Microsoft patch delay may contribute to early exploit


re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950149,00.html

Wait a minute before jumping on this bandwagon:  "Nearly 200 days to research and resolve a 'critical' vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products."

If the flaw is in code that is used by many and varied applications, how long does it take to get a patch right?  I have no idea if 200 days is too long and I suggest that few people do outside of those involved with actually producing the patch.  Without knowing more, calling it "gross negligence" appears to me to be over the top.   After all, there is no 'X' for "no patch takes longer than X days to develop and adequately test".

We need to get it right.  Maybe a two-step patching approach (something about right quick and something more trustworthy later).  Maybe 200 days represents a lack of focus.  Maybe 200 days represents a reasonable length of time.

What we do know is that the problem is not this vulnerability, but common commercial practice that produces very complex IT that is full of flaws.  Decades of experience show that measures to produce security quality work and do produce trustworthy IT.  It is not that we do not know how to do it.  It is that it is not being done.

But let's not jump on MS for taking 200 days without knowing whether or not that was just what it took to try and do a good job with this patch.

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************