
Security Patches R Us: Would You Like a Heads-Up with That?

Since Microsoft began its monthly security-patch-release schedule last year, the company has come under fire from what I call the "can't-win-no-matter-what-you-do" crowd. Microsoft used to issue security patches whenever the patches were ready, and as any battle-weary systems administrator can tell you, the effects were painful. Because of the number of Microsoft security patches over the past few years, some administrators did little more than evaluate and deploy patches, while spending their few remaining minutes of free time wondering when the next patch was coming. Moving to a monthly patch-release schedule, however, didn't mollify all users. Some security experts, for example, warned that the monthly release schedule meant that some critical bugs might go weeks without being fixed, simply so that Microsoft could adhere to an artificial release schedule.

So the software giant added a provision to its plan: under certain circumstances, the company will release critical patches out of band, outside the regular schedule, under which security patches ship on the second Tuesday of each month. Since announcing this plan, Microsoft has indeed released a few out-of-band security patches, most notably for Microsoft Internet Explorer (IE), which remains, quite possibly, the buggiest piece of software the company has ever written.

Although one might debate the soundness of this plan, Microsoft has to balance the needs of its customers with a desire to treat its volume buyers a bit better than the rest of us. In keeping with this policy, late last year the company instituted a plan whereby certain customers would receive advance warning about the regularly scheduled monthly security patches, giving them time to prepare for what's become known as Black Tuesday in certain IT circles. The idea is that, with a little heads-up, administrators can plan downtime accordingly and deploy patches as needed without interrupting business.

Microsoft eventually opened up the early access program to any company that was willing to sign a nondisclosure agreement (NDA). The reasons for this requirement are many, but my feeling is that Microsoft feared that malicious hackers might use the early-access information to create malicious software (malware) that exploits bugs before the patches are widely available. Those fears were partially realized when several customers who had signed NDAs earlier this year leaked information about upcoming security patches. Although I know of no examples of malicious hackers using this information to successfully exploit the flaws, the cat was out of the bag. By late summer, bad press and complaining companies had forced Microsoft to, once again, re-evaluate its stance on patch information access.

The problem here is obvious. Users were asking why Microsoft was hiding security patch information from most customers. As with airbags in cars, shouldn't all customers benefit from this information? Responding to the criticism, Microsoft has indeed opened up the early-access patch information program--now called Microsoft Security Bulletin Advance Notification--to all users. However, the program now provides less information: The advance notification will include only the number of patches the company will issue, the expected severity rating of each flaw, and a list of affected products. It won't describe the flaws themselves, so the notification tells you how much downtime to plan for, not what an attacker could do in the meantime.

The Microsoft Security Bulletin Advance Notification program starts this month, and currently takes the form of a Web page on the Microsoft Web site (URL below). Starting in December, the program will also include an email notification to which you can subscribe. Microsoft says that it will give "3 business days" of advance notice about the patches, so you'll have the basic information before the weekend preceding the second Tuesday of each month, or 3 business days before any out-of-band security patch.
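If you want to put these dates on a change calendar rather than count them by hand, the following Python is an added example (not code from the article or from Microsoft) that computes the second Tuesday of each month and walks back three weekdays from it. It assumes "3 business days" means three full weekdays before the release day, which lands on the preceding Thursday; it does not model public holidays, and it assumes the second-Tuesday rule holds for every month, both of which are simplifications of this example rather than anything the program promises.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's regular bulletin day."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Tuesday == 1. Days from the 1st to the first Tuesday:
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)  # first Tuesday plus one week


def business_days_before(when: date, n: int) -> date:
    """Walk back n weekdays from `when`, skipping Saturdays and Sundays.

    Public holidays are not modelled (assumption of this example), so a
    release in a holiday week may really be announced a day earlier.
    """
    remaining = n
    cur = when
    while remaining > 0:
        cur -= timedelta(days=1)
        if cur.weekday() < 5:  # Monday..Friday count; weekend days do not
            remaining -= 1
    return cur


def advance_notification_date(year: int, month: int, business_days: int = 3) -> date:
    """Date by which the advance notification for that month's release is expected."""
    return business_days_before(patch_tuesday(year, month), business_days)


def schedule(year: int) -> list[tuple[date, date]]:
    """(release day, notification day) for every month of `year`."""
    return [(patch_tuesday(year, m), advance_notification_date(year, m)) for m in range(1, 13)]


if __name__ == "__main__":
    for release, notice in schedule(2005):
        print(f"notice {notice:%a %Y-%m-%d}  ->  release {release:%a %Y-%m-%d}")
```

`business_days_before` also covers the out-of-band case: pass the announced release date and `3` to find the day by which the notice should have reached you.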

Frankly, I think Microsoft should be commended for making this information available to customers, even though the company had to be dragged, kicking and screaming, to the party (similar, again, to the way the automobile industry reacted to various safety requirements for cars). This type of transparency can only help those customers who elect to take advantage of the service. Go forth, people, and complain no more.

Microsoft Security Bulletin Advance Notification

TAGS: Security