Microsoft defends 100-day ANI patch process

Microsoft first learned of the animated cursor flaw in Windows in December 2006, more than 100 days before it released an emergency patch. The release marked just the third time in more than two years it has released an out-of-cycle security update. The head of the company's security research lab defended the time spent investigating, […]

Microsoft first learned of the animated cursor flaw in Windows in December 2006, more than 100 days before it released an emergency patch. The release marked just the third time in more than two years it has released an out-of-cycle security update.

The head of the company's security research lab defended the time spent investigating, developing and testing the fix. "Engineering a patch is a long, complex process," director of the Microsoft Security Response Center (MSRC), Mark Miller, said. "We look at surrounding areas of code for similar vulnerabilities and, from our internal investigation, address as many as we can find."

Microsoft was alerted to the ANI file bug on December 20 by Alexander Sotirov, a vulnerability researcher at Determina. By mid-March, when Microsoft skipped its usual second-Tuesday-of-the-month updates, the investigation had been completed and a patch created, Miller said. "But it was still undergoing testing," he said, explaining why the patch wasn't released then.

View: Full post

Microsoft, Windows, Defend, ANI, Patch, Process