How long does MS sit on Patches before releasing them?

kurttrail

Steve said:
Cost vs. profit analysis.

Yeah. That's what I thought. Though if security was really job 1 at
MS, getting them out ASAP would make more sense, and leave less of a
window of vulnerability for the world's network security.

But MS is a bottom-line focused business, and security is just an
after-thought in comparison.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Shawn Morgan

From what I understand they don't sit on update/patches, they do however
distribute them only once a month unless they are deemed very high
priority. Before it was chaos in our IT department trying to deploy all of
these patches every time they come out. Now we can schedule when they are
to come out and know about them in advance, usually.

Shawn.
 
kurttrail

Shawn said:
From what I understand they don't sit on update/patches, they do
however distribute them only once a month unless they are deemed very
high priority. Before it was chaos in our IT department trying to
deploy all of these patches every time they come out. Now we can
schedule when they are to come out and know about them in advance,
usually.

Shawn.

I much preferred the old method of deploying one or two patches at a
time, instead of 10 like last month.

But in the article MS is gonna release patches to the gov't a month
prior to the rest of us, so that is at least one month that the rest of
us will go with holes open, and a month for the malware scum to come up
with something before the patch is released to the general public.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Torgeir Bakken (MVP)

kurttrail said:
(snip)
But in the article MS is gonna release patches to the gov't a month
prior to the rest of us, so that is at least one month that the rest
of us will go with holes open, and a month for the malware scum to come
up with something before the patch is released to the general public.

Hi

If exploit code was found in the wild, I am very sure Microsoft would
release the update to the public instantly, disregarding the usual once
a month release schedule (and having a clause for this in the agreement
with the U.S. government).
 
kurttrail

Torgeir said:
If exploit code was found in the wild, I am very sure Microsoft would
release the update to the public instantly, disregarding the usual
once a month release schedule (and having a clause for this in the
agreement with the U.S. government).

But by the time some malicious code is found in the wild, it may just be
too late.

I know that is always a possibility, but becomes more likely the longer
a vulnerability is left un-patched. The Zero-day virus scenario is just
a theory, but one I'd rather not test unnecessarily.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Oli Restorick [MVP]

It depends on the vulnerability, really. If the vulnerability is obscure
(i.e. it's not likely to be found and exploited quickly) and the person who
discovered it has worked closely with Microsoft in responsibly reporting the
problem, then making sure the patch is of the highest quality and is fully
tested is very important.

If the vulnerability is a potential denial of service problem and Microsoft
(or any vendor for that matter) rushes out a patch without testing, there is
a risk that the patch will do more damage than any exploit ever would.

So, it's a balance where the seriousness of the vulnerability, the chance of
exploit, and the risk of the patch causing issues in itself all come into
play.

Oli
 
kurttrail

Oli said:
It depends on the vulnerability, really. If the vulnerability is
obscure (i.e. it's not likely to be found and exploited quickly) and
the person who discovered it has worked closely with Microsoft in
responsibly reporting the problem, then making sure the patch is of
the highest quality and is fully tested is very important.

If the vulnerability is a potential denial of service problem and
Microsoft (or any vendor for that matter) rushes out a patch without
testing, there is a risk that the patch will do more damage than any
exploit ever would.

So, it's a balance where the seriousness of the vulnerability, the
chance of exploit, and the risk of the patch causing issues in itself
all come into play.

One would assume that MS wouldn't issue a patch to the gov't, before it
was fully tested. I doubt the Air Force want to be a Guinea Pig. So
since the US Gov't is getting patches a month earlier than the rest of
us get it, and considering that MS can't control the release of
exploits, it seems like they could give an exploit writer a considerable
head start at writing an exploit for the hole, before the patch is
released to the General Public. Hell, the State department lost a
couple of laptops in recent years, and the Dept. of Energy has had a
hell of a time securing facilities that hold nuclear secrets, so how in
the world are they going to keep MS patches released to them early under wraps?

1.) I never agreed with MS's policy of waiting for a specific time every
month to release patches, as it leaves more time for holes to be
exploited before patch release.

2.) Waiting ever longer so the US Gov't can plug its holes before
everyone else will leave an even bigger window of opportunity, and
possibly get into the wrong hands to be able to find exploits in the
patch itself.

Computer security is nothing to wait around for. Once tested, critical
updates should be immediately released, not according to a set schedule,
or given out to one sector of our society before any other. If the net
goes down because of an exploit and because home users and businesses
are still waiting for their turn to get the patch to plug the hole, it
ain't gonna matter much that the gov't's computers are protected, if they
can't communicate with each other.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Steve N.

Oli said:
It depends on the vulnerability, really. If the vulnerability is obscure
(i.e. it's not likely to be found and exploited quickly) and the person who
discovered it has worked closely with Microsoft in responsibly reporting the
problem, then making sure the patch is of the highest quality and is fully
tested is very important.

Problem is that as soon as a vulnerability is discovered, attempts to
exploit it should be expected to be nearly instantaneous.

If the vulnerability is a potential denial of service problem and Microsoft
(or any vendor for that matter) rushes out a patch without testing, there is
a risk that the patch will do more damage than any exploit ever would.

I am confident that MS has some very good programmers on staff.
Nevermind all the b!tching we may do about it, Windows is a damn good
OS. The sales numbers prove it. The fact that we still use it (by choice
or otherwise) proves it. I actually *like* Windows very much for the
most part. Not real fond of MS The Company sometimes, and some things
about XP tend to p!ss me off compared to Win2K, NT, and 98. (FWIW the
very best MS OS I've seen so far is Windows 2003 Server. That sucker rocks!)

So, it's a balance where the seriousness of the vulnerability,

ANY vulnerability is a doorway in. They ALL are potentially serious in
the long run.

the chance of exploit,

As I stated above, exploits are probably very near-instantaneous
anymore. The cyber-terrorists are not asleep at the wheel. As soon as
they find a chink in the armor they will aim for it, regardless of its
apparent importance.

and the risk of the patch causing issues in itself all come into
play.

Protect yourself. We have the technology. Plenty of free firewalls and
packet analysers out there that'll let you examine things closer than
you probably care or need to. Additionally, no one HAS to apply hotfixes
and security patches, or even service packs for that matter. We all have
the ability to take stock of the situation before taking action if we
inform ourselves and so desire. Does that mean we are automatically
vulnerable? Well, that depends. Do we do stupid stuff online, get
click-happy and download every freebie-looking goodie we can find out
there? All OSes have vulnerabilities. Functionality equals vulnerability.
Think about it.

Steve
 
JerryMouse

kurttrail said:
And probably the more pertinent question is why does MS sit on
releasing critical updates to begin with?!

As long as they need to, and not one second longer!
 
Torgeir Bakken (MVP)

kurttrail said:
(snip)
But in the article MS is gonna release patches to the gov't a month
prior to the rest of us, so that is at least one month that the rest of
us will go with holes open, and a month for the malware scum to come up
with something before the patch is released to the general public.

Hi

From further research I understand that the article is about
Microsoft's Security Update Validation Program, so it is all
about testing the updates for a very limited number of people in a
controlled environment (bound by a signed NDA).

So this is not an early broad distribution of the patches all over
the U.S. government network as the article is indicating (as Debby
Fry Wilson [MSFT] writes in the first link below: "Late last week
there was some confusion about the Security Update Validation
program, and I wanted to take a minute to explain how the program
works and our reasons behind implementing it.")

More information here:

http://spaces.msn.com/members/msrc/Blog/cns!1pXVuEaSt8oHtnOILCsi_ZbA!156.entry

http://www.eweek.com/article2/0,1759,1750841,00.asp
 
kurttrail

Torgeir said:
kurttrail said:
(snip)
But in the article MS is gonna release patches to the gov't a month
prior to the rest of us, so that is at least one month that the rest
of us will go with holes open, and a month for the malware scum to
come up with something before the patch is released to the general
public.

Hi

From further research I understand that the article is about
Microsoft's Security Update Validation Program, so it is all
about testing the updates for a very limited number of people in a
controlled environment (bound by a signed NDA).

So this is not an early broad distribution of the patches all over
the U.S. government network as the article is indicating (as Debby
Fry Wilson [MSFT] writes in the first link below: "Late last week
there was some confusion about the Security Update Validation
program, and I wanted to take a minute to explain how the program
works and our reasons behind implementing it.")

More information here:

http://spaces.msn.com/members/msrc/Blog/cns!1pXVuEaSt8oHtnOILCsi_ZbA!156.entry

http://www.eweek.com/article2/0,1759,1750841,00.asp

Thanks, Torgeir!

Yeah, I saw similar reports in the days following my posting this
thread, but even so, having these test patches out in wide distribution
doesn't make me feel any better, especially in the hands of the American
Gov't that leaks like a sieve.

Critical security patches should be treated like the crown jewels, until
release. Totally tested in house, under the tightest of security,
otherwise they will eventually get in the wrong hands. And who really
knows if those wrong hands might just be the US Gov't itself.

Just think of the economic warfare applications that could be developed
with early access to patches.

I may not trust MS, but I trust my gov't even less. And that is just
one scenario. Test patches in the hands of low level, underpaid civil
servants and military personnel could be an extra source of income
from the spyware/spamming community to get to holes that have yet to be
patched in the general public of the World.

I'd rather trust MS to keep these patches in house and test them, than
spread test patches throughout the US Gov't. But I know why MS is
doing it, they are spreading out their liability if and when a test
patch does get used to do something malicious. CYA! And with MS's ass
covered, it only makes it more likely that a test patch will be used
against all of us.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"