MS Response to Animated Cursor Vulnerability Shows Problems in IT Depts.
Microsoft is responding to the animated cursor vulnerability (MS Advisory 935423) with an out-of-cycle patch. According to the MS Security Response Blog, the patch should be out tomorrow. The quick response is due in part to the increasing need for it (the vulnerability is being actively exploited) and in part to the fact that MS has had time to work on this. From the MS blog we hear:
I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly. I mentioned on Friday that this issue was first brought to us in late December 2006 and we’ve been working on our investigation and a security update since then. This update was previously scheduled for release as part of the April monthly release on April 10, 2007. Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10.
This highlights a problem that is easy to forget. Software vendors, at any time, may have a number of vulnerabilities to correct and they have to prioritize. A mid-level priority vulnerability one day can be a top priority the next. The same is true for IT departments.
We need flexible patch and change management in order to respond. Unfortunately, without the right tools, this is difficult, especially in the compliance-obsessed environment we're now in. How many will have to choose between being out of compliance because they sidestepped a long change management procedure and being out of compliance because they left a known vulnerability unpatched while plodding through out-of-date change management procedures?



