Although it must have been a painful moral blow to Microsoft’s security team, issuing the company’s first and only out-of-band security patch of 2011 late last week may actually bring some optimism for the entire Microsoft IT community heading into the new year.
In case you missed it while traveling back and forth between holiday parties, Microsoft administered an unscheduled patch on Dec. 29, a critical patch dubbed MS11-100, to address a vulnerability in the .Net framework that researchers Alexander Klink and Julian Walde publicly exposed on Dec. 28. Issued with just two days left in 2011, the patch was the first of the year not to come as part of Microsoft’s infamous Patch Tuesdays. Even worse, MS11-100 was the company’s 100th on the year, pushing its total out of the sentimentally valuable double digits.
Klink, who works for German security consultancy n.runs, and Walde, who attends Darmstadt Technical University, put the impetus on Microsoft by shining a light on a vulnerability affecting web apps based on .Net. The two researchers explained that the hash tables on many .Net web app frameworks do not feature a randomized hash function and don’t recognize attacks that use multi-collisions. This allowed hackers to target .Net-based web apps with denial-of-service attacks quite easily, flooding them with data with just a single HTTP request.
Having been called out, Microsoft responded and issued the patch just one day later.
So that’s how, with two outs in the ninth inning, Microsoft gave up its first hit. But it doesn’t answer one important question: Why not wait to address it?
By rushing a patch out on Dec. 29, Microsoft sent two very subtle but very important messages. The first was that the company took the particular exploit seriously and wanted to eradicate it as quickly as possible. For this, Microsoft’s efforts did not go unnoticed, as Qualys CTO Wolfgang Kandek wrote in a company blog post that “Microsoft tested and finished MS11-100 in record time.”
However, as Kandek pointed out later in the blog post, Microsoft had already been working on a .Net “fix that was already scheduled for January 2012,” presumably for its first Patch Tuesday of 2012.
Here, Microsoft had itself a problem. The company could have stayed on schedule for the patch, waiting until the second Tuesday in January and in the meantime cashing in on the publicity of a year with fewer than 100 patches and none issued off-schedule. Especially after one of the most high-profile years in IT security, the win would have been a big one.
But instead, the company threw those milestones away, along with the multitude of headlines and tweets that accompany them, and swiftly resolved the issue. In doing so, the company told the security community that it was more important to protect against a DoS attack on .Net-based web apps than the otherwise meaningless accolades for security improvement they would have gotten only after, ironically, ignoring a security gaffe.
Microsoft may have been merely covering itself, taking into account the increased likelihood of a DoS attack after a couple of German researchers showed off the vulnerability at an industry conference. The vulnerability had actually been known to Microsoft since 2003, according to the researchers’ own notification. In that regard, the move may have been an even safer one, as news of an attack of a vulnerability Microsoft knew about would only make for a public relations nightmare.
But at the same time, the company did see improvement in 2011. Its total number of patches sent, 100, is down from 106 in 2010, as is the rate of those rated “critical,” which at 32 percent is the lowest since Microsoft began issuing monthly patches in 2004. And with much of this success attributable to risk mitigation improvements in Windows 7 and Internet Explorer 9, it’s not a stretch to predict this to carry over into 2012.
So, for now, the Microsoft security team didn’t get its “perfect game.” But there’s always next year.