“Software vulnerabilities don’t follow timetables”

You gotta love the term Zero-day Wednesdays. It explains in a sentence everything that is wrong with Microsoft’s Patch Tuesday, the major problem being Microsoft trying to regulate the industry without having the power to do so.

Just because Microsoft decided to issue security patches on the 2nd Tuesday of every month doesn’t mean the people finding security holes will adhere to this schedule. In fact, knowing how the ‘bad guys’ think, it gives them a foolproof algorithm to maximize damage. Want to release a Zero-day? You no longer have to wait until Christmas to catch the administrators out on their new year’s vacation – just wait until the 2nd Wednesday of the month and you will have admins scrambling around for a month until a patch is released.

  • Rick

    Lessee…first, everyone complains about patches being released too often in a month. So Microsoft goes to a monthly release. Then everyone complains about not enough patches.

    “Can’t win for losing…”

    …Rick…(not a MS employee)

  • http://www.BeyondSecurity.com aviram

    Rick – I don’t think people were complaining patches were released too often – they were complaining vulnerabilities were found too often :-)

    Anyway, the choice doesn’t have to be between releasing patches on a daily basis versus releasing them only once a month – there’s a lot of room in between.

  • http://kliconsulting.com Mike

    Whatever hurts Microsoft is a very good thing.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    I think accusing Microsoft of trying to “control the industry” is a bit harsh. The move to a scheduled release is a very good thing for most vulnerabilities.

    The exceptions are the zero-day attacks. In those cases, the schedule should go out the window and a patch should be released as soon as QA on it is done to standard. That would totally eliminate the incentive to exploit around Microsoft’s patch schedule while still preserving most of the good done by a regularly-scheduled patch day.

    The scheduled patch releases eliminate a major problem Microsoft had in recent years. They’d not release any patches for a while, and then five or six would come out on one day. Admins were broad-sided, suddenly having to patch thousands of machines in multiple different roles, often against multiple critical bugs.

    Though I believe that Microsoft should patch vulnerabilities used in attacks without regard to its preferred schedule, I also am glad to see a preferred schedule being used as a basis point. I think you’ll find that most agree — and those who don’t are a vocal minority without experience in deploying patches to a thousands-strong IT investment.

  • http://www.BeyondSecurity.com aviram

    I didn’t say Microsoft were trying to control the industry, only that they are trying to regulate it.

    A schedule is good. It helps predictability and is crucial when deploying patches enterprise-wide. But I’m sure you’d agree that some patches are too important to wait a month until release.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    Absolutely agree. I do believe Microsoft should be willing to void the schedule in cases of known or imminent in-the-wild attacks.

    As far as I’m concerned, regulate = control. However, I don’t think they’re trying to “regulate the industry” so much as make life easier on their customers. It just so happens that their customers are 90% or so of the world. A major policy shift at Microsoft will always (at least indirectly) control the policies of a large portion of the industry, either as a goal or as a side effect.

  • http://www.BeyondSecurity.com Aviram

    I think you hit the nail on the head:

    “A major policy shift at Microsoft will always (at least indirectly) control the policies of a large portion of the industry, either as a goal or as a side effect.”

    No doubt about that. The only question (and this is, I think, the point of our disagreement) is whether it’s an intentional goal or an unintentional side effect. Since neither of us is a mind reader and we don’t yet have access to the internal Microsoft meeting summaries, we can only guess and speculate…