Microsoft had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20, 2006. Now we're getting an emergency patch today, one week before the regular patch cycle, and Microsoft seems to think that this is a success story on its "quick" response to this zero-day exploit. Here's what an MSRC blog has to say:
"I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly"
Um, no, not really; the question on my mind is why Microsoft took three and a half months to patch a vulnerability that was disclosed to it in secret, waited until the vulnerability was being exploited in the wild, waited until a third party came out with its own patch, and waited until this became a public relations nightmare before releasing an out-of-band patch. This isn't the first time either. The last time Microsoft came out with an out-of-band patch was the WMF exploit, and that was under the same circumstances, with massive negative press. But if it's just little old me complaining about Microsoft not patching a zero-day Internet Explorer flaw until the next scheduled cycle, it just falls on deaf ears.
What's even more frustrating is that DEP (Data Execution Prevention) in Windows XP SP2 or Vista, when enforced with hardware NX/XD support, will stop this exploit. (I verified this in the lab.) But Microsoft won't turn it on for all applications by default, nor will it even mention it in its advisory. Almost all new PCs sold within the last year have NX/XD capability, and it's a simple switch to turn it on in Windows XP and Vista. Yet most people have it defaulted to off for everything except a few critical applications and services. There are only a few applications that are incompatible with DEP, and there are workarounds for them. The problem is that Microsoft doesn't want to deal with the technical support when those applications break, though the amount of breakage is far less than with Vista UAC. The only applications I ran into with DEP incompatibility were Skype (though they fixed it four days after I brought it up) and Microsoft Live Meeting (still not sure if they fixed it). But if Microsoft made DEP all-on the default setting in Windows Vista, more application vendors would be forced to fix their applications to use secure coding practices. I recommend that anyone reading this go ahead and turn on DEP protection using this hardware and DEP configuration guide.
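To see where a given box actually sits on the DEP question raised above, here is an added example (my own script, not part of the original post or Microsoft's guide) that reads the DEP state from the Win32_OperatingSystem WMI class and shows the one-line change that moves the machine from Microsoft's OptIn default to AlwaysOn. It assumes Windows XP SP2 or Vista with PowerShell installed; the bcdedit command applies to Vista only, and boot.ini to XP.

```powershell
# Added example: audit hardware DEP/NX state and report how to enforce AlwaysOn.
# Assumes Win32_OperatingSystem exposes the DataExecutionPrevention_* properties
# (present from XP SP2 onward). Run from an elevated prompt.

$os = Get-WmiObject -Class Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy values:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the shipping default), 3 = OptOut
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

Write-Host ("Hardware NX/XD available to the OS : {0}" -f $os.DataExecutionPrevention_Available)
Write-Host ("DEP policy                         : {0} ({1})" -f $policy, $policyNames[$policy])
Write-Host ("DEP applied to 32-bit applications : {0}" -f $os.DataExecutionPrevention_32BitApplications)
Write-Host ("DEP applied to drivers             : {0}" -f $os.DataExecutionPrevention_Drivers)

if (-not $os.DataExecutionPrevention_Available) {
    # Without NX/XD the OS can only do software DEP (SafeSEH-style checks),
    # which is not the protection the post is talking about.
    Write-Host "No hardware NX/XD support: only software DEP is possible on this machine."
}
elseif ($policy -ne 1) {
    # OptIn (2) covers only Windows binaries and services; OptOut (3) covers
    # everything except an exclusion list. AlwaysOn (1) covers every process.
    Write-Host "DEP is not AlwaysOn. To enforce it for every process (reboot required):"
    if ([version]$os.Version -ge [version]'6.0') {
        # Vista keeps the boot setting in the BCD store.
        Write-Host "  bcdedit /set {current} nx AlwaysOn"
    }
    else {
        # XP SP2 keeps it on the OS line in boot.ini.
        Write-Host "  change /noexecute=OptIn to /noexecute=AlwaysOn in C:\boot.ini"
    }
}
else {
    Write-Host "DEP is AlwaysOn for all applications and services."
}
```

An application that breaks under AlwaysOn cannot be excluded (that requires OptOut), so test the few DEP-incompatible programs mentioned above before switching a fleet over.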
This isn't the only example of Microsoft ignoring imminent zero-day threats. It has treated Office zero-day exploits in the same casual "we'll patch it when it's ready" manner. That prompted me to write "Is MS Office becoming a zero-day liability all year long?" Back then, there were no Office 2007 vulnerabilities yet, and I figured Microsoft was just dragging its feet on older versions of Office (which is just as bad, since they're widely in use). But a zero-day exploit was reported for Office 2007 on 2/27/2007, and Microsoft couldn't come up with a patch by 3/13/2007 to plug that hole, leaving it open for at least another month. While there are some factors in Windows Vista that can mitigate some of the damage that can be done, we can't discount these vulnerabilities; they are extremely critical, since user data is at risk of theft, deletion, or ransom through encryption, and Microsoft's users are massive targets.
The fact of the matter is that Microsoft has done a relatively good job auditing its code and keeping its exploit count to a minimum, but it seems hell-bent on perpetuating the perception that Microsoft is a joke when it comes to security. For example, there have been only four critical exploits for Windows Vista this year compared to Apple's 62 critical exploits in the same timeframe, but that doesn't really matter. Since Microsoft is the biggest target because of its market share, Microsoft users will get attacked first. It doesn't matter how much hard work Microsoft puts into the SDL (Security Development Lifecycle) and how successful the SDL is if it won't patch its few remaining vulnerabilities in a timely manner. Microsoft's customers will still be victims of malware, and Microsoft's reputation will still be in the tank -- and frankly, it's mostly deserved if it won't take timely patches seriously.