Microsoft’s speed to get security patches out



Brian Krebs at the Security Fix has done an interesting study related to how long it takes Microsoft to release a security fix for a problem, starting from the time they are notified of the security vulnerability. For the most part, 134.5 days has been the window between notification and vulnerability patching for the last 2 years from Microsoft. (That is for vulnerabilities that were submitted to Microsoft through the normal process…)


For vulnerabilities that were “full disclosure”, “why don’t you tell the whole world….” style, in 2004 they were fixed within 55 days and in 2005 within 46 days. Now, “full disclosure” of vulnerabilities is controversial, many times it comes with exploit code which means any script kiddie will soon have tools in their reach that can exploit the flaw, but those that support full disclosure of vulnerabilities think that vendors respond more quickly. The survey would seem to back that up.

What’s interesting to me is this…. one of the arguments for the traditional process and the closed code concept is. If I discover a vulnerability, the assumption is that I inform Microsoft of the issue and (within 135 days) they fix it. The assumption is that no one else knows about it. There’s an interesting quote though from eEye’s Marc Maiffret…

“You’d think that by taking that much longer on patches Microsoft is being more thorough, but that’s not always the case as we’ve seen,” Maiffret said. “The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets. So, the longer Microsoft takes to patch vulnerabilities the longer they are leaving customers exposed.”

So, it almost makes me think, in spite of the risks of full-disclosure, it doesn’t seem to be THAT bad a solution after all. Updates seem to come out quicker (at least this study seems to show that) and EVERYONE is at least aware of the problem and can deal with workarounds if they choose. It puts the security of the system back in the hands of the administrator.

Related Posts

Blog Traffic Exchange Related Posts
  • Monad will not be in Windows Vista I wrote earlier about "proof of concept" viruses that targeted Monad, the next generation command shell from Microsoft. There had been talk that Monad would ship with Windows Vista and so some people were saying these "proof of concept" virii were the first to target Vista. Well, according to the......
  • Microsoft releases patch early for WMF exploit Microsoft has released the patch for the WMF vulnerability that's been all over the news early. It was released to http://windowsupdate.microsoft.com ahead of the previously announced January 10th "patch Tuesday". Congrats to Microsoft for getting this out the door early. That should go a long ways to blunting the attacks......
  • Lotus Notes WMF vulnerability This is really the same zero-day wmf vulnerability, but there is a twist. It's been found that Lotus Notes v. 6.x and up are vulnerable to the Windows Meta File (WMF) exploit that's making the rounds. Probably not surprising given that there are reports of many vectors of attack, not......
Blog Traffic Exchange Related Websites
  • Bristol Mountain, Canandaigua, NY Bristol Mountain Resort is located in - Canandaigua, NY US Phone - (585) 374 6000 Website: http://www.bristolmountain.com/ About the Resort - Bristol Mountain offers the tallest vertical drop among all ski areas between the Adirondacks and the Rocky Mountains, and the longest run is more than two total miles long.......
  • The Canyons Ski Resort, Park City, UT The Canyons Ski Resort is located in: Park City, UT Phone: (435) 649-5400 Website: http://www.thecanyons.com/ About the Resort: The Canyons is one of the nicest ski resorts in the Park City area, and although the fees are a bit high, especially during peak periods and on weekends, you do get......
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site