Microsoft’s speed to get security patches out



Brian Krebs at the Security Fix has done an interesting study related to how long it takes Microsoft to release a security fix for a problem, starting from the time they are notified of the security vulnerability. For the most part, 134.5 days has been the window between notification and vulnerability patching for the last 2 years from Microsoft. (That is for vulnerabilities that were submitted to Microsoft through the normal process…)


For vulnerabilities that were “full disclosure”, “why don’t you tell the whole world….” style, in 2004 they were fixed within 55 days and in 2005 within 46 days. Now, “full disclosure” of vulnerabilities is controversial, many times it comes with exploit code which means any script kiddie will soon have tools in their reach that can exploit the flaw, but those that support full disclosure of vulnerabilities think that vendors respond more quickly. The survey would seem to back that up.

What’s interesting to me is this…. one of the arguments for the traditional process and the closed code concept is. If I discover a vulnerability, the assumption is that I inform Microsoft of the issue and (within 135 days) they fix it. The assumption is that no one else knows about it. There’s an interesting quote though from eEye’s Marc Maiffret…

“You’d think that by taking that much longer on patches Microsoft is being more thorough, but that’s not always the case as we’ve seen,” Maiffret said. “The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets. So, the longer Microsoft takes to patch vulnerabilities the longer they are leaving customers exposed.”

So, it almost makes me think, in spite of the risks of full-disclosure, it doesn’t seem to be THAT bad a solution after all. Updates seem to come out quicker (at least this study seems to show that) and EVERYONE is at least aware of the problem and can deal with workarounds if they choose. It puts the security of the system back in the hands of the administrator.

Related Posts

Blog Traffic Exchange Related Posts
  • Workaround for the critical WMF zero-day exploit The Windows Meta File (WMF) zero-day (0-day) exploit is apparently, VERY nasty, no user intervention required (unless running firefox or opera). Just VISITING a malicous site (viewing a malicious email with image...) would be enough to get the system owned. It sounds as though a FULL reinstall is the best......
  • WMF patch from Microsoft expected January 10th The Microsoft security bulletin on the WMF vulnerability has been updated to indicate that Microsoft expects to release an update for the issue in their regular patch release on January 10th. The first couple paragraphs strike me as a bit defensive. Explaining about their immediate mobilization of Incident Response and......
  • Monad will not be in Windows Vista I wrote earlier about "proof of concept" viruses that targeted Monad, the next generation command shell from Microsoft. There had been talk that Monad would ship with Windows Vista and so some people were saying these "proof of concept" virii were the first to target Vista. Well, according to the......
Blog Traffic Exchange Related Websites
  • Low Cost Computing for a Baby Boomer Lifestyle I rely heavily on personal computers for work and home activities. So do you. One of my objectives over the past couple of years has been to reduce the cost of computing in the one area where cost-control is easiest: software. I have found many free software applications that work......
  • Bristol Mountain, Canandaigua, NY Bristol Mountain Resort is located in - Canandaigua, NY US Phone - (585) 374 6000 Website: http://www.bristolmountain.com/ About the Resort - Bristol Mountain offers the tallest vertical drop among all ski areas between the Adirondacks and the Rocky Mountains, and the longest run is more than two total miles long.......
  • Alpine Meadows Ski Resort, Olympic Valley, CA Alpine Meadows Ski Resort is located in: Olympic Valley, CA Phone: (530) 583-4232 Website: http://www.skialpine.com/ History of the Resort: Alpine Meadows has a long history and for many people, it’s considered to be the premier place to ski in the Lake Tahoe area. Although accommodations are limited at the resort......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site