Untested updates are worse than no update, says Microsoft

“Microsoft can’t afford to break things”, he said. “A security update that breaks something is worse than no security update at all.”

Sometimes, admitted Ness, “we hear about vulnerabilities at the same time as everyone else. We know we have to act fast, but we can’t do so at the risk of releasing an untested update”.

Ness quoted the old case study of the update released for SQL Slammer as a “lesson learnt by Microsoft.” It wasn’t uninstallable, and manual steps were required of administrators. As a consequence, “Admins didn’t deploy it in mass.” The lesson learnt, recalled Ness, is to ensure that updates work in those channels and are easy to deploy.

The short-term solution between discovery and update, Ness said, is a Microsoft ‘fix it’. “This acts as a workaround to protect against zero-day threats before an update is tested and released.” Fix-it offers the customer both ‘Enable this fix’ and ‘Disable this fix’ options.

This week, Microsoft advised customers to use the Fix it available in Security Advisory 2719615 to protect against the reported zero-day vulnerability in Microsoft XML Core Services.

The number of very critical vulnerabilities being addressed by Microsoft is decreasing. In 2011, 32% of vulnerabilities were rated as very critical, as opposed to 60% in 2006/2007. “We’re seeing fewer vulnerabilities, and those we do see have lower severity ratings and are harder to exploit.”

Finally, Ness’ advice to security professionals was this: “Ask if software has undergone SDL; keep all software up to date to close the window of vulnerability; and deploy EMET to protect legacy applications.”
