| FRONTPAGE | DOWNLOADS | ABOUT ME | TERMS & CONDITIONS |

SA Security Bloggers

link SensePost
link Haroon Meer
link Matt Erasmus
link Andrew Mohawk
link Junaid Loonat
link Barry Irwin
link Tom Wells
link Allen Baranov
link Jock Forrester
link IT Security Pubcast
link Telspace
link ISGAfrica
link Ralfe Poisson

Popular Entries

Articles
link Vulnerability Life Cycle - threat modelling
link Web Hacking 2.0
link Why Exploit Markets are Bad
link Ettercap-NG Workings and Defence
link The Zotob Summary

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.
Random Entry: Keeping Busy
< Vendor Patch Speed | Patch Time Graphs >

Friday, January 13. 2006

Microsoft Patch Speed Inconsistencies

Masters

While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong. On double checking it seems they were. The calculations for 2005 were particularly bad with a total of 118 days going missing or being added. There are many off by one errors and in one case the disclosure date was listed after the patch release date, once the year was changed from 2003 to 2002 it made sense. For both 2003 and 2004 the number of patches were counted incorrectly! Given that the information was vetted by Stephen Toulouse of Microsoft, it is strange they they both missed this. The other possibility is that I have missed something, anyone care to double check my calculations? Brian has since seen this post and linked to it.

A spreadsheet is available with my calculations next to Krebs. In my corrected days column I have italicized and centered the days where my results and his disagree. I used Open Office's DAYS() function I just do a normal subtraction to calculate the difference in the days.

While the errors were sometimes quite large, the average calculations are not badly affected as the days were sometimes higher, and othertimes lower than they should be. The dates are still hugely useful, and all sorts of interesting information can be derived from them (eg1, eg2), it would be nice to have the same info for other vendors. Thus, the new summary is:

200320042005
Number of Critical Patches342837
Ave. Days from Report to Patch90.7136134
Ave. Days from Disclosure to Patch73.65546

UPDATE: added link to SecurityFix's follow-up post and Dan Geer's work

Posted by Dominic White in Masters at 15:13 | Comments (2) | Trackback (1)
Last modified on 2006-01-14 21:33

Trackbacks
Trackback specific URI for this entry

Patch Time Graphs
After fiddling with Brian Kreb's work yesterday, I decided to take it a step further and draw some pretty graphs. Here the patches were sorted into chronological order based on the date of the original report. It is interesting to note that Microsoft pa
Weblog: Dominic White's .tHE pRODUCT
Tracked: Jan 14, 14:01

Comments
Display comments as (Linear | Threaded)

There's a mistake in your Excel spreadsheet that prevents the number of days from displaying. The formula you used in OpenOffice to calculate the number of days -- =DAYS(D2;E2) -- does not exist in Excel. The correct formula is =E2-D2 ; the result needs to be formatted for 0 decimal places.
#1 jmsimons on 2006-01-13 20:11 (Reply)
Thank you very much. I just exported straight to Excel and didn't check. It has been corrected.
#1.1 Dominic White (Homepage) on 2006-01-13 21:43 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Quicksearch

Security Blogs

* ha.ckers.org web application security lab: Browser Differences, Minutia Et Al…

* terminal23: writing compensating controls

* deep inside | security & tools: WASC Threat Classification 2 - Wordle

* Schneier on Security: UAE Man-in-the-Middle Attack Against SSL

* terminal23: incomplete thoughts: dreamy aspects of a solid security posture

* terminal23: incomplete thoughts: 5 of my security pet peeves

* terminal23: incomplete: a better representation of risk and compliance

* terminal23: incomplete: shmoocon podcaster's meetup interesting topics

* terminal23: incomplete: fundamental cultural changes caused by the internet

* terminal23: incomplete: leveling up your security career wow-style

* terminal23: incomplete thoughts: really changing the game?

* Schneier on Security: Successful Attack Against a Quantum Cryptography System

* terminal23: thoughts on the 2010 verizon dbir

* Security Vulnerability Research & Defense: The Enhanced Mitigation Experience Toolkit 2.0 is Now Available

* terminal23: housekeeping - decompression

* terminal23: kidney punches from the windows dll hijacking vuln

* Justice League: Remediation – The Game

* Schneier on Security: Cyber-Offence is the New Cyber-Defense

* ha.ckers.org web application security lab: Throttling Traffic Using CSS + Chunked Encoding

* ha.ckers.org web application security lab: Pyloris and Metering Traffic

(c) Dominic White 2010