Microsoft’s speed to get security patches out



Brian Krebs at the Security Fix has done an interesting study related to how long it takes Microsoft to release a security fix for a problem, starting from the time they are notified of the security vulnerability. For the most part, 134.5 days has been the window between notification and vulnerability patching for the last 2 years from Microsoft. (That is for vulnerabilities that were submitted to Microsoft through the normal process…)


For vulnerabilities that were “full disclosure”, “why don’t you tell the whole world….” style, in 2004 they were fixed within 55 days and in 2005 within 46 days. Now, “full disclosure” of vulnerabilities is controversial, many times it comes with exploit code which means any script kiddie will soon have tools in their reach that can exploit the flaw, but those that support full disclosure of vulnerabilities think that vendors respond more quickly. The survey would seem to back that up.

What’s interesting to me is this…. one of the arguments for the traditional process and the closed code concept is. If I discover a vulnerability, the assumption is that I inform Microsoft of the issue and (within 135 days) they fix it. The assumption is that no one else knows about it. There’s an interesting quote though from eEye’s Marc Maiffret…

“You’d think that by taking that much longer on patches Microsoft is being more thorough, but that’s not always the case as we’ve seen,” Maiffret said. “The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets. So, the longer Microsoft takes to patch vulnerabilities the longer they are leaving customers exposed.”

So, it almost makes me think, in spite of the risks of full-disclosure, it doesn’t seem to be THAT bad a solution after all. Updates seem to come out quicker (at least this study seems to show that) and EVERYONE is at least aware of the problem and can deal with workarounds if they choose. It puts the security of the system back in the hands of the administrator.

Related Posts

Blog Traffic Exchange Related Posts
  • Firefox zero-day vulnerability (or is it?) I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day... the intent here though is to use the word in this context.... "vulnerability has been released without giving the vendor an opportunity to patch..." Yes,......
  • Microsoft was aware of the WMF vulnerability "for years" Bugtraq has an interesting post which picks up on a note in Stephen Toulouse's latest entry on the WMF vulnerability. When I first read the post I was more interested in the way he was responding to allegations of the flaw being an intentional backdoor, but the above bugtraq post......
  • WMF patch from Microsoft expected January 10th The Microsoft security bulletin on the WMF vulnerability has been updated to indicate that Microsoft expects to release an update for the issue in their regular patch release on January 10th. The first couple paragraphs strike me as a bit defensive. Explaining about their immediate mobilization of Incident Response and......
Blog Traffic Exchange Related Websites
  • Feb Edition of Hackin9 - Network Security Another exciting edition of Hackin9 is out and you can download it here.  Information about this edition is located below: ·  Wuala – Secure Online Storage There are a lot of online storage/backup solutions available nowadays and it is hard to find differences between them, but I think Wuala from......
  • Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard An interesting paper by Tim Proffitt titled, "Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard" Vulnerability Assessment, according to wikipedia.org, is the process of identifying and quantifying vulnerabilities in a system. Vulnerability assessment can be used against many different types of systems such as a home......
  • Microsoft to Improve User Access Control in Windows 7 I was just reading a Slashdot article about Microsoft improving User Access Control (UAC) in Windows 7. In the cited PC Pro article, Microsoft engineer Ben Fathi says: We've heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site