June 03, 2006
Microsoft's OneCare blocks zero-day MS-Word bug
Microsoft provides early protection against latest zero-day bug through OneCare.
The zero-day MS-Word bug referenced in Microsoft Security Advisory 919637 (http://www.microsoft.com/technet/security/advisory/919637.mspx) is blocked by Microsoft's OneCare program. This is great news and probably a sign of things to come. I expect more and more vulnerabilities to be blocked in real time by Microsoft and other anti-malware vendors before the official patches are released.
Official patches take time to create, test, and release. Blocking in real time before the patch arrives is a smart approach, and it is not one Microsoft invented. If anything, they are late to the game, but I welcome the new addition to Microsoft's arsenal. For at least three years I've heard rumors from internal sources about this sort of mechanism at Microsoft, and I had wondered what had happened to the project. It's been shoved into OneCare, I guess.
I'm sure I'll have people write to tell me that Microsoft will start to delay the official patch just to sell more OneCare subscriptions, but I don't buy that conspiracy theory. For one, anti-malware companies already routinely offer the same protection, so patching delays would only serve to enrich all vendors and not just Microsoft.
People who ask why Microsoft is in the anti-malware business at all, since its own software is the software with the vulnerability, ask a more valid question. I know the arguments and responses on both sides, and it isn't a flame war I want to get into...but it is a legitimate question for debate. I understand both sides.
For now, I'm glad that more vendors are focusing on real-time blocking of zero-day code.
I'm even getting ready to review a new IPS vendor solution that specifically blocks zero-day exploits before the patch is released. IPSs have long blocked zero-day exploits before they are patched, but this particular solution focuses primarily on zero-day attacks.
Posted by Roger Grimes on June 3, 2006 07:42 AM