Microsoft aims to increase time between patches

Microsoft's director of product security has said that he wants to eliminate patching of Windows altogether, but in the short-term wants to extend the patch cycle to six months

Microsoft would like extend its Windows patch cycle from once a month to once every six months, but only after the company is confident its customers will remain safe between the updates.

George Stathakopoulos, director of Microsoft product security, told ZDNet UK sister site ZDNet Australia on Wednesday that his long term goal is to create an operating system that will never need patching. But he concedes that because software is so complex this is a virtual impossibility.

However, Stathakopoulos said that as Microsoft continues to rid Windows of bugs and improves its overall resilience, the company is hoping to extend the time between patches from the current monthly update to as much as six months between updates.

"I would prefer [it] if I never have to release another patch again. When it comes to six months -- this is a direction we may decide to go in at some point. Right now, we have to balance the risk of exposing our customers and the speed at which we can deliver a patch," said Stathakopoulos.

According to Stathakopoulos, extending the patch cycle is possible as Microsoft strengthens Windows defences. He believes SP2 is a step in the right direction because it brings greater resiliency to the Windows OS, which would mean an MSBlast-type attack on an SP2 system would not cause as much chaos because administrators would have more time to react.

"Take the RPC vulnerability -- that enabled the MSBlast worm. It was a buffer overrun and it scanned for other systems to infect. If you had a personal firewall, the vulnerability doesn't exist. Even if you take down the firewall, XP SP2 now has memory protection that filters buffer overruns.

"So if you had an XP SP2 machine with an MSBlast-like worm, you would still need to deploy the patch but it would be on your own schedule," said Stathakopoulos.

Microsoft hopes to build isolation and resiliency into more of its products, not just Windows, he said.

"We want to change the rules so even when a hacker can exploit a buffer overrun he can’t do anything material with it," said Stathakopoulos.

Neil Campbell, national security manager at Internet security specialists Dimension Data, welcomes Microsoft’s efforts at increasing the time between patches.

"Patching is time consuming and risky. It is important to patch but you want to minimise the number of times you want to patch throughout the year. Microsoft is definitely working towards reducing the number of times companies have to patch," said Campbell.

However, Campbell said AMD and Intel have improved their processor technology to aid Microsoft's cause by using hardware controls to defend against software flaws.

"If an application tries to write to a part of memory that it shouldn’t have access to, it will get stopped through a combination of software and hardware. This is a great catch-all for buffer overflows," said Campbell.

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.