Should Microsoft change its patching process?

By Bill Brenner, Senior News Writer
11 May 2006 | SearchSecurity.com

Security Wire Daily News

The monthly patch cycle Microsoft adopted in October 2003 is still the best way to address a majority of the software giant's security holes, IT pros say. However, with zero-day flaws on the rise, they believe the company should be willing to break the cycle more often.

In past interviews with SearchSecurity.com, a majority of IT pros have lauded the current system where Microsoft releases patches on the second Tuesday of each month because they can plan around it more easily.

But zero-day threats like the Windows Meta File (WMF) and createTextRange flaws have appeared with growing frequency in recent months, leaving IT shops open to a variety of attacks. The WMF flaw was fixed out of cycle, five days before January's Patch Tuesday, while the createTextRange bug was fixed as part of the normal April cycle.

Since exploit code is more commonly targeting vulnerabilities just hours after they are revealed, John Hornbuckle is among those who would like more out-of-cycle fixes.

"The increase in zero-day vulnerabilities does concern me, although we've been fortunate enough to not be directly affected by one," Hornbuckle, IT administrator for the Taylor County School District in Perry, Fla., said in an e-mail exchange. "Our luck probably won't last forever, though, so I would be glad to see Microsoft increase the speed at which patches for such vulnerabilities are released."

Speed vs. testing
Brad Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp., said IT shops need a schedule they can plan around, but that it's better for administrators to scramble to implement out-of-cycle patch deployments once in a while than to scramble because attackers are hammering their networks through an open security hole.

Yet the security pros said that doesn't mean Microsoft should respond to zero-day threats with untested patches.

While he'd like to see zero-day threats patched out-of-cycle more often, Hornbuckle said he's not willing to sacrifice reliability for speed.

"Internal testing on Microsoft's part is a must," Hornbuckle said. Unfortunately, he added, the need for testing makes it that much more difficult to meet zero-day threats with zero-day patches.

IT pros must help themselves
However long it takes Microsoft to produce a patch, IT pros can do more to mitigate zero-day threats, said Jeremy Martin, a Colorado Springs, Colo.-based penetration tester who spends his working days trying to bust into the networks of large enterprises to help them identify and close security gaps.

"I've been to many organizations where they wait for the patch instead of taking mitigation steps," he said. "One thing IT departments could do better is educate employees on steps they should be taking when there's a worm attack."

That could mean the IT department sends out an e-mail telling employees something is out there and advising them to stay away from untrusted Web sites, watch out for phishing e-mails and follow the general company user policies.

While there's a lot IT shops can do without hearing from Microsoft first, Martin said the software giant could help network administrators help themselves by including more information in its security advisories.

"I think it would help IT pros if Microsoft gave extra detail on the vulnerabilities," he said. "Give the IT pros more information and they can more effectively block threats targeting a given flaw at the firewall."

Communication has improved
While saying Microsoft could patch zero-day flaws more quickly and provide more detail in its security advisories, IT pros concede that the vendor has significantly improved its communication methods, which have proven helpful during recent zero-day incidents.

"I actually liked how Microsoft handled the WMF threat," said Matthew Murphy, an independent security researcher based in Springfield, Mo. "Microsoft noticed exploits were happening and they really swung into action. They developed and tested the patch and got it out the door pretty quickly."

Microsoft said a patch would come out as soon as testing was done and they kept communicating on it, so when it came out five days early there wasn't much disruption, Murphy said. "Combining this kind of ambitious schedule with transparency is a good development," he added. "People underestimate how much communication does help smooth a situation."

The vendor also offers a wider variety of communication vectors, including advisories on its TechNet site and a blog from the Microsoft Security Response Center.

"The blog has been a very welcome site in the community," Murphy said. "We get more updates and we get them faster. It shows that Microsoft knows it needs to be more efficient and quick with information."

Expect no big changes
While zero-day fixes may not come as quickly as some would like, Microsoft's current approach is the result of feedback from the vast majority of customers, said Debby Fry Wilson, director of communications for Microsoft's Security Technology Unit. Therefore, people can expect the patch cycle to remain unchanged for the foreseeable future. However, she added, Microsoft's goal is always to release zero-day fixes as quickly as possible, even if it means deviating from its standard release cycle.

Fry Wilson said Microsoft will always consider releasing out-of-cycle updates "if we have a quality update available and customers are at serious risk, as we have done on several occasions, such as the WMF attack."

She also promised that a patch will never be released without adequate testing, no matter how bad a zero-day attack might be. "The only thing worse than not having a security update available in the heat of an attack," Fry Wilson said, "is having a broken update."

Microsoft customers have experienced the pain of broken patches in the past. Just last month the company was forced to re-release the Windows Explorer update first issued April 11. Fry Wilson said the company wants to minimize these problems as much as possible.

"It's imperative we ensure every security update is a quality update that will fix the underlying flaw," she said, "but at the same time work effectively in deployment."
