There was a surprise buried in Microsoft's monthly security bulletins. It turns out that Microsoft had quietly slipped out one of the February fixes just days before its Jan. 30 Vista launch.
The fix was for a bug in Microsoft's Malware Protection Engine, used by products like Windows Defender, Antigen, and One Care to scan for malware. Microsoft had found out that the engine could possibly be tricked into running unauthorized code if it scanned a specially crafted PDF file.
Nobody has ever actually launched such an attack, but since these products are always automatically scanning for malware in the background, the vulnerability could have led to some huge exploits.
Still, it's strange that Microsoft waited so long to notify its customers of the patch.
It's rare for Microsoft to release one of these out-of-cycle updates, but since it adopted its monthly patch process back in October 2003, it has generally let users know about them as soon as they appear.
Microsoft's Mark Griesi said that the company decided to send out the malware engine fix as soon as it was ready on January 26 and that this kind of rapid fix is usual practice with most security software. But he said there was no particular reason why the company decided to wait until February 13 to tell people about it.
Microsoft just hasn't been in the position of having to patch its security software since rolling out the monthly patch process. "It was one of those first-time situations: 'Should we say something now or should we just wait?' This time we decided to wait. We won't do it again."
From a PR perspective, it wasn't a bad move. Microsoft has touted Defender as one of the top three Vista security features. It wouldn't have been much fun to be talking about a major security flaw in the product just days before the Vista launch.