Originally posted by: Nothinman
But the release of security announcements probably goes through PR just like all press releases, so it's possible they could have a quota of non-critical releases. If there's a known exploit or even a post on BugTraq they probably consider the release a must, but I could definitely see them holding back on things they found internally that aren't known outside yet to help their image.
I don't want to get involved in a flamewar, but I thought I could shed some light on this debate just because I happen to work at said company, in the OS division, as a person who writes code.
The fixes for critical vulnerabilities that we are made aware of (whether from external reporting, or internal testing) are usually posted to the latest Windows source tree within hours. Security vulnerabilities are top priority, and they simply do not exist in our bug tracking database for long because they get everyone's attention. Many are resolved before I even notice them. I can't say for sure that all of them are fixed that quickly, but from what I've seen it's a pretty good estimate.
Sometimes these fixes are made easier by fantastic customers who have narrowed down the problem to such an extent that a single e-mail isolates the flaw. These customers are some of the best people around, because they have not only taken it upon themselves to notify us of the flaw, but have agreed to work with Microsoft to help solve the problem, rather than going public before a patch is ready to get publicity. It warms my heart immensely to know that good people like this still exist on our planet. Whenever I am saddened by news that some twisted hacker has caused $billions of damage by releasing an exploit, I try to think of how many more attacks have been thwarted by these good souls.
Unfortunately, fixing the vulnerability is the easy part. The much harder problem is solving how to distribute the fix to the customer in the most painless way possible. Hundreds of factors come into play. Take a few hypothetical scenarios:
Is the vulnerability susceptible to a remotely exploitable elevation-of-privilege attack? Is an exploit for this vulnerability already public? If so, such a flaw would probably warrant an immediate critical update patch. Such patches are the most painful to customers because they could be announced at any moment, and they must be installed immediately to prevent further outbreak.
Or perhaps the vulnerability was reported by a concerned customer through Product Support Services. If the customer kept the vulnerability confidential and there is no known public exploit for the vulnerability, then MS has more time to make the patches less painful to customers. One way to do this is to release periodically several of these patches in a bundle, to ease the burden on system administrators who are obviously least efficient when applying patches one at a time on irregular schedules.
Among the other legion factors in patch release management is regression testing: MS wants to do its best to make sure that these patches, when installed, will not break software components unnecessarily. When you consider the sheer number of possible combinations of OS version (9x, Me, NT4, NT4 Server, 2k, 2k Server, 2k AS, XP, 2003, etc.), hardware configuration (CPU, video, RAM, etc.), and software configuration (drivers, system utilities, anti-virus, firewall, etc.), you can imagine how difficult regression testing can be. Nevertheless, such tests are extremely important to ensure these patches meet the quality bar.
I could go on, but I think you get the idea. Obviously I don't know everything that happens inside MS. But from what I've seen, MS makes every effort possible to address critical vulnerabilities in a timely fashion. Most of the patches you've seen recently are entirely pre-emptive (i.e., there was no public knowledge of the vulnerability before the Microsoft announcement). And I know of no critical vulnerability that we are refusing to patch "because of the bad PR it might cause."
And please, please don't take this post the wrong way: I am not intending to upset anyone. I'm just trying to shed light on the issue from the MS perspective.
Just to be clear lest lawyers somehow twist my words: this post represents my own opinion, and in no way claims to represent the views of Microsoft Corporation. It should not be construed as an official statement or press release in any way, shape, or fashion.