It's Time to Standardize Vulnerability Day

Opinion: Competitors are increasingly hiding behind Microsoft's patch releases; why not do it openly and in the right way?

I've seen it coming for a while now. The second Tuesday of the month may be Microsoft patch day, but it's evolved into Industry Patch Day.

This is one of those instances, and they happen more often than you'd think, where Microsoft sets the tone for the rest of the industry. They didn't invent the security advisory, and heaven knows they wish they didn't have to be so expert in it, but they listened to their customers and they have the process down.

And now other companies are listening. Not only have they tried to emulate Microsoft, but they are trying to hide behind Microsoft's skirts on the second Tuesday of the month. It's a poor substitute for doing things openly and correctly. Part of the correct way is how Microsoft gives notice—three business days before they release their alerts and patches—of how many patches there will be, which products will be affected, the maximum severity of the alerts, and whether systems will need to be rebooted.

It's all about helping IT plan. Some have criticized Microsoft for holding off patches until the regularly scheduled times, but unless an exploit is imminent, releasing serious, surprise patches is not helpful to an orderly IT department. When a real emergency comes along, the software vendor and customer need to cast schedules aside and expedite matters, but these events are comparatively rare.

My initial thought about Oracle's recent announcements was that they too were tagging along with Microsoft, but one look at Oracle's quarterly Critical Patch Update schedule shows that more often than not it will not coincide with Microsoft's release dates. Oracle releases on the Tuesday closest to the 15th of January, April, July and October. Microsoft releases on the second Tuesday of the month. This month they coincided, but that was a rarity.
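The two release rules the column states are concrete enough to turn into a small planning calculator, which is how an IT department would check in advance which months the two vendors land on the same Tuesday. The following is an added example, not code from the column or from either vendor; it encodes only the rules as the column states them (Microsoft on the second Tuesday of every month, Oracle on the Tuesday closest to the 15th of January, April, July and October) and generalizes them to any year. The offset arithmetic, the function names and the `ORACLE_MONTHS` constant are this example's own assumptions.

```python
import calendar
from datetime import date, timedelta

TUESDAY = calendar.TUESDAY  # Monday is 0, so Tuesday is 1

# Quarterly months named in the column for Oracle's Critical Patch Update
ORACLE_MONTHS = (1, 4, 7, 10)


def second_tuesday(year: int, month: int) -> date:
    """Microsoft's rule as stated in the column: the second Tuesday of the month."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def tuesday_closest_to_15th(year: int, month: int) -> date:
    """Oracle's rule as stated in the column: the Tuesday closest to the 15th.

    The next Tuesday on or after the 15th is 0..6 days away; the previous one
    is 7 minus that. Exactly one of the two is within 3 days, so there is never
    a tie to resolve.
    """
    fifteenth = date(year, month, 15)
    forward = (TUESDAY - fifteenth.weekday()) % 7
    if forward <= 3:
        return fifteenth + timedelta(days=forward)
    return fifteenth - timedelta(days=7 - forward)


def patch_calendar(year: int) -> list:
    """One entry per month: (month, microsoft_date, oracle_date_or_None, same_day)."""
    rows = []
    for month in range(1, 13):
        ms = second_tuesday(year, month)
        oracle = tuesday_closest_to_15th(year, month) if month in ORACLE_MONTHS else None
        rows.append((month, ms, oracle, oracle == ms))
    return rows


def coinciding_months(year: int) -> list:
    """Months in which both vendors, by the stated rules, release on the same Tuesday."""
    return [month for month, _, _, same in patch_calendar(year) if same]


if __name__ == "__main__":
    # Print the planning calendar for the year the column refers to.
    for month, ms, oracle, same in patch_calendar(2005):
        flag = "  <-- same day" if same else ""
        print(f"{calendar.month_abbr[month]}: Microsoft {ms}  Oracle {oracle or '-'}{flag}")
```

Running it for 2005 shows the two schedules landing on the same Tuesday in April and July but not in January or October, which is the "rarity" the column describes: the second Tuesday can only coincide with the Tuesday closest to the 15th when the month starts late enough in the week.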

But would IT be better off if Microsoft and Oracle did release updates at the same time? It would depend on the specifics of the updates, details that are not available until close to the release date. When we get down to that point, for all we know everyone else will have updates too. That would be a really bad month, not unlike this one.

But while bad months will come every now and then, it is better to plan for the average case. And in the average month, the amount of work involved is not onerous, especially with advance warning. For those who think this month's heavy load is a reason not to plan for a common date, bear in mind that it's still possible, with no coordination or advance warning, for multiple vendors, including Microsoft, to release updates simultaneously. Wouldn't you rather have advance notice?

I suppose it's not quite so critical that everyone release on the same day. It's the predictability that really matters. I'm concerned that if all the major vendors decided to standardize on update release schedules of their own, security personnel would have too many scheduled events to deal with. Probably every individual department, given the software it runs and the availability of its personnel, will have a different attitude, and I would be anxious to hear yours.

But the information we have from the last couple of years of Microsoft's update practices and those of other vendors tells me that it's better to have order in the process.

Next page: Crowded patch days in 2005.