Microsoft has this week issued a patch for a bug in the system used to develop active web pages
. In a change from the company's normal procedures, the update had already been made available for manual downloading before testing was complete.
The bug affected ASP.NET (Active Server Pages), a Microsoft system for creating dynamic rather than static web pages. That could cover a journey planner site that created custom results for the reader, as opposed to a page simply listing bus timetables. Passwords Exposed by Flaw
flaw meant hackers could bypass encryption and see information about the page that was stored on the website server. In some circumstances, the hacker could even tamper
with the data, which in some cases included user names and passwords.
Two independent researchers discovered the bug in September and presented their findings at a security conference. Microsoft then issued a temporary workaround and began working on a more permanent fix. Manual First, Automatic Later
The company did issue an update this past Tuesday but, surprisingly, given that it was a security fix, only made it available for manual download from its security site. At the time, it promised a full automatic update would soon follow. (Source:eweek.com
Microsoft's reasoning for this move was that it had evidence the security flaw was being actively exploited by hackers. However, by Tuesday it hadn't yet fully completed its standard testing program for patches sent out to every Windows computer
. It decided that in the meantime it should make the patch available to those who most needed it, specifically people running ASP.NET-based sites. Administrators Agitated
Despite the logic of such a move, the situation has not been ideal for tech administrators.
Many have a carefully designed policy for installing patches from the automatic update system across their entire network, a policy that doesn't cover manually visiting Microsoft's site and actively downloading patches. There have been reports of numerous enquiries to
Microsoft from administrators uncertain whether they need to get patches and, if so, exactly which to get. (Source:computerworld.com
Microsoft then sent out the patches through Automatic Updates on Thursday. To some that's a good sign, showing the Redmond firm rapidly responding to the problem. To others, it's a sign that the company could probably have got away with waiting a couple of extra days, using only the Automatic Updates, and avoiding any confusion.
As always, it comes down to the balance between security and convenience, a balance that may always prove a point of contention.
Source: http://www.infopackets.com/news/security/2010/20101001_microsoft_explains_unusual_approach_to_re cent_security_update.htm