Why can't Microsoft just patch everything?

Nearly four years ago, Microsoft's Bill Gates ate some humble pie and declared that they must do much better with their security issues and launched the Trustworthy Computing Initiative.  One and a half years later, the company launches Windows 2003 Server with fewer vulnerabilities and extremely defensive default settings.  Another year goes by and Microsoft releases Windows XP SP2 with many new enhanced security features.  Almost 4 years after the launch of Trustworthy Computing, I found myself wondering why am I staying up till 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated in to something extremely dangerous.

Technically, this is a new twist to an old vulnerability that was originally deemed "low risk" because it initially thought to only be capable of producing Denial of Service attacks.  While I have nothing but disgust for the British company that released this zero-day exploit in to the wild when people have no way of defending themselves, Microsoft is an extremely wealthy company with an army of programmers.  If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?  Had Microsoft fixed this vulnerability six months ago even though it was low risk, perhaps we could have avoided this entire incident.

Apple, Mozilla, and Oracle have all recently been plagued with significantly more vulnerabilities and flaws than Microsoft, but Microsoft seems to be the only one that leaves a few vulnerabilities unpatched here and there.  Granted that almost all of these unpatched problems are minor to moderately minor problems, but it leaves the perception that Microsoft leaves holes in their software and just doesn't care enough to patch all their flaws.  Take this detailed comparison of Firefox versus Internet Explorer, it clearly shows Microsoft having fewer vulnerabilities this last year but has far more vulnerabilities unpatched, that's 6 (7 if you count this latest serious vulnerability) unpatched flaws for IE 6 and 0 for Firefox.  Even though Firefox has been hit with many more vulnerabilities compared to IE, Firefox proponents can take the high road and claim victory because at least their vulnerabilities are patched.

If we look at Secunia's database for Windows XP vulnerabilities, we see that 22% of the vulnerabilities are unpatched.  Although most of these issues are minor or moderate, the most serious one is "highly critical".  It boggles my mind how Microsoft could allow this to badly mar their vastly improved security record with Windows XP SP2, Windows 2003 server, and IIS 6.0.  With Microsoft's delicate reputation on security, you would think that some Product Manager would be cracking some heads open somewhere in Redmond over this.  IT Managers and CIOs should be giving their Microsoft Rep an earful over this.

Here is a list of unpatched Windows XP issues:

• Microsoft Windows UPnP GetDeviceList Denial of Service
• Microsoft Windows XP Wireless Zero Configuration Wireless Profile Disclosure (Microsoft promises a fix for Windows Vista, but what about Windows XP SP2?  That's still the most up to date environment the last time I checked.)
• Windows Registry Editor Utility String Concealment Weakness
• Microsoft Windows Unspecified USB Device Driver Vulnerability
• Windows Remote Desktop Protocol Private Key Disclosure
• Microsoft Windows Image Rendering Denial of Service Vulnerability
• Microsoft Jet Database Engine Database File Parsing Vulnerability
• Windows Registry Key Locking Denial of Service
• Windows XP Internet Connection Firewall Bypass Weakness
• Windows Packet Fragmentation Handling Denial of Service Vulnerability
• Microsoft Java Virtual Machine Cross-Site Communication Vulnerability
• Microsoft Windows "desktop.ini" Arbitrary File Execution Vulnerability
• Windows Metafile Handling Vulnerability
• Windows XP Malicious Folder Automatic Code Execution Vulnerability
• Microsoft HTML Help Control Privilege Escalation Vulnerability
• Windows RPC Race Condition Denial of Service Vulnerability
• Microsoft Windows Unauthorised Thread Termination
• Microsoft Windows TCP Packet Information Disclosure
• Windows NTFS File System Information Disclosure
• XP PostMessage Password Disclosure
• Microsoft Windows Terminal Server Denial of Service
• Microsoft Windows crashes on invalid font file
• Microsoft Windows Certificate Chain vulnerability
• Windows XP expose registered wireless access points
• Windows XP admin downgrade problem
• NT will let user execute any 16bit application
• XP Remote Desktop DoS

Microsoft should respond to each and every one of these issues and what they intend to do about them.  They should give us an ETA on when they intend to fix these problems if ever.  In my opinion, Microsoft should take the high road and just fix everything and lead the software industry by example.  Most people who read my blogs know that I am anything but a Microsoft hater.  I like Microsoft technology and I spent a lot of time deploying it.  While I believe there are plenty of times that Microsoft gets treated unfairly, I think these questions are more than fair.  I await Microsoft's answer.