How Long Is Too Long to Develop a Patch?

Two hundred days seems like a long time to develop a patch for a critical security issue, so what's a reasonable amount of time? It all depends on what you want to get done before you release the patch.

A disturbing pattern is emerging from the last couple of months worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case.

I spoke with Firas Raouf, chief operating officer of eEye Digital Security, a vulnerability management software company, about the problem. eEye has reported a significant number of serious security problems to Microsoft, including many recent ones.

It started with the infamous ASN.1 bug fixed in the regular February patch cycle, a bug Microsoft had been informed of 200 days prior to its patch, Raouf said. Several of the issues patched in the recent April cycle were also more than 100 days old, and this trend concerns eEye.


eEye is concerned for its own Windows systems and those of its customers. Even though responsible companies like eEye keep such reports confidential until the patch is released, 200 days is a long time to sit quietly, knowing that there is a hole in your servers that could allow attackers to execute arbitrary code.

eEye says the feeling of helplessness was enough that it is developing an "endpoint protection product" along the lines of an intrusion prevention tool. The vast majority of attacks against Windows use a small number of techniques (such as buffer overflows), and eEyes tool, known as "Blink," will scan for these behaviors. It already detects many of the existing endemic attacks out there, like Blaster, and its a lot better than being wide open. Windows XP Service Pack 2 should overlap some of this functionality, but Raouf considers it only a good step in the right direction, not the solution to Windows problems.

But is 200 days really a lot of time? Instinctively of course it sounds like too much; however, in a sense its just an arbitrary number. I asked Stephen Toulouse, security program manager at the Microsoft Security Response Center, which runs the update release process, how it why it takes so long.

Next page: Quality is Microsofts main concern.