Microsoft has shortest average patch development time at 18 days, compared to other OS's.

Since its "Security Epiphany" in 2003, similar to the Internet epiphany in 1995, Microsoft has shown that it can optimize its operational processes based on top customer feedback (a bad security perception). Microsoft also released its own Security Intelligence Report last week, detailing its view of emerging security threats based on the first half of 2007.


“Of the five operating systems tracked in the first six months of 2007 (figure 18), Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications.”

Symantec Internet Security Threat Report
Trends for January–June 07
Volume XII, Published September 2007
Page 54

Full PDF Report:

http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf

Update - More Graphics

Window of exposure for web browsers


Data breaches that could lead to identity theft by sector


Comments

Many more interesting trends in the full PDF

Have a look at page 53 and page 57.

There's also a breakdown of web browser vulnerabilities on page 61 which shows that, once again, Opera is the safest browser by a LONG way.

I haven't finished reading it all yet but it looks like the rest is just as interesting as the bit I have read.
John Gilham at 1/9/2008 8:44 PM

Re: Microsoft has shortest average patch development time at 18 days, compared to other OS's.

Well, here is a post of security data from 2006 so as not to focus on the snapshot of 1H2007. While there may be a negative perception based on attack surface of available targets (and actual tangible risk is increased of using a Microsoft solution), the "numbers" have statistically been in Microsoft's favor post Windows XP SP2.

http://blogs.csoonline.com/days_of_risk_in_2006

Now I will agree that any security data is not perfect, subject to taxonomy restrictions, and very hard to quantify as "more secure/less secure"...but all data leads to MS being slightly better than its competition in the security responsiveness area. Trending analysis also shows this as well.
John Gilham at 1/9/2008 8:44 PM

where did the Vista data come from?

If this was Jan to Jun 07, there honestly could not have been measurable datum collected, as well as the fact that this article portrays the data as coming direct from Symantec, where actually the bar graph is nothing remotely close to the actual Figure 18 listed in the PDF file. Your data is flawed.
John Gilham at 1/9/2008 8:44 PM

Re: Microsoft has shortest average patch development time at 18 days, compared to other OS's.

the open source doesn't publish the vulnerability bulletins until a patch is released.
John Gilham at 1/9/2008 8:44 PM

hope it helps to correct a perception

Hope it helps to correct a perception ... MS is as good or as bad as the rest.

Carried on www.winvistaclub.com . Thanx ! :)
John Gilham at 1/9/2008 8:44 PM

Post link fixed

I updated the correct link in the post.

I would agree that before 2003, it was not a top concern...but MS was no worse off than the rest of the industry/OSS IMHO.
John Gilham at 1/9/2008 8:44 PM

Lies, damned lies...

While it's good to see that they are improving, the figures still do lie a little bit.  Microsoft often don't announce a vulnerability until they have a patch ready for download whereas open source projects are unable to do such a thing.  This significantly lowers the average-time-to-patch for Microsoft while doing little to improve security.

In the past, Microsoft have had one of the worst records when it comes to vulnerabilities that never got patched.  I'd like to see whether that has been addressed in this latest report but I think they must have moved it because the link you provided goes to a 404.
John Gilham at 1/9/2008 8:44 PM

Comments Restored

I restored some comments from a previous blog...sorry about the created by and dates being incorrect.
John Gilham at 1/9/2008 8:55 PM

Copyright 2007-2009 Gilham Consulting - All rights reserved

San Diego Computer Consulting - San Diego IT Consulting - San Diego IT Support - San Diego Managed IT Services
San Diego Network Security Consulting - San Diego VOIP Phone System for Business