Microsoft's process for releasing out-of-cycle patches can be unpredictable. So can the customer reaction that follows.
When the software giant released an early fix for the Windows Meta File (WMF)
When the createTextRange flaw in Internet Explorer became the target of hundreds of attacks in late March and early April, the company chose to address the problem within its normal cycle and IT professionals were largely supportive.
Tuesday, Microsoft took the rare step of re-releasing a patch out of cycle, addressing ongoing problems with bulletin MS06-015, first released April 11 to fix a Windows Explorer remote code-execution vulnerability involving the way the program handles COM objects.
Though network administrators have largely favored the monthly schedule because it aids in patch planning, some of those contacted this week said Microsoft should act outside its normal patching cycle more often.
"I have no problem with random patch releases," said Richard May, IT administrator for a California-based healthcare equipment maker, via an e-mail exchange. "Patch Tuesday is actually more of an annoyance because Microsoft throws everything at us all at once. I'm required to review multiple patches and formulate the most prudent rollout strategy. So getting an out-of-band patch like the revised MS06-015 doesn't faze me. I wish they were all that way."
Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering in Tucson, said there are pluses and minuses to both the monthly schedule and the out-of-cycle updates. On one hand, he said, waiting a few weeks to fix non-critical security holes is not a problem. But if a vulnerability is already under attack, he said it doesn't make sense to wait.
"Before we had the 'normal' patch release cycle, Microsoft would kick out patches whenever and that was OK -- not great, but OK," he said in an e-mail exchange. "Now we have 'Black Tuesday,' as some call it around here. But if the patch is really critical, why wait?"
In light of recent events, Case said, it may be time for Microsoft to redefine the terms they use to rate the patches.
"To me, 'critical' is when the vulnerability is being exploited now, and 'important' is the vulnerability that will be exploited very soon," he said. "If the patch is critical then it should be released outside of the normal cycle, and if it's important it can wait for the normal cycle."
Problems with MS06-015
MS06-015, the critical April 11 update for Windows Explorer, has caused various problems for customers who also use products from Hewlett-Packard Co., Sunbelt Software and nVidia Corp., among others.
Apparently the volume and variety of issues compelled Microsoft to issue what it called "a targeted re-release" of the MS06-015 update on April 25. That means affected customers who have enabled automatic updates will receive the fix without taking any action. Those who aren't experiencing problems will not be affected and will not be strong-armed into installing the new patch.
MS06-015 was one of five new updates released April 11 as part of Microsoft's regularly scheduled monthly security update. The company released two other critical patches, one of which addressed the widely exploited createTextRange flaw in Internet Explorer and implemented some legally mandated changes in how its browser handles ActiveX controls. The other critical patch fixed a remote code-execution vulnerability in the RDS.Dataspace ActiveX control that is distributed via Microsoft Data Access Components (MDAC), a collection of components used to provide database connectivity on Windows platforms.