Microsoft Patch Day: The Next Generation

By Larry Seltzer  |  Posted 2004-09-13 Print this article Print

Opinion: Welcome to the SP2 era. Will we have a bifurcated patch day? Will Microsoft be able to move any faster?

Its not really the first patch day of the Windows XP Service Pack 2 era. Last months, Aug. 10, was a few days after the initial release of the massive security-focused update. But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now were over a month since Microsoft finalized the "gold" SP2 code, and we may be about to see how they will handle patches in the post-SP2 era.

The biggest issue is how Microsoft prioritizes patches for vulnerabilities that affect only pre-SP2 versions. I agree with a lot of what my colleague Steven J. Vaughan-Nichols has to say on this matter, but I dont share his pessimistic sense. At the very worst, SP2 is now just another version of Windows they have to deal with.

I expect that for some time Microsoft will have to keep Windows XP SP1 and SP2 tracks for security vulnerabilities. In a very important sense, the SP1 track is more similar to the Windows 2000 track than SP2, because Internet Explorer is so different in Windows XP SP2.

The other thing Im looking out for is whether they move any faster on SP2 vulnerabilities than they have in the past on SP1 and other earlier versions. We have had one important SP2 vulnerability since it was released, the (in)famous drag-and-drop vulnerability. Its not a real killer, but its a bad one, and it demonstrates an oversight in Microsofts lockdown of Internet Explorer in Service Pack 2.

One can only imagine that when Microsoft works on the patch for this vulnerability they will discover underlying problems broader than this particular hole. The report accompanying the patch will expose other problems.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. But once again Im optimistic because another thing SP2 does is really, really urge you to turn on Automatic Updates. Some experts are uncomfortable with Automatic Updates. Fine, experts can turn them off, but novices should be running them. Enterprises and other expert-run networks can set up their own Windows Software Update Services servers and test patches while still allowing automatic updates to proceed as soon as they think it prudent.

But in either case I think we can expect that more users of SP2 will be getting updates more quickly. SP2 vulnerabilities will have a harder time getting exploited widely unless they appear as day 0 network worms. The drag-and-drop vulnerability, in spite of Secunias typically hysterical claims about outside exploits, dont have the potential to spread widely, and require user interaction and a Web site to host them, both of which are brakes on the spread of the attack.

I cant make up my mind about the severity of the drag-and-drop vulnerability. If its really serious, then I wouldnt expect it this patch day because Microsoft will fix it out of cycle when then can fix it. But if its not that important, then they may wait until next month to fix it, because it hasnt been that long since it was revealed.

In fact, if I had to wager, Id bet on more SP1 patches this month and for a while. There are still a bunch of SP1 vulnerabilities out there unpatched, and now that SP2 is done I would hope they would get some more attention.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel