Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.
Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008.
On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows.
According to Flake, the problem resides in a collection of code that Microsoft uses in a number of places in Windows. This code "library" is also provided to third-party software makers to help them build programs that can leverage certain built-in features of Windows.
As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.
"The bug is actually much 'deeper' than most people realize," Flake wrote. "MS might have accidentally introduced security vulnerabilities into third party products."
I reached out to Flake for additional information, but he told me that shortly after he published that blog post he received a 3 a.m. phone call from Microsoft asking him please not to comment further.
Microsoft has not officially responded to requests for comment about Flake's research. But a source within Microsoft said Redmond could issue an out-of-band update prior to next month's Patch Tuesday to address the outstanding flaws.
The decision on whether to do that or wait until next month's Patch Tuesday may hinge on whether attackers begin exploiting these other vulnerable areas by using Microsoft's patch (and Flake's research) as a guide to locating the flaws. What's more, this bug is almost certain to be discussed at Black Hat and Defcon, the world's largest annual security conferences, which are being held next week in Las Vegas.