Microsoft’s speed to get security patches out



Brian Krebs at the Security Fix has done an interesting study related to how long it takes Microsoft to release a security fix for a problem, starting from the time they are notified of the security vulnerability. For the most part, 134.5 days has been the window between notification and vulnerability patching for the last 2 years from Microsoft. (That is for vulnerabilities that were submitted to Microsoft through the normal process…)


For vulnerabilities that were “full disclosure”, “why don’t you tell the whole world….” style, in 2004 they were fixed within 55 days and in 2005 within 46 days. Now, “full disclosure” of vulnerabilities is controversial, many times it comes with exploit code which means any script kiddie will soon have tools in their reach that can exploit the flaw, but those that support full disclosure of vulnerabilities think that vendors respond more quickly. The survey would seem to back that up.

What’s interesting to me is this…. one of the arguments for the traditional process and the closed code concept is. If I discover a vulnerability, the assumption is that I inform Microsoft of the issue and (within 135 days) they fix it. The assumption is that no one else knows about it. There’s an interesting quote though from eEye’s Marc Maiffret…

“You’d think that by taking that much longer on patches Microsoft is being more thorough, but that’s not always the case as we’ve seen,” Maiffret said. “The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets. So, the longer Microsoft takes to patch vulnerabilities the longer they are leaving customers exposed.”

So, it almost makes me think, in spite of the risks of full-disclosure, it doesn’t seem to be THAT bad a solution after all. Updates seem to come out quicker (at least this study seems to show that) and EVERYONE is at least aware of the problem and can deal with workarounds if they choose. It puts the security of the system back in the hands of the administrator.

Related Posts

Blog Traffic Exchange Related Posts
  • Microsoft was aware of the WMF vulnerability "for years" Bugtraq has an interesting post which picks up on a note in Stephen Toulouse's latest entry on the WMF vulnerability. When I first read the post I was more interested in the way he was responding to allegations of the flaw being an intentional backdoor, but the above bugtraq post......
  • Firefox zero-day vulnerability (or is it?) I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day... the intent here though is to use the word in this context.... "vulnerability has been released without giving the vendor an opportunity to patch..." Yes,......
  • Microsoft releases patch early for WMF exploit Microsoft has released the patch for the WMF vulnerability that's been all over the news early. It was released to http://windowsupdate.microsoft.com ahead of the previously announced January 10th "patch Tuesday". Congrats to Microsoft for getting this out the door early. That should go a long ways to blunting the attacks......
Blog Traffic Exchange Related Websites
  • Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard An interesting paper by Tim Proffitt titled, "Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard" Vulnerability Assessment, according to wikipedia.org, is the process of identifying and quantifying vulnerabilities in a system. Vulnerability assessment can be used against many different types of systems such as a home......
  • Alpine Meadows Ski Resort, Olympic Valley, CA Alpine Meadows Ski Resort is located in: Olympic Valley, CA Phone: (530) 583-4232 Website: http://www.skialpine.com/ History of the Resort: Alpine Meadows has a long history and for many people, it’s considered to be the premier place to ski in the Lake Tahoe area. Although accommodations are limited at the resort......
  • Microsoft to Improve User Access Control in Windows 7 I was just reading a Slashdot article about Microsoft improving User Access Control (UAC) in Windows 7. In the cited PC Pro article, Microsoft engineer Ben Fathi says: We've heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site