Published on Security Incite: Analysis on Information Security (http://securityincite.com)

EAC Blog: The dichotomy of Microsoft's advance notification

By Mike Rothman
Created 2006-07-26 06:40
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here [1].
On my Security Incite blog, I've made no bones about how sick I am of Patch Tuesday (here [1] and here [1]). Thankfully the preamble to July's festivities happens during a holiday week, so many of the beat reporters that need this stuff for content are MIA. That's a good thing in my book. But it got me thinking, why does Microsoft pre-announce what they are going to fix anyway?

I checked out Microsoft's web site [2] and saw the following explanation:


As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.

The cynical and devious bastard in me thinks Microsoft is opening holes by pointing out exposures that folks may not have known about. So now the bad guys have roughly six days to get an exploit out there and do some damage.

It's kind of like a bank saying, "We're fortifying the sub-basement under our vault next Tuesday." If you are a bank robber, you know your timetable and where the exposure is. Of course, there is still a lot of work to get in, but you've got a lot more information than you did before. You probably assumed the sub-basement was already fortified, no?

Alas, I also see the other point of view, which is that enterprises (both small and large) need to plan. If Microsoft drops a bomb on Tuesday with a very high profile patch that requires immediate attention, administrators get really pissed. They like to know exactly what is happening and why, even though many of them use automated patching products to "set it and forget it" once it's QA'd by the patch vendor.

The conclusion I come to is that Microsoft is dealing in numbers that mere mortals could only dream about. When they patch something it goes out in volumes of HUNDREDS of millions, not like 10 or 15 or even 1000. They've honed in on a patching process that is far from perfect, but works pretty good over a long period of time. To my knowledge, no one has taken a pre-announced patch and exploited it in the window of opportunity. So they have their bases covered.

There is also a halo effect with most customers about coming clean with issues. Everyone knows that every piece of software has vulnerabilities. Sure Microsoft's software has a lot (relatively more than others), but they acknowledge it and are moving to fix the systemic root causes of the problems.

One man's opinion is that Oracle [3] and Apple [4] should communicate a bit more about things they find. Apple just fixes things, but their software makes the updates relatively transparent and their lack of presence in the data center makes this a non-issue for most enterprises. Oracle, on the other hand, patches once a quarter and doesn't even get to everything. So it's hard to point to Microsoft as a security innovator, but they are eons ahead of the other folks relative to patching problems they created.

Source URL:
http://securityincite.com/blog/mike-rothman/eac-blog-the-dichotomy-of-microsofts-advance-notification