Should Microsoft Take You out of the Patching Question?

Sometimes Microsoft gets pushy and tries to force policies on customers, but not usually. The monthly patch cycle is an example of how they give enterprises as much flexibility as they can, and you wouldn't want it any other way. Customers gain nothing if Microsoft abandons the monthly cycle and will only lose customers if it forces users to apply updates.

When Microsoft went to the regular monthly patch cycle many years ago it seemed counter-intuitive to many. Turns out it's very popular among enterprises. But it still rubs some people the wrong way, including Wolfgang Kandek, chief technology officer at security company Qualys.

Kandek has been quoted in more than one publication recently arguing that Microsoft should abandon the monthly patch cycle, at least for Internet Explorer, and follow the Mozilla model. That model has the application searching for and installing updates automatically when it is launched.

It's not for nothing that Kandek says this; the success of the Conficker worm confirms his assertion that many companies don't apply patches as quickly as they should. The security advisories on the particular vulnerability exploited by that worm were about as explicit and dire as they could be. I said at the time: This vulnerability is one of those rare ones that could result in a true network worm, where a system could be successfully attacked over the network with no user action at all.

There are plenty of mitigating circumstances for this worm; for instance, while Vista could theoretically be attacked, in practice defense-in-depth features make it almost impossible to do so. All the exploited systems in the real world are XP and earlier. But the large majority of enterprise systems run those older platforms, so any conscious network administrator should have prioritized this patch. Many did not.

Of course, the schedule isn't the problem here. Very few outbreaks of any vulnerability happen before the patch, and when something is urgent Microsoft can go out of band. The real problem, as Kandek sees it, is that network admins have chosen to centralize administration of patches and to go slow with them. Thus the key to Kandek's proposal is not to change the schedule, although he does say that IE patches should come out as soon as available, but that IE should have its own independent patch mechanism, and that administrators should not control it.

Updates to IE, Kandek says, should just be installed automatically. No testing by you.

No doubt this would increase patch frequency in the enterprise, and I sympathize with Kandek. I definitely think that the odd application compatibility problem introduced by a patch have to be minor in comparison to the potential security problems of not patching. But that's not my decision to make. I have no business making your patch decisions for you and neither does Microsoft. It's your job. And if your decision not to rush the MS08-067 patch resulted in a Conficker outbreak in your enterprise, well you and whoever else is responsible deserve to suffer the consequences. It's not Microsoft's fault; they made a patch available and told you how serious the matter was.

As for single users and unmanaged networks, once again I don't see the advantage. Automatic Updates is on by default in Windows for many years, so end users should be getting these updates, too. Unless they turn off automatic updates, which a stunning number of users do.

So if we move the patch decision from Windows to IE, won't those same users defer patching because they heard somewhere that these patches actually make things worse?

The only alternative, where Kandek appears to be going, is to take the decisions out of the hands of the users. Do what Google's Chrome does, and what Firefox comes close to doing: patch without asking. Chrome doesn't bother to ask; Firefox asks, but they ask over and over again until you say yes. And there's no way to manage the updates at a network level.

And Firefox's pushiness may not be the be-all and end-all of this; A German study using Google user-agent data showed that "...the maximum share of the latest, most secure version never exceeded 80% for Firefox users..." Even for Firefox some users blow off the updates. Sounds like user freedom is a loser and Chrome's forced patching model is the only alternative.

I really want to hear from you, either through e-mail or with a comment below: how do you feel about losing the decision-making power on whether to patch IE?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.