Microsoft Explains Unusual Approach To Recent Security Update
Microsoft has this week issued a patch for a bug in the system used to develop active web pages. In a change from the company's normal procedures, the update had already been made available for manual downloading before testing was complete.
The bug affected ASP.NET (Active Server Pages), a Microsoft system for creating dynamic rather than static web pages. That could cover a journey planner site that created custom results for the reader, as opposed to a page simply listing bus timetables.
Passwords Exposed by Flaw
The security flaw meant hackers could bypass encryption and see information about the page that was stored on the website server. In some circumstances, the hacker could even tamper with that data, which sometimes included user names and passwords.
Two independent researchers discovered the bug in September and presented their findings at a security conference. Microsoft then issued a temporary workaround and began working on a more permanent fix.
Manual First, Automatic Later
The company did issue an update this past Tuesday but, surprisingly, given that it was a security fix, only made it available for manual download from its security site. At the time, it promised a full automatic update would soon follow. (Source: eweek.com)
Microsoft's reasoning for this move was that it had evidence the security flaw was being actively exploited by hackers. However, by Tuesday it hadn't yet fully completed its standard testing program for patches sent out to every Windows computer. It decided that in the meantime it should make the patch available to those who most needed it, specifically people running ASP.NET-based sites.
Administrators Agitated
Despite the logic of such a move, the situation has not been ideal for tech administrators.
Many have a carefully designed policy for installing patches from the automatic update system across their entire network, a policy that doesn't cover manually visiting Microsoft's site and actively downloading patches. There have been reports of numerous enquiries to Microsoft from administrators uncertain whether they need to get patches and, if so, exactly which to get. (Source: computerworld.com)
Microsoft then sent out the patches through Automatic Updates on Thursday. To some that's a good sign, showing the Redmond firm rapidly responding to the problem. To others, it's a sign that the company could probably have got away with waiting a couple of extra days, using only the Automatic Updates, and avoiding any confusion.
As always, it comes down to the balance between security and convenience, a balance that may always prove a point of contention.