Feeds

Microsoft's delay to patch fuels concerns

Upto the month security policy

Protecting against web application threats using SSL

"The monthly schedule doesn't make the customers more secure," he said. "Microsoft is doing it more for customer convenience than for customer security."

Maiffret also said that fewer announcements of vulnerabilities means that Microsoft's operating system security is under the microscope less often, resulting in less pressure to get flaws fixed.

"Almost every other major software company is still able to produce a patch in a short time, but Microsoft takes six months or more," Maiffret said.

eEye keeps a running total of how long companies have known about certain vulnerabilities. Microsoft has mulled the vulnerability at the top of the company's list for almost six months, according to eEye's Web site. A Microsoft representative was not available for an interview. However, in his posting to the MSRC blog, Microsoft's Reavey said that large-scale testing meant that patches could sometimes be delayed.

"When we moved to a monthly release cycle almost two years ago, we planned for a significant focus on testing," Reavey stated. "That focus means that sometimes the testing process and our decision to only release quality updates might mean a month without any updates."

Other members of the security community lauded the regular schedule introduced by Microsoft, arguing that giving due notice means that patches are more likely to be applied and that makes for better security. "In my scheduled time with limited resources, I allocate a certain amount of time to patching systems," said another network administrator that posted to the DShield security mailing list. "I may not want to do an out-of-band or ad-hoc deployment of a critical patch that is not related to a virus outbreak or worm. I understand the day may arise where 0-day worms are created. However, until such time I am going to stick to my schedule."

The person who posted the comment did not immediately respond to requests for an interview.

Microsoft is not the only company to move to regularly scheduled security updates. Database maker Oracle has also made the move and has also, coincidentally, become the target of criticism for taking too long to produce fixes. In July, security researchers claimed that the company took almost two years to produce a security fix. An Oracle representative was not available for comment.

Such problems can hurt a company's bottom line, according to recent research that has statistically shown many software makers suffer a decline in stock price when vulnerabilities are announced. It's a debate that is unlikely to go away, said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security and a well-known security expert.

"This is the Catch-22 for software vendors," Schneier said. "A badly written, badly tested patch would be worse than the attack. Microsoft has to get it right. The problem is that they also have to get it fast."

Copyright © 2005, SecurityFocus

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.