In the year since Microsoft Corp. made its controversial decision to begin releasing patches on a monthly basis, the policy has had a profound effect on enterprise security—changing forever the way companies deploy updates and helping to hasten the end of the manual patching process.
Administrators say the predictable patch cycle afforded to them by the monthly schedule has given them the ability to develop a plan for testing and deploying the fixes. Enterprises now know that on the second Tuesday of every month they will have a batch of updates delivered from Microsoft, which eliminates much of the fire drill mentality that surrounded the irregular releases of patches previously.
So far, Microsoft officials say they are pleased with the overall effect of the monthly patch program.
“It's going just as we'd hoped. Two years ago, we didn't have consumer mailers; we didn't have separate technical bulletins; we didn't have any of that stuff,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center, in Redmond, Wash. “It was a painful process. No one knew what was coming out. Customers get a higher patch quality now.”
In enterprise IT departments, the regular patch cycle has led to a number of changes. Many administrators say the change has given them time to test patches comprehensively and has upped their confidence in the updates they deploy.
“The real issue is that you have to test patches, and how quickly we move on one is a function of the severity of the problem,” said Adam Hansen, manager of security at Sonnenschein Nath & Rosenthal LLP, a Chicago law firm with more than 2,000 users in 11 offices. “I can plan for resource allocation better now. I plan on at least one critical patch every month, and I haven't been disappointed. And I can package the patches together once they're tested and push them out in a pack.”
For large distributed enterprises such as Sonnenschein, the increase in the number of patches in recent years made it nearly impossible to patch PCs manually. This has led to the rapid proliferation of automated patching and remediation tools such as Citadel Inc.'s Hercules and PatchLink Corp.'s Update, which enable administrators to identify vulnerable machines and push updates to them automatically.
“I measured our compliance with manual patching once, and we had just 20 percent, and that was just the machines we knew about,” said Hansen, whose company uses Hercules. “In a mobile work force, things just happen, so now we push anything that a user is missing and don't let them on the network until they're in compliance.”
But not all the changes have been positive. Security experts say crackers have taken notice of the monthly cycle and have begun timing their attacks to coincide with the release of the patches. In fact, managed security providers say that within hours of the release of a new set of patches from Microsoft, they see spikes in activity against whatever components or services the software company has just fixed.
Worm writers, too, are taking advantage of the fact that Microsoft has been loath to release patches outside the regular cycle. Last month, the Bofra worm hit the Internet just two days after the public disclosure of a vulnerability in Internet Explorer. The worm appeared at the same time as Microsoft's November patch release, which did not include a fix for the IE flaw. Microsoft did, however, release an out-of-cycle patch for the vulnerability last week.
The vulnerability in IE was a buffer overrun in the way that the browser handles certain HTML tags and could allow an attacker to execute arbitrary code on a remote machine. In order to exploit the flaw, an attacker would simply need to entice a user to visit a malicious Web site that contained the exploit code.
Changes since Microsoft went to monthly updates:
- 320% increase in use of Windows Update
- 400% increase in use of automatic updates
- More than 100,000 SUS (Software Update Service) servers connecting to Microsoft monthly