How Long Is Too Long to Develop a Patch? - ' Page Two ' (
Page 2 of 2 )
I didnt get an answer deep in specifics; the short version is that quality is Microsofts main concern in the patch process and that the company spends a lot of time testing. Toulouse said Microsoft could produce a patch in a shorter period of time, maybe a couple of weeks, but that if it causes a problem in even 1 percent of customer systems it could be millions of computers. Customers (which I assume means large customers) have insisted that Microsoft rigorously test patches.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
The ASN.1 bug is a good example. Few people had heard of ASN.1 before this bug, but it is used by a large number of drivers and subsystems in Windows, not to mention third-party products. Toulouse, who made sure to thank eEye for its help and scrupulousness in maintaining confidentiality, is correct that any complete test matrix for it would be huge and complicated. Two hundred days, I dont know, but it would take a long time.
And its also true that if circumstances changed and a patch were necessary in a hurry, Microsoft could release one out of its normal patch cycle. The company did this in February with the URL log-on syntax change.
While I had Toulouse on the phone, I asked about the issue of cumulative vs. separate updates. Once again I got the usual "customers have asked us to do this" and perhaps thats true, but he also said that they grouped the patches in their cumulative updates based on the files and dependencies in them. In other words, the 14 individual patches in the MS04-011 cumulative patch made changes to the same group of files with similar dependencies. So the individual patches would not be substantially smaller.
I still think theres an argument for having individual patches as well, but Im more convinced of the argument for cumulative patches as the main vehicle for patch distribution. It could be far more efficient and therefore facilitate patching in general, which is a good thing.
I understand eEyes frustration, but its not clear to me that Microsoft is being irresponsibly slow in releasing patches. I dont believe for a second that the company would do so intentionally; it has no reason to do so. And I do believe Microsoft takes the issue seriously. But if it really does take months to properly develop and test patches of this type, then Microsoft needs to do more to explain its process.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: 
More from Larry Seltzer
