Feeds

Microsoft's delay to patch fuels concerns

Upto the month security policy

The Power of One eBook: Top reasons to choose HP BladeSystem

"The monthly schedule doesn't make the customers more secure," he said. "Microsoft is doing it more for customer convenience than for customer security."

Maiffret also said that fewer announcements of vulnerabilities means that Microsoft's operating system security is under the microscope less often, resulting in less pressure to get flaws fixed.

"Almost every other major software company is still able to produce a patch in a short time, but Microsoft takes six months or more," Maiffret said.

eEye keeps a running total of how long companies have known about certain vulnerabilities. Microsoft has mulled the vulnerability at the top of the company's list for almost six months, according to eEye's Web site. A Microsoft representative was not available for an interview. However, in his posting to the MSRC blog, Microsoft's Reavey said that large-scale testing meant that patches could sometimes be delayed.

"When we moved to a monthly release cycle almost two years ago, we planned for a significant focus on testing," Reavey stated. "That focus means that sometimes the testing process and our decision to only release quality updates might mean a month without any updates."

Other members of the security community lauded the regular schedule introduced by Microsoft, arguing that giving due notice means that patches are more likely to be applied and that makes for better security. "In my scheduled time with limited resources, I allocate a certain amount of time to patching systems," said another network administrator that posted to the DShield security mailing list. "I may not want to do an out-of-band or ad-hoc deployment of a critical patch that is not related to a virus outbreak or worm. I understand the day may arise where 0-day worms are created. However, until such time I am going to stick to my schedule."

The person who posted the comment did not immediately respond to requests for an interview.

Microsoft is not the only company to move to regularly scheduled security updates. Database maker Oracle has also made the move and has also, coincidentally, become the target of criticism for taking too long to produce fixes. In July, security researchers claimed that the company took almost two years to produce a security fix. An Oracle representative was not available for comment.

Such problems can hurt a company's bottom line, according to recent research that has statistically shown many software makers suffer a decline in stock price when vulnerabilities are announced. It's a debate that is unlikely to go away, said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security and a well-known security expert.

"This is the Catch-22 for software vendors," Schneier said. "A badly written, badly tested patch would be worse than the attack. Microsoft has to get it right. The problem is that they also have to get it fast."

Copyright © 2005, SecurityFocus

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.