Microsoft's bug reports fail to produce prompt patches
55% of the flaws Microsoft reported to other vendors in the last 12 months go unfixed
Computerworld - Even Microsoft can't move software makers to patch their products.
According to data released Wednesday by the company, third-party developers patched just 45% of the vulnerabilities that Microsoft's security team reported to them during the 12 months from July 2009 to June 2010.
The newest number, however, was more than triple that during the year-long stretch through June 2009, when developers patched a measly 13% of the bugs Microsoft reported.
Yesterday's data came from a progress report issued by the Microsoft Vulnerability Research, or MSVR, a program launched in August 2008 in which the firm's security researchers report bugs they find in third-party software, and coordinate with other firms to make sure that details of the flaws don't go public until patches are ready.
Microsoft tried to explain the sluggish patching pace of its MSVR partners. "Most vulnerabilities identified ... since July 2009 have not yet been resolved," the progress report admitted. "This is not entirely surprising -- in most cases the vulnerabilities ... have been low-level architecture issues that are not easy to resolve, and vendors require considerable time to develop an effective resolution and test it thoroughly."
The pattern was repeated in a July 2009 episode that Microsoft touted as a good example of the MSVR program at work.
The multi-patch event began when Microsoft fixed a bug in a code "library," dubbed Active Template Library (ATL), that was extensively used by both Microsoft and other developers to craft software with the former's Visual Studio development platform. Anyone who had called on the flawed ATL to create programs was then forced to patch Visual Studio, then recompile their code and distribute the new, secure software to users.
Even though Microsoft went to great lengths to reach out to third-party developers who had used the buggy ATL -- identifying vendors whose products needed updates, holding confidential conference calls with each developer and sharing proof-of-concept exploit code with them to illustrate the danger -- fewer than a third actually patched their programs.
"Of the 37 vendors on the initial MSVR list, 12 had released updates to address the ATL issue by the time the process had concluded," the progress report acknowledged.
Adobe, which had used the buggy Microsoft library to create its Flash Player browser plug-in, was the first third-party developer to fix the flaw. Adobe updated Flash Player just two days after Microsoft patched the ATL vulnerability in Visual Studio.
Microsoft did not reveal the number of vulnerabilities its engineers found and reported to other companies in last 12 months, but did note that 97% of the bugs were rated by Microsoft as either "critical" or "important," the company's two highest threat rankings in its four-step scoring system.
The MSVR progress report can be downloaded in PDF or XPS formats from Microsoft's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts