Last month, when a gaping security hole was found in Internet Explorer that could allow an attacker to run code of his choosing on a user's computer, Microsoft initially labeled the flaw's severity "moderate."
The vulnerability affected all Windows users running IE versions 5.5 or 6.0, and potentially those using Outlook or Outlook Express, which rely on IE's HTML rendering engine to display e-mail. It enabled an attacker to gain access to a user's computer simply by luring that user to a booby-trapped Web page.
Soon afterward, Microsoft's "moderate" rating decision came under attack by the tech community, led by postings to the Bugtraq mailing list by Thor Larholm, a consultant at security firm PiVX Solutions, detailing the flaw's serious nature. "I definitely thought they were downplaying the severity of [the flaw] quite extremely," Larholm told NewsFactor.
"Not even two weeks before that patch was released, they released another critical patch, also for Internet Explorer," Larholm added. "The entire public image of having to release two critical patches on almost a weekly basis, that's bad."
Microsoft Backpedals
Microsoft relented on December 6th, revising the bulletin for the original fix and this time listing the flaw as "critical." The company said it had not foreseen the attack scenario posted by Larholm and others, and that the new information warranted the change in rating.
"Information posted to NTbugTraq shortly after the release of MS02-068 prompted an investigation that uncovered a previously unknown exploit scenario," Steve Lipner, director of security assurance at Microsoft, told NewsFactor in a statement. "The newly discovered exploit scenario -- still based on a vulnerability fixed in MS02-068 -- could allow a malicious user to run code on a user's computer via a specially crafted Web site or e-mail message -- thus warranting a severity rating of critical."
Larholm acknowledged that Microsoft did respond and correct the severity rating, saying he hopes the company will be more aware in the future that people are watching its bug ratings.
"They're good at responding when you start bashing them in public," Larholm said. "They can be a bit slow sometimes when you write them privately."
Microsoft Ratings Change
Just last month, Microsoft altered the way it rates security threats by adding an "important" rating between "moderate" and "critical." Under the old three-level scale, "moderate" sat one step below "critical"; under the new four-level scale it sits two steps below. So the IE bugs in question, initially labeled "moderate," landed lower on the severity scale than the same label would have placed them a month earlier.
Such ratings are often decisive factors in determining whether -- and when -- an organization chooses to implement a patch, according to Giga Information Group vice president of IT services Julie Giera. When making a severity rating, "the vendor usually looks at the severity of the problem and the size of the customer audience that it would affect," she told NewsFactor.
For smaller organizations, the rating may be one of the only factors used to distinguish patches that must be deployed from those that can wait.
"If you look at some of the patches, say, MS02-068, it's really hard to figure out what it does. I would think a lot of people would look at that and not know if they need to apply it or not," Yankee Group senior analyst Eric Ogren told NewsFactor.
Offensive Line
Although they consume an IT department's time and resources to test and deploy, patches are among the best responses to threats. A recent Gartner study predicts that through 2005, 90 percent of all cyberattacks will exploit known vulnerabilities for which a patch or workaround already exists.
"More than 95 percent of all the incidents reported to us are things we knew about," Marty Lindner, team leader for incident handling at the Computer Emergency Response Team (CERT) Coordination Center, told NewsFactor. "There are very few things that happen that are new and innovative."
But as organizations face a steady stream of patches, coupled with shrinking IT budgets and increased demands on IT staff, patching often gets pushed to the bottom of the priority list.
Patch Flood
"It's a never-ending burden," Ogren said, noting that among the enterprises he speaks with on a regular basis, "Every day, either from an OS vendor or application vendor, there is a list of patches to update. And … they have to evaluate [each one] in a test lab before they deploy it, because sometimes patches have side effects and break things."
The number of security incidents skyrocketed this year, according to CERT, which reported more than 73,000 incidents in the first three quarters of 2002 alone. That figure is already nearly 40 percent higher than the roughly 52,000 incidents reported in all of 2001.
Critics argue that more software is being released with bugs, accounting for the greater number of security incidents and the subsequent flood of patch releases.
At the same time, Giga's Giera said, vendors are getting better at communicating the severity of security flaws in their software, and offering patches (continued...)