Some Security Experts Criticize Microsoft For Patch Process

Feb 13, 2004 12:30PM PST

A critical vulnerability first found in July wasn't fixed until more than seven months later, and some say that's too much time.

Microsoft is taking hits from security experts and other analysts over the long lag time between knowing about a major Windows vulnerability and releasing a patch to fix the problem.

The vulnerability in question is one of two noted as critical by Microsoft on Tuesday, when it released February's monthly fixes. Hackers could exploit flaws in Windows's usage of Abstract Syntax Notation, a language for defining the syntax of data messages shared between applications and computers. If attackers successfully created exploits, they could clandestinely destroy data, steal information, or compromise network security.

The bug has been characterized as one of the most serious ever due to its widespread use in many of the Windows operating system's security subsystems, including Kerberos and NTLM authentication, and in numerous server and desktop programs, such as Exchange and Internet Explorer.

The ASN vulnerability was first identified on July 25, 2003, by eEye Digital Security--but not fixed until more than seven months later.

http://www.informationweek.com/story/showArticle.jhtml?articleID=17700169
