Jan 12
Masters Brian Krebs at SecurityFix has done some nice research into the turnaround from disclosure to patch for all critical Microsoft patches of the last three years (2003-2005). The summaries can be found at: 2003, 2004, 2005.

He contacted the original researchers and Microsoft to verify the dates and times, and Steven Toulous of the MSSRC vetted his results. The summary is:

                                      2003     2004     2005
Number of Critical Patches              33       29       37
Ave. Days from Report to Patch        90.7    134.5    133.5
Ave. Days from Disclosure to Patch    71.1       55       46

This shows that Microsoft has been taking longer to fix 'responsibly' disclosed vulnerabilities, most likely due to its increased testing regime, while fixing publicly disclosed vulnerabilities it was not previously notified of faster. The increase is understandable, and the marginal increase in risk is justified if the risk from faulty patches is greatly decreased. The decrease is a good sign, but 46 days is still far too long: a skilled attacker doesn't need underground sploits if they have that long.

I am currently writing the vendor patch release policy section of my thesis, where I argue first that patch schedules only provide their intended benefits (increased patch quality and allowing end-users to schedule patch deployment) in cases where the vulnerability has been disclosed responsibly. In the case where the vendor finds out about the vulnerability at the same time as the public, neither of these benefits accrues. In this situation, given the willingness of the community to participate, vendors should release beta patches publicly and call for help testing. Take the WMF vulnerability as an example: the community produced an unofficial patch with an MSI version and scripts for large-scale deployment, an FAQ in 17 different languages and vulnerability scanners, to name a few. There is a lot more to this argument, but that's for my thesis.

The OSVDB blog noticed how difficult it was for Krebs to obtain some of these dates and mentioned that "Steven Christey (CVE) and Chris Wysopal (VulnWatch)" have been pushing vendors behind the scenes to release this information, so that vulnerability databases can include it and interesting stats like these can be examined more often.

Anyone want to do an analysis like this for Sun, Oracle and Apple? Particularly Sun and Oracle who have sat on vulnerabilities for years sometimes, Oracle more so.
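For anyone who wants to repeat this kind of analysis for another vendor, the following is an added example (not Krebs's script or data) of how the three figures in the table are derived from per-advisory dates. The advisory records are constructed sample values, not real advisories; the only assumption is that each record carries a private report date (or none, when the vendor learned of the flaw together with the public), a public disclosure date and a patch date.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records (NOT Krebs's data, NOT real advisories).
# "reported"  - date the vendor was privately notified, or None when the
#               vendor first heard of the flaw at public disclosure.
# "disclosed" - date details became public.
# "patched"   - date the vendor shipped the fix.
SAMPLE_ADVISORIES = [
    {"id": "EX-2003-01", "reported": date(2003, 1, 10), "disclosed": date(2003, 3, 1),  "patched": date(2003, 4, 15)},
    {"id": "EX-2003-02", "reported": None,              "disclosed": date(2003, 6, 5),  "patched": date(2003, 6, 20)},
    {"id": "EX-2003-03", "reported": date(2003, 8, 1),  "disclosed": date(2003, 10, 1), "patched": date(2003, 10, 1)},
    {"id": "EX-2004-01", "reported": date(2004, 2, 1),  "disclosed": date(2004, 4, 13), "patched": date(2004, 4, 13)},
    {"id": "EX-2004-02", "reported": date(2004, 5, 1),  "disclosed": date(2004, 6, 1),  "patched": date(2004, 7, 13)},
]


def report_to_patch_days(adv):
    """Days the vendor knew about the flaw before fixing it.

    When there was no private report, the vendor's first notice is the
    public disclosure, so the two windows coincide.
    """
    first_notice = adv["reported"] or adv["disclosed"]
    return (adv["patched"] - first_notice).days


def disclosure_to_patch_days(adv):
    """Days the public (and attackers) had details before a fix existed."""
    return (adv["patched"] - adv["disclosed"]).days


def summarise(advisories):
    """Group advisories by patch year and return the three table figures.

    Also counts how many patches addressed flaws the vendor was not told
    about privately, i.e. where a patch schedule offered no testing window.
    """
    by_year = defaultdict(list)
    for adv in advisories:
        by_year[adv["patched"].year].append(adv)

    summary = {}
    for year, advs in sorted(by_year.items()):
        summary[year] = {
            "count": len(advs),
            "avg_report_to_patch": round(mean(report_to_patch_days(a) for a in advs), 1),
            "avg_disclosure_to_patch": round(mean(disclosure_to_patch_days(a) for a in advs), 1),
            "unreported": sum(1 for a in advs if a["reported"] is None),
        }
    return summary


def exposure_over(advisories, threshold_days):
    """IDs of advisories whose public-exposure window exceeded a threshold."""
    return [a["id"] for a in advisories if disclosure_to_patch_days(a) > threshold_days]


if __name__ == "__main__":
    for year, row in summarise(SAMPLE_ADVISORIES).items():
        print(year, row)
    print("exposed > 40 days:", exposure_over(SAMPLE_ADVISORIES, 40))
```

The `unreported` count is the case argued above: with no private report there is no period in which the vendor can test quietly, so the whole report-to-patch window is also public exposure. `exposure_over` is the quick check for advisories that sat public longer than a chosen threshold.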

Posted by Dominic White

Last modified on 2006-01-13 15:34

1 Trackbacks

  1. Dominic White's .tHE pRODUCT

    Microsoft Patch Speed Inconsistencies
    While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong. O
