Recently I spoke with Scott Culp of the Microsoft Security Response Center (MSRC). It was hard not to be impressed by the (MSRC) dedication to fixing its products. No matter what you think of Microsoft, an awful lot of very smart, very dedicated people work there. I think I found just such a group in MSRC.
I heard what Scott said about how they took 15,000 reports to MSRC last year and distilled them down into about 60 security bulletins, and some of the reasons he gave for what seems to be such a relatively small number. I also asked about how long it takes them to react from first report to security patch. You've probably heard all the stories about how Microsoft gets these reports then sits on them, hoping that they'll just go away. While MSRC would love to respond much more quickly, there is a reason for what appears to be inactivity.
Because every problem and affected product is so very different, there is no typical time frame for a complete turnaround on a problem. Complicating things is how many versions of a product can be affected by a security problem. Scott used Word, with its 25 language versions running on how many operating system versions, as an example. When you take what is probably hundreds of variations, multiply that by even just the most typical hardware configurations, multiply again by other products that Word may be interacting with, multiplied again by the various ways that Microsoft delivers security updates, you begin to get a sense of the challenge. And interactions between Microsoft products are a whole other layer of complexity, particularly when the problem affects something like Internet Explorer, which is a part of so many products.
People are screaming at Microsoft for taking its sweet time responding to a problem, if it ever does. At the same time, anyone who has ever installed a security patch that has broken an application is screaming that Microsoft should be more careful about developing patches that work. Finally, mix in a bit of the Evil Empire suspicions and you begin to understand why Microsoft just can't win. Except, perhaps, by shipping only perfect products, but that's a different issue.
Timeliness vs. Quality
With some streamlining to simplify things a bit, Microsoft does its best to test every combination of hardware and software it can, which is a huge number. For example, localization doesn't need to be tested in every security patch. Scott and his team also know that if the quality of patches goes down, fewer people will install them, causing more and continuing problems in an ever tightening loop.
Security Through Obscurity
He also talked a bit about Microsoft's stance on protection through obscurity. It is common knowledge that Microsoft doesn't release details of a problem until it has a solution. More commonly, the discoverer of the problem trumpets the accomplishment, giving malicious hackers the ammunition they need to develop attacks before Microsoft has released a solution. The usual Evil Empire spin on this is that Microsoft doesn't want the world to know how full of security holes its products are. This is a particular rallying cry of the open source community, who works under the philosophy of protection through disclosure. That works in the open source world, since everyone has access to the source code.
But I digress. Microsoft's goal in the security bulletins is to provide the user or admin with enough information to assess the risk, understand what bad things can happen, and protect themselves. Information about how to exploit the problem is not useful to users and admins except as a curiosity. But it is useful for academics and others who are trying to understand security. So Microsoft has a 30-day rule. A month after they release the patch, giving users and admins plenty of time to install the patch, they'll release more details to various groups, including any demos of how to exploit the problem. Not a perfect solution, but one that seems reasonable.
I have to admit that I feel better about the whole situation and Microsoft's response to it. They're not perfect, but the people there certainly are trying their hardest to fix things when problems are found.