Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking

    Changing Patch Habits With Microsoft

    By
    Dennis Fisher
    -
    December 6, 2004
    Share
    Facebook
    Twitter
    Linkedin

      In the year since Microsoft Corp. made its controversial decision to begin releasing patches on a monthly basis, the policy has had a profound effect on enterprise security—changing forever the way companies deploy updates and helping to hasten the end of the manual patching process.

      Administrators say the predictable patch cycle afforded to them by the monthly schedule has given them the ability to develop a plan for testing and deploying the fixes. Enterprises now know that on the second Tuesday of every month they will have a batch of updates delivered from Microsoft, which eliminates much of the fire drill mentality that surrounded the irregular releases of patches previously.

      So far, Microsoft officials say they are pleased with the overall effect of the monthly patch program.

      “Its going just as wed hoped. Two years ago, we didnt have consumer mailers; we didnt have separate technical bulletins; we didnt have any of that stuff,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center, in Redmond, Wash. “It was a painful process. No one knew what was coming out. Customers get a higher patch quality now.”

      In enterprise IT departments, the regular patch cycle has led to a number of changes. Many administrators say the change has given them time to test patches comprehensively and has upped their confidence in the updates they deploy.

      “The real issue is that you have to test patches, and how quickly we move on one is a function of the severity of the problem,” said Adam Hansen, manager of security at Sonnenschein Nath & Rosenthal LLP, a Chicago law firm with more than 2,000 users in 11 offices. “I can plan for resource allocation better now. I plan on at least one critical patch every month, and I havent been disappointed. And I can package the patches together once theyre tested and push them out in a pack.”

      For large distributed enterprises such as Sonnenschein, the increase in the number of patches in recent years made it nearly impossible to patch PCs manually. This has led to the rapid proliferation of automated patching and remediation tools such as Citadel Inc.s Hercules and PatchLink Corp.s Update, which enable administrators to identify vulnerable machines and push updates to them automatically.

      “I measured our compliance with manual patching once, and we had just 20 percent, and that was just the machines we knew about,” said Hansen, whose company uses Hercules. “In a mobile work force, things just happen, so now we push anything that a user is missing and dont let them on the network until theyre in compliance.”

      But not all the changes have been positive. Security experts say crackers have taken notice of the monthly cycle and have begun timing their attacks to coincide with the release of the patches. In fact, managed security providers say that within hours of the release of a new set of patches from Microsoft, they see spikes in activity against whatever components or services the software company has just fixed.

      Worm writers, too, are taking advantage of the fact that Microsoft has been loath to release patches outside the regular cycle. Last month, the Bofra worm hit the Internet just two days after the public disclosure of a vulnerability in Internet Explorer. The worm appeared at the same time as Microsofts November patch release, which did not include a fix for the IE flaw. Microsoft did, however, release an out-of-cycle patch for the vulnerability last week.

      /zimages/4/28571.gifClick here to read more about how Microsoft patched this vulnerability out of cycle.

      The vulnerability in IE was a buffer overrun in the way that the browser handles certain HTML tags and could allow an attacker to execute arbitrary code on a remote machine. In order to exploit the flaw, an attacker would simply need to entice a user to visit a malicious Web site that contained the exploit code.

      Patch work
      Changes since Microsoft went to monthly updates:

      • 320% increase in use of Windows Update
      • 400% increase in use of automatic updates
      • More than 100,000 SUS (Software Update Service) servers connecting to Microsoft monthly

      /zimages/4/28571.gifCheck out eWEEK.coms Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis. Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page: /zimages/4/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      Dennis Fisher
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×