July 09, 2010
By Gregg Keizer | Computerworld
Microsoft said it will deliver four security updates next week to patch five vulnerabilities in Windows and Office, including the bug that a Google researcher took public a month ago.
As expected, the slate for next Tuesday is relatively short: Microsoft has been shipping alternating large and small batches of fixes, with the larger updates landing in even-numbered months. In June, for example, the company issued 10 bulletins that patched a record-tying 34 vulnerabilities. May's collection, meanwhile, amounted to just two bulletins that fixed two flaws.
"This month is light, and would have been even lighter if Tavis hadn't forced them to move faster than their norm [to patch his vulnerability]," said Wolfgang Kandek, the chief technology officer of Qualys.
While some security researchers criticized Ormandy for taking the bug public, others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer, Google.
Last week, a group of anonymous researchers who called themselves the Microsoft-Spurned Researcher Collective (MSRC) -- a play on the acronym used by Microsoft's bug-investigation team -- retaliated by releasing information about an unpatched vulnerability in Windows Vista and Server 2008. The group published its bug report because of what it said was Microsoft's "hostility toward security researchers," and cited the Ormandy incident as the most recent example.
"This shows that Microsoft can move very quickly when it's necessary," said Kandek of Microsoft's patching speed.