Microsoft's Tying IE Changes In Security Patch Sparks Backlash

By packaging a functionality change for Internet Explorer with a needed security update, Microsoft has alienated some IT pros.

April 12, 2006

4 Min Read
Network Computing logo

By packaging a functionality change for Internet Explorer with a needed security update, Microsoft has alienated some IT pros, security vendors complained Wednesday.

Along with the 10 patches in Tuesday's MS06-013 security bulletin, Microsoft bundled changes to IE's handling of ActiveX controls. Those changes, which were prompted by a 2003 $521 million judgment against Microsoft in a patent lawsuit brought by Eolas Technologies Inc. and the University of California, will require users to manually activate controls on some sites.

"Microsoft often bundles non-security-related code in security updates," said Mike Murray, director of research at vulnerability management vendor nCircle. "Little optimizations and that kind of thing. But I don't remember them ever bundling a functionality update or, as in this case, removing functionality, with a security bulletin."

The inclusion of the ActiveX changes "makes everything a mess" for companies deploying and testing Microsoft's monthly patches, Murray said. "I've talked to some of our customers, and they're at the point where they're pulling out their hair.

Instead, Microsoft should have separated the IE ActiveX changes from the security fixes. "They easily could have deployed it as a separate patch or rolled it into a service pack," said Murray.In late March, Mike Nash, Microsoft's head of security, gave administrators a heads-up that the ActiveX changes would be coming April 11 and would be blended with the security update. At that time, his explanation for the bundling was that " in order to reduce the complexity of updates and to improve quality, we ship all IE updates as cumulative updates."

On Wednesday, a Microsoft spokesman went into more detail.

"While Microsoft tries to minimize the amount of non-security updates that go out with the regularly scheduled security updates, occasionally changes are permanently made to the Windows source code and therefore are picked up in the subsequent security update that installs the affected files," he said. "This particular change falls in that category."

He also hinted that the decision to roll the change into the security update was made in consultation with customers and partners, and after talking with them, the company concluded that this approach was the easiest to implement.

"Microsoft has been working with its customers and partners on the IE ActiveX update since early December 2005, and has been actively soliciting customer feedback on how to make this process as easy as possible," he said.Microsoft has posted a "compatibility patch" to delay the court-mandated changes to IE until June 13, that month's scheduled bulletin release date, when the changes will be made permanent.

"To help enterprise customers who need more time to prepare for the update, Microsoft is releasing a Compatibility Patch," said the company spokesman.

If enterprises follow Microsoft's advice -- deploy MS06-013 and its ActiveX changes first, then follow up by installing the compatibility patch -- they'll be faced with a secure, but possibly-broken browser, at least temporarily, said nCircle's Murray.

To compound the problem, it's crucial that companies deploy the IE security fixes in MS06-013 ASAP, another security vendor said Wednesday.

In an alert to users of its DeepSight Threat Management System, Symantec advised enterprises to either update or consider dropping IE.

"The DeepSight team strongly encourages system administrators to apply the fixes in this update as soon as possible," the alert read.The large number of vulnerabilities covered by the bulletin precludes any finesse in mitigating against attack, Symantec concluded, and instead recommended that one option for companies unable to install the fixes is to "disable Internet Explorer until patches can be rolled out." Other advice included setting the browser's security settings to "High" and/or restricting browsing to corporate intranet and other trusted sites.

Symantec and other security companies raised the alert in part because 3 of the 7 critical flaws described in the bulletin are either currently being exploited or have been the target of published proof-of-concept code.

The "createTextRange" vulnerability, now patched, has been used by hundreds of Web sites for three weeks to secretly download spyware, adware, and other malicious programs to IE users' machines.

The createTextRange bug, in fact, was thought serious enough to generate a pair of unsanctioned, third-party patches weeks before Microsoft released its fix. One of those patches was created and distributed free of charge by Aliso Viejo, Calif.-based eEye Digital Security, which on Tuesday announced that more than 150,000 people had downloaded the patch in the two weeks it was available.

"Disabling Active Scripting [a workaround suggested by Microsoft] and waiting 14 days for Microsoft to issue a patch was not a viable option for many organizations," said eEye's co-founder Mark Maiffret in a statement. "This vulnerability needed to be dealt with immediately."Details on the fixes applied in the MS06-013 patches can be found here, while the ActiveX delay patch can be downloaded for Windows XP and Windows Server 2003 from here.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights