Microsoft Delay Of Patch Underscores Slow Fix Process

security patch

On Thursday of last week, Microsoft released its usual Advance Notification of upcoming fixes, and at that time said it was planning on a single critical bulletin.

Friday, it scrapped the patch.

"Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released," said the Redmond, Wash.-based developer in a revised advance notification e-mailed to users and posted on its Web site.

"We felt it was in the best interest of our customers to not release this update until it undergoes further testing," wrote Mike Reavey, a member of Microsoft's Security Response Center, in a blog entry.

Sponsored post

The recall of the bulletin means that the next patches for any Windows flaws won't appear until Oct. 11, and that a potentially dangerous bug goes unfixed for another 30 days.

The delay underscores the fact that Microsoft takes a long time to patch problems.

According to eEye Digital Security, just one of the security firms where researchers look for Windows bugs and report them to Microsoft nine unpatched vulnerabilities in Windows have been confirmed by Microsoft, eight of which eEye ranks as "High" because they allow for code to be executed by hackers. Seven of those vulnerabilities could let attackers execute code remotely.

eEye's Upcoming Advisories page is unique in the security research business because it not only lists reported vulnerabilities, but also shows how long it's been since Microsoft confirmed the bug. One vulnerability was acknowledged by Microsoft as far back as March 29, 167 days ago. Three others have slipped past the 100-day mark (130, 125, and 112 days, respectively).

That's not unusual, said Mike Puterbaugh, the director of product management at eEye.

"Two of the most critical vulnerabilities we've discovered and disclosed to Microsoft over the last few years -- LSASS and ASN1 -- took 188 and 200 days to patch, respectively," said Puterbaugh.

The LSASS vulnerability was acknowledged by Microsoft on Oct. 8, 2003, but not patched until April 13, 2004. Later that April, the flaw was exploited by the massive Sasser worm outbreak.

"The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch," Puterbaugh said.

The March 29 bug, which affects Internet Explorer and Outlook, is, as eEye's minimalist description reads, "a vulnerability in default installations of the affected software that allows malicious code to be executed with minimal user interaction."

"With the recall of the September bulletin, it means that minimum, [that vulnerability] won't be patched until 197 days after we gave it to them," said Puterbaugh, "assuming it is patched in October. We have no idea if it will or not."

In fact, since eEye debuted its Upcoming Advisory page in February, 2004, Microsoft's patched only two bugs within the 60 days eEye give Microsoft before it labels the problem as "overdue."

"With us being in the security business, we understand the multitude of flaws [Microsoft] has at any time on its plate," said Puterbaugh in explaining why eEye gives Microsoft 60 days before the clock starts ticking.

"Everything else [patched] was in the hundred-days-or-higher," he added.

Of the 16 vulnerabilities that eEye has handed to Microsoft since early 2004, and which have been patched, the average time-to-patch, noted Puterbaugh, has been 132 days, "well over four months."

This is the second time that Microsoft reneged on providing a patch since the company began giving all customers a heads-up of its monthly bulletins late last year.

It's also the second month in a row that Microsoft suffered from some sort of patch snafu. In August, Microsoft initially rolled out a corrupted patch for Internet Explorer; users who downloaded it from the company's Download Center couldn't install the fix.

Although Puterbaugh didn't know what caused Microsoft to yank September's security bulletin -- the fix was not for one of the vulnerabilities that the Aliso Viejo, Calif.-based company has reported -- he had his suspicions.

"It's actually a pretty collaborative effort over the lifespan, so to speak, of a vulnerability between the discovering researcher and Microsoft," said Puterbaugh. "That may be the reason why this patch was pulled. One of the things that Microsoft does is provide a binary of the patch to the discovering agency, and maybe it found a problem with the patch [that Microsoft missed]."