Sep 09 2003
Crystal Ball time
Okay, it’s time to look in my crystal ball: I foresee that within the next month there will be a wave of virulent new malware (virus or worm) that targets one of the five vulnerabilities that Microsoft released last week. The malware will affect the legions of servers and workstations that have not been updated with the latest patches and affect thousands, if not millions, of systems worldwide. My vote is for MS03-037, a flaw in Visual Basic for Applications (VBA), but one of the other Microsoft Office application flaws may be the first victim.
I know that this isn’t going out on a limb on my part. I’m really getting sick of the ‘Windows Vulnerability of the Week’ game. And five vulnerabilities in one day was a little excessive.
The amount of time between a vulnerability such as any of these being disclosed and an exploit being released in the wild is growing shorter and shorter. It used to be that the time between the disclosure of a vulnerability and the release of malware taking advantage of it could be measured in months; now it can be measured in weeks, soon to be days.
Microsoft patches are notoriously buggy, and most administrators aren’t willing to go with the ‘load and pray’ method of patching. Patches have to be tested, which takes time, and that time may not be available. We can no longer point the finger at the administrator who hasn’t patched a six-month-old vulnerability. The last wave of worms came out just over a month after the vulnerability was disclosed, which is not enough time to do the testing needed in an enterprise-class shop. So which is it: take your chances with the patch or take your chances with the malware?
I have two requests for Microsoft, which I know won’t happen. Quit making such bug-prone software and test your patches. I hate the feeling that I’m beta-testing a system; don’t release the software until it is really ready for prime-time. Microsoft is touting their “Trustworthy Computing” initiative, but so far this year it has proven to be nothing but hot air.
On the other hand, I do have to thank Microsoft for providing me a continuing source of employment as a security practitioner. Without them, I would have a lot less to do on a daily basis, and a lot less to complain about.
:->