Why did Microsoft take so long?
Published: 13 Feb 2004 15:00 GMT
Security researchers are both criticising and empathising with Microsoft for the 200 days that the company needed to create its latest critical software patch.
The six-plus months is the longest that the software giant has taken to release a fix since it started its Trustworthy Computing initiative, a companywide mandate to make security a top priority. Taking so long to fix a serious issue casts doubt on how much progress Microsoft has made in the two-year effort, said Marc Maiffret, chief hacking officer for security research firm eEye Digital Security.
"If it really took them that long technically to make [and test] the fix, then they have other problems," Maiffret said. "That's not a way to run a software company."
On Tuesday, Microsoft released a patch for vulnerabilities in a common networking component of Windows NT, Windows 2000, Windows XP and Windows Server 2003. The flaws could allow an attacker to compromise any computer running those versions of Windows, or could be used to build a worm capable of spreading across a large number of Internet-connected systems.
eEye notified Microsoft of the issue on 25 July and of a second, similar issue on 25 September. The software giant didn't release a fix for either problem until this week, 200 days after the first report.
Microsoft defended its responsiveness to security issues. The time required for each step in the patching process -- from discovery and verification of the problem to creating and testing the fix -- can vary, said Jeff Jones, senior director of Trustworthy Computing.
"If our goal was to get everything out in 30 days or 60 days, we could do that," Jones said. "But our goal is to get out a quality patch."
Other security researchers agreed that 200 days, while long, is not necessarily a sign of problems.