Microsoft Patch Delay Underscores Slow Fix Process - InformationWeek


Microsoft has withdrawn the single security patch once scheduled for Tuesday, saying that it needs more time to test the fix.

On Thursday of last week, Microsoft released its usual Advance Notification of upcoming fixes, and at that time said it was planning on a single critical bulletin.

Friday, it scrapped the patch.

"Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released," said the Redmond, Wash.-based developer in a revised advance notification e-mailed to users and posted on its Web site.

"We felt it was in the best interest of our customers to not release this update until it undergoes further testing," wrote Mike Reavey, a member of Microsoft's Security Response Center, in a blog entry.

The recall of the bulletin means that the next patches for any Windows flaws won't appear until Oct. 11, and that a potentially dangerous bug goes unfixed for another 30 days.

The delay underscores the fact that Microsoft takes a long time to patch problems.

According to eEye Digital Security, just one of the security firms whose researchers look for Windows bugs and report them to Microsoft, nine unpatched vulnerabilities in Windows have been confirmed by Microsoft, eight of which eEye ranks as "High" because they allow code to be executed by hackers. Seven of those vulnerabilities could let attackers execute code remotely.

eEye's Upcoming Advisories page is unique in the security research business because it not only lists reported vulnerabilities, but also shows how long it's been since Microsoft confirmed the bug. One vulnerability was acknowledged by Microsoft as far back as March 29, 167 days ago. Three others have slipped past the 100-day mark (130, 125, and 112 days, respectively).

That's not unusual, said Mike Puterbaugh, the director of product management at eEye.

"Two of the most critical vulnerabilities we've discovered and disclosed to Microsoft over the last few years -- LSASS and ASN1 -- took 188 and 200 days to patch, respectively," said Puterbaugh.

The LSASS vulnerability was acknowledged by Microsoft on Oct. 8, 2003, but not patched until April 13, 2004. Later that April, the flaw was exploited by the massive Sasser worm outbreak.

"The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch," Puterbaugh said.

The March 29 bug, which affects Internet Explorer and Outlook, is, as eEye's minimalist description reads, "a vulnerability in default installations of the affected software that allows malicious code to be executed with minimal user interaction."

"With the recall of the September bulletin, it means that, at minimum, [that vulnerability] won't be patched until 197 days after we gave it to them," said Puterbaugh, "assuming it is patched in October. We have no idea if it will or not."

In fact, since eEye debuted its Upcoming Advisories page in February 2004, Microsoft has patched only two bugs within the 60 days eEye gives Microsoft before it labels the problem as "overdue."

"With us being in the security business, we understand the multitude of flaws [Microsoft] has at any time on its plate," said Puterbaugh in explaining why eEye gives Microsoft 60 days before the clock starts ticking.

"Everything else [patched] was in the hundred-days-or-higher," he added.

Of the 16 vulnerabilities that eEye has handed to Microsoft since early 2004, and which have been patched, the average time-to-patch, noted Puterbaugh, has been 132 days, "well over four months."

This is the second time that Microsoft reneged on providing a patch since the company began giving all customers a heads-up of its monthly bulletins late last year.

It's also the second month in a row that Microsoft suffered from some sort of patch snafu. In August, Microsoft initially rolled out a corrupted patch for Internet Explorer; users who downloaded it from the company's Download Center couldn't install the fix.

Although Puterbaugh didn't know what caused Microsoft to yank September's security bulletin -- the fix was not for one of the vulnerabilities that the Aliso Viejo, Calif.-based company has reported -- he had his suspicions.

"It's actually a pretty collaborative effort over the lifespan, so to speak, of a vulnerability between the discovering researcher and Microsoft," said Puterbaugh. "That may be the reason why this patch was pulled. One of the things that Microsoft does is provide a binary of the patch to the discovering agency, and maybe it found a problem with the patch [that Microsoft missed]."
