Slashdot Mirror
Time to End Microsoft's Patch Tuesday?
buzzardsbay writes "Techtarget's resident security curmudgeon, Dennis Fisher, is calling for an end to Microsoft's monthly security patching cycle. Fisher points out that 'a hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'"
It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.
If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.
Except for the fact that Linux also requires patching. Every other day I have a little star on my desktop notifying me of updates to various libraries, applications, and yes the kernel itself. Mac's have patches too. This is not necessarily a Windows vs. , this is about what the best way of releasing patches is. It's an Incremental vs. Bulk release debate. MS chose the bulk method. Is that a good decision? Maybe, maybe not. Regardless of the OS, patching is always required. No piece of software is bulletproof.
"It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.
Your comment is accurate, and gets to the heart of the problem. The current system minimizes cost, at the expense of security.
The pundit would rather companies get more staff, do rolling testing, etc., whatever it takes - to maximize security.
Now, as a non-user of Microsoft products and a victim of attacks by unpatched machines, some of them corporate, it's clear that the current strategy just shifts the costs off of the companies and onto me. If it just crashed their networks I couldn't care less. But it's more than that.
So I need to side with the proposal - the users need to improve their security. They can do this by having rolling patches from Microsoft or picking a more secure product to use. I don't care how they do it, but they need to stop expecting me to pay for their poor performance.
Unfortunately, liability is poorly defined in this realm, otherwise I could theoretically sue for damages, and their insurance company would make sure they were in good shape or charge them through the roof for being in bad shape.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
You always wondered? You must be fairly new to IT. MS switched to that format well within the past 10 years. I think it was around 5 years ago. Before that they released them as each was finished.
As for why they do them that way now, their large corporate customers asked them to. In large corporate settings there are often lots and lots of in-house-developed applications the company runs. Each time a new patch comes out, the IT dept must go through a lengthy (sometimes several weeks) process of testing the new patch, on test beds of the various models/configurations of computers the company uses, to make sure it doesn't break any of those apps, or any other purchased applications. They often run into many bugs/conflicts that MS doesn't in their testing.
If MS comes out with a patch, the company starts testing it out, then 3 days later MS comes out with another patch, the big corp now has multiple cycles of testing trying to go on at the same time, using up tons of IT resources, backing things up in the pipeline. If their testing cycle is 2 weeks, and MS releases 6 patches during those two weeks, the pipeline is now filled up with 12 weeks worth of throughput. Not fun.
If, on the other hand, MS releases on a regularly scheduled day each month, the company can easily run their test suite just a single time, freeing up IT resources, and also letting them plan for the patches/testing, rather than being surprised and having to pull folks off of other projects to work on testing if MS suddenly goes on a streak of releasing several patches in a row.
When Microsoft releases a patch for an exploit, it's immediately known that computers are wide open to this attack. Malicious hackers - virus writers and the like included - can reverse engineer the patch to find out what vulnerability is being patched exactly, and know that, since your organization doesn't patch until such-and-such day, you're wide open to attacks. "Exploit Wednesday", the day after patch Tuesday, is a testament to the importance of Microsoft's patches in the development of exploits. Companies can't afford to gear up for patches every day, but can't afford to risk the ramifications of not applying a patch immediately either. Patch Tuesday gets them out of this catch-22.