Microsoft's bug reports fail to produce prompt patches
55% of the flaws Microsoft reported to other vendors in the last 12 months go unfixed
Computerworld - Even Microsoft can't move software makers to patch their products.
According to data released Wednesday by the company, third-party developers patched just 45% of the vulnerabilities that Microsoft's security team reported to them during the 12 months from July 2009 to June 2010.
The newest number, however, was more than triple that during the year-long stretch through June 2009, when developers patched a measly 13% of the bugs Microsoft reported.
Yesterday's data came from a progress report issued by the Microsoft Vulnerability Research, or MSVR, a program launched in August 2008 in which the firm's security researchers report bugs they find in third-party software, and coordinate with other firms to make sure that details of the flaws don't go public until patches are ready.
Microsoft tried to explain the sluggish patching pace of its MSVR partners. "Most vulnerabilities identified ... since July 2009 have not yet been resolved," the progress report admitted. "This is not entirely surprising -- in most cases the vulnerabilities ... have been low-level architecture issues that are not easy to resolve, and vendors require considerable time to develop an effective resolution and test it thoroughly."
The pattern was repeated in a July 2009 episode that Microsoft touted as a good example of the MSVR program at work.
The multi-patch event began when Microsoft fixed a bug in a code "library," dubbed Active Template Library (ATL), that was extensively used by both Microsoft and other developers to craft software with the former's Visual Studio development platform. Anyone who had called on the flawed ATL to create programs was then forced to patch Visual Studio, then recompile their code and distribute the new, secure software to users.
Even though Microsoft went to great lengths to reach out to third-party developers who had used the buggy ATL -- identifying vendors whose products needed updates, holding confidential conference calls with each developer and sharing proof-of-concept exploit code with them to illustrate the danger -- fewer than a third actually patched their programs.
"Of the 37 vendors on the initial MSVR list, 12 had released updates to address the ATL issue by the time the process had concluded," the progress report acknowledged.
Adobe, which had used the buggy Microsoft library to create its Flash Player browser plug-in, was the first third-party developer to fix the flaw. Adobe updated Flash Player just two days after Microsoft patched the ATL vulnerability in Visual Studio.
Microsoft did not reveal the number of vulnerabilities its engineers found and reported to other companies in last 12 months, but did note that 97% of the bugs were rated by Microsoft as either "critical" or "important," the company's two highest threat rankings in its four-step scoring system.
The MSVR progress report can be downloaded in PDF or XPS formats from Microsoft's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!