Microsoft Planning To Push Patches Harder

Along with efforts to make its software more manageable, Microsoft has announced it is replacing its Software Update Services with a new, more forceful program called Windows Update Services, which will be aimed at getting security patches installed more quickly.

Microsoft said Update Services 1.0, released in beta this week, marks a major step forward in the company’s patch-and-update management strategy by providing customers with additional automation and control designed to reduce interruption when updating systems.

Gartner research vice president Richard Stiennon told TechNewsWorld that the increased automation, which reportedly might include forced updates when users shut down, flies in the face of best practices that dictate proper testing and integration assurance before actually using a patch.

However, Stiennon said the risk of not patching right away often outweighs the risk of exposing a system to patch problems that might have been avoided with proper time and testing.

“Because of the costs associated with patching, companies are going to do it with automation,” Stiennon said. “They’ve been forced into a nonstandard practice, into making an exception to best practices, because Microsoft’s security environment and the risk associated is so high.”

Pushing Patches

Microsoft said its new Update Services, which will include expanded functionality to update SQL Server, Exchange Server, Office 2003 and Office XP, should be released during the second half of the year.

The software will be offered as a free download to address an issue that has frustrated the Redmond, Washington-based company as well as the computer security community: the lack of timely patching by both companies and consumers.

Microsoft says that instead of waiting weeks to test its security patches, it wants companies to apply them as soon as they are available for download. Microsoft reportedly will offer tools to administrators to force updates before users shut off their machines. The automated patching will be able to download in segments to free up computer resources.

Priority and Improvement

Symantec lead global security architect Tony Vincent, whose company highlighted a more severe brand of security vulnerability — the targeting of core Windows components and the shrinking time window between disclosure of a security hole and its use in an attack — in its Internet Security Threat Report this week, credited Microsoft for putting such priority on security.

“Microsoft and other core technology providers are really taking security as a big issue to fix,” Vincent told TechNewsWorld.

Sunil James, iDefense director of vulnerability intelligence, accurately predicted a change in the severity rating of a Microsoft Outlook 2002 hole patched earlier this month. James indicated that despite some earlier hiccups, Microsoft’s monthly patching schedule that began last October has been easing the pain of patching.

James told TechNewsWorld that as administrators and others become more accustomed to the new schedule — which has included out-of-cycle updates to address significant security issues — Microsoft also will be improving the patch software and information that goes with it over the next year.

Weighing Risks

However much discomfort or danger there might be from deploying a Windows patch without fully testing its impact, the alternative — getting stung by a worm, heisted by a Trojan or clogged with mass-mailing malware — is even less attractive, according to Gartner’s Stiennon.

“The other risk associated with installing patches before testing them is paling in comparison to the risk of not being protected,” Stiennon said. “There’s always a tradeoff in risk.”

The analyst — who has criticized Microsoft for its delay on patches but also praised the software giant for its recent focus and investment in security — added that more automated patching could be a benefit or a burden to the company.

“It’s a trust relationship that Microsoft is gambling on,” Stiennon said. “Those corporations that do accept [patching] without testing — they’ll be fine until the inevitable thing that goes wrong or something breaks.”