
Microsoft overhauling "broken" patch management system

Occasionally, Microsoft's patches have been known to cause worse problems than the ones they were programmed to solve. The bad patches then have to be removed—if there's an uninstaller.
Written by Michael Jackman, Contributor

On June 3, 2003, Scott Charney, a former Justice Department cybercrime expert and Microsoft Corp.'s chief security strategist since April 1, 2002, told the audience at TechEd 2003 in Dallas that he knew Microsoft's patch management "was broken."

"Today there are eight different installer technologies within Microsoft," he admitted. "Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say you're patched because they're looking at registry keys; other products say you're not patched because they're looking for DLLs." Thanks to Charney's efforts, Microsoft not only admits on the record that it needs to improve the way it manages updates to its applications and operating systems, but appears to have made a sincere commitment to fixing the problem.
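The disagreement Charney describes, one tool reading a registry entry and another reading a DLL, can be checked directly on a host. The script below is an added example written for this page, not code from the article or from Microsoft; it compares the two signals for one patch and reports whether they agree. The KB number, file path and expected version are hypothetical placeholders to be replaced with the values from the bulletin being verified.

```powershell
# Added example (not from the article): cross-check two patch-detection signals
# that can disagree: the registry-backed record that an installer registered
# the hotfix (what Get-HotFix reports) and the version of the binary the patch
# is supposed to replace.
# Assumptions: the KB id, file path and minimum version are placeholders; no
# real bulletin is implied.

function Test-PatchConsistency {
    param(
        [Parameter(Mandatory)] [string]  $KbId,           # e.g. 'KB0000000' (placeholder)
        [Parameter(Mandatory)] [string]  $FilePath,       # binary the patch replaces
        [Parameter(Mandatory)] [version] $MinimumVersion  # fixed file version per the bulletin
    )

    # Signal 1: the OS has a registration record for the hotfix.
    $registered = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # Signal 2: the file on disk carries at least the fixed version.
    $fileVersion = $null
    if (Test-Path -LiteralPath $FilePath) {
        $vi = (Get-Item -LiteralPath $FilePath).VersionInfo
        # Build the version from the numeric parts; the FileVersion string can
        # carry trailing build text that [version] will not parse.
        $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $fileFixed = ($null -ne $fileVersion) -and ($fileVersion -ge $MinimumVersion)

    # Classify the combination. The two middle cases are the ones Charney
    # describes: the registry and the binary tell different stories.
    $verdict = if ($registered -and $fileFixed)          { 'Patched'            }
               elseif ($registered -and -not $fileFixed) { 'RegisteredButOldFile' }
               elseif (-not $registered -and $fileFixed) { 'FixedFileNotRegistered' }
               else                                      { 'Unpatched'          }

    [pscustomobject]@{
        KbId         = $KbId
        Registered   = $registered
        FilePath     = $FilePath
        FileVersion  = $fileVersion
        MinimumVer   = $MinimumVersion
        Verdict      = $verdict
    }
}

# Usage with placeholder values (substitute the bulletin's own KB, file and version):
Test-PatchConsistency -KbId 'KB0000000' `
                      -FilePath "$env:SystemRoot\System32\example.dll" `
                      -MinimumVersion '1.0.0.0' | Format-List
```

A `RegisteredButOldFile` result is the case Charney calls out: a registry-based scanner reports the machine as patched while the vulnerable binary is still on disk (a later install or rollback replaced it, or the installer registered without copying the file). `FixedFileNotRegistered` is the mirror image, typically a superseding update or hand-copied file that a file-based scanner accepts and a registry-based one rejects. Treating only the first case as patched, and investigating the other two, avoids trusting either signal alone.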

Both Charney and Microsoft's white paper acknowledged that Microsoft ought to release more secure, better tested code in the first place. To oversee these changes in its update strategy, Charney formed a departmental Patch Management Task Force. As a result, in recent weeks there have been signs that the software Goliath has begun its overhaul.

Notification changes
Microsoft has tweaked its Security Bulletin notifications by adding a less technical Consumer Bulletin geared toward end users. Though not written for tech staff, it might serve IT management and staff both as a model for passing on patch information to employees, and as a quick, easier-to-digest overview of new issues. Both the Consumer Bulletins and the more technical Security Bulletins are available by e-mail subscription:

Responding to customers' suggestions, Microsoft also changed its rating system. According to feedback, Microsoft had been defining too many issues as "critical." The new system has four levels (Critical, Important, Moderate, and Low), as shown in Table A, with Critical reserved for vulnerabilities whose exploitation could let a virus or worm propagate without user action.

Finally, the company overhauled the TechNet security site by adding more content, making it easier to search for specific security information, and adding a Microsoft Guide to Security Patch Management (Version 1, July 2003). The 2.5-MB download is a 2-part, 11-chapter PDF file designed for both IT management and in-the-trenches staff.
