CHICAGO -- Windows administrators were just getting used to Microsoft's weekly practice of releasing vulnerability alerts and patches. The routine, however, came to end this week when Microsoft announced five critical Windows and Exchange vulnerabilities as part of a new monthly patch-release cycle.
Microsoft had been releasing alerts on Wednesdays. The change to a monthly schedule may sound like a bad idea because it means users of vulnerable machines will have to wait even longer to patch their systems. Yet Scott Charney, the company's chief security strategist, defended the company's plan Thursday at Information Security magazine's Security Decisions conference.
"Is this the end of the patch parade? Yes," Charney said. "Is it the end of patching? No."
For some, holding off on releasing patches until the second Tuesday of the month means the bad guys have more time to craft their exploits to take advantage of vulnerable systems. But Charney disagrees. In fact, he said, the information surrounding the release of a patch and the patch itself actually increases the risk associated with vulnerabilities.
"Patches can be reverse-engineered, so vulnerabilities are more likely to be exploited after a patch is released," he said.
Charney's logic was a big pill for some Security Decisions attendees to swallow. George Stephenson of the Chicago Housing Authority, for example, wants the patches as soon as they are ready.
"If a patch is available three days before [Microsoft's set day to release patches] then I want it then," he said. "I want them as soon as possible so I can decide when to install them."
Some may welcome Microsoft's having more time to test and tweak a patch before releasing it, but not Stephenson. He has test server and client machines that he uses to make sure every patch doesn't break his systems. He even is planning to go one step further and start running known exploits against his systems to make sure the patches fix what they purport to.
In fact, customer testing was a concern for Microsoft when considering whether to go to a monthly patch-release schedule, Charney said. "For example, if they had five patches, would they on the first day even get to patch No. 5?" he asked.
But Charney said customers told him they usually test patches in parallel, so multiple patches on one day a month isn't an insurmountable obstacle. The convenience of only having to test and then apply patches once a month is worth it. Smaller organizations may not be as well equipped to test multiple patches at once. But, on the other hand, they don't have as many internal applications they need to test against either, he said.
There are exceptions. Microsoft will release patches out of schedule when a vulnerability is being exploited in the wild, Charney said. For example, earlier this month, the company released a patch on a Friday night that patched flaws in Internet Explorer, one of which was being exploited by the QHost-1 Trojan.