Microsoft Patch Delay Underscores Slow Fix Process - InformationWeek


Microsoft Patch Delay Underscores Slow Fix Process

Microsoft has withdrawn the single security patch once scheduled for Tuesday, saying that it needs more time to test the fix.

On Thursday of last week, Microsoft released its usual Advance Notification of upcoming fixes, and at that time said it was planning on a single critical bulletin.

Friday, it scrapped the patch.

"Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released," said the Redmond, Wash.-based developer in a revised advance notification e-mailed to users and posted on its Web site.

"We felt it was in the best interest of our customers to not release this update until it undergoes further testing," wrote Mike Reavey, a member of Microsoft's Security Response Center, in a blog entry.

The recall of the bulletin means that the next patches for any Windows flaws won't appear until Oct. 11, and that a potentially dangerous bug goes unfixed for another 30 days.

The delay underscores the fact that Microsoft takes a long time to patch problems.

According to eEye Digital Security, just one of the security firms whose researchers look for Windows bugs and report them to Microsoft, nine unpatched vulnerabilities in Windows have been confirmed by Microsoft; eEye ranks eight of those as "High" because they allow attackers to execute code. Seven of the vulnerabilities could let attackers execute code remotely.

eEye's Upcoming Advisories page is unique in the security research business because it not only lists reported vulnerabilities, but also shows how long it's been since Microsoft confirmed the bug. One vulnerability was acknowledged by Microsoft as far back as March 29, 167 days ago. Three others have slipped past the 100-day mark (130, 125, and 112 days, respectively).

That's not unusual, said Mike Puterbaugh, the director of product management at eEye.

"Two of the most critical vulnerabilities we've discovered and disclosed to Microsoft over the last few years -- LSASS and ASN1 -- took 188 and 200 days to patch, respectively," said Puterbaugh.

The LSASS vulnerability was acknowledged by Microsoft on Oct. 8, 2003, but not patched until April 13, 2004. Later that April, the flaw was exploited by the massive Sasser worm outbreak.

"The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch," Puterbaugh said.

The March 29 bug, which affects Internet Explorer and Outlook, is, as eEye's minimalist description reads, "a vulnerability in default installations of the affected software that allows malicious code to be executed with minimal user interaction."

"With the recall of the September bulletin, it means that, at minimum, [that vulnerability] won't be patched until 197 days after we gave it to them," said Puterbaugh, "assuming it is patched in October. We have no idea if it will or not."

In fact, since eEye debuted its Upcoming Advisories page in February 2004, Microsoft has patched only two bugs within the 60 days that eEye gives Microsoft before it labels the problem as "overdue."

"With us being in the security business, we understand the multitude of flaws [Microsoft] has at any time on its plate," said Puterbaugh in explaining why eEye gives Microsoft 60 days before the clock starts ticking.

"Everything else [patched] was in the hundred-days-or-higher," he added.

Of the 16 vulnerabilities that eEye has handed to Microsoft since early 2004, and which have been patched, the average time-to-patch, noted Puterbaugh, has been 132 days, "well over four months."

This is the second time that Microsoft reneged on providing a patch since the company began giving all customers a heads-up of its monthly bulletins late last year.

It's also the second month in a row that Microsoft suffered from some sort of patch snafu. In August, Microsoft initially rolled out a corrupted patch for Internet Explorer; users who downloaded it from the company's Download Center couldn't install the fix.

Although Puterbaugh didn't know what caused Microsoft to yank September's security bulletin -- the fix was not for one of the vulnerabilities that the Aliso Viejo, Calif.-based company has reported -- he had his suspicions.

"It's actually a pretty collaborative effort over the lifespan, so to speak, of a vulnerability between the discovering researcher and Microsoft," said Puterbaugh. "That may be the reason why this patch was pulled. One of the things that Microsoft does is provide a binary of the patch to the discovering agency, and maybe it found a problem with the patch [that Microsoft missed]."
