Why The ANI Fix Took Three Months
David Utter Staff Writer
2007-04-05
Microsoft's patch update process requires a lot of testing, but the urgency of the animated cursor flaw, which numerous websites are hosting attacks against, led them to cut some corners.
No one has disputed Microsoft's knowledge of the animated cursor flaw, least of all the company itself. Microsoft's Mike Reavey said on their Security Response blog that security firm Determina properly submitted details of the vulnerability on December 20, 2006.
Microsoft has been roundly criticized for the delays in fixing the problem. A patch became available out of band for Windows users, a week ahead of their normal monthly update process.
Security pros and tech observers helpfully pointed out how Microsoft skipped issuing any patches in March.
Reavey wrote about the seemingly lengthy process, and described how such issues get patched on a routine basis:
Based on the severity of the initial report, we began driving for release right after we were able to verify the vulnerability reproduced. The level of priority that we assign to a vulnerability is based on the severity of the vulnerability and the risk to customers. The level of urgency and our willingness to "shortcut" steps in the process, such as quality testing, to release on a faster timeline is based on the actual risk to customers at that time.
Problems for the security engineers came as they realized the dependencies in play while trying to fix the flaw.
"For this issue in particular, the update modifies functionality that is pervasive and core to the operating system, both in graphics rendering, as well as kernel mode operations," said Reavey.
While they caught many possible conflicts, the engineers reached the point where they had to release the patch.
One conflict that arose for users, with the RealTek Audio Control Panel application, required a separate hotfix to correct it as the patch broke the application.
"The result of our comprehensive testing is that at the time of release, only one minor quality issue was known and guidance as well as a hotfix was ready for customers at the same time of release," Reavey said. That turned out to be the RealTek issue.
The release of the patch fixed seven issues in Windows, three of which existed on the new Vista OS platform.
One of them was the critical animated cursor flaw.
Microsoft has long touted the improved security of the Vista platform, but it appears that legacy issues affecting older Windows editions, at least in this case, can still plague the latest product.
---
Tags: Microsoft, Security, Patch, Animated Cursor
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.