Its Time Microsoft Patched Its Patch System

Updated: Opinion: When it comes to patches, Microsoft needs to be more like Oracle and fix its products when flaws are discovered, not wait as long as a month.

You almost have to pity Microsoft sometimes. While it sells the most popular computer OS, it is also one of the worst designed ones. Moreover, they have made the business decision to keep the very features that make it a security nightmare in the name of backward compatibility. As a result, they have to keep issuing patches to the OS all the time. Well, once a month anyway.

They have gotten smarter about distributing their patches in the last few years with their "automatic update" mechanism. This works acceptably for a single user, but can be a real pain for enterprise-wide deployment.

Indeed, an entire cottage industry has arisen just to manage the application of Microsoft patches. Most of them use a server of some sort that distributes the patches to other machines, with a control interface that can allow for specific exceptions where needed. Whether the patches applied will break any mission-critical applications is always up in the air until proven otherwise.

It seems that Microsoft expects vulnerabilities to happen, and has integrated the need for corrective measures into their regular workflow. That is, patches now seem to be a regular every-30-day feature, not a response to events.

/zimages/3/28571.gifOn its latest patch day, Microsoft shipped patches for Word and Internet Explorer flaws. Click here to read more.

Patches to the Oracle 9i database necessitated by vulnerabilities that were disclosed in January showed up on the Oracle Web site the weekend after they were made public. The weekend, not just on a regular business-as-normal day.

But sadly, Oracle seems to have gone to a more laid-back approach as of late. It has gone to once-a-quarter updating, albeit (it says) with critical patches as needed.

An as-close-as-possible-to-immediate response to a problem builds confidence in customers. While they expect software problems to occur, how the manufacturer responds to them can either build up the confidence in the maker or destroy it. Treating security patches as just another software problem belies the seriousness that users see in them.

/zimages/3/28571.gifOracle releases a major patch that contains 49 fixes. Click here to read more.

Perhaps it just takes Microsoft longer to fix things. Perhaps they have not developed this kind of core competency in-house so they can turn things around in a timely manner. Maybe Windows has turned into such a complex beast that changing it in any way gives rise to unwanted second order effects that must be dealt with before a patch can be released.

Whatever the case, even Microsoft has to realize there is a deep problem here.

So, while Microsoft and Oracle both released scheduled patches Tuesday, customers have come to realize that these are reactive efforts rather than proactive ones. And while customers may have to do business with a company that acts only reactively, they want to do business with one that acts in their interest proactively.

Editors Note: This story was updated with new comments from the author.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.