Potential Damage at an
Awkward Time "> Nachreiner said faulty patches could cause major financial damage for enterprises. "If its a patch being deployed on client machines, maybe its not that big a deal. But if youre patching servers that need to stay up to keep the business running, you can imagine the problem when something crashes. If you install that patch and all your VPN tunnels stop working properly, thats a big deal for a business."The company has gone a step further, recruiting external patch testers under a formal Security Update Validation Program that gives select customers "limited and controlled access" to security updates ahead of public release. Read more here about Microsofts plan for external patch testing. The goal of that program is to provide a small number of dedicated external evaluation teams with access to the patches to test for application compatibility, stability and reliability in simulated production environments. For the most part, Microsoft has come a long way. The company has not recalled a patch in some time, and significant patch re-releases have been few and far between. Even Nachreiner, as harsh a Microsoft critic as there is, is willing to cut the software giant some slack. "Theyve done a lot of things to convince me theyre getting smarter when it comes to dealing with software security. Ever since they announced the Trustworthy Computing initiative, theyve been slowly delivering on that. Even I have to admit that," he said with a chuckle. The plan to re-release the MS05-019 advisory is in itself a progressive move, Nachreiner added. "They know that a bad patch is a bigger problem. Its not easy to patch such a complicated vulnerability and the most important thing is to get it right." "Theres no doubt that theyre increasing their priority on security, but its always going to be a dilemma because the [Windows] operating system is so huge and complicated. Theyve just opened up the new advisories service, which is a big shift for them to even acknowledge vulnerabilities posted on the public lists." To read more about Microsofts security advisories service, click here. "Even the fact that theyll admit that those vulnerabilities exist and offer some guidance, that shows they are slowly getting it," Nachreiner added. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
The patch reliability problem comes at an awkward time for Microsoft. The company has invested heavily to improve its patch creation and release mechanism and has stuck to its message that customersbusiness and consumersshould download and install its fixes.