200 days to fix a broken Windows

Security researchers are divided on whether Microsoft's 200-day process for developing its latest critical patch was reasonable or just too slow.

Security researchers are both criticizing and empathizing with Microsoft for the 200 days the company needed to create its latest critical software patch.

The six-plus months is the longest the software giant has taken to release a fix since it started its Trustworthy Computing initiative, a companywide mandate to make security a top priority. Taking so long to fix

"If it really took them that long technically to make the fix, then they have other problems. That's not a way to run a software company."
--Marc Maiffret
Chief hacking officer
eEye Digital Security
a serious issue cast doubts on how much progress Microsoft has made in the two-year effort, said Marc Maiffret, chief hacking officer for security research firm eEye Digital Security.

"If it really took them that long technically to make (and test) the fix, then they have other problems," Maiffret said. "That's not a way to run a software company."

On Tuesday, Microsoft released a patch for vulnerabilities in a common networking component of Windows NT, Windows 2000, Windows XP and Windows Server 2003. The security flaws could allow an attacker to compromise a computer running any of those Windows systems or allow a malicious coder to create a worm that would affect a large number of systems connected to the Internet.

eEye notified Microsoft of the issue July 25 and of a second, similar issue on Sept. 25. The software giant didn't release a fix for either problem until this week, 200 days after the first flaw was found.


What's new:
Microsoft recently released a patch for a security flaw affecting various versions of Windows--more than six months after the company was first notified of the vulnerability.

Bottom line:
Some say the software giant was inefficient; others say the complex problem demanded a thorough going-over; still others say less important, but more widely publicized flaws skewed Microsoft's priorities.

For more info:
Track the players

Microsoft defended its responsiveness to security issues. The time required for each step in the patching process--from discovery and verification of the problem to creating and testing the fix--can vary, said Jeff Jones, senior director of Trustworthy Computing.

"If our goal was to get everything out in 30 days or 60 days, we could do that," Jones said. "But our goal is to get out a quality patch."

Other security researchers agreed that 200 days, while long, is not necessarily a sign of problems.

"Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter," said Chris Wysopal, vice president of research and development for security firm @Stake, which counts Microsoft as a client. "It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test."

The flaws exist in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and the vulnerabilities could let a remote user take control of a computer running a version of Windows that hasn't been patched, according to the advisory posted on Microsoft's Web site. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.

Such widespread vulnerabilities are most tempting for the underground coders who

"If our goal was to
get everything out in 30 days or 60 days, we could do that.
But our goal is to get out a quality patch."
--Jeff Jones, senior director
Microsoft's Trustworthy Computing initiative
create worms such as MSBlast--also known as Blaster--and Slammer, both of which took advantage of Windows flaws.

Stephen Toulouse, senior program manager of Microsoft's Security Response Center, said the fix took so long to create because of the difficulties posed by such a pervasive technology.

"ASN.1 is really an extremely in Windows itself," Toulouse said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."

Yet the complexity of the problem isn't necessarily an adequate reason for the delay.

Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available.

That flaw made network devices using version 1 of the Simple Network Management Protocol (SNMP)--a data language that allows network hardware to communicate over the Internet--vulnerable to attacks aimed at causing instability, crashes or compromises.

Some researchers believe that Microsoft may have been sidetracked with other vulnerabilities, such as

Such criticism may focus the company on flaws that should have a lower priority, said Thor Larholm, senior security researcher for security software maker PivX Solutions.

"Microsoft still does treat some of the security vulnerabilities as public relations issues," Larholm said. "They will put a priority on fixing flaws that their customers are complaining about."

The phishing flaw was patched in about 60 days, and the fix was released a week early.

For eEye, the difference in results is marked and has resulted in the company using new ways to get Microsoft to focus on its flaws. The company has turned up the heat on the creator of Windows by posting a list of vulnerabilities that eEye has submitted to Microsoft but that remain unfixed.

According to the list, two other serious flaws have yet to be patched, and it's been five months since the

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

software giant was first notified of them.

For now, eEye's Maiffret is content to wait for the results of the new tactic. "It is just one sort of action to take," he said. "We have more things planned if they don't keep up."