Wow, Microsoft Sure Patched That One Quickly!

By Larry Seltzer  |  Posted 2006-01-09

Opinion: Everybody's happy that Microsoft expedited the patching of the WMF flaw, but that aspect of the episode raises more questions than it answers. Why aren't one-week patch cycles S.O.P.?

This time two weeks ago, the security community was panicking over the potential damage from the WMF vulnerability. You can argue, as I did, that the mitigating factors were strong and it wasn't as serious an issue as some claimed, but clearly the watershed event in getting past it was Microsoft's prompt release of a patch last week.
"Prompt release of a patch": there's a phrase you don't hear applied to Microsoft very often. How was it possible for Microsoft to release a patch in about a week? This is unusual for the company.
How unusual? Consider the data that eEye, a security tool and research company, publishes about vulnerabilities it has reported to Microsoft. eEye has, as these things go, a long history of reporting severe vulnerabilities and getting credit when Microsoft finally discloses and fixes them. You'd think that Microsoft would take vulnerability reports from eEye seriously as a matter of course. But these are the report dates on eEye's current list of vulnerabilities that it has reported to Microsoft and that are still awaiting a fix:
  • Oct. 17, 2005—Severity: High (Remote Code Execution)
  • Oct. 11, 2005—Severity: Medium (Denial of Service)
  • Aug. 1, 2005—Severity: High (Remote Code Execution)
  • June 27, 2005—Severity: High (Remote Code Execution)
  • May 5, 2005—Severity: High (Remote Code Execution)
Criminy! May 5? This is not exactly a prompt response. And yet it's not unheard of, far from it. Microsoft's explanation for this staggering lead time has generally been the necessity of testing patches thoroughly and the company's need to release simultaneously in 20-something languages. Fair points all, as many other vendors and open-source efforts seem to view testing as something their users should be doing. But eight months? Before too long you'll be able to test these patches with carbon-14 dating.
The response to the WMF flaw unmasks the insufficiency of the whole process. Of course, it didn't need this episode to be unmasked; Microsoft's slow response was well known before. But never has the company responded so quickly to a zero-day attack. If there is some minimal overhead built into the development and testing process for patches, clearly it's not a large amount, and no larger than about a week. And not just any week: The WMF patch testing happened over a holiday weekend!

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
