Microsoft’s speed to get security patches out



Brian Krebs at the Security Fix has done an interesting study related to how long it takes Microsoft to release a security fix for a problem, starting from the time they are notified of the security vulnerability. For the most part, 134.5 days has been the window between notification and vulnerability patching for the last 2 years from Microsoft. (That is for vulnerabilities that were submitted to Microsoft through the normal process…)


For vulnerabilities that were “full disclosure”, “why don’t you tell the whole world….” style, in 2004 they were fixed within 55 days and in 2005 within 46 days. Now, “full disclosure” of vulnerabilities is controversial, many times it comes with exploit code which means any script kiddie will soon have tools in their reach that can exploit the flaw, but those that support full disclosure of vulnerabilities think that vendors respond more quickly. The survey would seem to back that up.

What’s interesting to me is this…. one of the arguments for the traditional process and the closed code concept is. If I discover a vulnerability, the assumption is that I inform Microsoft of the issue and (within 135 days) they fix it. The assumption is that no one else knows about it. There’s an interesting quote though from eEye’s Marc Maiffret…

“You’d think that by taking that much longer on patches Microsoft is being more thorough, but that’s not always the case as we’ve seen,” Maiffret said. “The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets. So, the longer Microsoft takes to patch vulnerabilities the longer they are leaving customers exposed.”

So, it almost makes me think, in spite of the risks of full-disclosure, it doesn’t seem to be THAT bad a solution after all. Updates seem to come out quicker (at least this study seems to show that) and EVERYONE is at least aware of the problem and can deal with workarounds if they choose. It puts the security of the system back in the hands of the administrator.

Related Posts

Blog Traffic Exchange Related Posts
  • Firefox Security Vulnerabilities. In the spirit of a fair look at Mozilla Firefox (after doing a bit of a roasting of IE's security), I've taken a look at Secunia's analysis of Firefox. Currently there are 3 unpatched vulnerabilities on Firefox. This is the summary graphic for what has been addressed since 2003. I......
  • Workaround for the critical WMF zero-day exploit The Windows Meta File (WMF) zero-day (0-day) exploit is apparently, VERY nasty, no user intervention required (unless running firefox or opera). Just VISITING a malicous site (viewing a malicious email with image...) would be enough to get the system owned. It sounds as though a FULL reinstall is the best......
  • Monad will not be in Windows Vista I wrote earlier about "proof of concept" viruses that targeted Monad, the next generation command shell from Microsoft. There had been talk that Monad would ship with Windows Vista and so some people were saying these "proof of concept" virii were the first to target Vista. Well, according to the......
Blog Traffic Exchange Related Websites
  • How to Refinish Furniture When it comes time to replace your furniture, you may be able to save money and refinish the piece of furniture. What that entails is to remove the old finish, prepare for the new finish, and then apply the new finish. A little bit of effort can save you a......
  • The Canyons Ski Resort, Park City, UT The Canyons Ski Resort is located in: Park City, UT Phone: (435) 649-5400 Website: http://www.thecanyons.com/ About the Resort: The Canyons is one of the nicest ski resorts in the Park City area, and although the fees are a bit high, especially during peak periods and on weekends, you do get......
  • Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard An interesting paper by Tim Proffitt titled, "Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard" Vulnerability Assessment, according to wikipedia.org, is the process of identifying and quantifying vulnerabilities in a system. Vulnerability assessment can be used against many different types of systems such as a home......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site