Viruses Exploit Microsoft Patch Cycle

The creators of the latest MyDoom variant, which exploits a recently discovered iFrame vulnerability in IE, may have timed the release of the viruses to throw Microsoft's monthly patch cycle into disarray


The creators of the latest MyDoom variant, which exploits a recently discovered iFrame vulnerability in Internet Explorer, may have timed the release of the viruses to throw Microsoft's monthly patch cycle into disarray, security experts say.

In its latest monthly update on Tuesday, Microsoft was not able to fix a serious vulnerability in the Internet Explorer browser because the flaw was discovered only a few days before the company's regular update was due. The two variants of the MyDoom virus were released earlier this week, leaving the software giant without any option but to ignore the problem--for now.

Sean Richmond, senior technology consultant at Sophos Australia, told ZDNet Australia that it would have been impossible for Microsoft to create and test a reliable patch in four days--the time between the vulnerability being published and Tuesday's patch update.

"To release a stable patch for IE would be impossible (in that time) because they want to test it thoroughly before it goes out," Richmond said. "The monthly patch cycle was designed to make it easier for system administrators to schedule their updates, but a few days is just not enough time for Microsoft create and test a patch."

Ben English, security team leader at Microsoft Australia, told ZDNet Australia that Microsoft advocates a process of responsible disclosure and is "very keen" to discover any vulnerabilities before they are made public.

"The reasons are very obvious. We would not disclose any info about a vulnerability till we have mitigation in place," English said. "The worst scenario for us is that we release an update which has quality problems. We believe the downstream problems of releasing patches too quickly are even more serious than not putting in the quality that they deserve."

English would not comment on whether Microsoft thought the timing of the worm's and the vulnerability's disclosure was malicious, but he said that if the problem were serious enough, the company would break its patch cycle to plug the gap.

"In terms of the timing, I have no comment on whether there is malicious intent," he said. "But in a sense, it is academic because if this is a serious vulnerability and we have a patch available, we will release it out of cycle."

The MyDoom virus, also referred to as a worm, has been dubbed Bofra by some antivirus firms.