More Advisories, More Security
Thierry Carrez, 2005-02-14

More and more, we see articles questioning the security of a given platform based solely on the number of advisories published -- and this approach is simply wrong.

More Advisories, More Security 2005-02-15
Todd Knarr
There's another factor that needs to be considered besides just how fast patches to fix the problem are created, distributed and applied. That's whether a patch is even necessary. For example, there was an OpenSSL vulnerability that, while dangerous, could easily be neutered merely by turning off one not-commonly-used authentication method. Recently there was an exploit for the "shell:" protocol in popular browsers on Windows that could be easily closed in the Mozilla-based browsers by just turning off handling of the "shell:" protocol entirely. In both cases, even before a patch to fix the actual problems existed, users had ways of avoiding exposure without compromising usability very much (if at all). Contrast these to some of the recent IE-related exploits where the only ways of closing off the hole would cripple large portions of the system, leaving users to wait completely exposed until a patch arrived.


Link to this comment: http://www.securityfocus.com/comments/columns/299/30606#30606
More Complexity, More Insecurity 2005-02-21
Matthew Murphy







 
