COLUMN

Scrapping Patch Tuesday a bad idea, say bloggers

By Bill Brenner 18 May 2007 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

IT security bloggers have been mostly polite in their reaction to last week's column from my colleague Dennis Fisher, where he suggested Microsoft scrap Patch Tuesday in exchange for a quicker, more frequent security update process.

That doesn't mean they all agree with him.

In his column, Fisher wrote that instead of leaving flaws unpatched for weeks between cycles, Microsoft should use its resources to produce high-quality patches shortly after vulnerabilities are discovered.

I haven't found anyone in the blogosphere arguing that it's acceptable to leave security holes unpatched for weeks at a time. Most people agree the software giant needs to develop a better way to deal with the steady increase in zero-day flaws, many of which have been disclosed right after a monthly patch rollout. One indication that a quicker fix schedule is needed is that some IT shops are starting to rush through their patch testing because they're desperate to get them deployed before the big attack arrives.

But a majority of bloggers say the answer isn't to do away with Patch Tuesday altogether. They still like knowing that Microsoft patches will be released consistently the second Tuesday of each month. It's something they can plan around. Nobody wants to go back to the days when Redmond would send out critical fixes without warning.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com. Recent columns: Bloggers not for easing PCI DSS Are hacking contests good or evil? Mac hack puts Apple faithful on the defense

Instead, they seem to want a quicker method for receiving patches for serious zero-day flaws outside the monthly cycle. Other than the zero-day fixes, however, people seem content saving the rest of the patch load for once a month.

New Zealand-based computer programming student Kaiwai Gardiner wrote in his blog that getting rid of Patch Tuesday is a "stupid" idea.

The current arrangement, he wrote, is a lot better than the old situation where a large number of patches used to be released in a random fashion. "You either have Patch Tuesday or have patches that are rushed out, resulting in large numbers of patches having to be pulled and re-issued because they either cause [or] expose new vulnerabilities, fail to address the problem, or worse, cause numerous issues in regards to system stability and compatibility," he said.

A self-described academic systems administrator wrote in his SysAdmin1138 Events blog that Fisher's argument is problematic because it flies in the face of responsible disclosure. He cited the recent patch process for the DNS flaw as an example of responsible disclosure in which everyone received protection in a reasonable period of time.

"The disclosure," he said, "was done to Microsoft in January, and it was in May before the fix was released. The time spent between 'initial vendor response' and 'coordinated public disclosure' was spent by Microsoft developing a fix, testing the fix, and integrating the fix into the patch release pipeline. This is part of 'responsible disclosure,' which is telling the vendor about a problem, and not telling anyone else about it until the vendor has produced a patch."

He said that while some people quibble about how long it takes Microsoft to come up with a patch after a flaw is disclosed, it does indeed take awhile for the Microsoft patch pipeline to produce production-quality code, and that "doing a staged release schedule like what they do right now makes all the sense in the world. They can do short-cycle patches, but even then it still takes weeks to produce a patch."

He added, "I've been at this game long enough to have been around for the opportunistic patch schedule Microsoft followed before they started regulating when they released. And let me tell you, having a schedule for these things helps immensely. We know patches from Microsoft come out on Tuesdays, so we've built into our schedule a 'change management' window Tuesday night expressly for that. This is pre-arranged with our users, we don't have to go to them to take their systems down so long as we do it Tuesday night."

Mike Rothman, president and principal analyst of Security Incite in Atlanta, wrote in his Daily Incite blog that Fisher makes some valid points, but that the monthly cycle is still the right approach for the vast majority of patches and the vast majority of customers.

"Any organization of size has huge issues with testing and ensuring the patches won't cause regression issues with the rest of the systems," he said. "Doing any more than once a month means patching is pretty much all they'd do. There are approaches to get patch-like functionality and use IPS signatures to block these attacks until the patches can be worked through the change control process, which does take time. So I hear where Dennis is coming from, but monthly is still the right frequency for patching."

To be fair, I did find a couple bloggers who agreed with Fisher.

In the Live Journal blogging site, Brian Martinez wrote of Fisher's suggestion, "I'd be all for this, considering how Windows Update brought both of my laptops to their knees during the latest patch-fest."

IT professional Todd Towles wrote in his Thoughts of a Technocrat blog that he understands why corporations like Patch Tuesday, but, as Fisher stated, rarely are the patches applied right away anyways.

"Plus," Towles wrote, "a good company should have multiple layers of defense against emerging evil. This is why they don't have to patch right away in the first place."

Those who like having a once-a-month security update they can plan around will probably be more likely to embrace the process, now that Microsoft has announced it'll start squeezing more detail into the advance bulletins that come out each Thursday before Patch Tuesday.

Tags: Security Patch Management,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe patches ColdFusion vulnerability blocking website attack Microsoft to address DirectShow, ActiveX zero-day flaws Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Windows Security: Alerts, Updates and Best Practices Microsoft to address DirectShow, ActiveX zero-day flaws New attack code targets Microsoft ActiveX zero-day vulnerability When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary