Network News

X My Profile
View More Activity

Microsoft Stock Price Routinely Dinged by Security Patches

Microsoft's stock price suffers more than usual on days that it ships software updates to plug security holes, new research suggests.

With few exceptions, Redmond issues security updates on the second Tuesday of each month. Microsoft implemented what's known as "Patch Tuesday" several years ago in order to give companies more time to plan for testing and rolling out the updates. It also began disclosing each Thursday prior how many security problems customers could expect to have to deal with on Patch Tuesday.

msftopenclose.jpg

Microsoft did all this in the name of increasing the predictability of its patching process. But according to researchers at McAfee Avert Labs, the other predictable part of Patch Tuesday and Advance Notification Thursday is that Microsoft's stock price almost always sinks on those days relative to other trading days.

On average, Patch Tuesday saw Microsoft's stock price fall -0.11 percent in 2006, -0.29 percent last year, and -0.45 percent so far in 2008.

Compare that to the fate of Microsoft's stock on an average day in:

2006: +0.08 percent
2007: +0.06 percent
2008: -0.17 percent

Or consider trading on any other Tuesday:

2006: -.03 percent
2007: +.05 percent
2008: +.16 percent

These trends are even more noticeable when you examine the graphs showing the effect of Patch Tuesdays when measured from the trading day's opening bell both to the intraday low and intraday high for Microsoft's stock.

msftintralow.jpg

Interestingly, McAfee found Microsoft's stock nearly always rebounded the day after Patch Tuesday. "This is probably because institutional investors or market makers feel Microsoft was oversold the day before because of the bad news and that, in reality, Microsoft's value as an investment was only negligibly affected," wrote McAfee researcher Anthony Bettini.

msftintrahigh.jpg

Given this trend, one might expect traders would have figured it out by now and made a buck off of it. However, the researchers found that the average volume of trading on Microsoft's stock was significantly lower on Patch Tuesday and Advance Notification Thursday.

Still, it may be that some investors have figured out the trend and are short selling Microsoft stock on Patch Tuesdays -- a type of trading where investors essentially bet that a company's stock will sink on any given day.

The report did not examine whether the share price dip was deepened by Patch Tuesdays that addressed a greater number of flaws and/or more dangerous security holes. That would be an interesting topic for further research.

Bettini said he and other researchers soon would be looking at other tech giants like Oracle to see if patch days have an impact on their share prices. It's too bad Oracle only releases patches four times each year, as that's not a lot of comparative data.

I would also love to see research in the other direction: Namely, whether the publication of instructions on exploiting a critical, unpatched flaw in widely used software has shown any historical and consistent impact on affected vendors' share prices.

At any rate, if volume of patches is any indicator, tomorrow's Patch Tuesday should be an especially fun one for Microsoft investors: Redmond said last week that it plans to issue at least 11 bulletins on Tuesday. It's impossible to say how many individual security flaws will be addressed by these bulletins, as each can fix multiple security holes. As usual, Security Fix will have the lowdown on those patches shortly after they're released.

By Brian Krebs  |  October 13, 2008; 8:21 AM ET
Categories:  From the Bunker , New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Phishers, Virus Writers Exploit Global Financial Crisis
Next: Security Software Suites No Match for Custom Attacks

Comments

It looks like the changes are small enough that you probably can't make too much money off it.

Posted by: William | October 13, 2008 9:02 AM | Report abuse

What does the price of Microsoft stock have to do with security?

If this were a financial blog, this could be interesting.

Posted by: Bob | October 13, 2008 10:32 AM | Report abuse

Microsoft, more like MicroStocks.....

Posted by: No Monay In Tha Bank | October 13, 2008 11:36 AM | Report abuse

"What does the price of Microsoft stock have to do with security?

If this were a financial blog, this could be interesting.

Posted by: Bob | October 13, 2008 10:32 AM"

--

@Bob -- I thought this topic was interesting because it approaches that question from the other direction: What does security have to do with Microsoft's stock price? Turns out, at least a little bit.

The data in the study didn't support this, but I think it's also interesting to consider the possibility that criminals could profit from short-selling Microsoft's stock by releasing exploits timed with short sells.

Anyway, I thought there were fascinating tangents here, and there is very fertile ground for further research here.

But since you asked, I'll suggestion a question for discussion: Given how much businesses and consumers lose in time, money, frustration and opportunity costs due to faulty security software, why shouldn't we see a much bigger impact from security on a company's stock price?

Posted by: Bk | October 13, 2008 11:47 AM | Report abuse

I thought it was an interesting article, BK.

That kind of movement would seem to be too small for most investors to actually be able to trade in enough volume to make a buck. But I am surprised that the computer programs that major investment firms use didn't pick up on the fact that microsoft stock does the same thing at the same time every month.

Posted by: Ugh | October 13, 2008 1:55 PM | Report abuse

For the amounts of stock a regular individual investor like is likely to invest, the commissions would wipe out any gains on that small a movement. But for an institutional investor (or possibly someone actively buying and selling over the course of the day), I see the opportunity Brian is talking about.

There are several interesting topics in there: The overall price fluctuation, the price change over the course of Patch Tuesday, and yeah, why don't security holes cause bigger fluctuations?

Posted by: Blair | October 14, 2008 9:30 AM | Report abuse

"But since you asked, I'll suggestion a question for discussion: Given how much businesses and consumers lose in time, money, frustration and opportunity costs due to faulty security software, why shouldn't we see a much bigger impact from security on a company's stock price?"

...if it were a company other than MS, maybe. With MS you know that the sw is full of security-holes, and that people will run it anyway.

Posted by: jfc1 | October 14, 2008 7:52 PM | Report abuse

Must be slow out there on the security front, Brian. This answer falls into the category of the kind of useless questions my kids used to ask me (way back when). My response was, "What will you do with the answer to that?" Oh well, you deserve a rest after all the good work you are doing otherwise.

Posted by: Pete from Arlington | October 15, 2008 10:47 AM | Report abuse

Glad that McAfee's doing important security work. Sort a makes a body glad for AVG Free.

This is useful financial info, but if I was paying McAfee $ to secure my machine, I wouldn't want it spent this way!

Posted by: Kfritz | October 16, 2008 9:25 AM | Report abuse

Glad that McAfee's doing important security work. Sort a makes a body glad for AVG Free.

This is useful financial info, but if I was paying McAfee $ to secure my machine, I wouldn't want it spent this way!

Posted by: Kfritz | October 16, 2008 9:43 AM | Report abuse

Brian, the problem with these "statistics" is that there is no indication that the results are statistically significant. In other words, the results may mean nothing whatsoever.

Posted by: Richard Bejtlich | October 16, 2008 10:42 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company