A disturbing pattern is emerging from the last couple of months worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case.
I spoke with Firas Raouf, chief operating officer of eEye Digital Security, a vulnerability management software company, about the problem. eEye has reported a significant number of serious security problems to Microsoft, including many recent ones.
It started with the infamous ASN.1 bug fixed in the regular February patch cycle, a bug Microsoft had been informed of 200 days prior to its patch, Raouf said. Several of the issues patched in the recent April cycle were also more than 100 days old, and this trend concerns eEye.
eEye is concerned for its own Windows systems and those of its customers. Even though responsible companies like eEye keep such reports confidential until the patch is released, 200 days is a long time to sit quietly, knowing that there is a hole in your servers that could allow attackers to execute arbitrary code.
eEye says the feeling of helplessness was enough that it is developing an “endpoint protection product” along the lines of an intrusion prevention tool. The vast majority of attacks against Windows use a small number of techniques (such as buffer overflows), and eEyes tool, known as “Blink,” will scan for these behaviors. It already detects many of the existing endemic attacks out there, like Blaster, and its a lot better than being wide open. Windows XP Service Pack 2 should overlap some of this functionality, but Raouf considers it only a good step in the right direction, not the solution to Windows problems.
But is 200 days really a lot of time? Instinctively of course it sounds like too much; however, in a sense its just an arbitrary number. I asked Stephen Toulouse, security program manager at the Microsoft Security Response Center, which runs the update release process, how it why it takes so long.
I didnt get an answer deep in specifics; the short version is that quality is Microsofts main concern in the patch process and that the company spends a lot of time testing. Toulouse said Microsoft could produce a patch in a shorter period of time, maybe a couple of weeks, but that if it causes a problem in even 1 percent of customer systems it could be millions of computers. Customers (which I assume means large customers) have insisted that Microsoft rigorously test patches.
The ASN.1 bug is a good example. Few people had heard of ASN.1 before this bug, but it is used by a large number of drivers and subsystems in Windows, not to mention third-party products. Toulouse, who made sure to thank eEye for its help and scrupulousness in maintaining confidentiality, is correct that any complete test matrix for it would be huge and complicated. Two hundred days, I dont know, but it would take a long time.
And its also true that if circumstances changed and a patch were necessary in a hurry, Microsoft could release one out of its normal patch cycle. The company did this in February with the URL log-on syntax change.
While I had Toulouse on the phone, I asked about the issue of cumulative vs. separate updates. Once again I got the usual “customers have asked us to do this” and perhaps thats true, but he also said that they grouped the patches in their cumulative updates based on the files and dependencies in them. In other words, the 14 individual patches in the MS04-011 cumulative patch made changes to the same group of files with similar dependencies. So the individual patches would not be substantially smaller.
I still think theres an argument for having individual patches as well, but Im more convinced of the argument for cumulative patches as the main vehicle for patch distribution. It could be far more efficient and therefore facilitate patching in general, which is a good thing.
I understand eEyes frustration, but its not clear to me that Microsoft is being irresponsibly slow in releasing patches. I dont believe for a second that the company would do so intentionally; it has no reason to do so. And I do believe Microsoft takes the issue seriously. But if it really does take months to properly develop and test patches of this type, then Microsoft needs to do more to explain its process.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer