Microsoft customers want more out-of-cycle patches

By Bill Brenner, Senior News Writer
25 Apr 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft's process for releasing out-of-cycle patches can be unpredictable. So can the customer reaction that follows.

When the software giant released an early fix for the Windows Meta File (WMF) glitch in January, some complained that the company had waited too long to address a flaw that was already being massively exploited.

When the createTextRange flaw in Internet Explorer became the target of hundreds of attacks in late March and early April, the company chose to address the problem within its normal cycle and IT professionals were largely supportive.

Tuesday, Microsoft took the rare step of re-releasing a patch out of cycle, addressing ongoing problems with bulletin MS06-015, first released April 11 to fix a Windows Explorer remote code-execution vulnerability involving the way the program handles COM objects.

IT professionals seem to be supporting the move. As of Tuesday afternoon, 60% of those responding to an online SearchSecurity.com poll said they were pleased Microsoft isn't waiting until the next Patch Tuesday to fix the problem. Another 40% called the out-of-cycle re-release an "OK move," and nobody said it was a bad move.

Though network administrators have largely favored the monthly schedule because it aids in patch planning, some of those contacted this week said Microsoft should act outside its normal patching cycle more often.

"I have no problem with random patch releases," said Richard May, IT administrator for a California-based healthcare equipment maker, via an e-mail exchange. "Patch Tuesday is actually more of an annoyance because Microsoft throws everything at us all at once. I'm required to review multiple patches and formulate the most prudent rollout strategy. So getting an out-of-band patch like the revised MS06-015 doesn't faze me. I wish they were all that way."

Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering in Tucson, said there are pluses and minuses to both the monthly schedule and the out-of-cycle updates. On one hand, he said, waiting a few weeks to fix non-critical security holes is not a problem. But if a vulnerability is already under attack, he said it doesn't make sense to wait.

"Before we had the 'normal' patch release cycle, Microsoft would kick out patches whenever and that was OK -- not great, but OK," he said in an e-mail exchange. "Now we have 'Black Tuesday,' as some call it around here. But if the patch is really critical, why wait?"

In light of recent events, Case said, it may be time for Microsoft to redefine the terms it uses to rate its patches.

"To me, 'critical' is when the vulnerability is being exploited now, and 'important' is the vulnerability that will be exploited very soon," he said. "If the patch is critical then it should be released outside of the normal cycle, and if it's important it can wait for the normal cycle."

Problems with MS06-015
MS06-015, the critical April 11 update for Windows Explorer, has caused various problems for customers who also use products from Hewlett-Packard Co., Sunbelt Software and nVidia Corp., among others.

Apparently the volume and variety of issues compelled Microsoft to issue what it called "a targeted re-release" of the MS06-015 update on April 25. That means affected customers who have enabled automatic updates will receive the fix without taking any action. Those who aren't experiencing problems will not be affected and will not be strong-armed into installing the new patch.

MS06-015 was one of five new updates released April 11 as part of Microsoft's regularly scheduled monthly security update. The company released two other critical patches, one of which addressed the widely exploited createTextRange flaw in Internet Explorer and implemented some legally mandated changes in how its browser handles ActiveX controls. The other critical patch fixed a remote code execution vulnerability in the RDS.Dataspace ActiveX control that is distributed via Microsoft data access components (MDAC), a collection of components used to provide database connectivity on Windows platforms.
