NEWPORT BEACH, Calif., Oct. 20, 2003 (PRIMEZONE) -- According to PivX Solutions, Microsoft just released several new patches, MS03-040 thru MS03-047, which render several IE vulnerabilities (`vulns') obsolete. "PivX has been extensively testing the efficacy of the vulns reported to be fixed and we can report that MS03-040 is doing the job it was intended to. Let's just hope users are diligent in applying the patches and implementing other appropriate layers of security," says Rob Shively, CEO of PivX.
"Recently, we have seen a sea change in Microsoft's commitment to rid its IE browser of the vulns that PivX Solutions and other third party researchers have identified," adds Shively. "Given Microsoft's recent positive actions, together with the current rise in attacks against IE, we have taken down our `Unpatched' page. This was done in both a spirit of cooperation and for the good of the Internet as a whole. As the ubiquitous browser that is utilized to access the Internet, we all depend on IE too much to have digital crooks, malcontents and hackers messing with our lifestyles and our livelihoods. Enough is enough!"
For the last two years, `Unpatched' was the pre-eminent place on the Internet where system administrators and independent third party security researchers from around the world came to review and share information about vulnerabilities in Internet Explorer. Information on the page included the severity of vulnerabilities, temporary fixes and workarounds, test cases, and proof of concepts. About 1 in 10 potential vulnerabilities submitted to PivX for review actually passed the test for suitable posting on the `Unpatched' page.
`Unpatched' achieved its initial purpose, says PivX's Larholm: "It was created, updated and maintained in an effort to raise awareness of some of the inherent and dynamic flaws that the security research community discovered in Internet Explorer. The end goal was to provide legitimate parties, including system admins, the knowledge of where they were vulnerable to attacks and to provide some temporary mitigation actions that they could take until Microsoft released a patch or a Service Pack."
PivX has made a significant investment in time and money on `Unpatched', and now that it has served its purpose of raising awareness of a problem and, given that it has helped to usher in many solutions, workarounds and a review of the status quo, the company felt it was time to re-evaluate the page's effectiveness. And, based on Microsoft's communications -- which included their willingness to create meaningful solutions and their recent actions to fix the current problems -- the company has taken the page down.
"It was entirely a PivX management decision to take `Unpatched' down," said Shively. "Look at the state of affairs, notably: the 25 days it took to create LovSan/MSBlaster, as compared to the 295-plus days or so it took to create Code Red; the 200-plus days for the creation of Nimda; and the 100 days it took to develop Slammer ... see a pattern here? The time that it takes to develop exploits against vulnerabilities has declined significantly over the last year. This gives vendors like MS even less time to develop and distribute patches and less time for system admins to deploy them before the vuln is exploited."
This move will allow MS time to develop and review its test cases, patches and Service Packs in a more normal, predictable and manageable manner. For those who depended on the information on the site, PivX is available to consult with system administrators to assist them in developing and implementing appropriate security policies and measures to mitigate the potential of security attacks.
Also, PivX has developed a mitigation utility tool that will act as a "Qwik Fix" to many of the IE vulns that MS is presently working on patching, and those that have yet be located. "This utility will buy Microsoft more time to develop, test and release patches," said Chief Technical Officer, Geoff Shively.
"We have taken this proactive step in an effort to be a larger part of a long-term solution. After all, this is a critical part of our business -- solutions. It's also part of our company name. So we are putting it into action to see if this will contribute in a meaningful way towards the solution of a problem," opines Thor Larholm, Senior Security Researcher at PivX and the man who has been responsible for the establishment and maintenance of the `Unpatched' page on a pro bono basis for the last two years.
With as many as 20,000 daily visitors to the `Unpatched' page, it has become an invaluable resource to system administrators worldwide who are trying to stay abreast of the security research that PivX and other third party researchers have done.
"The bad guys will have to find other ways to discover vulnerabilities that they think they can exploit in Internet Explorer. We are here to help make the Internet and our clients more secure, we are not researching to assist those attempting to compromise systems and to take the Internet down," said CEO Shively.
PivX hopes that this action will spur others in the security research community to join with them in being part of the solution and that this will usher in a new form of collaboration between responsible security researchers and Microsoft
To see the new 'Unpatched' go to: http://www.pivx.com/larholm/unpatched/