    Google's chrome for example is OPEN SOURCE unlike IE so patches and fixes for identified problems can be worked on by a team of intelligent people worldwide... And it will only get more and more secure over time, and I think you will find much quicker than IE.

    and Internet explorer has spread HOW many viruses and worms, as opposed to percentage of others?

    I personally only ever use IE to see how badly it has rendered the perfectly valid HTML CSS and XHTML page I just made, and if I will have to make YET ANOTHER work-around to support that rubbish excuse for a browser.

    But yes MOZ, if you are going to call me stupid and naive, fine... IMO you are also naive.

    Any good reason I should use internet explorer for anything by the way?

    It is slower to load, most targeted by malware designers, and doesn't render valid code properly... Why would I use it at all? Enlighten me.

    Those are my points and I am not interested in a flame war but please... Also use your own intelligence a little more if you are going to attack people.
    Liam
    anonymous
  • IE has more security flaws.

    Some of the other browsers (Firefox & others) have been engineered, from the ground up, with security in mind; & do not treat external data from untrustworthy sources as 'safe' by default.

    OTOH, Microsoft's original "we get the web" architecture was to bring HTML and the web, into and inside your computer -- as tightly integrated as possible.

    This entailed "running" HTML pages as executable code, rather than safely viewing them.. any idea where the abortions known as 'Active Desktop' and ActiveX came from?

    The Microsoft Java VM, perhaps?

    Their whole strategy was (& still is) based on "integrate and subvert".

    When you have that many marginal programmers & incompetent managers struggling to meet underhand targets, guess how far down the list "security" gets pushed.

    MS also has fundamental differences in how it bundles & aggregates security fixes, to reduce their apparent number.

    My last analysis was, that IE is vastly less secure -- this was 3 months ago. I believe this still, to be the case.
    anonymous
  • IE is unreliable

    Many websites in the world contains virus which may destroy IE and steal your personal information, especially the sex websites. I've used Firefox for more than 3 years and never get crush or affected by the virus. This is why other browsers are more reliable.
    anonymous
  • Nup, I can't keep biting my tongue...

    So, you've found that your personal information is safe from those nasty sex websites now you're using other browsers, then? :)
    anonymous
  • so is this blog dead

    19 days and it will have been two months since this blog has been updated. Are you trying to say that there have been no security issues since 19 December 2008!
    anonymous