Third-party Microsoft patches could get new life

News analysis: Microsoft's process for providing security fixes is as orderly and predictable as it has ever been, but some believe the software giant's methodical nature may lead to more third-party patches.

It has been nearly three years since Microsoft moved to a monthly patch release schedule as a way to rein in some of the chaos that had begun to engulf its vulnerability reporting and repair efforts.

The result has been a more orderly, predictable process that enables enterprises to plan patch deployments well in advance and avoid costly downtime during business hours. And several other vendors, including Oracle and Hewlett-Packard  have followed suit by launching scheduled patch releases of their own.

But some administrators and security experts say that for all its benefits, the predictable release schedule also has its downsides, and can leave enterprises hanging when a new flaw is discovered between patch releases, which has led to a rise in third-party security fixes.

 Microsoft has released what have been called "out of cycle" patches a few times since it began the monthly schedule, but typically only after pressure from customers and media reports. Those rare instances have mainly come after exploit code for a new flaw has been made available, in effect forcing Microsoft's hand.

"The MSRC will always consider releasing an out-of-cycle update if we have a quality update available and customers are at serious risk, as we have done on several occasions such as the WMF attack," said Christopher Budd, security program manager at the Microsoft Security Response Center.

Budd said that process is largely determined by customers. When Microsoft discovers a security issue that could affect customers, he said the software giant's security experts investigate its severity and potential impact, and use that information to determine the best course of action.

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," Budd said.

Some customers believe Microsoft should be a little more flexible on this policy.

"If they have the fix, I don't see a reason to hold it back," said Bill Cassada, enterprise network administrator at Healthways Inc., a health care support provider based in the US with more than 3,000 end users. "You never know these days. By the time you find out about an exploit, it's been used."

Cassada, who said he likes the overall concept of the monthly release schedule, suggested that Microsoft and other vendors consider building portals to enable customers with enterprise license agreements to access patches as soon as they are tested and ready. Healthways uses Patchlink Corp.'s automated deployment tool, which Cassada said gives him the ability to deploy patches as soon as they're available, without any additional testing.

"We used to use scripting and SMS, but we couldn't do it with the growth we were seeing," he said. "Now, for the PCs we control, we can patch them almost immediately."

At the time it moved to the monthly schedule, Microsoft and many other major software vendors were embroiled in an ongoing and often heated debate with a number of security researchers about when and how to disclose vulnerability data. Much of the talk centered on whether researchers should give vendors a chance to develop, test and release a patch before publicizing the details of a new flaw.

The public rhetoric on this topic has died down somewhat since 2003, with most researchers now giving software vendors a reasonable amount of time to release patches before disclosing the details of a given flaw. Yet Microsoft's adherence to the monthly schedule has given rise to the phenomenon of third-party patches, something that was almost unheard of until recently.

More on Microsoft security

Should Microsoft change its patching process?

Microsoft still unlocking its security identity

Microsoft's new security chief: We've come a long way


Microsoft's security strategy will outlast Gates
The best example of this was the Windows Meta File (WMF) flaw revealed in January. Within days of the flaw's discovery, several exploits were available and some security vendors reported targeted attacks on the vulnerability.

Microsoft initially said it would release a patch in its January update, which was then more than a week away. As a result, Slovakian antivirus vendor Eset LLC, as well as an independent Russian programmer Ifak Guilfanov, developed and released their own WMF third-party fixes. While the SANS Internet Storm Center endorsed Guilfanov's patch, Microsoft warned customers to avoid all of the unofficial fixes, and ended up releasing its own patch nearly a week early.

Microsoft's Budd said the vendor is keeping a close eye on the third-party patch trend, and is continuing to advise customers to avoid such fixes, for a variety of reasons.

"While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor," Budd said via email. "Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. We cannot provide similar assurance for independent third-party security updates or mitigations."

Still, many in the industry believe the WMF situation was only the beginning of the movement toward third-party patches, given the number of vulnerabilities published on a weekly basis.

"I'd expect the third-party patch trend to continue and I think we'll see the systems management vendors do it as well," said Dennis Szerszen, vice president of business development at SecureWave S.A., a security vendor based in Luxembourg. "Patching should be at the convenience of the administrator and not the vendor. The cost of patching needs to be considered."

Read more on IT risk management