Microsoft's bug reports fail to produce prompt patches

55% of the flaws Microsoft reported to other vendors in the last 12 months go unfixed

By Gregg Keizer
July 29, 2010 07:09 AM ET

Computerworld - Even Microsoft can't move software makers to patch their products.

According to data released Wednesday by the company, third-party developers patched just 45% of the vulnerabilities that Microsoft's security team reported to them during the 12 months from July 2009 to June 2010.

The newest number, however, was more than triple that during the year-long stretch through June 2009, when developers patched a measly 13% of the bugs Microsoft reported.

Yesterday's data came from a progress report issued by the Microsoft Vulnerability Research, or MSVR, a program launched in August 2008 in which the firm's security researchers report bugs they find in third-party software, and coordinate with other firms to make sure that details of the flaws don't go public until patches are ready.

Microsoft tried to explain the sluggish patching pace of its MSVR partners. "Most vulnerabilities identified ... since July 2009 have not yet been resolved," the progress report admitted. "This is not entirely surprising -- in most cases the vulnerabilities ... have been low-level architecture issues that are not easy to resolve, and vendors require considerable time to develop an effective resolution and test it thoroughly."

The pattern was repeated in a July 2009 episode that Microsoft touted as a good example of the MSVR program at work.

The multi-patch event began when Microsoft fixed a bug in a code "library," dubbed Active Template Library (ATL), that was extensively used by both Microsoft and other developers to craft software with the former's Visual Studio development platform. Anyone who had called on the flawed ATL to create programs was then forced to patch Visual Studio, then recompile their code and distribute the new, secure software to users.

Even though Microsoft went to great lengths to reach out to third-party developers who had used the buggy ATL -- identifying vendors whose products needed updates, holding confidential conference calls with each developer and sharing proof-of-concept exploit code with them to illustrate the danger -- fewer than a third actually patched their programs.

"Of the 37 vendors on the initial MSVR list, 12 had released updates to address the ATL issue by the time the process had concluded," the progress report acknowledged.

Adobe, which had used the buggy Microsoft library to create its Flash Player browser plug-in, was the first third-party developer to fix the flaw. Adobe updated Flash Player just two days after Microsoft patched the ATL vulnerability in Visual Studio.

Microsoft did not reveal the number of vulnerabilities its engineers found and reported to other companies in the last 12 months, but did note that 97% of the bugs were rated by Microsoft as either "critical" or "important," the company's two highest threat rankings in its four-step scoring system.

The MSVR progress report can be downloaded in PDF or XPS formats from Microsoft's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
