It's hard to believe that Microsoft started Patch Tuesday a bit more than five years ago. During that time, I've seen a major change for the better in the way users, administrators, and other vendors perceive Microsoft's attitude toward security and the company's execution of its security strategies. Having a regular and predictable pattern for security updates has been a good thing for Microsoft, its customers, and the industry as a whole. However, sometimes individual product teams—like, for example, the Exchange Server team—find themselves in difficult positions because of this strategy.
Take this week's Microsoft Exchange Server 2007 SP1 Update Rollup 6 release. Exchange 2007 rollup packages are cumulative updates, so when you install Rollup 6, you're getting all of the fixes previously included in rollups 1 through 5. However, Rollup 6 actually contains a fairly small number of changes, according to the Microsoft article "Description of Update Rollup 6 for Microsoft Exchange Server 2007 Service Pack 1."
Does this mean that there weren't any other bugs in Exchange that Microsoft needed to fix? Not necessarily. It means that because there was a critical security issue that needed to be fixed, the rollup was released with the fixes that had been tested and were ready at the time the critical fix needed to get released. Every fix that's applied to the Exchange codebase has to go through a clearly defined development and testing process, and that process takes time.
However, time is typically in short supply for security fixes. In fact, Lawrence Walsh makes an interesting argument in "Is 'Patch Tuesday' Dead?" that attackers are waiting until after Patch Tuesday releases to see what Microsoft did, and didn't, fix, and that this kind of delaying tactic is responsible for the spread of the Conficker worm over the last two or three months. In this week's Patch Tuesday update, the Exchange Server vulnerability announced in "Microsoft Security Bulletin MS09-003" is a serious one: Attackers can remotely execute code of their choice on the targeted server, which is why it's rated as critical. The Exchange team made the right decision to release a rollup with few fixes; I'd rather have the critical security fix now than a security fix plus more bug fixes a month from now.
In related news, Microsoft is now maintaining a forum where administrators can discuss Exchange software updates, including problems with those updates, as part of the Microsoft TechNet Forums.
Additional articles about recent security problems:
- Microsoft releases four security bulletins. Two rated critical.
- Microsoft Security Bulletins: Admin Rights Make Users Vulnerable
- Data Leaks Abound And No One Is Safe
- Confick or Downadup Worm Can Be Squashed: By Common Sense
Additional articles about Exchange Server updates: