Wednesday is patch day at Microsoft

In case you haven't noticed, Wednesday is security patch day at Microsoft.

In the past year, the Redmond, Washington company quietly changed its procedure for releasing security bulletins and software patches for security vulnerabilities in its products, creating a carefully orchestrated process that predictably releases bulletins and patches to the public on Wednesdays, according to senior Microsoft security personnel.

The company never formally announced the change in procedure, which went into effect around May of 2002, nor is the policy mentioned on Microsoft's Web site or articulated in any document released by the company, according to Steve Lipner, director of security assurance at Microsoft.

Nevertheless, the policy has had a noticeable effect on how and when Microsoft releases product vulnerability information.

For example, in February 2002, before the change in procedure, Microsoft released eleven bulletins, MS02-002 through MS02-012, on seven separate days.

By comparison, in July the company released seven vulnerability notices, MS02-034 through MS02-040, on just three Wednesdays, July 10, 24, and 31. Four of those, MS02-036, 037, 038, and 039, were released on July 24 alone.

The trend has continued into the new year. On Wednesday, Microsoft released its first three vulnerability notices of 2003.

The change in procedure was made in response to feedback from some of Microsoft's large corporate customers, according to Mike Nash, vice president of Microsoft's Security Business Unit.

"It was a relatively easy change for us to make. It didn't impact in a significant way when people became aware of vulnerabilities," Nash said.

Customer feedback was also behind Microsoft's decision to release vulnerability bulletins on Wednesday. "Wednesday in Redmond is Thursday in most parts of the world, and Thursday in Redmond is Friday. So our large enterprise customers told us 'Wednesday is best,'" Nash said.

The company also consulted with security industry experts and analysts before making the change, according to Lipner and others.

"They asked me about it before they started doing it, and I said I thought it was a fantastic idea," said Russ Cooper, Surgeon General at security company TruSecure Corp. and editor of the NTBugtraq mailing list, which provides information on security exploits and bugs in Windows operating systems and applications.

Microsoft's new procedure of releasing patches on Wednesdays makes it easier for network administrators to make resources available to implement those patches once they are released, according to Cooper, who said that Microsoft asked him not to disclose the change in policy.

David Litchfield, managing director of NGSSoftware Ltd. in London, said that he was told by a Microsoft employee of the company's policy of "rolling up" the security bulletins last year.

According to Litchfield, the employee explained the policy by saying that it was intended to make it easier for administrators to manage the different patches.

Litchfield said that he expressed reservations to Microsoft at the time.

"My personal opinion is: 'If a patch is available, don't hold it up.' I did express that to them."

Litchfield said that he understands Microsoft's desire to simplify the bulletin releases for administrators. "It's a valid point of view. That doesn't work for me, but who am I to argue with Microsoft?" Litchfield said.

Microsoft denied that it holds patches for any length of time, however. Instead, the company retooled its production and testing processes to deliver the software patches just in time for release on Wednesday, according to Lipner.

"We don't hold over patches. If one is ready to go on Wednesday, it'll go," Lipner said.

The increasing tendency of the company to release two, three or more bulletins on a single day is a coincidence, according to Lipner.

"If you look at last year, we released seventy-two bulletins. I don't know how many of those were released in the second half of the year, but the dynamic is that if you release one a week on average, one of the things that's going to happen is that on some days you're going to release more than one," Lipner said.

But consolidating the release of bulletins may be a way to improve the company's standing with network administrators who were weary of the frequent and unpredictable software patches from the company.

"The element of 'damage control' has likely been a big part of their consideration," according to Thor Larholm, a vulnerability researcher at security consulting company Pivx Solutions LLC.

"Swallowing four bulletins at once is definitely easier than continuously having to patch," Larholm said.

The change in patch release procedures is just one in a number of steps the company took during 2002 to tighten up its security bulletin and patch release process.

In November, for example, Microsoft changed the way it rates security issues and expanded its security notification service to better serve end users who are not technically savvy. [See "Microsoft adds security service for novice end-users," Nov. 19.]

In contrast to the November changes, which the company announced in an e-mail message sent to current security bulletin subscribers, Microsoft to date has made no public mention of its decision to begin releasing patches and bulletins on Wednesdays.

Asked about the discrepancy in how the changes were handled by Microsoft, Lipner said that the company initially held off on making an announcement while it refined its patch release process to target Wednesdays.

By the time Microsoft had the process working, the change had been noted by customers and was "old news," Lipner said.

However, other considerations might have helped to keep the company mum about the change, including calls from industry and consumers for software vendors to expedite patches for vulnerable products, according to Cooper.

"At the time they made the change, the climate wasn't good for somebody saying 'We're going to hold on (to a patch) for six days,'" Cooper said.

Spelling out the mid-week release policy also obligates Microsoft to hold to it and opens the company to criticism whenever patches fail to go out as scheduled, according to Cooper.

Lipner said Microsoft has no plans to update its stated policy for releasing bulletins and patches to mention the mid-week target.

"As we evolve the process, that's something we can review. The key thing from a standpoint of getting patches out, however, was to make it easier and more likely that a customer installs a patch as fast as possible," Lipner said.

While it targets patch and security bulletin releases for Wednesday, Microsoft will break from form in the event of a security vulnerability that has not been patched and is actively being exploited, according to Lipner.

"The hard policy is that we won't put customers at risk by doing (mid-week releases). If we became aware of an issue where there was active exploitation or if a customer was being attacked, we would build a patch as fast as we could, test it and release it right then," Lipner said.

Asked about the company's silence, Cooper said that he doesn't see any problem with Microsoft formally stating its policy for patch releases.

"I don't think there's anything wrong with saying that 'Our policy is that we will release on Wednesday, when possible.'"

Paul Roberts

PC World