The first point is that more zero-days are being released on, or right after, Patch Tuesday. This is no doubt a tactic designed to maximize the shelf life of the exploit: a bug dropped the day after the monthly release has, in the normal course of things, a month before a scheduled fix. I fully expect this trend to continue, especially as more software vendors publish security updates on a standard schedule. I still think scheduled patching reaps more benefit than harm: without it, there would be more zero-day attacks and we'd be patching our systems every week. That drains enterprise resources.
Second: Microsoft had to release this patch (MS08-078) out of band because the vulnerability was already being exploited, and users could get attacked just by visiting a Web site -- even so-called trusted Web sites that had been compromised to serve the exploit. It was getting nasty.
As was explained to Thomas Claburn in this story:
"The browser flaw had been disclosed roughly one week ago as a zero-day vulnerability, and active exploits have been around the Internet for that time frame as well," Qualys CTO Wolfgang Kandek said in an e-mailed statement. "The workarounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible."
That sums it up well. The workarounds were quite kludgy.
However, I have to take partial issue with this take from Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab, Americas, on what it means that a flaw that is not wormable still earned an out-of-band patch:
"[That] shows that the wormability of a vulnerability is no longer a good indicator of the seriousness of a threat and that these Web-based threats are now much more dangerous than network worms," said Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, Americas, in an e-mailed statement.
I see his point, and actually agree that Web-based threats are both more prevalent and more dangerous (in many scenarios I can think of) than network worms. However, "wormability" is still a strong indicator of the seriousness of a threat: a flaw that spreads without user interaction removes the one control, the user's click, that browser-based attacks still depend on.
And we will see more Web-based worms in the future. Why? Because they're more profitable than network worms. The age of the network worm ended largely because there is more profit in developing exploits that make a buck than in worms that essentially cause widespread denial-of-service situations.
Wormable or not. Whether Microsoft should have gone out-of-band with this one, or not. None of that changes the action item: you need to patch MS08-078.
Eric Schultze, CTO at Shavlik Technologies, e-mailed me an interesting wager: "I'd bet you a cookie that many companies can't get it rolled out as quickly as Microsoft got it built."
I'll bet he's right.
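Winning that bet means knowing where the patch has and has not landed. The following is an added example, not code from the original post or from any of the vendors quoted in it: a PowerShell sweep that asks each host in a list whether the MS08-078 update is present. It relies on the fact that MS08-078 shipped as Knowledge Base article KB960714 (a fact, not stated in the post) and on the built-in Get-HotFix cmdlet; the host names are constructed for the example, and the script assumes the account running it has WMI/DCOM access to those hosts.

```powershell
# Added example (not from the original post): verify MS08-078 deployment across hosts.
# MS08-078 was delivered as KB960714; the host names below are constructed placeholders.
$Kb    = 'KB960714'
$Hosts = @('ws-finance-01', 'ws-finance-02', 'srv-intranet-01')   # constructed names

function Test-Ms08078Patch {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $HotFixId = 'KB960714'
    )
    foreach ($h in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over WMI. Pulling the full list and
            # filtering locally keeps "host unreachable" (an exception) distinct from
            # "host reachable but KB absent" (an empty result) without relying on exception types.
            $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                         Where-Object { $_.HotFixID -eq $HotFixId }

            if ($installed) {
                [pscustomobject]@{ Host = $h; Status = 'Patched';
                                   InstalledOn = $installed.InstalledOn; Detail = '' }
            }
            else {
                [pscustomobject]@{ Host = $h; Status = 'MISSING';
                                   InstalledOn = $null; Detail = "$HotFixId not listed" }
            }
        }
        catch {
            # RPC/WMI failure, host offline, or access denied: report it rather than
            # silently counting the host as patched or as missing.
            [pscustomobject]@{ Host = $h; Status = 'UNKNOWN';
                               InstalledOn = $null; Detail = $_.Exception.Message }
        }
    }
}

$Results = Test-Ms08078Patch -ComputerName $Hosts -HotFixId $Kb
$Results | Format-Table -AutoSize

# Anything that is not confirmed patched is the rollout backlog Schultze is betting on.
$Backlog = @($Results | Where-Object { $_.Status -ne 'Patched' })
Write-Host ("{0} of {1} hosts confirmed patched; {2} need follow-up." -f
            ($Results.Count - $Backlog.Count), $Results.Count, $Backlog.Count)
```

Two caveats a practitioner should keep in mind. First, an UNKNOWN result is not a pass: a host you cannot query is a host you cannot vouch for, and it belongs in the backlog until someone confirms it. Second, Win32_QuickFixEngineering reflects what the update installer recorded, so once later cumulative Internet Explorer updates supersede MS08-078 the original KB may or may not still appear in the list; for anything beyond the immediate rollout, check the installed IE binaries' versions against the vendor's bulletin rather than trusting the KB list alone.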