Patches: Once a month is not enough
Microsoft needs to rethink its policy of stockpiling security bulletins and patches and releasing them all on the second Tuesday of each month. It doesn’t solve a problem for any customer, and it exposes an unknown number of innocent Windows users to unnecessary risk.
The whole concept of Patch Tuesday started in November 2004. Ostensibly, the reason was “to assist customers with resource planning for the scheduled monthly security bulletin.” In reality, it was a symbolic move to take control of the news cycle, after headlines had been appearing seemingly every week announcing Yet Another Horrible Security Flaw and Yet Another Critical Update for Windows. It’s true that corporate customers like an orderly update plan, but the real impact of the Patch Tuesday program is that Microsoft gets to dump all their bad security news in one big heap, once a month. They get positive press when they only have a few updates to release in a given month, and – with the exception of extraordinary events – the news cycle is contained to a few days between the preview announcement and the actual delivery of security bulletins.
That’s not necessarily a bad thing. Critical updates by definition are, well, critical. But that doesn’t mean the world is going to end if a Critical patch is delayed by 5, 10, or even 30 days. Reducing the level of hysteria around Internet security is a good thing. Unfortunately, in January, Microsoft decided for the first time to make an exception to its once-a-month patch policy. And in doing so, they open a Pandora’s box.
Once you start issuing out-of-band patches, two things happen: First, you effectively create a new security category, above and beyond Critical. For the sake of argument, let’s call these patches Super Critical. Second, you encourage people to begin agitating for each Critical update to be reclassified as Super Critical, and you encourage the irresponsible-disclosure community to release their proof-of-concept code the day after Patch Tuesday, so they can force this sort of arbitrary reexamination and drive Microsoft nuts. And in the process, you force your security team to start coordinating security bulletins with the PR department. Bad idea.
Why is this subject in the public debate right now? It came up last week in George Ou’s post about Secunia’s disclosure of an unpatched zero-day exploit for IE6. George wrote:
This IE6 vulnerability is serious enough that Microsoft should immediately create an out-of-cycle patch before the next monthly patch and spend less time lecturing about Apple's missteps. Microsoft was forced to release an emergency patch for the WMF vulnerability in January. Waiting for next months cycle for a zero-day critical flaw is unacceptable. [emphasis in original]
And he’s not alone. Here’s a sampling of the scary headlines that appeared at the top of Google News last week:
- Microsoft Warns Of Dangerous IE Exploit (InformationWeek)
- Microsoft Details IE Vulnerability (Security Pronews)
- 'Critical' IE bug threatens PC users (ElectricNews.net)
- IE hit with third bug in one week (Techworld.com)
And you could read 70 more just like those if you kept scrolling.
The outraged press wants a patch. They want it now. They got Microsoft to cave in January, and this situation looks identical. Several commenters on George’s post connect the dots and suggest that the monthly patch cycle is part of the problem. Commenter Tic Swayback (heh) spoke for the majority when he asked this eminently logical question in the TalkBack section of George’s post:
This is something I've always found confusing. Why is it better to have to wait on a patch at all, whether it's critical or trivial? If a company wants to patch their own machines on a regular, monthly schedule, why can't they just do that? Why must the software provider hold back on patches?
George responds:
If there is a proof-of-concept out in the wild, release the patch ASAP. Other than that, keeping an orderly patch schedule is a good thing. …
IT departments barely can keep up with the monthly cycle. There is a lot of testing evolved before IT departments will implement any patch. If you drop the orderly cycle and you have patches every week or just random, it will result in chaos. What’s needed is a flexible approach that if a critical exploit is responsibly disclosed without enough details or PoC, then the best thing to do is leave the cycle intact. But if a PoC is already available then we need to break out of the cycle because it’s an emergency situation. This IE6 flaw is an emergency.
Sorry, I have to agree with Vic and disagree with George. Microsoft management made the same argument in favor of releasing an out-of-band patch for the WMF exploit in January. In that case, as in the present instance, proof-of-concept code had been (irresponsibly) released, and Microsoft’s Security Response Center had to scramble to fix it. According to Mike Nash, Corporate VP for Security, the patch was released five days earlier than Patch Tuesday because corporate customers demanded it:
I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule. Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal.
That’s the trouble with “doing it once” – people expect you to do it again. In this case, less than three months later. And then next month. And the month after that, and so on, and so on, and so on…
My question is simple: Why should any Critical update be delayed? When it’s ready, release it with a preliminary Security Bulletin. Continue to publish the fully edited, fully vetted collection of Security Bulletins on the second Tuesday of the month, but give security-conscious Windows users and well-organized IT admins the chance to protect themselves ASAP. Overtaxed IT administrators can choose to wait till Patch Tuesday; you shouldn’t have to.
So, Microsoft, forget about agonizing over whether to wait for Patch Tuesday or release a Critical update out of band. When you hear about a new vulnerability (especially if exploit code is available), jump on it. Make the patch. As soon as it’s ready, release it.
We won’t mind, honest.