There was a little surprise buried in Microsoft's monthly security bulletins Tuesday. It turns out that Microsoft had quietly slipped out one of the February fixes, just days before its Jan. 30 Vista launch.
The fix was for a bug in Microsoft's Malware Protection Engine, used by products like Windows Defender, OneCare and Antigen to scan for malware. Microsoft had discovered that the engine could possibly be tricked into running unauthorized code if it scanned a specially crafted PDF file.
Nobody has actually launched such an attack, but since these products are always automatically scanning for malware in the background, the vulnerability could have led to some pretty nasty exploits.
Still, it's strange that Microsoft waited so long to notify its customers of the patch.
It's rare for Microsoft to release one of these out-of-cycle updates, but since they adopted their monthly patch process back in October 2003, they have generally let people know about them as soon as they're released.
Microsoft's Mark Griesi told me that they decided to send out the malware engine fix as soon as it was ready on January 26 and that this kind of quick fix is standard practice with most security software. But he said there was no particular reason why the company decided to wait until February 13 to tell people about it.
Microsoft just hasn't been in the position of having to patch its security software since rolling out the monthly patch process, he added. "It was one of those first-time situations: 'Should we say something now or should we just wait,'" he told me. "This time we decided to wait. We won't do it again."
From a PR perspective, it wasn't a bad move. Microsoft has touted Defender as one of the top three Vista security features. It wouldn't have been much fun to be talking about a major security flaw in the product just days before the Vista launch, would it?