Experts unconcerned over Microsoft patch delay

The decision to delay the latest Windows patch has been praised by the security industry

Security experts are largely unconcerned about the delay to Microsoft's latest critical security patch, as they believe hackers will struggle to exploit the vulnerabilities that the patch was meant to fix.

The patch was due to be released on Tuesday, but was pulled on Friday after Microsoft "encountered a quality issue that necessitated the update to go through additional testing and development before it is released", according to the company Web site.

Mikko Hyppönen, director of antivirus research at Finnish security company F-Secure, said that, as the bug existed in Microsoft software before the company announced a fix, there is no difference to the security risk facing Windows users today.

"There are not suddenly going to be hundreds of underground hackers just concentrating on finding this one security flaw, I think," Hyppönen said.

Hyppönen was glad that Microsoft had decided not to release a patch with bugs. "I prefer it this way," he said. "It would generate more problems if Microsoft released a buggy patch. Most exploits exploit an existing patch."

If a buggy patch that many users chose not to install were released, hackers could examine that patch to find the flaws in the original software, Hyppönen said, whereas "at the moment it's like shooting in the dark" for the hackers.

Graham Cluley, senior technology consultant at security company Sophos, agreed. "At the moment there's not much information on the vulnerability. It's better that Microsoft not roll out [the update] than roll it out flawed. Obviously we're keen to get the update, and [the announcement that no update would be available] was a bit up against the wire, but it's better that Microsoft stopped the release," he said.

"As long as no information leaks out from Microsoft, we don't think there's much risk to users. As far as we know there are no exploits out there for the current flaw," Cluley said.

"Obviously this will cause some embarrassment to Microsoft — they've said to us there will be an update, then turned around and said 'Whoops, not just yet', but we don't think there's much risk to users," he said.

As to when the patch would be released, Cluley said, "Microsoft may decide to release the patch in a month, but hopefully they'll release it as soon as it's ready."

Hyppönen concurred. "They [Microsoft] might simply release it next month," he said.

All the experts questioned declined to speculate as to which part of Windows was addressed by the update. "There are so many potential holes I couldn't possibly guess which one it's for," joked Alex Shipp, chief antivirus developer for MessageLabs.