Windows 24 Hr Vulnerability Patch - Would It Help?
super_ogg asks: "In light of the recent Windows infection rate problem, it prompted me to ask the question: if Microsoft was able to guarantee a 24-hour-patch for a vulnerability (and hell didn't freeze over), how much would it affect the rate of infection seeing that a lot of people don't patch their systems? Would the rate of infection increase dramatically?"
Releasing patches that quickly would probably make the releases smaller, which means people would be less likely to cancel the download in disgust when they see it would take 2+ hours to complete. Having said that, given the users I've encountered, MS would need something like "Automatically Apply Patches without Prompting Me" as one of the initial options or users would just "X" out of the warning pop-up, as they do nowadays.
For big businesses, it wouldn't help. They are already on top of these things checking their firewalls and such, trying to prevent infections. (Note: if this isn't the case, they fit in with group 2)
Then there are individuals. I can't tell you how many people's PCs I've found with basically NO updates applied (for whatever usually pointless reason). These are the people where such a quick patch could make a difference (since it tends to be home computers and those under the care of someone who doesn't know what they're doing), but they won't get the patch because these people don't patch in the first place.
MS's best solution at this point would be to force automatic updates to be on for all copies of XP Home, with no way to turn it off (short of registry editing). That way, the computers would get the updates they need, but the few people who want to turn it off would probably know enough to run their computers safely if they knew where to find the instructions and how to change the registry. (I'm ignoring the point that anyone with half a brain that was a "power user" would want XP Pro over XP Home).
A 24-hour turnaround would be great, but I don't think it would make that much of a difference. Forced updates (especially if expanded to include XP Pro that isn't being managed by a domain controller/Active Directory, to cover those one-machine businesses and such) would probably go a lot further.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
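The post above talks about Automatic Updates being forced on "with no way to turn it off (short of registry editing)", and about machines not managed by a domain controller. As an added example (not part of the original post or of any Microsoft tooling), the PowerShell below audits the Automatic Updates policy values in the registry and can enforce the "download and install automatically" setting on a machine that is not domain-joined. It assumes the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU with the NoAutoUpdate and AUOptions values; the function names are the example's own, and writing the key requires an elevated shell.

```powershell
# Added example, not from the original thread. Assumes the Windows Update
# policy key below with the DWORD values NoAutoUpdate (1 = disabled) and
# AUOptions (2 = notify before download, 3 = auto download/notify before
# install, 4 = auto download and install). Run elevated to enforce.

$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdateState {
    # Report the effective policy; a missing key means no policy is set
    # and the per-machine default / user choice applies.
    if (-not (Test-Path $AuPolicyPath)) {
        return [pscustomobject]@{
            PolicySet    = $false
            NoAutoUpdate = $null
            AUOptions    = $null
            Verdict      = 'No policy set: users can turn Automatic Updates off'
        }
    }

    $p = Get-ItemProperty -Path $AuPolicyPath
    $noAuto = $p.NoAutoUpdate
    $opt    = $p.AUOptions

    if ($noAuto -eq 1) {
        $verdict = 'Automatic Updates DISABLED by policy'
    } elseif ($opt -eq 4) {
        $verdict = 'Auto download and install (enforced)'
    } elseif ($opt -eq 3) {
        $verdict = 'Auto download, but user is prompted before install'
    } elseif ($opt -eq 2) {
        $verdict = 'User is prompted before download'
    } else {
        $verdict = 'Policy key present but NoAutoUpdate/AUOptions not set'
    }

    return [pscustomobject]@{
        PolicySet    = $true
        NoAutoUpdate = $noAuto
        AUOptions    = $opt
        Verdict      = $verdict
    }
}

function Test-DomainJoined {
    # Domain-joined machines are normally managed by Group Policy/WSUS;
    # this example only enforces on stand-alone machines.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Set-AutoUpdateEnforced {
    # Force Automatic Updates on, with automatic download and install.
    # Writing HKLM needs an elevated (Administrator) shell.
    if (Test-DomainJoined) {
        Write-Warning 'Machine is domain-joined; leave this to Group Policy.'
        return
    }
    if (-not (Test-Path $AuPolicyPath)) {
        New-Item -Path $AuPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $AuPolicyPath -Name 'NoAutoUpdate' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuPolicyPath -Name 'AUOptions' -Value 4 `
        -PropertyType DWord -Force | Out-Null
}

# Usage: audit first, then enforce and re-check.
Get-AutoUpdateState | Format-List
# Set-AutoUpdateEnforced
# Get-AutoUpdateState | Format-List
```

The enforcement call is left commented out so the script is read-only by default; run it deliberately, elevated, on machines you administer. A policy value set this way overrides what the user picks in the Automatic Updates control panel, which is exactly the "no way to turn it off short of registry editing" behaviour the post describes.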
Warning: Apple reference ahead, but nowhere does it state the fix is to buy an Apple computer.
What would help the situation is if roll-ups or service packs were released in conjunction with hot fixes, limiting the number of total patch installers.
Let's take Apple for example. In a nutshell, there's the retail box release (10.4.0), then a few security patches as needed (Denoted as: date of post). Let's say there are three of such fixes.
Active Patch Installers: 3 (1 reboot)
Eventually a point release is made (Denoted as: 10.4.1). This point release includes all of the previous security patches as well as other fixes usually along the lines of 'recommended' as Microsoft would put it.
Active Patch Installers: 1 (1 reboot)
After 10.4.1 is released, a few more security holes are found and patched, each with a date of release. We'll say there's two.
Active Patch Installers: 3 (1 reboot)
When 10.4.2 comes around, Apple releases two versions of the update:
A smaller file for systems with 10.4.1 installed
A larger file for systems with 10.4.0 (Retail) installed
Active Patch Installers: 2 - Only one needed (1 reboot)
Here's the key point: From the retail version of the software, you only need to install one service pack release, and maybe 3 to 5 security patches at any point in time. Not 50 with branching restart cycles; one to five patches, one restart.
Obviously there's some variation here and there. Apple will have a lot more than five updates at a time for all the other non-OS software, but the underlying concept is there:
The fewer the installers and restarts, the easier patches are for the normal user.
AnamanFan - Trying to find the Truth, one post at a time.