Monday, August 18, 2008

439 Days to Patch

There's one thing many users of Microsoft products can agree on - their patch teams release untested - or at least insufficiently tested - patches too often. These patches cause all manner of serious issues with Microsoft's operating systems and applications around the world and generally cause IT administrators to lose hair, cuss at Microsoft and wonder why they didn't either a) deploy Linux systems or b) take up a career in rose tending. :)

Anyway, Microsoft has one other tendency regarding their patches - they take forever to actually release them. A classic example of this is the MS08-050 patch in the August '08 Black Tuesday patch release. This was first disclosed to Microsoft on 31 May, 2007 and Microsoft responded to Haifei Li of Fortinet’s FortiGuard Global Security Research Team on the same day. Then, after much delay, Microsoft finally publicly disclosed this vulnerability when they released the patch - 439 days after being informed of it.

For more information on this patch, have a read of CVE-2008-0082.

I wonder, should vendors also be required to post their initial notification date on their vulnerability/patch announcements so we can all see how quickly they are reacting to vulnerability notifications found by third parties?


The Outspoken Wookie

