Jan 13
Masters

While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong, and on double checking it seems they were. The calculations for 2005 were particularly bad, with a total of 118 days going missing or being added. There are many off-by-one errors, and in one case the disclosure date was listed after the patch release date; once the year was changed from 2003 to 2002 it made sense. For both 2003 and 2004 the number of patches was counted incorrectly! Given that the information was vetted by Stephen Toulouse of Microsoft, it is strange that they both missed this. The other possibility is that I have missed something; anyone care to double check my calculations? Brian has since seen this post and linked to it.

A spreadsheet is available with my calculations next to Krebs's. In my corrected days column I have italicized and centered the days where my results and his disagree. I used OpenOffice's DAYS() function; now I just do a normal subtraction to calculate the difference in days.

While the errors were sometimes quite large, the average calculations are not badly affected, as the days were sometimes higher and other times lower than they should be. The dates are still hugely useful, and all sorts of interesting information can be derived from them (eg1, eg2); it would be nice to have the same info for other vendors. Thus, the new summary is:

                                     2003   2004   2005
Number of Critical Patches             34     28     37
Ave. Days from Report to Patch       90.7    136    134
Ave. Days from Disclosure to Patch   73.6     55     46
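The checks described above (plain date subtraction with no off-by-one fudge, catching a disclosure date that lands after the patch release because of a year typo, and counting patches per year before averaging) can be done in a few lines. The script below is an added example, not the post's spreadsheet or Krebs's data; the bulletin ids and dates in SAMPLE_ROWS are constructed, and the third row deliberately carries a year typo so the sanity check has something to catch.

```python
from datetime import date
from collections import defaultdict

# Constructed sample rows (NOT Krebs's data): bulletin id, report date,
# public disclosure date, patch release date. Row 3 has a deliberate
# year typo in the patch date so it lands before the disclosure date,
# the kind of error the post describes.
SAMPLE_ROWS = [
    ("MS-EXAMPLE-01", date(2003, 1, 10), date(2003, 3, 1),  date(2003, 4, 9)),
    ("MS-EXAMPLE-02", date(2003, 6, 1),  date(2003, 8, 15), date(2003, 10, 15)),
    ("MS-EXAMPLE-03", date(2004, 2, 3),  date(2004, 5, 11), date(2003, 5, 11)),
    ("MS-EXAMPLE-04", date(2004, 3, 20), date(2004, 7, 13), date(2004, 8, 10)),
]


def days_between(start, end):
    """Calendar days from start to end by plain subtraction (the =E2-D2
    of the comment thread). No +1: an inclusive count is the usual source
    of off-by-one errors in this kind of table."""
    return (end - start).days


def check_row(row):
    """Return the list of ordering problems in one row; empty if sane."""
    _bulletin, reported, disclosed, patched = row
    problems = []
    if disclosed < reported:
        problems.append("disclosure before report")
    if patched < disclosed:
        problems.append("patch before disclosure (year typo?)")
    if patched < reported:
        problems.append("patch before report")
    return problems


def bad_rows(rows):
    """Rows that fail check_row, with the reasons, for manual correction."""
    return [(r[0], check_row(r)) for r in rows if check_row(r)]


def summarize(rows):
    """Per patch-release year: (patch count, average report-to-patch days,
    average disclosure-to-patch days). Rows failing check_row are skipped
    rather than silently averaged in."""
    by_year = defaultdict(list)
    for row in rows:
        if check_row(row):
            continue
        _bulletin, reported, disclosed, patched = row
        by_year[patched.year].append(
            (days_between(reported, patched), days_between(disclosed, patched)))
    summary = {}
    for year, pairs in sorted(by_year.items()):
        n = len(pairs)
        summary[year] = (n,
                         round(sum(p[0] for p in pairs) / n, 1),
                         round(sum(p[1] for p in pairs) / n, 1))
    return summary


if __name__ == "__main__":
    for bulletin, problems in bad_rows(SAMPLE_ROWS):
        print(f"{bulletin}: {', '.join(problems)}")
    for year, (n, rtp, dtp) in summarize(SAMPLE_ROWS).items():
        print(f"{year}: {n} patches, report->patch {rtp} days, "
              f"disclosure->patch {dtp} days")
```

Running it flags MS-EXAMPLE-03 for review instead of letting the negative interval drag the 2004 average down, and groups the remaining rows by patch year before averaging, so the count per year is visible next to the averages it feeds.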

UPDATE: added link to SecurityFix's follow-up post and Dan Geer's work

Posted by Dominic White

Last modified on 2006-01-14 21:33

1 Trackbacks

  1. Dominic White's .tHE pRODUCT

    Patch Time Graphs
    After fiddling with Brian Kreb's work yesterday, I decided to take it a step further and draw some pretty graphs. Here the patches were sorted into chronological order based on the date of the original report. It is interesting to note that Microsoft pa

2 Comments

  1. jmsimons says:

    There's a mistake in your Excel spreadsheet that prevents the number of days from displaying. The formula you used in OpenOffice to calculate the number of days -- =DAYS(D2;E2) -- does not exist in Excel. The correct formula is =E2-D2 ; the result needs to be formatted for 0 decimal places.

  2. Dominic White says:

    Thank you very much. I just exported straight to Excel and didn't check. It has been corrected.
