Microsoft Taking Longer to Fix Flaws

An anonymous reader writes "A look back at the last three years of security patches from Microsoft shows Redmond is taking at least 25 percent longer to issue patches for "critical" vulnerabilities, now averaging around 135 days to issue a fix. The exception appears to be with "full disclosure" flaws, for which Redmond issued fixes in an average of 46 days last year."

Meh

Seems as though the reason stems from the fact that Microsoft actually has to make sure their patches are compatible with the rest of the things they support. As they support more and more hard and software, the total can only go up.

Re:Meh

[varmittang]

So Linux doesn't? I mean, it runs on more hardware, PPC, SPARC, blah blah put your chip in here. Linux also has multiple languages and lots of programs that need to share the same libraries. Sure you are more likely to have something break in Linux after a patch, but usually a few hours or a day later you have a patch for the program that got broken so it works properly again, although I haven't had a program break due to a security patch yet on Linux but I have on MS. And Linux vendors have their patches out quicker than MS. So, again, why does MS take so long?

Re:Meh

[The+Angry+Mick]

So, again, why does MS take so long?

The legal department?

Do expoits speed up the fixing?

[chriss]

The most interesting result of Security Fix's study is that Microsoft took longer to fix a problem if the researcher waited to disclose the problem until after Microsoft published the patch.

I'd like to know if the time to issue a fix also depends on existing exploits, i.e. is Microsoft faster if there is already an exploit out there. If yes, than it seems obvious that Microsoft does not really put as much afford into fixing bugs as they claim, they're "motivated" by public pressure.

One explanation for additional delay in case of a not yet disclosed or not yet exploited problem may be more thorough testing, so it may not even be a bad thing. But I'm afraid that the delay is not really "in the best of the customers", more in the best of Microsoft. I have no prove, but it seems to be the general company policy.

Chriss

--
memomo.net - brush up your German, French, Spanish or Italian - online and free

Re:Do expoits speed up the fixing?

[innocent_white_lamb]

One explanation for additional delay in case of a not yet disclosed or not yet exploited problem may be more thorough testing, so it may not even be a bad thing.
 
The problem with this is simply that you can never know that a given exploit is NOT being taken advantage of somewhere. "It's safe for now; nobody knows about it." Meanwhile someone is quietly carrying the goods out of the back door somewhere.
 
Just because a flaw isn't being broadcast from the rooftops doesn't mean that it's not being quitely exploited.
 
That's my concern with the concept of "responsible disclosure." If I have a vulnerable system I want to know about it even if there is no current fix available. I can always make physical or software changes to avoid problems if I know about them, right up to pulling the plug if I have to. If I know about the problem. Otherwise I can be merrily carrying out my normal routine while someone is getting ready to pull the rug out from under me.
 
Tell me if there is a problem and I can deal with it or not as I choose. If I don't know about the problem, I don't have that choice.

Why is this a bad thing?

[esac17]

In the Linux world, the deployment of a bug fix and discovery of any potential bugs is part of the testing cycle. So you get a quick turn around time when a bug is reported.

When Microsoft has to issue a bug fix (and all jokes aside about not testing), I am sure they have a team devoted to testing it, then it has to get sent to all internal Microsoft employees and tested, and then probably even has some initial customer testing with the bigger companies to make sure nothing breaks, and then finally gets released to the public.

Hopefully 165 or 365 days .. whatever it takes to make sure it is tested is a GOOD thing. I don't want to be their beta tester :)

Re:Why is this a bad thing?

[randyflood]

You ask why it is a bad thing if the time between the discovery of a security vunerability and the time to relase a patch is increasing. You ackowlegde that in the Linux world, patches are fixed much faster due to their development model. So why is it a big deal if hackers can own your systems for longer without a patch being availiable? Isn't it obvious? HACKERS CAN OWN YOUR SYSTEM FOR LONGER BECAUSE A PATCH IS NOT AVAILIABLE. That is what the big deal is. They can use whatever development model they want. Releasing shoddy patches is only one solution that is available to them. The fact that they are able to cut the time it takes to release a patch in half if a working exploit has been publically released shows that it is more a matter of what resources they want to bring to bear on the problem rather than the minimum time to release a good patch. Or another way of stating this is, they are 25% less concerned with getting patches out in a timely manner than they used to be. So, the importance of security at Microsoft is decreasing.

Re:Why is this a bad thing?

[po8]

It's a bad thing because Linux's process—which involves having thousands of alpha and beta testers of the patch with direct access to the source code and the knowledge to make that access useful deploy it on their boxes—turns out to produce better patches faster. You, as a user who "doesn't want to be their beta tester", don't have to be. In 5-10 days (not 46 or 135) your distro vendor will have enough evidence that the patch is harmless and effective that they will make it available to you, and you will have enough evidence that you can make a rational decision about whether you want it.

Re:And this is bad why?

[kg4gyt]

Focusing on the exploits or not, 46 days is a long time to wait for a critical fix.

Does Full Disclosure Increase Eventual Harm?

[ThinkFr33ly]

While it is certainly interesting (if true) that Microsoft takes longer to release patches with no known exploits roaming around, I would find it far more interesting to see which causes more harm: the longer patch times or the full disclosure.

Just because Microsoft releases a patch quicker when full disclosure is used doesn't mean this results in less harm to users. It might take Microsoft 200 days to release a patch, but if the only people who know about the bug are the researchers who discovered it and Microsoft, then the end result is that little harm was done to the users.

If, however, an easily understandable exploit is posted before Microsoft has fixed the bug, those 45 days might be a lot more dangerous for those users than the 200 days in the previous example.

Of course, it's very difficult to know if the security researchers who discovered the bug are the only ones with knowledge of that bug. Could other people know about it and be actively using it to compromise machines? Maybe. But I would really like to see some data on this.

I suspect that the vast majority of major worms and viruses take advantage of well known exploits published on the Internet by usually well meaning security researchers. Certainly all of the major worms I can think of off the top of my head follow this pattern. (MYTOB, LOVGATE, NETSKY, SASSER, ZAFI, SOBER, BAGEL, etc.)

If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.

So I guess which approach you take depends on your goal. If your goal is the glory of a 0-day exploit, then post away. But if your goal is the security of the end user, maybe you should keep it to yourself for the time being.

Re:Does Full Disclosure Increase Eventual Harm?

[Todd+Knarr]

If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.

I'd counter that with the WMF vulnerability. The details of it were released with no Microsoft patch available. Now, once I know where the vulnerability is, I can protect myself immediately by unregistering the offending DLL and using my registry-monitoring tool to block any attempt by other software to re-register it. Or I can take advantage of a third-party patch. Either way, I'm protected during the window from disclosure to me until Microsoft releases a permanent fix. Without disclosure, I'm wide open during that window and I don't even know it.

That's the down-side of non-disclosure that the anti-full-disclosure people don't want to mention: non-disclosure may keep the bad guys from finding out about the problem, but it also prevents users from taking any prophylactic steps of their own like blocking firewall ports, disabling vulnerable services or removing the offending software pending a fix.

Re:And this is bad why?

[saleenS281]

when you're accountable to that many customers with so many "supported" configurations, it takes a while to test. They don't have the luxury of most linux distro's where if it breaks some obscure program they can go "whupps, well, tell the author to write a fix for his app".

Re:And this is bad why?

[Lifewish]

when you're accountable to that many customers with so many "supported" configurations, it takes a while to test. They don't have the luxury of most linux distro's where if it breaks some obscure program they can go "whupps, well, tell the author to write a fix for his app". And yet Debian manages to consistently not break stuff despite supporting more architectures than Microsoft could dream of.

Apart from that time a while back when they had to transition between GCC versions, that could have been better managed. I hold out hope that one day GCC will come out with some specification to ensure binary compatibility.

It would be more informative ...

If only they reported a MEDIAN time to fix rather than an AVERAGE.

Assuming that the more important repairs are done in under thirty days,
I'm willing to overlook the 365 day fixes that push the average way up.

How much would it cost?

[khasim]

when you're accountable to that many customers with so many "supported" configurations, it takes a while to test.

What is this "a while"?

Is it a day?
Is it a week?
Is it a month?

Doesn't Microsoft have enough money to maintain images of different configurations just for such testing?

Doesn't Microsoft have the people who could automate such testing?

Is the problem that they don't have enough money? Or that they don't have people who are smart enough? Or that they just aren't doing it?

Re:How much would it cost?

I think it's more along the line of how long does it take to build the binaries for the new components and run it through a battery of automated test scripts.

The software that we write at my current employer is a complex vector editing system and image RIPing. Our regression test suite can take up to 3 days to run. Whoops, that last fix broke something in abc.dll that depended on some behavior coming from def.dll. That will take a day to fix, 4 hours to build and rerun the test suite. Rince repeat until no more errors. An average fix may take us up to 10 days to code, test and deploy for patching.

The thought of regression testing on an entire OS gives me the sweats.

Doesn't seem too awful

[XMilkProject]

The timeframe doesn't seem entirely unreasonable. When you think that they are releasing a patch which will be automatically downloaded and installed on literally tens of millions of computers, most of which without any system administrator to aid in the process.

That is a daunting task, and I can imagine theres a very lengthy process a patch must go through.

To Microsofts credit, I can hardly remember a time that a patch was released which cuased any major problems, which in itself is a great achievement given the amazing variety of hardware and software the users may have. There was of course alot of hype over compatibility issues in SP2, but to the best of my knowledge any actual issues were understood ahead of time and due to compromises that were made intentionally for one reason or another.

Re:And this is bad why?

[freshman_a]

when you're accountable to that many customers

When who's accountable? The disclaimer included with the last MS security update I downloaded read as follows:

In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.

Now, unless I misunderstood, it's telling me that if I install said security patch, and it breaks something, I can't hold MS accountable.

On Full Disclosure

[SHP]

A common argument of those who oppose full disclosure is that it does harm by allowing the development of worms, and provides infection vectors for Spyware. I personally think the widespread worms are a good thing. The act like wildfire clearing the underbrush of vulnerable machines.

What really concerns me is not some 14 year kid in Bulgaria playing "my botnet is bigger than yours" games. I'm concerned about hostile governments, terrorist groups, and organized criminals who already have a stable of zero day holes to attack my company's systems. These are the threats that keep corporate and government security teams awake at night. All the piddly little public nuisances are just ploys to get funding.

Yesterday, eEye released information about a Windows hole that they reported over 5 months ago. The WMF hole was known to Microsoft long ago, and has existed for YEARS! Does anyone really believe that the REAL bad guys don't have the knowledge to get inside any (at at least very nearly any) company in the world. The US military is getting hacked for God's sake.

I say full disclosure now. It won't make us less secure, it will only appear to.

-SHP

Re:And this is bad why?

[Lifewish]

Strictly from a customer-is-always-right point of view, what's their excuse? Not enough testors? Not enough programmers? Not enough managers?

I'd go with "not enough clearly-defined interfaces". If software producers are forced to use undocumented APIs to get their product working fast/well enough, it seems obvious that any behind-the-scenes changes are going to break a whole load of products.

Re:And this is bad why?

[Itchy+Rich]

Now, unless I misunderstood, it's telling me that if I install said security patch, and it breaks something, I can't hold MS accountable.

You may or may not be able to hold them accountable in court, but third party adjudication is not the only form of accountability.

If Microsoft didn't bother to test their patches carefully they'd risk upsetting their corporate customers, and hence their bottom line.

MS is a very lucky company.

[WhiteWolf666]

Why? Because the black hat community is very, very nice to MS.

I've never met a truly destructive worm or trojan. I don't mean one that disabled systems as a side effect of its operation. I mean one specifically designed to destroy data, and/or BIOS/CMOS/anything flashable.

A 4 month patch cycle. I imagine that if North Korea, or whoever felt angry about the global economy, decided to try and do something devestating that they could easily prepare some kind of trojan payload that would install itself, replicate for a week or so, and then destroy the system in question. Blow away the BIOS (won't be determined until a reboot), blow away the partition table, and then start writing loads of garbage all over the disk.

Such a worm would break MS. MS execs would be brought before a congressional hearing.

That is, after banks, airlines, and major companies managed to rebuild some kind of IT infrastructure.

MS is very luck that no black hats have decided to do such a thing. I guess its most likely because no one wants to bring THAT kind of heat down upon themselves.

Re:Not the WMF vulnerability

[jav1231]

"I guess it all depends on how serious the flaw is."
Or how much press they're getting for not having one.

Re:And this is bad why?

[Fruit]

Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

Actually, yes. Just like they always have.

Re:And this is bad why?

[swillden]

Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

Good point. Similarly, Let's say MS releases a product that ends up causing major problems for mission critical systems at nearly every Fortune 500 company, a product that requires them to spend exorbitant amounts of money and resources on keeping the systems free of malware, which occasionally gets through anyway, wreaking havoc on productivity. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

Oh, wait...

Kind of Applogetic...

[EXTomar]

This would be akin to having the anology of cars without modern safety features. "Personally, I have NEVER had a serious injury while driving any car because I take simple preventative measures like buying seat belts, safety glass, and air bags." The question one should be asking is why does the user have to buy "seat belts, safety glass, and air bags" for their computer in the first place?? Shouldn't these things be standard features? Turning around responsiblity to the user is allowing MS off the hook. Users are using Windows as designed and getting sometimes serious malfunctions. It would be one thing if people were abusing their machines and breaking them. It is something else to be normally surfing the internet, reading email, or doing any other nominal activity and hitting a serious problem that leaves their system bare to the hackers. This is squarely Microsoft's problem not the users!!

I'm tired of this kind of applogetic excusing for Microsoft. As much as people want to blame the users, its still all in MS's lap since many of the problems stem from software doing things that it should never be allowed to do in the first place. AV software, hardware and software firewalls, malware scanners...its all a hack to stop users from breaking their machines doing normal operations because MS won't or can't engineer a system that disallows it.

Years of experience on other systems have shown that computers are complex machines with complex interactions all of which are prone to error and worst exploit if not carefully designed. On the other hand Microsoft sold most of the world on the promise that Windows is as easy to use as a VCR and requires just as much maintaince and look at where we are. We have to throw more and more money and time into work arounds while MS takes longer and longer to fix up things. Why aren't more people asking why does Windows work this way?

The Microsoft Effect

[SgtChaireBourne]

There's a lot of misdirection going on here. The day an exploit is made public is not the same as when the bug it uses is reported. Nor is that the same as when the bug is found, not is that the same as when MS acknowledges the bug.

We're dealing with a number of different dates, some of which are often months or years apart:

1. Date bug found by black hat
2. Date bug found by white hat
3. Date bug is reported
4. Date bug is made public
5. Date exploit is published
6. Date exploit is found 'in the wild'
7. Date MS acknowledges the bug
8. Date MS announces a patch
9. Date MS releases a patch
10. Date MS releases a patch that fixes the bug / repairs damage from first patch

Somehow, being a political movement / cult, MS becomes exempt from the rules of a normal business and from what customers expect. No other device or appliance has had even a fraction of the defects as MS' without going through a major product recall. Our dear Chairman Bill will go down in history as the man that made bad engineering acceptible aka the Microsoft Effect

Re:And this is bad why?

[pembo13]

You mean they will upset the companies IT department. I hardly think that would trouble management that much.