Microsoft Overloads the Patch Process

Opinion: It's going to take you a long time to deal with everything that happened today. Perhaps it would have been better for Microsoft to have two patch days this month.

Im done patching my own systems.

I threw caution somewhat to the winds this time. I did do some testing; I have a test desktop and a test server I install these things on and run a few tests involving common tasks of mine, but this time was different from most others.

This time Microsoft had put out so much information and so many patches that I really didnt have time to understand it all before I applied them.

Thats one way to do things; I dont have so many computers or critical applications here that I cant recover from anything going wrong.

If I were administering a large enterprise things would be different. The flood of security bulletins and patches released today by Microsoft was so large and complicated that administrators have no choice but to prioritize.

Microsoft and others have attempted to set priorities in terms of the most serious problems, but only you know what issues are the important for your systems.

The problem of overload is even worse than the 12 security bulletins would indicate. Microsoft also chose today to release at least one Office patch unrelated to the vulnerabilities disclosed in the bulletins. There may be more, its still too hard to tell given the sheer volume of information. Microsoft also chose today to release an update for Exchange Server 2000 related to a bulletin from last year.

But wait, theres more. Perhaps hoping to slip in under the radar, other vendors reported problems today. For instance, Symantec revealed a bug in the UPX (Ultimate Packer for eXecutables) engine in a large number of their products that could allow an attacker to inject code and take control from the engine. Ill have more on this later.

So while youre getting ready to update all your Windows systems, dont forget to update your Symantec products. And a non-trivial vulnerability showed up in Apples MacOS X AppleFileServer.

Earlier I toyed with the idea of seeing if todays flood of patches cleaned the slate of unpatched vulnerabilities on Windows, but it appears this isnt the case, at least depending on who you talk to.

Last fall Finjan announced that they had found 10 new vulnerabilities in Windows XP SP2. Microsoft still disputes the severity of the problems, and in any event confirmed today that "none of the bulletins released today addressed any of the alleged vulnerabilities on Finjans list..." So fear not, there are more bulletins to come.

The point of having a regularly-scheduled patch day, and later on of giving limited advance information, was to help administrators plan for updates and to schedule time in which to test and apply them. Theres no way that anyones regularly-scheduled interval will be adequate to handle everything that happened today.

It might actually have been better for Microsoft to have announcd last Thursday—instead of saying that there would be 13 advisories (in the end there were only 12, as Microsoft held one back for further testing)—that the advisories would come in two phases.

They could declare a special off-schedule patch day next Tuesday or whatever an appropriate period would be. They could divide the two days based on priority or on products.

Since Microsoft didnt split up the problems for us, well have to prioritize on our own. But well have to do it with the issues and the patches in public, which means that the exploits will be coming out quicker than they would otherwise. We can only hope that overload days like this are rare, but maybe Microsoft will even the workflow out when they happen in the future.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer