The "Patch-A-Month Club" was to have made life simpler for Microsoft customers. Instead, it's life as before, which leaves much to be desired. In moving to a monthly schedule for routine patches, Microsoft intended to make it easier for customers to maintain stable and secure systems. But in the weeks the program has been in effect, the company has had to violate the monthly timetable by issuing more frequent patches, and even by patching the patches that it issued.
"Even though they've changed to monthly, they've already made some changes off the schedule," said an IT professional at Time, who asked not to be named. "So they've officially changed, but not really."
Microsoft's policy of batching patches began Oct. 15. On that date, the company released five Windows security bulletins, four of them rated "critical," plus two bulletins specifically for Exchange Server. The next batch wasn't due until Nov. 11. The new schedule is potentially a great idea that can protect your enterprise against script kiddies if you roll out needed vulnerability fixes as soon as they're available.
But on Oct. 22, Microsoft released a new version of one of the Windows patches and, on Oct. 24, a new version of one of the Exchange patches. On Oct. 29, three of the Windows patches were modified and reissued, including one for the revised Windows patch that had been issued just one week earlier. The latest round of revisions, Microsoft acknowledges, keeps the three initial Windows patches from hanging machines in certain cases when they're installed (see www.bri.li/3461).
No one would argue that Microsoft shouldn't have issued fixed patches when it learned of significant problems. Software isn't perfect and never will be. But Microsoft customers deserve to feel safe relying on Microsoft's megapatches every month. Most people won't feel safe if they keep getting patches with unadvertised side effects that disrupt their work. More important, their systems won't be fully secure.
These issues trouble even big believers in the new monthly patch policy. For example, Roger Wilding, senior technical engineer for CNF, a global supply chain service company, supports the new schedule, saying, "It actually makes it easier for us to understand. As long as there isn't a critical vulnerability that's going around the Net right now, we can wait until the second Tuesday of the month." Wilding uses the Software Update Services Feature Pack of Microsoft's Systems Management Server to administer patches to more than 2,000 machines.
Last month's Windows upgrades, however, caused him grief. "One of the patches broke one of our applications, so Microsoft is discussing with us whether or not the patch should have a 'shim' or something." Microsoft said the patch in question changes the way Windows handles text input and that other developers should change their code to avoid any problems.
Windows is such a complex organism now that it's hopeless to expect Microsoft's patches to ever play nicely with all possible software. That's why enterprises are heavily invested in patch management tools, Microsoft's and others', to apply patches and patches to patches. Russ Cooper, editor of the NTBugtraq security mailing list, recently surveyed his 31,000 subscribers and found they're collectively using 29 fee-based patch management solutions and 18 free ones. Whew!
The new monthly patch schedule leaves companies with no excuse for not updating regularly. Michael Howard, Microsoft's senior program manager for security engineering and communications, told me customers demanded it: "The overwhelming feedback we had from customers is that this would be much more predictable. It allows you to do it in one fell swoop."
Having committed to sending out a broad batch of updates the second Tuesday of every month, Microsoft also has no excuse if it doesn't improve its testing during the extra weeks it now has between releases. We all have a big stake in everyone getting this right.
Brian Livingston is editor of BriansBuzz.com. His column appears every other week in eWEEK. Send your comments to eWEEK@ziffdavis.com.