Complexity of patching at Microsoft

Mar 31st, 2004

Comments: 0
Category: Vulnerability Management


This story over at Zone-H.org makes an interesting point about eEye's outstanding vulnerabilities, which they have reported to Microsoft but which remain unpatched.
One point of view you could take from this is that Microsoft is well known for the amount of integration in its products, and as the number of products and the amount of code in those products increases, the cost and time required to fix a vulnerability will also increase. On the eEye page you can see that they have vulnerabilities which they reported to Microsoft 200+ days ago, which they regard as critical, and which have not been patched.
Given eEye's approach of non-disclosure this isn't too serious a problem. However, if we assume that Microsoft has been working hard to patch these problems (and we have no reason to assume otherwise), what would happen if they received an equally serious vulnerability from a source who believed in publishing after only, say, 10 days of notification, or, even worse, one who decided to post exploit code first and ask questions later?
If it takes 200+ days to patch the problem, that would leave a pretty large window of exploitation and potentially a lot of damage to systems around the world.
