Microsoft patch gaffe sparks policy U-turn

Microsoft promises to beta-test patches after flawed fix leads to Windows Server crashes.


A debacle over bugs in a critical software patch has forced Microsoft to change its security policies but industry leaders are calling for further quality improvements across the software industry.

Last week, Microsoft took the unprecedented step of contacting hundreds of its largest UK users directly to alert them of a new security patch for Windows 2000.

But less than 12 hours after its release, Microsoft had to produce a new version to combat a problem introduced by the patch, which caused some configurations of Windows 2000 Server to fail.

In the aftermath of this latest failing, Stuart Okin, chief security officer at Microsoft, told Computer Weekly, "We will be beta-testing our security patches from now on."

Previously, Microsoft tested patches internally, but now, "We are looking to expand the testing outside Microsoft," Okin said.

This concession did not satisfy corporate user groups in the UK. If a typical business was spending one man-day a month on software patching, it would cost an estimated £5,500 a year, according to industry experts. Nationwide this could cost UK industry tens of millions of pounds.

Tif, the corporate IT user forum which represents many UK blue-chip companies, sees the IT industry's insistence on issuing patches to fix problems in commercial software as a costly headache for users.

Jonathan Mitchell, Rolls-Royce's business process improvement director and Tif chairman, said, "It is no longer acceptable for vendors to sit smugly by and point out that customers should have patched their systems."

David Roberts, chief executive officer of Tif, said, "There needs to be significantly more responsibility."

As modern software can comprise millions of lines of code, Roberts said, even a tiny percentage of programming errors can result in many bugs. He said businesses faced a huge overhead constantly maintaining software by applying patches and service packs.

Peter Scargill, national IT chairman at the Federation of Small Businesses, said patching was an even bigger problem in small firms since many do not have access to broadband and rely on slow 56kbps modems for getting software updates. "Patching is a major inconvenience. Businesses are paying for the mistakes made by software designers," he said. As a consequence many small firms do not bother patching.

Commenting on the problem patch last week, Simon Conant, PSS security support at Microsoft, said, "It did not get the [level of] testing we would have liked. We had to balance the need to test with the need to release the patch."

In the short term, however, the industry will continue to issue patches, so users should be prepared. Tony Lock, senior analyst at Bloor, said, "Every organisation should have in place procedures to handle patch management."

He advised IT directors to ensure their staff tested patches on non-critical systems first, and then to establish a change management process for rolling out the patch.

How to stay on top of the patches   

Create a policy and timetable for introducing patches 

Define how you test, integrate and roll out patches 

Establish a single source for obtaining information on patches 

Check roll-out and uninstall strategy if patches fail 

Investigate how much patch management can be automated. 

Ashem Pal, vice-president, Meta Group
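The staged roll-out the checklist describes, as an added example (not code from the article, from Microsoft or from Meta Group): a patch is pushed ring by ring, starting with non-critical test systems, a ring is attempted only after the previous ring succeeded, and any failure triggers the uninstall path and halts the run. The fleet, the ring assignments, the patch identifiers PATCH-001 and PATCH-002, and the "install" results are all constructed for the example; the install and uninstall functions simulate what a real deployment tool would do and touch no real system.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """One managed machine. ring 0 = non-critical test systems; higher rings
    are progressively more critical production systems."""
    name: str
    ring: int
    # Constructed for the example: patch ids this host's configuration cannot
    # take (models the "some configurations fail" case in the article).
    fails_on: set = field(default_factory=set)
    installed: set = field(default_factory=set)


def install(host: Host, patch_id: str) -> bool:
    """Simulated install; a real deployment would call the platform's
    installer here. Returns True on success."""
    if patch_id in host.fails_on:
        return False
    host.installed.add(patch_id)
    return True


def uninstall(host: Host, patch_id: str) -> None:
    """Simulated uninstall: the rollback path the checklist says to have ready."""
    host.installed.discard(patch_id)


def rollout(hosts: list, patch_id: str):
    """Push patch_id ring by ring. A ring is attempted only after every host
    in the previous ring succeeded. On any failure the patch is uninstalled
    from every host patched in this run and the run halts, so the more
    critical rings never receive a patch that broke a less critical one.
    Returns (log, status) where log is a list of (ring, host, result)."""
    rings = sorted({h.ring for h in hosts})
    if not rings or rings[0] != 0:
        raise ValueError("no ring-0 test hosts: refusing to patch production first")
    log, patched = [], []
    for ring in rings:
        failed = []
        for h in (h for h in hosts if h.ring == ring):
            ok = install(h, patch_id)
            log.append((ring, h.name, "ok" if ok else "FAILED"))
            (patched if ok else failed).append(h)
        if failed:
            for h in patched:
                uninstall(h, patch_id)
                log.append((h.ring, h.name, "rolled back"))
            names = ", ".join(h.name for h in failed)
            return log, f"halted at ring {ring}: {names}"
    return log, "complete"


def build_fleet() -> list:
    """Constructed fleet: two test boxes, a file server, a domain controller.
    fs-01 stands for a configuration the hypothetical PATCH-002 breaks, a
    failure the test ring alone would not have caught."""
    return [
        Host("test-01", 0),
        Host("test-02", 0),
        Host("fs-01", 1, fails_on={"PATCH-002"}),
        Host("dc-01", 2),
    ]


if __name__ == "__main__":
    for patch in ("PATCH-001", "PATCH-002"):
        fleet = build_fleet()
        log, status = rollout(fleet, patch)
        print(patch, "->", status)
        for entry in log:
            print("  ring %d %-8s %s" % entry)
```

Running it shows PATCH-001 completing across all three rings, while PATCH-002 passes the test ring, fails on the file server, is uninstalled from the two test hosts, and never reaches the domain controller. The ring-0 check at the top is the policy point from the checklist expressed as code: a roll-out with no test systems is refused rather than sent straight to production.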
