Wow, Microsoft Sure Patched That One Quickly!

Opinion: Everybody's happy that Microsoft expedited the patching of the WMF flaw, but that aspect of the episode raises more questions than it answers. Why aren't one-week patch cycles S.O.P.?

This time two weeks ago, the security community was panicking over the potential damage caused by the WMF vulnerability.

You can argue, as I did, that the mitigating factors were strong and it wasnt as serious an issue as some argued, but clearly the watershed event in getting past it was Microsofts prompt release of a patch last week.

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"Prompt release of a patch"—theres a phrase you dont hear referring to Microsoft very often. How was it possible for Microsoft to release a patch in about a week? This is unusual for the company.

How unusual? Consider the data that eEye, a security tool and research company, puts out about vulnerabilities it has reported to Microsoft.

eEye has, as these things go, a long history of reporting severe vulnerabilities and getting credit when Microsoft finally discloses and fixes them. Youd think that Microsoft would take vulnerability reports from eEye seriously as a matter of course.

But these are the dates of the current list of vulnerabilities that have been reported to Microsoft:

  • Oct. 17, 2005—Severity: High (Remote Code Execution)
  • Oct. 11, 2005—Severity: Medium (Denial of Service)
  • Aug. 1, 2005—Severity: High (Remote Code Execution)
  • June 27, 2005—Severity: High (Remote Code Execution)
  • May 5, 2005—Severity: High (Remote Code Execution)
Criminy! May 5? This is not exactly a prompt response. And yet its not unheard of, far from it.

Microsofts explanation for this staggering lead time has generally been about the necessity of testing patches thoroughly and the companys need to release simultaneously in 20-something languages.

Fair points all, as many other vendors and open-source efforts seem to view testing as something their users should be doing. But eight months? Before too long youll be able to test these patches with carbon-14 dating.

And the response to the WMF unmasks the insufficiency of the whole process. Of course, it didnt need this episode to be unmasked; Microsofts slow response was well-known in the past. But never has it responded so quickly to a zero-day attack.

If there is a certain amount of minimal overhead time built into the development and testing process for patches, clearly its not a large amount, and no larger than about a week. And not just any week: The WMF patch testing happened over a holiday weekend!

Next page: The partly line.