i-Technology Opinion: Security Not a Microsoft Priority
"It's Time for Microsoft to Devote More Attention to Providing Timely Fixes for Its Software and Less Time Telling Us How Good It Is at Security"
By: Steve Suehring
Folks out of Redmond have been talking more than usual about the advantages of Microsoft's security and its track record. Witness the statements from Microsoft's chief of security in this article, and Bill Gates himself speaking about security in an interview with the BBC.

As released onto the Bugtraq mailing list, both Windows XP Professional with SP2 and Windows Server 2003 are vulnerable to an old, old, old and, incredibly enough, previously patched flaw in their TCP stack. The attack, called a LAND attack, sends a TCP SYN packet whose source address and port are identical to its destination address and port, and it causes a DoS condition against the operating system. Of course, it's only applicable if XP SP2 isn't running the Windows Firewall, but that is exactly the case on many (most?) corporate networks today. Windows Server 2003 likewise does not run with its own firewall; it is probably hidden behind an external one. However, if that server happens to be running a public web server or another TCP-based service on the Internet, every port the external firewall forwards to it is exposed to this attack. Microsoft was notified 10 days ago about this vulnerability and has done nothing about it: no fix, not even an announcement. Meanwhile, the computers are vulnerable to the first person who can write a shell script to exploit this DoS.

Another critical vulnerability, patched last month, allows an attacker to craft a URL that, when viewed with Internet Explorer, is rendered at the security level of the "Local" zone, which has far less protection than the other zones in Internet Explorer's protection scheme. More details on this vulnerability are in this post to the Bugtraq mailing list. While the vulnerability itself isn't the issue here, the length of time until the fix was released is certainly cause for concern. According to the post, Microsoft was informed of the vulnerability on February 16, 2004, over one year ago. It took until September for an initial fix to be released for testing, and that fix didn't even solve the problem. Only last month was the patch released to the public.
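The LAND condition described above, as an added detection example that is not code from the article: a small Python parser reads a raw IPv4 header plus TCP header and flags any packet whose source and destination address and port are identical with SYN set, which is the classic LAND signature. A practitioner can feed it frames captured on the exposed server's interface to confirm that the external firewall really drops such packets rather than forwarding them to port 80. The packet builder, the sample packets and the function names are constructed here for illustration; the addresses are documentation ranges.

```python
import struct

SYN = 0x02  # TCP flag bits (byte 13 of the TCP header)
ACK = 0x10


def parse_ipv4_tcp(packet: bytes):
    """Parse a raw IPv4 header followed by a TCP header.

    Returns (src_ip, dst_ip, src_port, dst_port, flags), or None when the
    bytes are not an IPv4/TCP packet or are too short to hold both headers.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length incl. options
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                         # malformed, not TCP, or truncated
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    return src_ip, dst_ip, src_port, dst_port, flags


def is_land_packet(packet: bytes) -> bool:
    """Classic LAND signature: SYN with source == destination address and port.

    No legitimate connection can have an identical 4-tuple in both directions,
    so a match is always hostile (or a broken stack) and is safe to drop.
    """
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src_ip, dst_ip, src_port, dst_port, flags = parsed
    return src_ip == dst_ip and src_port == dst_port and bool(flags & SYN)


def build_packet(src_ip, dst_ip, src_port, dst_port, flags) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet as detector test input
    (checksums left zero; this is not something to put on a wire)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic (documentation address ranges): 192.0.2.10 plays
# the exposed web server from the article, 198.51.100.5 an outside client.
SAMPLE_PACKETS = {
    "land":              build_packet("192.0.2.10", "192.0.2.10", 80, 80, SYN),
    "normal_syn":        build_packet("198.51.100.5", "192.0.2.10", 51234, 80, SYN),
    "same_port_diff_ip": build_packet("198.51.100.5", "192.0.2.10", 80, 80, SYN),
    "same_ip_ack_only":  build_packet("192.0.2.10", "192.0.2.10", 80, 80, ACK),
}


def scan(packets: dict) -> list:
    """Return the names of the packets that match the LAND signature."""
    return [name for name, pkt in packets.items() if is_land_packet(pkt)]


if __name__ == "__main__":
    print("LAND packets:", scan(SAMPLE_PACKETS))  # LAND packets: ['land']
```

The check is deliberately narrow so that it never fires on real traffic: a SYN to port 80 from a client on port 80 is unusual but legal, and an ACK with an identical 4-tuple is anomalous but is not the LAND packet, so neither sample is flagged. A border firewall should additionally drop any inbound packet whose source address belongs to the protected network, which stops LAND and other spoofed-source attacks before the host stack ever sees them.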
Microsoft classified this vulnerability as critical, yet sat on the information for nearly a year. The only people who have known about this vulnerability for the last 12 months are Microsoft, the person who disclosed it, and any malicious user anywhere in the world who found it independently. Microsoft merely controlled the information while leaving the general public at risk of having this critical vulnerability exploited on unwitting users' computers.

The "MSN Messenger PNG Image Parsing Vulnerability" disclosed last month by Core Security is another example of an unacceptable delay in disclosing a vulnerability and providing a fix. Microsoft was originally informed of this critical vulnerability on August 23, 2004, yet a fix wasn't released until February 8, 2005. As with the others, Microsoft classified the MSN Messenger vulnerability as critical, yet took nearly six months to release a fix. While this vulnerability doesn't affect as many users as the Internet Explorer vulnerability, it's still important to fix such a flaw in a timely manner. Again, the only people who knew about the vulnerability were Microsoft, the discoverer, and anyone else in the world who also discovered it but didn't report it.

Contrast Microsoft's policy of information control rather than vulnerability control with any given Linux vendor's policy of open information and rapid release of fixes. Many vulnerabilities in Linux systems are fixed the same day they are disclosed. In addition, Linux vendors frequently fix third-party software packages that can be installed on their systems. That would be akin to Microsoft releasing fixes for software like Winamp or RealPlayer.

Some might point out that Microsoft's delay in producing patches for these and other vulnerabilities is caused by the sheer complexity of producing patches for its software. Microsoft cannot simply patch the vulnerability and release the patch to the public; much testing needs to be done to ensure that the patch doesn't create unforeseen problems with other software. Testing is a legitimate reason for a delay in releasing a patch, but it's certainly not Microsoft's reason. How quickly we forget the re-releases of patches because of "unexpected consequences." I would also hope that any testing performed on a patch doesn't take a year, which was the length of time between the latest Internet Explorer vulnerability report and the patch being released to the public.

If complexity is the reason for the delay in releasing a patch, then Microsoft has indeed learned nothing from its repeated attempts to improve security, and it only furthers my point that Microsoft truly does not understand computer security. Complexity is the enemy of security. If the software is so complex that fixing a critical vulnerability takes months, then it's time to solve the root problem rather than merely and continually treating the symptoms. It's time for Microsoft to devote more attention to providing timely fixes for its software and less time telling us how good it is at security.