On Microsoft's new Security Bulletin release scheduling

I read The Inquirer every day through their RSS feed, and although its often amusing, they now have a very valid point: Microsoft's new release policy according to security fixes/bulletins is completely irresponsible.

Microsoft has now decided to release security bulletins and fixes only once a month, to make it more predictable when they are released and sysadmins can now plan upgrades easier. When I read that the first time, I thought: "WTF!? What are they thinking?". And it is still my opinion about the matter. This is serious stuff, people: when the Thursday after the security fixes are released a flaw is discovered and posted on the security focus forums, you have to wait at least another month before you get the fix, instead of the old situation where you could expect a fix perhaps within 2 days.

I simply don't see how a company that thinks security is its top priority, leaves customers in the dark by not handing out fixes when they are available, but waits until a scheduled release date is reached. How does that help security? It only helps crackers and scriptkiddies to enter our servers because we can't patch the software with a patch that is already done. It is easier for sysadmins because they can now schedule downtime and patch the systems with an easy one-exe-for-all-the-fixes-download but it comes with a cost: it leaves systems vulnerable while patches are done.

Sorry Mr. Ballmer, you can shout as hard as you can how much effort Microsoft is putting into security, there is still one thing that you don't understand after all these years: when you make security your top priority, it is then thus more important than usability, however up till today, usability seems to be more important than security. We're talking sysadmins here, for crying out loud. Monthly patches? Great idea, but at least offer the patches as separate downloads also for the people who want to patch their systems when the patch is released. Thank you.


  • Actually, they said that if a flaw is particularly severe or there is a possible exploit available, then they'll release this info outside of the schedule. So I don't expect remotely exploitable bugs to remain unattended for a whole month.

    Seems reasonable to me :-)

  • Stefan: you assume that when a security fix is released, the world doesn't know that there is a flaw. However this is not true in a lot of cases, see the securityfocus.com forums.

    I saw MS will release a patch immediately when an exploit is in the open. How often do they check for this exploit? 24/7? It doesn't say, plus even if they do, they can't be sure the exploit isn't there.

    I think the only real option is to keep it as it is: release the patch when it is done, thus allowing people who want to patch immediately, to patch immediately.

  • Microsoft did research and discovered that these vulnerabilities were almost never exploited before the patch was released. People were reverse-engineering the patches to determine the flaws and THEN exploiting them. Also, once a week patches were very hard on guys like me who deal very heavily with security (www.patchdayreview.com). Besides, a lot of IT people were screaming bloody murder that they had to patch every week, granted, patches weren't released EVERY week, but people are not making use of SUS like they should. Critical patches are still released as meeded.

    Besides, weren't you just complaining a couple of months ago that you didn't like Microsoft's patching techniques? At least they are trying something different.

  • Robert, I complained some time ago that they didn't release patches when they were available. Now they do something different, but IN THAT DIRECTION.

    Frankly, I don't care if a sysadmin is angry when he has to patch systems, its his job. I was not happy with all the patches in a continuous stream but not because they were released frequently, but because there were leaks in the first place, AFTER all those code seminars MS held with the developers and the code-reviews.

    I as a customer am now handed over to Microsoft's decision if the flaw is critical enough to release a patch immediately. I don't think that's MS decision to make, since the systems I have to keep up running (we're small, so no sysadmin here) are not their responsibility but mine.

  • The patch headache is related to how many servers you're administering. If you have only a few, applying the patches is not a big deal. For companies with 100's or 1000's of servers, it's a nightmare.

    Microsoft does release many patches but they are for different applications. Some are for IE, some are for Outlook, some for Exchange, some for the OS and there's an importance level for each patch. I personally only apply critical patches for systems that are connected to the net, otherwise I don't bother. The likehood that a patch breaks something is higher than fxing a non important issue. If it aint broke, don't fix it. I mean if you're not experiencing the problem it's fixing, don't bother.


Comments have been disabled for this content.