Time to Tweak Microsoft's Patch Tuesday?
Microsoft increasingly smacks into security flaws that materialize outside its Patch Tuesday cycle. Is it time for the software giant to find a new way to administer security updates?
By Bill Brenner , Senior Editor
February 09, 2009 — CSO —
It's been about six years since Microsoft set aside the second Tuesday of each month as the day to release security patches, and most IT administrators have come to appreciate a consistent schedule to plan around.
But every so often, zero-day vulnerabilities and attacks materialize outside the cycle, causing more than a little heartburn for Windows-based businesses.
In December, for example, Microsoft was forced to release an emergency, out-of-cycle patch for Internet Explorer (IE) to close a security hole that allowed attackers to infect more than 2 million machines. The malware allowed the bad guys to steal such personal data as passwords when the user visited one of at least 10,000 compromised websites.
Days later, Microsoft had another critical flaw on its hands: an SQL Server database software bug attackers could exploit to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.
Cases like these raise the question: Has Patch Tuesday outlived its usefulness? Is a more frequent update process needed to match the increased sophistication and speed of attackers?
The answer is no, according to most IT security pros CSO polled recently. The increase in zero-day threats is a problem to be sure, they say. But IT shops run with a lot less chaos thanks to a monthly schedule they can count on and plan around.
"For large organizations, it's been a boon," said Paul Robertson, a Washington D.C.-based network security specialist and computer forensics examiner. "There's no more last-minute rush to hold an IT staff onsite to make an emergency patch install on an unknown day. No more worrying about having time to schedule testing, and so on."
Perhaps more importantly, Robertson said, Patch Tuesday has raised overall security awareness. As a scheduled and predictable event, it's much easier for upper management to "manage."
"I think the infosec community is likely to do the usual 'what about a zero-day?' dance, but overall if we did the math, I doubt we'd see a difference in threat rates compared to patch adoption rates," he said.
William Langford is a Milwaukee-based IT specialist who runs an operation that helps small, cash-strapped companies find affordable tech solutions. Given the nature of his business, a fixed, spread-out patching schedule works best, so the Patch Tuesday cycle is preferable to something more frequent.
"I like the idea of a regular time for patches from a security perspective because it gives me a set time to review them," he said. "When necessary, Microsoft does provide as-needed patches," which works out for the most part.