When Microsoft issued an emergency patch for a critical Windows bug six weeks ago, it warned that attacks were in progress and told users to patch immediately.
The message didn't sink in, a security company claimed today.
[ Related: Check out Microsoft's plans to fix eight bugs in the year's final Patch Tuesday. And learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
Based on scans of between 200,000 and 300,000 Windows PCs owned by its customers, Qualys concluded that the patching pace for the October update -- which Microsoft released "out-of-cycle," or outside its normal monthly schedule -- was similar to the rate at which users fixed flaws that the company disclosed several weeks later on its usual Patch Tuesday.
"When Microsoft releases a patch out-of-cycle, we tend to think, 'Wow, why are they doing this? There must be a reason,'" said Wolfgang Kandek, Qualys' chief technology officer. "But it doesn't look like people pick up on that."
Over a six-week span, Qualys tallied the machines vulnerable to the MS08-067 vulnerability Microsoft patched off-schedule in October and counted the PCs vulnerable to a pair of patches released on Nov. 11, tagged MS08-068 and MS08-069. "We counted them, and normalized them against the scan numbers," said Kandek.
The result was surprising. "While we saw reductions in the number of [vulnerability] occurrence found every week, they are fairly even and in line with normal patching distributions we have seen before," said Kandek.
Only in the last week or so did Qualys' data show a sudden drop in the number of machines not yet patched with MS08-067.
Kandek had a ready explanation. "We saw it move [down] when Microsoft and Symantec and Trend Micro said last week, 'We found a worm, here it is and it's spreading,'" he said, referring to the reports this week and last of a worm, dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, that was aggressively exploiting the MS08-067 vulnerability.
Monday, Trend Micro's researchers said that the worm was a key component in the build-up of a massive botnet, and had already hijacked half a million machines.