How Long Is Too Long to Develop a Patch?

By Larry Seltzer  |  Posted 2004-04-26 Print this article Print

Two hundred days seems like a long time to develop a patch for a critical security issue, so what's a reasonable amount of time? It all depends on what you want to get done before you release the patch.

A disturbing pattern is emerging from the last couple of months worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case. I spoke with Firas Raouf, chief operating officer of eEye Digital Security, a vulnerability management software company, about the problem. eEye has reported a significant number of serious security problems to Microsoft, including many recent ones.

It started with the infamous ASN.1 bug fixed in the regular February patch cycle, a bug Microsoft had been informed of 200 days prior to its patch, Raouf said. Several of the issues patched in the recent April cycle were also more than 100 days old, and this trend concerns eEye.

eEye is concerned for its own Windows systems and those of its customers. Even though responsible companies like eEye keep such reports confidential until the patch is released, 200 days is a long time to sit quietly, knowing that there is a hole in your servers that could allow attackers to execute arbitrary code.

eEye says the feeling of helplessness was enough that it is developing an "endpoint protection product" along the lines of an intrusion prevention tool. The vast majority of attacks against Windows use a small number of techniques (such as buffer overflows), and eEyes tool, known as "Blink," will scan for these behaviors. It already detects many of the existing endemic attacks out there, like Blaster, and its a lot better than being wide open. Windows XP Service Pack 2 should overlap some of this functionality, but Raouf considers it only a good step in the right direction, not the solution to Windows problems.

But is 200 days really a lot of time? Instinctively of course it sounds like too much; however, in a sense its just an arbitrary number. I asked Stephen Toulouse, security program manager at the Microsoft Security Response Center, which runs the update release process, how it why it takes so long.

Next page: Quality is Microsofts main concern.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel