Scott Charney made the admission at a US user conference this week and warned that it could be a year before users were offered a consistent patch management approach from the software giant.
The importance of patch management and the problems it poses to corporate IT departments were highlighted last month when the Slammer worm hit businesses hard around the world, even though a patch for the security flaw it exploited had been available for months.
Charney said Microsoft's patch management procedures were "not good today at all".
Microsoft's decentralised management approach, while "wonderful" in many respects, becomes an impediment to effective patch management, said the chief security strategist. For example, the company had eight different patch installers, and some tools cannot determine whether a patch has been installed properly or not, he said.
Frustrated users will have to wait for the deployment of a single patch installer until the release of Longhorn, the next release of the Windows operating system, which is not expected before mid-2004.
According to Charney, Microsoft's Trustworthy Computing initiative has seen the introduction of two added layers of security verification outside of the product groups.
Allowing developers in the product groups to be responsible for security "was like having the fox guarding the henhouse", Charney said.