By Patrick Gray, 11 November 2003 09:15
Microsoft will release a series of security patches after midnight tonight in line with its new policy of releasing patches on a monthly schedule.
Industry sources anticipate the disclosure of multiple vulnerabilities in the Windows operating system. The company announced its shift to a monthly patching cycle as a part of a new security initiative unveiled at its Worldwide Partner Conference in New Orleans last month. Microsoft said it is introducing the new schedule to ease the burden on systems administrators struggling with the frequency of security updates.
However, security professionals have avoided giving Microsoft's policy shift the thumbs-up, saying the net effect on security is likely to be neutral.
Greg Shipley, chief technology officer of security company Neohapsis, said the new policy is likely to actually make some things harder for IT managers.
"The measuring stick is the volume of patches, not the release times," he said. "It's difficult because now we have to regression test all these patches in one lump sum."
On the surface the policy is a good one, Shipley says, because system administrators only have to schedule one service outage window per month. "But now you apply a bunch of patches, and something 'breaks'; which one do you back up on?"
Furthermore, Shipley says the policy needs to be flexible in order for Microsoft to appropriately look after its customers.
"If a hole is found in the wild [Microsoft] should respond in a timely manner regardless of their patch cycle," he explained. "But if they're doing controlled releases then I'm not sure if it matters that much."
Security professional and former chief security officer of InterNIC Richard Forno also highlights the long interval between updates as a potential source of risk. "Perhaps it makes it easier for the system administrators to do one major fix-it patch instead of several each month, but that means there's a greater window of opportunity for a bad guy to cause damage between patch cycles," he said. "Watch for the next major Windows exploits to occur within a week of a monthly patch being released by Microsoft."
"If I was a bad guy, that's when I'd release my malicious exploits," he added.
Patrick Gray writes for ZDNet Australia
Comments
1. James L. Dean
The new policy is disastrous for home users that dial in to ISPs that regularly drop their connection. (The larger downloads make it more likely the connection will be dropped during the download.) This means there will be a vast reservoir of home machines to host worms.
2. Lionel A Smith
'If something breaks...' Greg Shipley said.
Well, on my XP machine something has broken after a slew of patches (which can be a PITA to download by dial-up because of their size) and I have no idea how far back to go. Windows Explorer now faults with an error several times a day; I now think of it as Windows Exploder.
This means I dare not download patches as a background process as I consider I could end up in a worse mess.
I don't see how a monthly issue of patches is going to help and do think it will open doors and cause a bigger headache.