Time to Tweak Microsoft’s Patch Tuesday?

It’s been about six years since Microsoft set aside the second Tuesday of each month as the day to release security patches, and most IT administrators have come to appreciate a consistent schedule to plan around.

But every so often, zero-day vulnerabilities and attacks materialize outside the cycle, causing more than a little heartburn for Windows-based businesses.

In December, for example, Microsoft was forced to release an emergency, out-of-cycle patch for Internet Explorer (IE) to close a security hole that allowed attackers to infect more than 2 million machines. The malware allowed the bad guys to steal such personal data as passwords when the user visited one of at least 10,000 compromised websites.

Days later, Microsoft had another critical flaw on its hands: an SQL Server database software bug attackers could exploit to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Cases like these beg the question: Has Patch Tuesday outlived its usefulness? Is a more frequent update process in order to match the increased sophistication and speed of attackers?

The answer is no, according to most IT security pros CSO polled recently. The increase in zero-day threats is a problem to be sure, they say. But IT shops run with a lot less chaos thanks to a monthly schedule they can count on and plan around.

“For large organizations, it’s been a boon,” said Paul Robertson, a Washington D.C.-based network security specialist and computer forensics examiner. “There’s no more last-minute rush to hold an IT staff onsite to make an emergency patch install on an unknown day. No more worrying about having time to schedule testing, and so on.”

Perhaps more importantly, Robertson said, Patch Tuesday has raised overall security awareness. As a scheduled and predictable event, it’s much easier for upper management to “manage.”

“I think the infosec community is likely to do the usual ‘what about a zero-day?’ dance, but overall if we did the math, I doubt we’d see a difference in threat rates compared to patch adoption rates,” he said.

William Langford is a Milwaukee-based IT specialist who runs an operation that helps small, cash-strapped companies find affordable tech solutions. Given the nature of his business, a set, spread out patching schedule is best. Therefore, the Patch Tuesday cycle is preferable to something more frequent.

“I like the idea of a regular time for patches from a security perspective because it gives me a set time to review them,” he said. “When necessary, Microsoft does provide as-needed patches,” which works out for the most part.

Ditto, said Eric Thoeming, network operations center analyst at Pittsburgh-based Philips Respironics.

“Being able to deploy a majority of our needed patches at planned intervals is a definite benefit from a large enterprise standpoint,” he said. He added that Windows Server Update Services (WSUS) — the free add-on to Windows server software that lets companies feed security updates to client systems — offers quite a bit of flexibility as far as out-of-cycle patching is concerned. That means out-of-cycle patching is no longer as chaotic as one might expect.

While a majority of those polled favor the monthly cycle, some security pros do see problems with the set schedule.

“I have always thought of Patch Tuesday as a great attack vector for evil-doers,” said Kurt Baumgarten, a Boston-based information security executive. “If you know when patches are released and (should be) applied, you have one more variable in your arsenal of tools.”

Another piece of the equation is that attacks have moved away from the operating system and more toward the broad array of third-party applications users tend to embrace.

Such a trend means a more frequent patch release for Windows won’t do much for the larger security fight, according to Paul Calatayud, an IT security professional at Best Buy and advisory board member for the Minnesota School of Business.

“Many organizations are maturing and using patch deployment programs, but most patch deployment tools check the common programs and operating systems, not Adobe or other third-party programs that can pose a threat,” he said.