Security Blog Log: Scrapping Patch Tuesday a bad idea

IT pros scoff at the notion that Patch Tuesday should be scrapped in favour of a quicker, more frequent security update process.

IT security bloggers have been mostly polite in their reaction to the column from Dennis Fisher, where he suggested Microsoft scrap Patch Tuesday in exchange for a quicker, more frequent security update process.

That doesn't mean they all agree with him.

In his column, Fisher wrote that instead of leaving flaws unpatched for weeks between cycles, Microsoft should use its resources to produce high-quality patches shortly after vulnerabilities are discovered.

I haven't found anyone in the blogosphere arguing that it's acceptable to leave security holes unpatched for weeks at a time. Most people agree the software giant needs to develop a better way to deal with the steady increase in zero-day flaws, many of which have been disclosed right after a monthly patch rollout. One indication that a quicker fix schedule is needed is that some IT shops are starting to rush through their patch testing because they're desperate to get them deployed before the big attack arrives.

But a majority of bloggers say the answer isn't to do away with Patch Tuesday altogether. They still like knowing that Microsoft patches will be released consistently the second Tuesday of each month. It's something they can plan around. Nobody wants to go back to the days when Redmond would send out critical fixes without warning.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

Recent columns:

Bloggers not for easing PCI DSS

Are hacking contests good or evil?

Mac hack puts Apple faithful on the defence

Instead, they seem to want a quicker method for receiving patches for serious zero-day flaws outside the monthly cycle. Other than the zero-day fixes, however, people seem content saving the rest of the patch load for once a month.

New Zealand-based computer programming student Kaiwai Gardiner wrote in his blog that getting rid of Patch Tuesday is a "stupid" idea.

The current arrangement, he wrote, is a lot better than the old situation where a large number of patches used to be released in a random fashion. "You either have Patch Tuesday or have patches that are rushed out, resulting in large numbers of patches having to be pulled and re-issued because they either cause [or] expose new vulnerabilities, fail to address the problem, or worse, cause numerous issues in regards to system stability and compatibility," he said.

A self-described academic systems administrator wrote in his SysAdmin1138 Events blog that Fisher's argument is problematic because it flies in the face of responsible disclosure. He cited the recent patch process for the DNS flaw as an example of responsible disclosure in which everyone received protection in a reasonable period of time.

"The disclosure," he said, "was done to Microsoft in January, and it was in May before the fix was released. The time spent between 'initial vendor response' and 'coordinated public disclosure' was spent by Microsoft developing a fix, testing the fix, and integrating the fix into the patch release pipeline. This is part of 'responsible disclosure,' which is telling the vendor about a problem, and not telling anyone else about it until the vendor has produced a patch."

He said that while some people quibble about how long it takes Microsoft to come up with a patch after a flaw is disclosed, it does indeed take awhile for the Microsoft patch pipeline to produce production-quality code, and that "doing a staged release schedule like what they do right now makes all the sense in the world. They can do short-cycle patches, but even then it still takes weeks to produce a patch."

He added, "I've been at this game long enough to have been around for the opportunistic patch schedule Microsoft followed before they started regulating when they released. And let me tell you, having a schedule for these things helps immensely. We know patches from Microsoft come out on Tuesdays, so we've built into our schedule a 'change management' window Tuesday night expressly for that. This is pre-arranged with our users, we don't have to go to them to take their systems down so long as we do it Tuesday night."

Mike Rothman, president and principal analyst of Security Incite in Atlanta, wrote in his Daily Incite blog that Fisher makes some valid points, but that the monthly cycle is still the right approach for the vast majority of patches and the vast majority of customers.

"Any organization of size has huge issues with testing and ensuring the patches won't cause regression issues with the rest of the systems," he said. "Doing any more than once a month means patching is pretty much all they'd do. There are approaches to get patch-like functionality and use IPS signatures to block these attacks until the patches can be worked through the change control process, which does take time. So I hear where Dennis is coming from, but monthly is still the right frequency for patching."

To be fair, I did find a couple bloggers who agreed with Fisher.

In the Live Journal blogging site, Brian Martinez wrote of Fisher's suggestion, "I'd be all for this, considering how Windows Update brought both of my laptops to their knees during the latest patch-fest."

IT professional Todd Towles wrote in his Thoughts of a Technocrat blog that he understands why corporations like Patch Tuesday, but, as Fisher stated, rarely are the patches applied right away anyways.

"Plus," Towles wrote, "a good company should have multiple layers of defense against emerging evil. This is why they don't have to patch right away in the first place."

Those who like having a once-a-month security update they can plan around will probably be more likely to embrace the process, now that Microsoft has announced it'll start squeezing more detail into the advance bulletins that come out each Thursday before Patch Tuesday.

Read more on IT risk management