More MS Patch Data

The data Security Fix released earlier this week, showing that Microsoft is taking roughly 50 percent more time to issue updates for "critical" security holes in Windows, have generated an enormous response, most of it positive. Some folks even appear to have been inspired to tweak and/or combine the data in ways I hadn't considered.

Dan Geer, the security expert who is giving the keynote address at the ShmooCon 2006 hacker conference that starts today in Washington, sent a nice note this morning, along with his own interpretation of the time-to-patch data:

Download krebs.12i06.xls

Geer's graph shows that Microsoft increased its time-to-patch gap by a little more than one day per month from the start of 2003 to the end of 2005.

Dominic White left a comment here today pointing to a post on his own blog, where he says there are a few errors here and there in the graphs. He may be right: I must have looked at those graphs more than a hundred times each, and that's always the kiss of death, it seems. At any rate, I fully expected someone would write in to correct me on something.

Readers: if you find any inconsistencies in the data, please let me know where in the graphs you found the error and I will verify it and amend the graphs if needed. At the end of his post, White acknowledges that even accounting for the problems he says he found, his time-to-patch numbers weren't off by more than a day from ours.

The story also was picked up in a 90-second segment on AT&T/SBC's Internet Security News Network.

Oh, and a shortened version of the original time-to-patch blog post will be included in the Business section of Sunday's Washington Post newspaper.

By Brian Krebs  |  January 13, 2006; 10:06 AM ET


It's been said that the sheer speed with which Microsoft fixed the WMF vulnerability is suspicious in itself - as if they knew all about it already. There are suggestions that it doesn't sound at all like a coding error, but rather like a deliberately designed backdoor:

"It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor." We will likely never know if this was the case, but the forensic evidence appears to be quite compelling."

Admittedly, that suggestion is coming from Steve Gibson, famous for his hysteria over the Berkeley sockets specification. But it does bear looking into ...

And what other similar backdoors/errors might be in Windows?
As Gibson himself says, with open source software you *know* what's there (providing you review the code and compile from source yourself, of course).

Posted by: Simon X | January 13, 2006 10:35 AM

"As Gibson himself says, with open source software you *know* what's there (providing you review the code and compile from source yourself, of course)."

You mean, provided you know what the heck you are looking at.

The number of people who, when handed some open source code, know how to spot a security issue and how to fix it is very small.

The percentage of those people who actually WANT to look for and fix security issues is even smaller.

Posted by: Matt | January 13, 2006 11:59 AM

Is this time to patch data for all patches or for just the ones labeled Critical? If it's the first, then it isn't all that surprising since Microsoft prioritizes the effort it spends based on exploit criticality. If it's the latter, it would be surprising.

Posted by: AXAF | January 13, 2006 1:56 PM

By the way, here is the MSRC's response to Gibson's self-promoting paranoia:

Posted by: Matt | January 14, 2006 1:16 AM

Thanks for the link Brian. Have you had a chance to look at the errors? I might be getting something wrong.

Posted by: Dominic White | January 14, 2006 1:55 PM

The graph in the spreadsheet krebs.12i06.xls shows a regression line with a value for R-squared of 0.0375. R-squared is a measure of the proportion of the variation which is explained by the regression. If R-squared is close to 1, then most of the variation is explained. An R-squared of 0.0375 means that over 97% of the variation is unaccounted for (read "random") with respect to the relationship being examined.

In other words, there is no statistical basis for suggesting a change in the "time to patch" over the period examined.

(Brian - I would rather have emailed this observation to you than posted it as a comment, but I couldn't find an email address on the page. Sorry. Dave)

Posted by: Dave Katz | January 17, 2006 11:53 AM
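Two figures in this thread are easy to conflate: the slope of Geer's trend line (a little over one day per month, per the post) and its R-squared of 0.0375 (per Dave Katz's comment). The following is an added example, not code from the post or from Geer's spreadsheet, and since the real monthly time-to-patch data is not on this page it fits a constructed series instead. The series is built as 100 + month + noise over 36 months (Jan 2003 to Dec 2005), with the noise alternating in sign and mirrored about the midpoint so it is exactly uncorrelated with time; that way the fitted slope is exactly one day per month by construction, and the noise amplitude alone decides how much of the variation the line explains. The function and series names are my own.

```python
"""Ordinary least-squares trend line with R-squared, in pure Python.

Added illustration; not from the original post or from Geer's spreadsheet.
The monthly series is constructed (see constructed_series) and is not
Microsoft's actual time-to-patch data.
"""
from typing import Dict, List, Sequence, Tuple


def constructed_series(amplitude: float, months: int = 36) -> List[float]:
    """Constructed days-to-patch per month: 100 + month + alternating noise.

    The +/-amplitude pattern is mirrored about the midpoint, so the noise sums
    to zero and is exactly uncorrelated with the month index.  The OLS slope is
    therefore 1.0 day/month regardless of amplitude; only R-squared changes.
    """
    if months % 2:
        raise ValueError("months must be even so the noise can be mirrored")
    half = [amplitude if m % 2 == 0 else -amplitude for m in range(months // 2)]
    noise = half + half[::-1]
    return [100.0 + m + e for m, e in enumerate(noise)]


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float, float]:
    """Return (slope, intercept, r_squared) for the OLS line y ~ slope*x + intercept."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired observations")
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all x values identical; slope is undefined")
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    ss_tot = sum((y - y_mean) ** 2 for y in ys)          # total variation
    ss_res = sum((y - (slope * x + intercept)) ** 2       # left over after the fit
                 for x, y in zip(xs, ys))
    r_squared = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return slope, intercept, r_squared


def trend_report(ys: Sequence[float]) -> Dict[str, float]:
    """Fit a monthly series (index = month number) and summarise the trend."""
    xs = list(range(len(ys)))
    slope, _intercept, r2 = linear_fit(xs, ys)
    return {
        "days_per_month": slope,
        "total_drift_days": slope * (len(ys) - 1),   # change implied by the line
        "r_squared": r2,
        "unexplained_fraction": 1.0 - r2,
    }


if __name__ == "__main__":
    # Same slope in both cases; only the scatter around the line differs.
    for label, amplitude in (("noisy (R^2 tiny)", 60), ("tight (R^2 near 1)", 2)):
        report = trend_report(constructed_series(amplitude))
        print(f"{label}: slope={report['days_per_month']:.2f} days/month, "
              f"drift over period={report['total_drift_days']:.1f} days, "
              f"R^2={report['r_squared']:.4f}")
```

With an amplitude of 60 days the fit reports a slope of 1.0 day/month and an R-squared of about 0.03, roughly the situation Katz describes; with an amplitude of 2 days the slope is the same 1.0 but R-squared is about 0.96. The slope answers "how steep is the best line", R-squared answers "how much of the month-to-month variation that line accounts for", and a low R-squared is the reason a visible upward line can still lack statistical support.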



© 2010 The Washington Post Company