
Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Six Years of Microsoft Monthly Patches, Many More to Come

It has been pointed out by some commentators that this month marks the sixth year of Patch Tuesday, the day (the second Tuesday of every month) on which Microsoft releases its Security Bulletins. In that period around 400 individual bulletins have been released, more than half of them carrying Microsoft's highest security rating of Critical. The number of vulnerabilities fixed each year continues to grow, with no sign that things will slow down any time soon.

Microsoft's move to a routine monthly release cycle was seen as a good thing by Information Technology specialists and system administrators. For the first time, it gave end users and administrators a known, routine point in time at which security patches would be delivered, and allowed people to develop patch testing and rollout plans and procedures more effectively. This was a vast improvement over the ad-hoc release cycle that Microsoft had been following until October 2003. Microsoft still releases ad-hoc patches, though they are now referred to as out-of-cycle patches and are most often seen when a serious threat is posed to systems, normally in response to a widely attacked vulnerability.

Perhaps the greatest overall benefit of the monthly release cycle is that it reduces the exploitability window: the time between the discovery of a vulnerability and the appearance of the first exploits on one side, and the release of a patch and its application to vulnerable systems on the other. It works less well when the vulnerability has been publicly discussed and the details have been freely available well ahead of the patch release, but for vulnerabilities that have not been disclosed in this way the approach severely limits their usefulness as widespread exploits. This benefit is offset where administrators, struggling with the increasing number of patches and vulnerabilities addressed each month, delay the eventual implementation of the patches on their systems. Some Information Security companies provide services to help administrators in this situation rapidly identify what the patches are going to do and what can be done in the interim to protect vulnerable systems before the patches can be applied.

Since Microsoft has moved to a monthly release cycle, other major software vendors have also moved away from ad-hoc patch release cycles, with the most notable cyclical patch release being Oracle's quarterly security patch releases. Some might argue that quarterly is too infrequent for patching, especially when many of the flaws being patched allow for complete remote control of various Oracle database and software platforms. Others would argue that quarterly is an appropriate release timeframe, as database and enterprise software administrators are not going to be likely to take their platforms offline monthly in order to apply patches, and even quarterly might be too frequent for that purpose (although there are some ways to mitigate that). Adobe has also moved to a quarterly patching cycle for its range of software products.

Not all vendors stick to such a reliable cycle. Linux distributions are often the most fluid when it comes to patch release frequency: there isn't always a defined timeframe for releases, patches simply appear when they are needed. Other large software vendors, such as Apple, continue to release patches on an ad-hoc cycle.

There are commentators who consider the whole procedural, rigid patch release cycle a fundamentally broken system. That is certainly one way to look at it; however, given the current state of deployed software and operating systems, it is one of the better solutions available. Not everyone is going to be able to manage their systems in an environment where patches are provided on an ad-hoc basis (Apple, or the frequent ad-hoc approach of many Linux distributions). It's not a perfect system by any stretch of the imagination, but it is an improvement over what has come before. The addition of an Advance Notification release on the Thursday before patching gives just that little bit of extra awareness about what might be released, and allows the testing and deployment of the patches to be shortened if need be to address a higher threat.
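As an added example (not from the original article), the scheduling arithmetic behind the cycle described above in Python: the second-Tuesday bulletin date, the Thursday-before Advance Notification date, and the exposure window between disclosure and actual patch application, measured over constructed sample vulnerabilities rather than real bulletins.

```python
# Added example: Patch Tuesday scheduling and exposure-window arithmetic.
# The sample vulnerabilities below are constructed, not real Microsoft bulletins.
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's monthly bulletin day."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; distance from the 1st to the first Tuesday
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def advance_notification(year: int, month: int) -> date:
    """The Thursday before Patch Tuesday, when the Advance Notification is published."""
    return patch_tuesday(year, month) - timedelta(days=5)


def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly after the given date (handles the year roll-over)."""
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
    return patch_tuesday(year, month)


def exposure_window_days(disclosed: date, applied: date) -> int:
    """Days a system stayed exploitable: from public disclosure (or first exploit)
    until the patch was actually applied, which is the article's exploitability window."""
    if applied < disclosed:
        raise ValueError("patch applied before disclosure")
    return (applied - disclosed).days


SAMPLE_VULNS = [  # constructed sample data
    {"name": "vuln-A", "disclosed": date(2009, 10, 1), "applied": date(2009, 10, 20)},
    {"name": "vuln-B", "disclosed": date(2009, 10, 14), "applied": date(2009, 11, 12)},
]


def exposure_report() -> dict:
    """Per sample vulnerability: the next bulletin day after disclosure, the minimum
    window if patched on that day, and the actual window given when it was applied."""
    report = {}
    for v in SAMPLE_VULNS:
        bulletin_day = next_patch_tuesday(v["disclosed"])
        report[v["name"]] = {
            "patch_tuesday": bulletin_day.isoformat(),
            "min_window_days": (bulletin_day - v["disclosed"]).days,
            "actual_window_days": exposure_window_days(v["disclosed"], v["applied"]),
        }
    return report
```

A disclosure that lands the day after Patch Tuesday (vuln-B) waits almost a full month for a scheduled fix, which is the situation where an out-of-cycle patch or interim mitigation matters most.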

Microsoft's big push for improved security over the last few years hasn't always been successful, and the newly released Windows 7 has already had Critical patches released for it, even before it hit the retail shelves.

In coming years Windows 2000, then Windows XP will stop being supported by Microsoft and the focus will then be increasingly on systems that were developed following Microsoft's massive shift towards secure development practices. The number of patches released each year is still expected to keep growing and the second Tuesday of every month is going to be a busy one for Information Security staff and system administrators for a very long time to come.

22 October 2009
