Brian Krebs at Security Fix reported on how long Microsoft takes to patch a Windows vulnerability once it is known.
For many years, Microsoft has been criticized for taking too long to issue patches, especially when compared with patch releases for flaws found in operating systems or software applications maintained by the open source community, such as Linux or Mozilla’s Firefox browser. But I wanted to find out for myself just how long Microsoft takes on average to issue fixes for known software flaws.
Finding no such comprehensive research, Security Fix set about digging through the publicly available data for each patch that Microsoft issued over the past three years that earned a “critical” rating. Microsoft considers a patch “critical” if it fixes a security hole that attackers could use to break into and take control over vulnerable Windows computers.
Although Microsoft has taken less time in recent years and the quality of its patches has improved, the most notable thing Brian discovered is that, despite Microsoft’s constant complaints about full disclosure, it takes them considerably less time to patch a vulnerability when the vulnerability is released to Microsoft and the public at the same time.
Here’s what we found: Over the past three years, Microsoft has actually taken longer to issue critical fixes when researchers waited to disclose their research until after the company issued a patch. In 2003, Microsoft took an average of three months to issue patches for problems reported to them. In 2004, that time frame shot up to 134.5 days, a number that remained virtually unchanged in 2005.
The WMF vulnerability was released and fixed very quickly indeed (albeit in 2006, and so not part of the three-year span Brian Krebs was reviewing), helped along by the trailblazing work in the unofficial patch that Ilfak Guilfanov made widely available through Steve Gibson’s Security Now pages at GRC.com (Gibson is the developer of SpinRite and ShieldsUP!). NOTE: Steve Gibson has noted on his main page that Microsoft has now released the official patch and steers folks there. (More info and an interview with Ilfak Guilfanov are in Episode #21 of Security Now!)
Brian had this to say about the WMF vulnerability:
I mention the WMF patch because earlier this week security researchers posted to the public Bugtraq software vulnerability list some exploit code for at least two more security flaws in the same WMF engine Microsoft patched last week. While those flaws (at least for now) are considered less dangerous than the problem Redmond fixed last week, it does raise questions about the Microsoft team charged with finding these problems. The vulnerabilities have apparently been present in the Windows operating system code dating back to Windows 3.0. Toulouse maintains that Microsoft had already flagged those glitches prior to the exploit code posting on Bugtraq, but because the company didn’t see them as a big security threat, it did not hold up the WMF patch to include fixes for them.
Very interesting, very interesting indeed.
Thanks to Klok for bringing this article to our attention.
EDIT: Great article with an interview with Ilfak Guilfanov. The article, by Robert Lemos at SecurityFocus, is entitled Patching a broken Windows.