Slashdot Mirror


How Long Does it Take Vendors to Release Patches?

MasterMynd asks: "In the IT field I'm frequented with questions regarding security updates of the OS's that we use. In my IT department we use a real mixture of OS's for desktops in addition to our many NOS's. More often than not I don't have an answer to the routine question of how soon a security patch will be available. Normally I give "It should be done in about a week" as my answer. But truth remaining I don't have any answer as to when it will be available because vendors aren't forthcoming about such info. Rumours and anecdotes abound in how long it normally takes to get a patch. Are there any current reports anywhere showing a comparison of how much time it takes to produce a patch or workaround from the time it's discovered until it's available for download, from the major NOS & Desktop vendors?" As computer security becomes more and more important, such resources will become invaluable. Any clues as to where such may be found?

6 comments

  1. easy by DrSkwid · · Score: 1

    it's one day for each inch in this piece of string I have here in my desk drawer!

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  2. Honesty is the best policy by Anonymous Coward · · Score: 1, Insightful

    More often than not I don't have an answer to the routine question of how soon a security patch will be available. Normally I give "It should be done in about a week" as my answer. But truth remaining I don't have any answer as to when it will be available because vendors aren't forthcoming about such info.

    How about a more honest "I don't know because the vendor hasn't announced a schedule." Or, "I'll install the patch as soon as it is available."

  3. Even MS has a good track record here.... by Anonymous Coward · · Score: 0

    Please note NIMDA and CodeRed* were patched a month or more before they were exploited. The weakness here is usually admins, not the vendors. So patch those boxes!!!!!!!

  4. Securityfocus study by pthisis · · Score: 2

    Securityfocus did this sort of study.

    I can't find the whole thing, but there's a summary at Linux Weekly News, and googling for "days recess security focus microsoft linux" or similar might help (days of recess is a measure of response time).

    Sumner

    --
    rage, rage against the dying of the light
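A small script, added here as an example and not taken from the Securityfocus study or anything else in this thread, that computes the "days of recess" measure the comment mentions: days from disclosure to a downloadable patch, summarised per vendor, plus whether any in-the-wild exploitation came before or after the patch existed (the admins-versus-vendors distinction comment 3 draws). Vendor names, advisory ids and dates are constructed, not real records.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Advisory:
    vendor: str
    advisory_id: str
    disclosed: date                    # day the flaw was reported/disclosed
    patched: Optional[date]            # day a fix was downloadable; None = still open
    exploited: Optional[date] = None   # first known in-the-wild exploitation, if any

    def days_of_recess(self, today: date) -> int:
        """Days from disclosure to patch; open issues keep counting up to 'today'."""
        return ((self.patched or today) - self.disclosed).days

    def exposure(self, today: date) -> str:
        """Who owned the risk window: nobody, the vendor, or the admins."""
        if self.exploited is None:
            return "not exploited"
        if self.patched is None or self.exploited < self.patched:
            gap = ((self.patched or today) - self.exploited).days
            return f"vendor gap: exploited {gap} day(s) before a patch existed"
        lead = (self.exploited - self.patched).days
        return f"admin gap: patch was available {lead} day(s) before exploitation"


def vendor_report(advisories, today):
    """Per-vendor median and max days of recess, plus count of still-open issues."""
    by_vendor = {}
    for a in advisories:
        by_vendor.setdefault(a.vendor, []).append(a)
    return {
        v: {
            "median_days": median(a.days_of_recess(today) for a in items),
            "max_days": max(a.days_of_recess(today) for a in items),
            "open": sum(a.patched is None for a in items),
        }
        for v, items in by_vendor.items()
    }


# Constructed sample data: fictitious vendors, advisory ids and dates.
TODAY = date(2001, 10, 1)
SAMPLE = [
    Advisory("vendor-a", "VA-01", date(2001, 6, 1), date(2001, 6, 5)),
    Advisory("vendor-a", "VA-02", date(2001, 6, 18), date(2001, 7, 2), exploited=date(2001, 8, 1)),
    Advisory("vendor-a", "VA-03", date(2001, 9, 10), None),
    Advisory("vendor-b", "VB-01", date(2001, 7, 1), date(2001, 7, 3), exploited=date(2001, 7, 2)),
    Advisory("vendor-b", "VB-02", date(2001, 8, 1), date(2001, 8, 31)),
]
```

Running `vendor_report(SAMPLE, TODAY)` gives vendor-a a median of 14 days (one issue still open), vendor-b a median of 16 days; `Advisory.exposure` separates VB-01 (exploited a day before its patch) from VA-02 (patch out 30 days before exploitation, the Code Red pattern).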
  5. Patch vs. disclosure by ezs · · Score: 1

    My own view is that the software vendor should release 'timely' patches - in many cases less than one week is good going (Apple patches OSX); in other cases a major architectural change may be required which would lead to a 'workaround' until fixed. I suppose this really comes back to the key question of how security defects/exploits are reported - to the vendor in a responsible manner, to the vendor under a "less open" mechanism (ahem - see /. past, present and future) or directly to the net at large.

    --
    Evil ZEN Scientist
  6. Depends if it is a windows bug by Anonymous Coward · · Score: 0

    if it is a windows bug, and it is annoying to a minority of people (ie moving a public folder from the primary exchange 5.5 server to the secondary and trying to remove all references from the first one without using raw delete coz you're retiring that server), or a fundamental design flaw (ie iis4/iis5), then you will be forced to purchase the next release of the software, because it doesn't make sense to fix those bugs in this release. It just doesn't make $$ sense.