Sydney Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.
Last week's attacks used unpatched vulnerabilities in Internet Explorer to deploy a Trojan horse program on the victim's machine, which could capture the user's Internet banking passwords. The SANS Institute's Internet Storm Center reported the attacks were launched through a large number of websites, some of them "quite popular," which had been penetrated and modified to deliver malicious code.
Two of the Internet Explorer vulnerabilities exploited in the attacks were discovered in active use on June 6th, and have not yet been patched by Microsoft, according to an analysis by IT security company Symantec. [Symantec publishes SecurityFocus]. The attacks also used a controversial Internet Explorer feature that permits local HTML documents to create or overwrite files on a user's computer. Though not a bug in and of itself, security researchers warned as early as last August that the feature becomes a serious attack vector when used in conjunction with Internet Explorer holes.
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time - the average time - to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."
Asked by SecurityFocus about the Russian hacks of last week, Gates hinted that the attacks wouldn't have been possible if administrators had installed a security patch Microsoft made available for its IIS Web server product last April.
"The Russian exploit that just came this weekend, that's [MS04-11]," said Gates, referring to the April update. "Believe me, there's been no six month wide open thing that has been there. We pull through Windows update as soon as we see something as being visible and serious."
But the open Internet Explorer holes can be exploited with or without unpatched Web servers, counters security researcher "Http-equiv," who specializes in IE vulnerabilities. "This is... completely irrelevant to the attack and was merely a novel method to extend the reach in a somewhat anonymous fashion," he wrote in an email interview. "It could have just as easily been setup on a regular free hosting service provider with one of many methods to direct the victims there."
Even so, Http-equiv agrees with Gates' claim that Microsoft is getting better at churning out fixes. "I have three confirmations to this effect for three issues I have found over the years, where they were quickly, and silently, patched in record time," the researcher said.
Security researcher Drew Copley, of eEye Digital Security, says Microsoft still has some work to do in its patching process, but there's no reason the company can't achieve good turnaround times "if they got their act together".
"The only reason they can not is because their system is not set up that way," says Copley. "It moves slowly, like a behemoth. They need to change their whole way of fixing security issues," he added.
Despite the claimed 48-hour production capability, the software giant would not commit to a guaranteed patch turnaround time. Gates would only say he is looking to speed up the process. "We can't say that... we'll have it fixed in an exact period of time," he said. "We will guarantee that the average time to fix will continue to come down."
Gates lauded Microsoft's recent handling of its security patching processes. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing," he said. "If you track how we have improved over this last twenty four months, you'll see that we are absolutely doing our best."
Convincing its customers to turn on automatic security updates is one thing Microsoft has to do to make an impact on its users' security, he added.