A Closer Look

The Long and the Short of Microsoft's Patches

By Brian Krebs
Special to The Washington Post
Sunday, January 15, 2006

Microsoft Corp. has often been criticized for taking too long to issue security updates for its software, a shortcoming that critics say leaves customers dangerously exposed to online threats. I recently researched the past three years' worth of "critical" Microsoft patches -- those that mend flaws that hackers can use to take control over Windows computers -- and found that while that criticism may still be valid, Microsoft is making progress on a couple of key fronts.

In 2005, Microsoft took 50 percent more time to issue patches for critical software flaws than it did three years ago. In 2003, it took Microsoft an average of three months to issue patches for problems reported to it privately. The following year, that time frame shot up to 134.5 days, a number that remained virtually unchanged in 2005.

Microsoft seems to do better when outsiders take the controversial step of posting security flaws online for everyone to see. Advocates of this "full disclosure" approach think companies tend to fix security flaws more quickly when their dirty laundry is aired publicly, and at least on the surface, that appears to be the case with Microsoft.

In 2003, when Microsoft learned of a flaw in its products through full disclosure, the company took an average of 71 days to release a fix. In 2004, it took 55 days, and in 2005, 46 days.

Despite the apparent success of the full-disclosure tactic, Microsoft does not like that approach and has persuaded more security researchers to hold off disclosing their findings until the company has issued a patch to fix the problem. In 2003, Microsoft learned of at least eight critical Windows vulnerabilities through full disclosure. Last year, this happened half as many times.

Stephen Toulouse, a security program manager at Microsoft, said that if Microsoft is taking longer to release patches, it is because the company has renewed focus on ensuring that the patch corrects the problem in all versions of the Windows operating system and that each fix does not introduce new glitches.

Toulouse said developing the patch is usually the easiest stage. Testing the patch to make sure it doesn't break other applications is the time-consuming part: If testers find a bug, the patch developers incorporate the fix into all relevant portions of the patch, and the testing must start again from scratch.

"We learned that it's far better for us to find those issues than for customers to run into them," he said.

Microsoft learned some important lessons when it tried to fix a critical flaw in Windows that was later exploited by the infamous "Blaster" worm. Microsoft produced a patch for that vulnerability in just 38 days, Toulouse said, due to the level of concern within Microsoft "about the breadth and depth of the vulnerability."

Two days after Microsoft released the patch, researchers found the flaw in three other areas of the operating system that the initial fix did not address. Roughly two weeks after that, the Blaster worm infected millions of Windows PCs worldwide. Some security experts think the worm may have been aided by the initial Microsoft patch, which could have given the worm's authors a better idea of how to exploit the flaw.

"It was a conscious decision at the time to release that patch so quickly, but we later looked back and decided we really should have conducted a more thorough review process," Toulouse said.

Peter G. Allor, manager of the X-Force vulnerability research division at Atlanta's Internet Security Systems Inc., praised Microsoft for "doing a fantastic job over the past year and a half on the [quality assurance] side of patching. We're not seeing the recalls and reissues that we used to. What we're hearing in today's corporate environment is, 'Make sure you get it right the first time.'"

But Marc Maiffret, "chief hacking officer" for Aliso Viejo, Calif.-based eEye Digital Security, noted that the longer a patch is in the works, the longer customers remain unprotected.

"The truth is that unpatched Windows flaws have a value to the underground community, and it is not at all uncommon to see these things sold or traded among certain groups who use them by quietly attacking just a few key targets," Maiffret said. "So, the longer Microsoft takes to patch vulnerabilities, the longer they are leaving customers exposed."

Brian Krebs is a staff writer for http://washingtonpost.com. For a more in-depth look at the numbers behind this analysis, read his Security Fix column at http://www.washingtonpost.com/technology.

© 2006 The Washington Post Company