Sometimes Microsoft gets pushy and tries to force policies on customers, but not usually. The monthly patch cycle is an example of how they give enterprises as much flexibility as they can, and you wouldn't want it any other way. Customers gain nothing if Microsoft abandons the monthly cycle and will only lose customers if it forces users to apply updates.
When Microsoft went to the regular monthly patch cycle many years
ago it seemed counter-intuitive to many. Turns out it's very popular
among enterprises. But it still rubs some people the wrong way,
including Wolfgang Kandek, chief technology officer at security company
Kandek has been quoted in more than one publication recently arguing
that Microsoft should abandon the monthly patch cycle, at least for
Internet Explorer, and follow the Mozilla model. That model has the
application searching for and installing updates automatically when it
It's not for nothing that Kandek says this; the success of the
Conficker worm confirms his assertion that many companies don't apply
patches as quickly as they should. The security advisories on the
particular vulnerability exploited by that worm were about as explicit
and dire as they could be. I said at the time
vulnerability is one of those rare ones that could result in a true
network worm, where a system could be successfully attacked over the
network with no user action at all.
There are plenty of mitigating circumstances for this worm; for
instance, while Vista could theoretically be attacked, in practice
defense-in-depth features make it almost impossible to do so. All the
exploited systems in the real world are XP and earlier. But the large
majority of enterprise systems run those older platforms, so any
conscious network administrator should have prioritized this patch.
Many did not.
Of course, the schedule isn't the problem here. Very few outbreaks
of any vulnerability happen before the patch, and when something is
urgent Microsoft can go out of band. The real problem, as Kandek sees
it, is that network admins have chosen to centralize administration of
patches and to go slow with them. Thus the key to Kandek's proposal is
not to change the schedule, although he does say that IE patches should
come out as soon as available, but that IE should have its own
independent patch mechanism, and that administrators should not control
Updates to IE, Kandek says, should just be installed automatically. No testing by you.
No doubt this would increase patch frequency in the enterprise, and
I sympathize with Kandek. I definitely think that the odd application
compatibility problem introduced by a patch have to be minor in
comparison to the potential security problems of not patching. But
that's not my decision to make. I have no business making your patch
decisions for you and neither does Microsoft. It's your job. And if
your decision not to rush the MS08-067 patch resulted in a Conficker
outbreak in your enterprise, well you and whoever else is responsible
deserve to suffer the consequences. It's not Microsoft's fault; they
made a patch available and told you how serious the matter was.
As for single users and unmanaged networks, once again I don't see
the advantage. Automatic Updates is on by default in Windows for many
years, so end users should be getting these updates, too. Unless they
turn off automatic updates, which a stunning number of users do.
So if we move the patch decision from Windows to IE, won't those
same users defer patching because they heard somewhere that these
patches actually make things worse?
The only alternative, where Kandek appears to be going, is to take
the decisions out of the hands of the users. Do what Google's Chrome
does, and what Firefox comes close to doing: patch without asking.
Chrome doesn't bother to ask; Firefox asks, but they ask over and over
again until you say yes. And there's no way to manage the updates at a
And Firefox's pushiness may not be the be-all and end-all of this; A
German study using Google user-agent data showed that "...the maximum
share of the latest, most secure version never exceeded 80% for Firefox
users..." Even for Firefox some users blow off the updates. Sounds like
user freedom is a loser and Chrome's forced patching model is the only
I really want to hear from you, either through e-mail
or with a comment below: how do you feel about losing the decision-making power on whether to patch IE?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.