He contacted the original researchers and Microsoft to verify the dates and times, and Stephen Toulouse of the MSRC vetted his results. The summary is:
| | 2003 | 2004 | 2005 |
|---|---|---|---|
| Number of Critical Patches | 33 | 29 | 37 |
| Ave. Days from Report to Patch | 90.7 | 134.5 | 133.5 |
| Ave. Days from Disclosure to Patch | 71.1 | 55 | 46 |
This shows that Microsoft has been taking longer to fix 'responsibly' disclosed vulnerabilities, most likely because of its increased testing regime, while fixing publicly disclosed vulnerabilities it had no prior notice of faster. The increase is understandable, and the marginal increase in risk is justified if the risk from faulty patches is greatly decreased. The decrease is a good sign, but 46 days is still way too long: a skilled attacker doesn't need underground sploits if they have that much time.
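The two rows of the table measure different windows: "Report to Patch" runs from the vendor's private notification, "Disclosure to Patch" from the day details went public without prior notice. The script below is an added example (not Krebs' data or his method) that computes both averages per patch year from a constructed set of advisory records; the rule for deciding which window applies to a given advisory is an assumption, stated in the code.

```python
"""Per-year exposure-window averages from advisory records.

Added example with constructed data; the classification rule below is an
assumption, not the rule used for the table in the post.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    name: str
    reported: date | None   # private notification to the vendor, if any
    disclosed: date | None  # first public disclosure of details, if any
    patched: date           # patch release date


def classify(adv: Advisory) -> tuple[str, int]:
    """Return ("responsible", days) when the vendor had private notice before
    the public did, otherwise ("public_first", days) measured from disclosure.

    Assumed rule: prior private notice counts as responsible disclosure even
    if details became public before the patch shipped.
    """
    if adv.reported is not None and (adv.disclosed is None or adv.reported < adv.disclosed):
        return "responsible", (adv.patched - adv.reported).days
    if adv.disclosed is not None:
        return "public_first", (adv.patched - adv.disclosed).days
    raise ValueError(f"{adv.name}: no report or disclosure date to measure from")


def yearly_summary(advisories: list[Advisory]) -> dict[int, dict[str, float | int | None]]:
    """Group by patch year and average each window separately, mirroring the
    'Report to Patch' and 'Disclosure to Patch' rows. A window with no
    advisories in a year is reported as None rather than zero."""
    buckets: dict[int, dict[str, list[int]]] = defaultdict(
        lambda: {"responsible": [], "public_first": []}
    )
    for adv in advisories:
        kind, days = classify(adv)
        buckets[adv.patched.year][kind].append(days)

    summary: dict[int, dict[str, float | int | None]] = {}
    for year, b in sorted(buckets.items()):
        summary[year] = {
            "patches": len(b["responsible"]) + len(b["public_first"]),
            "avg_report_to_patch": round(mean(b["responsible"]), 1) if b["responsible"] else None,
            "avg_disclosure_to_patch": round(mean(b["public_first"]), 1) if b["public_first"] else None,
        }
    return summary


# Constructed sample records; names and dates are invented for illustration.
SAMPLE = [
    Advisory("A1", date(2004, 1, 10), None, date(2004, 4, 20)),              # private report only
    Advisory("A2", date(2004, 3, 1), date(2004, 6, 15), date(2004, 5, 30)),  # disclosed after patch
    Advisory("A3", None, date(2004, 8, 5), date(2004, 9, 14)),               # public first, no report
    Advisory("A4", date(2004, 11, 10), date(2004, 11, 10), date(2004, 12, 14)),  # vendor learned with public
    Advisory("B1", date(2005, 2, 1), None, date(2005, 6, 14)),
    Advisory("B2", None, date(2005, 7, 1), date(2005, 8, 9)),
    Advisory("B3", date(2005, 3, 15), date(2005, 3, 20), date(2005, 4, 12)),  # leaked before patch
]

if __name__ == "__main__":
    for year, row in yearly_summary(SAMPLE).items():
        print(year, row)
```

Advisories where the vendor learned of the flaw on the same day as the public (A4 above) fall into the disclosure-to-patch window, which is the case the post is concerned with: no private notice, so no schedule benefit.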
I am currently writing the vendor patch release policy section of my thesis, where I argue first that patch schedules only provide the intended benefits (increased patch quality and allowing end-users to schedule patch deployment) in cases where the vulnerability has been disclosed responsibly. In the case where the vendor finds out about the vulnerability at the same time as the public, neither of these benefits accrues. In this situation, given the willingness of the community to participate, vendors should release beta patches publicly and call for help testing. Take the WMF vulnerability as an example: the community produced an unofficial patch with an MSI version and scripts for large-scale deployment, an FAQ in 17 different languages and vulnerability scanners, to name a few. There is a lot more to this argument, but that's for my thesis.
The OSVDB blog noticed how difficult it was for Krebs to obtain some of these dates and mentioned that "Steven Christey (CVE) and Chris Wysopal (VulnWatch)" have been pushing vendors behind the scenes to release this information so that vulnerability databases can include it, allowing interesting stats like these to be examined more often.
Anyone want to do an analysis like this for Sun, Oracle and Apple? Particularly Sun and Oracle, who have sometimes sat on vulnerabilities for years, Oracle more so.
While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong. O
Tracked: Jan 13, 13:29