Patches That Patch

Microsoft's monthly plan is off to a rough start.

The "Patch-A-Month Club" was to have made life simpler for Microsoft customers. Instead, its life as before—which leaves much to be desired. In moving to a monthly schedule for routine patches, Microsoft intended to make it easier for customers to maintain stable and secure systems. But in the weeks the program has been in effect, the company has had to violate the monthly timetable by issuing more frequent patches—and even patching the patches that it issued.

"Even though theyve changed to monthly, theyve already made some changes off the schedule," said an IT professional at Time, who asked not to be named. "So theyve officially changed—but not really."

Microsofts policy of batching patches began Oct. 15. On that date, the company released five Windows security bulletins, four of them rated "critical," plus two bulletins specifically for Exchange Server. The next batch wasnt due until Nov. 11. The new schedule is potentially a great idea that can protect your enterprise against script kiddies if you roll out needed vulnerability fixes as soon as theyre available.

But on Oct. 22, Microsoft released a new version of one of the Windows patches and, on Oct. 24, a new version of one of the Exchange patches. On Oct. 29, three of the Windows patches were modified and reissued—including one for the revised Windows patch that had been issued just one week earlier. The latest round of revisions, Microsoft acknowledges, keeps the three initial Windows patches from hanging machines in certain cases when theyre installed (see

No one would argue that Microsoft shouldnt have issued fixed patches when it learned of significant problems. Software isnt perfect and never will be. But Microsoft customers deserve to feel safe relying on Microsofts megapatches every month. Most people wont feel safe if they keep getting patches with unadvertised side effects that disrupt their work. More important, their systems wont be fully secure.

These issues trouble even big believers in the new monthly patch policy. For example, Roger Wilding, senior technical engineer for CNF, a global supply chain service company, supports the new schedule, saying, "It actually makes it easier for us to understand. As long as there isnt a critical vulnerability thats going around the Net right now, we can wait until the second Tuesday of the month." Wilding uses the Software Update Services Feature Pack of Microsofts Systems Management Server to administer patches to more than 2,000 machines.

Last months Windows upgrades, however, caused him grief. "One of the patches broke one of our applications, so Microsoft is discussing with us whether or not the patch should have a shim or something." Microsoft said the patch in question changes the way Windows handles text input and that other developers should change their code to avoid any problems.

Windows is such a complex organism now that its hopeless to expect Microsofts patches to ever play nicely with all possible software. Thats why enterprises are heavily invested in patch management tools—Microsofts and others—to apply patches and patches to patches. Russ Cooper, editor of the NTBugtraq security mailing list, recently surveyed his 31,000 subscribers and found theyre collectively using 29 fee-based patch management solutions and 18 free ones. Whew!

The new monthly patch schedule leaves companies with no excuse for not updating regularly. Michael Howard, Microsofts senior program manager for security engineering and communications, told me customers demanded it: "The overwhelming feedback we had from customers is that this would be much more predictable. It allows you to do it in one fell swoop."

Having committed to sending out a broad batch of updates the second Tuesday of every month, Microsoft also has no excuse if it doesnt improve its testing during the extra weeks it now has between releases. We all have a big stake in everyone getting this right.

Brian Livingston is editor of His column appears every other week in eWEEK. Send your comments to eWEEK