Microsoft defends monthly patch update as best way to beat hackers

Microsoft has defended its policy of issuing monthly security patches for the Windows operating system, despite growing evidence that hackers use them to develop new ways of attacking corporate systems within days of their release.

David Aucsmith, Microsoft's chief technology officer for security, admitted at last week's Hi-Tech Crime Unit conference in London that IT departments were facing an increasingly fraught race to patch systems before hackers found ways to exploit weaknesses.

But he said that, with so many security professionals and hackers trawling Windows for new vulnerabilities, Microsoft had no choice but to alert its customers to problems as soon as it could.

"With the exception of one exploit, we have never learned of a vulnerability that has become an active attack before we have released the patch. The vast majority of the attacks - 99.9% - only occur after the patch has been released," he said.

Aucsmith said that by releasing monthly patches that each fix a number of vulnerabilities, Microsoft was making it more difficult for hackers to reverse-engineer the fixes to find new ways of attacking Windows. But the appearance on the internet of programs that can automatically analyse patches and turn them into attack code means that businesses could become vulnerable within days of a patch being released.

"Businesses cannot afford to apply a patch without testing it, particularly in the financial sector. The bad guys do not have to test their software," he said.

Over the past two years the time taken for hackers to exploit patches has fallen from months to days, he revealed. Yet businesses are still slow to apply patches.

Six months after signatures were issued to protect against the Blaster worm, 8.8 million computers worldwide were still vulnerable.

Fraudsters who use tools developed by security professionals to create viruses capable of harvesting passwords and e-mail addresses are the biggest threat to businesses, said Aucsmith.

"Guys who do not consider themselves to be criminals are writing tools that are so good they can be used by non-technical people. But they are also being picked up by organised criminals," he said.
