It's Time to Standardize Vulnerability Day

By Larry Seltzer  |  Posted 2005-07-18

Opinion: Competitors are increasingly hiding behind Microsoft's patch releases; why not do it openly and in the right way?

I've seen it coming for a while now. The second Tuesday of the month may be Microsoft patch day, but it's evolved into Industry Patch Day. This is one of those instances, and they happen more often than you'd think, where Microsoft sets the tone for the rest of the industry. They didn't invent the security advisory, and heaven knows they wish they didn't have to be so expert in it, but they listened to their customers and they have the process down.

And now other companies are listening. Not only have they tried to emulate Microsoft, but they are trying to hide behind Microsoft's skirts on the second Tuesday of the month. It's a poor substitute for doing things openly and correctly. Part of the correct way is how Microsoft gives notice—three business days before they release their alerts and patches—of how many patches there will be, which products will be affected, the maximum severity of the alerts, and whether systems will need to be rebooted.

It's all about helping IT plan. Some have criticized Microsoft for holding off patches until the regularly scheduled times, but unless an exploit is imminent, releasing serious, surprise patches is not helpful to an orderly IT department. When a real emergency comes along, the software vendor and customer need to cast schedules aside and expedite matters, but these events are comparatively rare.

My initial thought about Oracle's recent announcements was that they too were tagging along with Microsoft, but one look at Oracle's quarterly Critical Patch Update schedule shows that more often than not it will not coincide with Microsoft's release dates. Oracle releases on the Tuesday closest to the 15th of January, April, July and October. Microsoft releases on the second Tuesday of the month. This month they coincided, but that was a rarity.

But would IT be better off if Microsoft and Oracle did release updates at the same time? It would depend on the specifics of the updates, details that are not available until close to the release date. When we get down to that point, for all we know everyone else will have updates too. That would be a really bad month, not unlike this one.

But while bad months will come every now and then, it is better to plan for the average case. And in the average month, the amount of work involved is not onerous, especially with advance warning. For those who think this month's heavy load is a reason not to plan for a common date, bear in mind that it's still possible, with no coordination or advance warning, for multiple vendors, including Microsoft, to release updates simultaneously. Wouldn't you rather have advance notice?

I suppose it's not quite so critical that everyone release on the same day. It's the predictability that really matters. I'm concerned that if all the major vendors decided to standardize on update release schedules of their own, security personnel would have too many scheduled events to deal with. Probably every individual department, given the software it runs and the availability of its personnel, will have a different attitude, and I would be anxious to hear yours.

But the information we have from the last couple of years of Microsoft's update practices and those of other vendors tells me that it's better to have order in the process.

Next page: Crowded patch days in 2005.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
