Industry sources anticipate the disclosure of multiple vulnerabilities in the Windows operating system. The company announced its shift to a monthly patching cycle as a part of a new security initiative unveiled at its Worldwide Partner Conference in New Orleans last month. Microsoft said it was introducing the new schedule to ease the burden on systems administrators struggling with the frequency of security updates.
However security professionals have avoided giving Microsoft's policy shift the thumbs up, saying the effect is likely to be neutral. Co-founder and chief technology officer with U.S. based security company Neohapsis, Greg Shipley, told ZDNet Australia the new policy will actually make some things harder.
"The measuring stick is the volume of patches, not the release times," he said by phone from Chicago. "It's difficult because now we have to regression test all these patches in one lump sum."
On the surface the policy is a good one, Shipley says, because system administrators only have to schedule one service outage window a month. "But now you apply a bunch of patches, and something 'breaks' which one do you back up on?"
Furthermore, Shipley says the policy needs to be flexible in order for Microsoft to appropriately affect its customers. "If a hole is found in the wild... they should respond in a timely manner regardless of their patch cycle," he explained. "But if they're doing controlled releases then I'm not sure if it matters that much."
Security professional and former chief security officer of InterNIC Richard Forno also highlights the large time between updates as a potential source of risk. "Perhaps it makes it easier for the system administrators to do one major fix-it patch instead of several each month, but that means there's a greater window of opportunity for a bad guy to cause damage between patch cycles," he said. "Watch for the next major Windows exploits to occur within a week of a monthly patch being released by Microsoft."
"If I was a bad guy, that's when I'd release my malicious exploits," he added.
Its all fine for the big M to commit to a planned release of patches on a regular basis, my question is "What does this say about the quality of the product overall?".
Once again the human factor fails us. Programmers need to understand that the ones who would tear it all apart are humans too, and the nature of that beast will test the powers that be.
For all of us patching is fast becoming a nightmare. The O/S software too is far complicated to configure properly for security.
They need to adopt to a KISS pribciple if they want us to use a product thast is like a leaky hose.