Our patch management is 'not good', says Microsoft security chief


Our patch management is 'not good', says Microsoft security chief

Microsoft's chief security strategist has admitted that the company has not yet shown it can reach its own security goals and he slammed its handling of patch management and bug fixes.

Scott Charney made the admission at a US user conference this week and warned that it could be a year before users were offered a consistent patch management approach from the software giant.

The importance of patch management and the problems it poses to corporate IT departments were highlighted last month when the Slammer worm hit businesses hard around the world, even though a patch for the security flaw it exploited had been available for months.

Charney said Microsoft's patch management procedures were "not good today at all".

The Microsoft's decentralised management approach, while "wonderful" in many respects, becomes an impediment to effective patch management, said the chief security strategist. For example, the company had eight different patch installers and some tools cannot determine whether a patch has been installed properly or not, he said. 

Frustrated users will have to wait for the release of Longhorn, the next release of the Windows operating system, which is not expected before mid-2004 for the deployment of a single patch installer.

According to Charney, Microsoft's Trustworthy Computing initiative has seen the introduction of two added layers of security verification outside of the product groups.

Allowing developers in the product groups to be responsible for security "was like having the fox guarding the henhouse", Charney said.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy