Biography of a Worm

Patch Delays: How Long Is Too Long?

Some security experts say software companies are taking too long to create security patches, leaving computers unprotected for months.

In the case of the LSASS vulnerability, eEye senior software engineer Yuji Ukai is baffled by the amount of time that it took Microsoft to fix one line of code. "LSASS was not a complex fix, so it was incomprehensible to me that they took 188 days to supply a patch," he says. "It's an unwritten rule that you give vendors 30 days to fix such a problem and 60 days if the problem is complex."

Rob Shively, CEO of PivX Solutions, a company that develops vulnerability and patch management software, agrees. If PivX has provided a company with enough proof of a vulnerability, PivX expects the vendor to patch that hole within a month, he says. If a patch is not available immediately, the vendor at fault should post a workaround (usually involving disabling the vulnerable feature in the program), "so users are not left in the lurch," he says.

In Microsoft's defense, Kevin Kean, director of the Microsoft Security Response Center, and Stephen Toulouse, Microsoft's security program manager, say that every hole or patch presents unique challenges. In the case of LSASS, 13 other vulnerabilities had to be fixed, explains Toulouse. Microsoft must balance timeliness and quality, says Kean. "We don't want to take risks that would cause people to distrust the patch."

But a security patch that takes more than six months to produce, even if it is well-tested and trustworthy when it arrives, is unacceptable, say some business users. Tom Kellerman, senior data risk management specialist at the World Bank, says, "We need patches before the underground finds exploits."

On the flip side, PC users have a lot of responsibility in this process, too, Kellerman adds. Users must install a patch within 24 hours of its release, he believes. When someone discovers a vulnerability, "hackers smell blood in the water, backdooring thousands of networks as [users] ponder when to patch."

MacDonnell Ulsch, managing director of Janus Risk Management, says that if customers are ever to get software that's secure straight out of the box, they must demand change. But for now, he adds, no one seems to be demanding it in an organized way.

More Online: Sasser News Updates

For news developments about Sasser, Sven Jaschan's trial, and other topics in this story that broke after this issue went to press, head to Virus and Worms.

Dan Verton is a senior writer for Computerworld. PC World Senior Associate Editor Andrew Brandt contributed to this article.
