Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    How Long Is Too Long to Develop a Patch?

    By
    Larry Seltzer
    -
    April 26, 2004
    Share
    Facebook
    Twitter
    Linkedin

      A disturbing pattern is emerging from the last couple of months worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case.

      I spoke with Firas Raouf, chief operating officer of eEye Digital Security, a vulnerability management software company, about the problem. eEye has reported a significant number of serious security problems to Microsoft, including many recent ones.

      It started with the infamous ASN.1 bug fixed in the regular February patch cycle, a bug Microsoft had been informed of 200 days prior to its patch, Raouf said. Several of the issues patched in the recent April cycle were also more than 100 days old, and this trend concerns eEye.

      eEye is concerned for its own Windows systems and those of its customers. Even though responsible companies like eEye keep such reports confidential until the patch is released, 200 days is a long time to sit quietly, knowing that there is a hole in your servers that could allow attackers to execute arbitrary code.

      eEye says the feeling of helplessness was enough that it is developing an “endpoint protection product” along the lines of an intrusion prevention tool. The vast majority of attacks against Windows use a small number of techniques (such as buffer overflows), and eEyes tool, known as “Blink,” will scan for these behaviors. It already detects many of the existing endemic attacks out there, like Blaster, and its a lot better than being wide open. Windows XP Service Pack 2 should overlap some of this functionality, but Raouf considers it only a good step in the right direction, not the solution to Windows problems.

      But is 200 days really a lot of time? Instinctively of course it sounds like too much; however, in a sense its just an arbitrary number. I asked Stephen Toulouse, security program manager at the Microsoft Security Response Center, which runs the update release process, how it why it takes so long.

      Next page: Quality is Microsofts main concern.

      Page Two

      I didnt get an answer deep in specifics; the short version is that quality is Microsofts main concern in the patch process and that the company spends a lot of time testing. Toulouse said Microsoft could produce a patch in a shorter period of time, maybe a couple of weeks, but that if it causes a problem in even 1 percent of customer systems it could be millions of computers. Customers (which I assume means large customers) have insisted that Microsoft rigorously test patches.

      /zimages/3/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      The ASN.1 bug is a good example. Few people had heard of ASN.1 before this bug, but it is used by a large number of drivers and subsystems in Windows, not to mention third-party products. Toulouse, who made sure to thank eEye for its help and scrupulousness in maintaining confidentiality, is correct that any complete test matrix for it would be huge and complicated. Two hundred days, I dont know, but it would take a long time.

      And its also true that if circumstances changed and a patch were necessary in a hurry, Microsoft could release one out of its normal patch cycle. The company did this in February with the URL log-on syntax change.

      While I had Toulouse on the phone, I asked about the issue of cumulative vs. separate updates. Once again I got the usual “customers have asked us to do this” and perhaps thats true, but he also said that they grouped the patches in their cumulative updates based on the files and dependencies in them. In other words, the 14 individual patches in the MS04-011 cumulative patch made changes to the same group of files with similar dependencies. So the individual patches would not be substantially smaller.

      I still think theres an argument for having individual patches as well, but Im more convinced of the argument for cumulative patches as the main vehicle for patch distribution. It could be far more efficient and therefore facilitate patching in general, which is a good thing.

      I understand eEyes frustration, but its not clear to me that Microsoft is being irresponsibly slow in releasing patches. I dont believe for a second that the company would do so intentionally; it has no reason to do so. And I do believe Microsoft takes the issue seriously. But if it really does take months to properly develop and test patches of this type, then Microsoft needs to do more to explain its process.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      /zimages/3/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
      Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      More from Larry Seltzer

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×