Microsoft getting better at Patch Tuesday updates, experts say

Unfortunately, patching will be reality as long as software is around

All told, Microsoft released 74 patches in 2009 and while some months were worse than others (such as October), security experts say the software giant seems to be refining and improving the process of explaining and pushing out patches.

"These past couple of months I have been watching the information coming out of Microsoft and they are refining their processes and they are giving a lot more information to people," says Jason Miller, data and security team leader at Shavlik Technologies. "They are getting information out earlier. So definitely it appears that this patch process is starting to mature in a good way. I am definitely seeing more positives and some of the bumps and bruises we have seen in the past couple of years, we are not seeing those right now."

Unfortunately, patching will be a reality as long as software is around, but any work to make it more manageable will be welcomed by those doing the hands-on work.

Miller says Microsoft's delivery of the actual bits for the patches is much more consistent month to month, that there is more technical information with more depth, and that there is more effort to provide advisories on known vulnerabilities regardless of whether there is a patch.

"The process overall has improved," says Amol Sarwate, manager of Qualys' vulnerability research lab. "I think Microsoft has made a lot of progress on the whole patching cycle. They are ahead if you compare it with other companies. Microsoft is very formal and forthcoming about giving advanced notification."

Sarwate says the addition of the exploitability index, which debuted in October of last year, is one example of how Microsoft has enhanced the patch process. The index uses a three-tier system to grade the likelihood of consistent, inconsistent or functioning exploit code for each patch.

"They have constantly added a lot of metrics around the vulnerability and also the overall flow in how quick they are to respond to something like a proof-of-concept," Sarwate says. "Microsoft is quicker about getting an advisory out. They are more vigilant in that piece than they had been."

Shavlik's Miller agrees Microsoft is better about issuing advisories, which tell users about existing vulnerabilities or zero-day exploits that have yet to be patched.

The latest came last month concerning the zero-day exploit around Internet Explorer. Microsoft first acknowledged on Nov. 23 that it was investigating the issue and followed up later in the day with a formal security advisory, and before the day was done issued a second update to report a patch would be developed. That patch, MS09-072, was delivered Tuesday as part of the regular patching cycle.

"You have advisories, you have re-releases that they are announcing as they are going through the month, as well as some nifty diagrams of exploitability indexes along with commentary on the patches," Shavlik's Miller says.

He says he is seeing a lot more information coming from the Microsoft Security Research Center (MSRC) and technical information coming from Microsoft's Security Research & Defense blog, which is produced by the MSRC Engineering team.

MSRC blogs extensively on Patch Tuesday, an effort that includes charts, graphs and videos. It also blogs on advanced notifications before each Tuesday release, as well as on other vulnerability issues, including the recent Black Screen of Death episode.

The Security Research and Defense blog provides platform mitigation information directed at network administrators and information about new security defenses and tools that the Microsoft Security Engineering Center (MSEC) Security Science team is working on.

"If you look at the technical info that is out there that is extremely technical information that nine out of 10 people are not going to be able to read," Miller says. "But Microsoft also has other information that is coming out that is more down to earth for admins, where they can read and decipher this information and see how it is applicable to their networks."

In addition, Miller says Microsoft is more timely with the actual patch code.

"It was spotty," he says. "Sometimes it would be four o'clock in the afternoon before they started to release the information. The last few months it has been out five minutes to noon every time."

Miller said Microsoft is clearing up other issues that have plagued the patch process in the past, including not releasing all the patches at the same time.

"There have been days when we waited until 8 o'clock at night and they still haven't gotten their servers updated. We have seen delays until late afternoon before even the first patch is coming on to their Web site. If you are planning, it gets very difficult."

But he says those issues are clearing out and he hopes that it will continue into 2010.

Follow John Fontana on Twitter: twitter.com/johnfontana


John Fontana

Network World