On April 12th, 2023, Microsoft released a slew of new patches for its Windows operating system, one of which was to fix CVE-2023-21554, a remotely-exploitable vulnerability in the obscure Windows Message Queuing (MSMQ) service that can lead to remote code execution (RCE).

Google's Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year.

• In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.
• In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period.
• Differences in the amount of time it takes a vendor/product to ship a fix to users reflects their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies.
• This data aggregation and analysis is relatively new for Project Zero, but we hope to do it more in the future. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities, as well as more data sharing and transparency in general.