Pensieri di un lunatico minore

4 April 2007 Security

Time is security

Earlier, I commented on the speed, or lack there-of for Microsoft’s addressing a vulnerability. First, I want to make a point that Microsoft is not the only vendor that tends to take absurd amounts of time to release fixes. Apple is also guilty of this, as are others. Microsoft simply represents the single largest attack surface for the Internet as a whole.

Now that Mike Reavey has addressed some people’s concerns, I wanted to take a look at the timeline that he offered. First, a small graphical version:

MS 07-017 Timeline

I’ve used estimated process dates from his posting, but they’re accurate enough for the point needing to be made. Overall, I think the basic process is sound, but there’s a troubling bit:

The next stage in our investigation process is creating and testing the security updates which this update went through in February and March. This is an extensive process that takes, on average, two months for the majority of Windows related security updates.

Two months to test a security update. I’ve heard from various former Microsoftians that “building Windows” is a gigantic undertaking that has an enormous staff just to babysit the compilation process. This, combined with some of the horror stories about how code is managed, indicates a faulty process that has been scaled by brute force up to an absurd level. I may be wrong, but two months should not be required to regression test a patch, unless it touches everything.

Therein lies my fear: that a patch to fix a buffer overflow represents a monstrous undertaking. Jokes aside about Windows and QA, the vast majority of the process should be automated, and building should not require a single minute of human interaction most of the time. Anything else is scalable only because of the effective monopoly that Microsoft wields in the marketplace.

This entry was posted at 9:58 pm on 4 April 2007 and is filed under Security.
