135 Days to Patch

Saw this on Slashdot originally, but the Washington Post is reporting that its taking Microsoft 25% longer (now ~135 days) to get critical patches out the door. This number falls to ~45 (from 71 days in 2003 and 55 days in 2004) when dealing with fully disclosed issues.

The company also seems to have done a better job convincing security researchers to give it time to develop a patch before going public with their vulnerability findings. In 2003, Microsoft learned of at least eight critical Windows vulnerabilities through full disclosure. Last year, this happened half as many times.

It looks like Microsoft is taking more time to verify and rigorously test the patches before they go out the door. When dealing with Security, QA is not something that should be neglected regardless of what the purported threat level may be. I don’t particularily have a problem with this and I’m sure that if the issue was deemed (by whom?) of critical enough importance that resources could be allocated to significantly reduce that 45 days. In fact we saw this happen earlier this year with MS patching a 0day exploit within 10 days.

Caveat of this post is that Windows is not actually my primary operating system. Sure I’ve got a Windows partition on my laptop but day to day, and much of the past decade, I’ve been a Linux user. Unfortunately, it’s going to take more than Security improvements to see me moving my development back to Windows.