Microsoft getting better at Patch Tuesday updates, experts say

Unfortunately, patching will be reality as long as software is around

All told, Microsoft released 74 patches in 2009 and while some months were worse than others (such as October), security experts say the software giant seems to be refining and improving the process of explaining and pushing out patches.

"These past couple of months I have been watching the information coming out of Microsoft and they are refining their processes and they are giving a lot more information to people," says Jason Miller, data and security team leader at Shavlik Technologies. "They are getting information out earlier. So definitely it appears that this patch process is starting to mature in a good way. I am definitely seeing more positives and some of the bumps and bruises we have seen in the past couple of years, we are not seeing those right now."

Unfortunately, patching will be reality as long as software is around, but any work to make it more manageable will be welcomed by those doing the hands-on work.

Miller says Microsoft's delivery of the actual bits for the patches is much more consistent month to month, that there is more technical information with more depth, and more effort to provide advisories on known vulnerabilities regardless if there is a patch or not.

"The process overall has improved," say Amol Sarwate, manager of Qualys' vulnerability research lab. "I think Microsoft has made a lot of progress on the whole patching cycle. They are ahead if you compare it with other companies. Microsoft is very formal and forthcoming about giving advanced notification."

Sarwate says the addition of the exploitability index, which debuted in October of last year, is one example of how Microsoft has enhanced patch process. The index uses a three-tier system to grade the likelihood of consistent, inconsistent or functioning exploit code for each patch.

"They have constantly added a lot of metric around the vulnerability and also the overall flow in how quick they are to respond to something like a proof-of-concept," Sarwate says. "Microsoft is quicker about getting an advisory out. They are more vigilant in that piece then they had been."

Shavlik's Miller agrees Microsoft is better about issuing advisories, which tell users about existing vulnerabilities or zero-day exploits that have yet to be patched.

The latest came last month concerning the zero-day exploit around Internet Explorer. Microsoft first acknowledged on Nov. 23 that it was investigating the issue and followed up later in the day with a formal security advisory, and before the day was done issued a second update to report a patch would be developed. That patch, MS09-072, was delivered Tuesday as part of the regular patching cycle.

"You have advisories, you have re-releases that they are announcing as they are going through the month, as well as some nifty diagrams of exploitability indexes along with commentary on the patches," Shavlik's Miller says.

He says he is seeing a lot more information coming from the Microsoft Security Research Center (MSRC) and technical information coming from Microsoft's Security Research & Defense blog, which is produced by the MSRC Engineering team.

MSRC blogs extensively on Patch Tuesday, an effort that includes charts, graphs and videos. It also blogs on advanced notifications before each Tuesday release, as well as on other vulnerability issues, including the recent Black Screen of Death episode.

The Security Research and Defense blog provides platform mitigation information directed at network administrators and information about new security defenses and tools that the Microsoft Security Engineering Center (MSEC) Security Science team is working on.

"If you look at the technical info that is out there that is extremely technical information that nine out of 10 people are not going to be able to read," Miller says. "But Microsoft also has other information that is coming out that is more down to earth for admins, where they can read and decipher this information and see how it is applicable to their networks."

In addition, Miller says Microsoft is more timely with the actual patch code.

"It was spotty," he says. "Sometimes it would be four o'clock in the afternoon before they started to release the information. The last few months it has been out five minutes to noon every time."

Miller said Microsoft is clearing up other issues that have plagued the patch process in the past including not releasing all the patches at the same time.

"There have been days when we waited until 8 o'clock at night and they still haven't gotten their servers updated. We have seen delays until late afternoon before even the first patch is coming on to their Web site. If you are planning, it gets very difficult."

But he says those issues are clearing out and he hopes that it will continue into 2010.

Follow John Fontana on Twitter: twitter.com/johnfontana

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityPatch Tuesday

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Fontana

Network World
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?