Zero day exploits in Windows

And why Microsoft isn’t happy with Google.

So far this year Google has published details of three (fairly) major security holes in Windows that could be exploited for a variety of reasons, most likely by banking trojans and the like.

Microsoft isn’t happy because they were already working on patches for the last two. One of those patches was released only two days after Google published the details; the other (published today) had its patch pushed from the January to the February patch day because Microsoft wasn’t satisfied with it.

So one would think that Microsoft is right and Google is wrong.

I happen to disagree.

One of the reasons that Google (and other people who publish vulnerability details) keep such a tight schedule is that security holes, even after the people responsible had been notified, tended to stay unpatched for a very long time. Microsoft’s Internet Explorer in particular had a reputation for being vulnerable to exploits that Microsoft had known about for over a year. These days Microsoft is doing a much better job. But Microsoft isn’t doing a much better job because they feel the need to make their products more secure (although much has changed and they actually do), but because they now know that the details will be published after 90 days.

Many companies have proven that it’s possible to fix vulnerabilities within 90 days. Even Microsoft usually doesn’t do so badly. One has to consider, though, that Windows contains millions of lines of code, so some hidden bugs can be fairly hard to track down. They also have some of the best programmers working on it, though, so this really shouldn’t be an issue.

If Google is being consistent and doesn’t, for example, give RIM extra time to work on a patch, I think this is a good thing. I think 90 days is enough time, and I think Microsoft is capable of providing patches for its products in time without any problems. I just don’t think they’re making it a priority. Either that, or they need to streamline their project management and get the right people working on the fix early enough.

I really don’t think Microsoft needs 60 days to work on a patch, so I suspect they simply started late. Start early, have the right people working on it, and none of this will be a problem.

