It has been nearly three years since Microsoft moved to a
monthly patch release schedule as a way to
rein in some of the chaos that had begun to engulf its
vulnerability reporting and repair efforts.
The result has been a more orderly, predictable process that
enables enterprises to plan patch deployments well in advance and
avoid costly downtime during business hours. And several other
vendors, including Oracle Corp. and Hewlett-Packard Co., have
followed suit by launching scheduled patch releases of their
own.
But some administrators and security experts say that for all
its benefits, the predictable release schedule also has its
downsides, and can leave enterprises hanging when a new flaw is
discovered between patch releases, which has led to a rise in
third-party security fixes.
Microsoft has released what have been called
"out of cycle" patches a few times since it
began the monthly schedule, but typically only after pressure
from customers and media reports. Those rare instances have
mainly come after exploit code for a new flaw has been made
available, in effect forcing Microsoft's hand.
"The MSRC will always consider releasing an out-of-cycle update
if we have a quality update available and customers are at serious
risk, as we have done on several occasions such as the WMF attack,"
said Christopher Budd, security program manager at the Microsoft
Security Response Center.
Budd said that process is largely determined by customers. When
Microsoft discovers a security issue that could affect customers,
he said the software giant's security experts investigate its
severity and potential impact, and use that information to
determine the best course of action.
"This may include providing a security update through our
monthly release process or providing an out-of-cycle security
update, depending on customer needs," Budd said.
Some customers believe Microsoft should be a little more
flexible on this policy.
"If they have the fix, I don't see a reason to hold it back,"
said Bill Cassada, enterprise network administrator at Healthways
Inc., a health care support provider based in Nashville, Tenn.,
with more than 3,000 end users. "You never know these days. By the
time you find out about an exploit, it's been used."
Cassada, who said he likes the overall concept of the monthly
release schedule, suggested that Microsoft and other vendors
consider building portals to enable customers with enterprise
license agreements to access patches as soon as they are tested and
ready. Healthways uses Patchlink Corp.'s automated deployment tool,
which Cassada said gives him the ability to deploy patches as soon
as they're available, without any additional testing.
"We used to use scripting and SMS, but we couldn't do it with
the growth we were seeing," he said. "Now, for the PCs we control,
we can patch them almost immediately."
At the time it moved to the monthly schedule, Microsoft and many
other major software vendors were embroiled in an ongoing and often
heated debate with a number of security researchers about when and
how to
disclose vulnerability data. Much of the
talk centered on whether researchers should give vendors a
chance to develop, test and release a patch before publicizing
the details of a new flaw.
The public rhetoric on this topic has died down somewhat since
2003, with most researchers now giving software vendors a
reasonable amount of time to release patches before disclosing the
details of a given flaw. Yet Microsoft's adherence to the monthly
schedule has given rise to the phenomenon of
third-party patches, something that was
almost unheard of until recently.
The best example of this was the
Windows Meta File (WMF) flaw revealed in
January. Within days of the flaw's discovery, several exploits
were available and some security vendors reported targeted
attacks on the vulnerability.
Microsoft initially said it would release a patch in its January
update, which was then more than a week away. As a result,
Slovakian antivirus vendor Eset LLC, as well as an independent
Russian programmer Ifak Guilfanov, developed and released their own
WMF third-party fixes. While the SANS
Internet Storm Center endorsed Guilfanov's patch, Microsoft
warned customers to avoid all of the unofficial fixes, and ended
up releasing its own patch nearly a week early.
Microsoft's Budd said the vendor is keeping a close eye on the
third-party patch trend, and is continuing to advise customers to
avoid such fixes, for a variety of reasons.
"While Microsoft can appreciate the steps these vendors and
independent security researchers are taking to provide our
customers with mitigations, as a best practice, customers should
obtain security updates and guidance from the original software
vendor," Budd said via email. "Microsoft carefully reviews and
tests security updates and workarounds to ensure that they are of
high quality and have been evaluated thoroughly for application
compatibility. We cannot provide similar assurance for independent
third-party security updates or mitigations."
Still, many in the industry believe the WMF situation was only
the beginning of the movement toward third-party patches, given the
number of vulnerabilities published on a weekly basis.
"I'd expect the third-party patch trend to continue and I think
we'll see the systems management vendors do it as well," said
Dennis Szerszen, vice president of business development at
SecureWave S.A., a security vendor based in Luxembourg. "Patching
should be at the convenience of the administrator and not the
vendor. The cost of patching needs to be considered."