Microsoft has shortest average patch development time at 18 days, compared to other OS's.

Since its "Security Epiphany" in 2003, similar to its Internet epiphany in 1995, Microsoft has shown that it can optimize its operational processes based on top customer feedback (a bad security perception). Microsoft also released its own Security Intelligence Report last week, detailing its view of emerging security threats based on the first half of 2007.

“Of the five operating systems tracked in the first six months of 2007 (figure 18), Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications.”

Symantec Internet Security Threat Report
Trends for January–June 07
Volume XII, Published September 2007
Page 54

Full PDF Report:

http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf

Update - More Graphics

Window of exposure for web browsers

Data breaches that could lead to identity theft by sector

Comments

Many more interesting trends in the full PDF

Have a look at page 53 and page 57.

There's also a breakdown of web browser vulnerabilities on page 61 which shows that, once again, Opera is the safest browser by a LONG way.

I haven't finished reading it all yet but it looks like the rest is just as interesting as the bit I have read.
John Gilham at 1/9/2008 8:44 PM

Re: Microsoft has shortest average patch development time at 18 days, compared to other OS's.

Well, here is a post of security data from 2006, so as not to focus on the snapshot of 1H2007. While there may be a negative perception based on attack surface of available targets (and actual tangible risk is increased of using a Microsoft solution), the "numbers" have statistically been in Microsoft's favor post Windows XP SP2.

http://blogs.csoonline.com/days_of_risk_in_2006

Now I will agree that any security data is not perfect, subject to taxonomy restrictions, and very hard to quantify as "more secure/less secure"... but all data leads to MS being slightly better than its competition in the security responsiveness area. Trending analysis also shows this as well.
John Gilham at 1/9/2008 8:44 PM

where did the Vista data come from?

If this was Jan to Jun 07, there honestly could not have been measurable datum collected, as well as the fact that this article portrays the data as coming direct from Symantec, where actually the bar graph is nothing remotely close to the actual Figure 18 listed in the PDF file. Your data is flawed.
John Gilham at 1/9/2008 8:44 PM

Re: Microsoft has shortest average patch development time at 18 days, compared to other OS's.

The open source doesn't publish the vulnerability bulletins until a patch is released.
John Gilham at 1/9/2008 8:44 PM

hope it helps to correct a perception

Hope it helps to correct a perception ... MS is as good or as bad as the rest.

Carried on www.winvistaclub.com. Thanx! :)
John Gilham at 1/9/2008 8:44 PM

Post link fixed

I updated the correct link in the post.

I would agree that before 2003, it was not a top concern... but MS was no worse off than the rest of the industry/OSS IMHO.
John Gilham at 1/9/2008 8:44 PM

Lies, damned lies...

While it's good to see that they are improving, the figures still do lie a little bit.  Microsoft often don't announce a vulnerability until they have a patch ready for download whereas open source projects are unable to do such a thing.  This significantly lowers the average-time-to-patch for Microsoft while doing little to improve security.

In the past, Microsoft have had one of the worst records when it comes to vulnerabilities that never got patched.  I'd like to see whether that has been addressed in this latest report but I think they must have moved it because the link you provided goes to a 404.
John Gilham at 1/9/2008 8:44 PM

Comments Restored

I restored some comments from a previous blog...sorry about the created by and dates being incorrect.
John Gilham at 1/9/2008 8:55 PM

Copyright 2007-2009 Gilham Consulting - All rights reserved