Microsoft getting better at Patch Tuesday updates, experts say

Unfortunately, patching will be a reality as long as software is around

All told, Microsoft released 74 patches in 2009, and while some months were worse than others (such as October), security experts say the software giant seems to be refining and improving the process of explaining and pushing out patches.

"These past couple of months I have been watching the information coming out of Microsoft and they are refining their processes and they are giving a lot more information to people," says Jason Miller, data and security team leader at Shavlik Technologies. "They are getting information out earlier. So definitely it appears that this patch process is starting to mature in a good way. I am definitely seeing more positives and some of the bumps and bruises we have seen in the past couple of years, we are not seeing those right now."

Unfortunately, patching will be a reality as long as software is around, but any work to make it more manageable will be welcomed by those doing the hands-on work.

Miller says Microsoft's delivery of the actual bits for the patches is much more consistent month to month, that there is more technical information with more depth, and that there is more effort to provide advisories on known vulnerabilities regardless of whether there is a patch.

"The process overall has improved," says Amol Sarwate, manager of Qualys' vulnerability research lab. "I think Microsoft has made a lot of progress on the whole patching cycle. They are ahead if you compare it with other companies. Microsoft is very formal and forthcoming about giving advanced notification."

Sarwate says the addition of the exploitability index, which debuted in October of last year, is one example of how Microsoft has enhanced the patch process. The index uses a three-tier system to grade the likelihood of consistent, inconsistent or functioning exploit code for each patch.

"They have constantly added a lot of metrics around the vulnerability and also the overall flow in how quick they are to respond to something like a proof-of-concept," Sarwate says. "Microsoft is quicker about getting an advisory out. They are more vigilant in that piece than they had been."

Shavlik's Miller agrees Microsoft is better about issuing advisories, which tell users about existing vulnerabilities or zero-day exploits that have yet to be patched.

The latest came last month concerning the zero-day exploit around Internet Explorer. Microsoft first acknowledged on Nov. 23 that it was investigating the issue and followed up later in the day with a formal security advisory, and before the day was done issued a second update to report a patch would be developed. That patch, MS09-072, was delivered Tuesday as part of the regular patching cycle.

"You have advisories, you have re-releases that they are announcing as they are going through the month, as well as some nifty diagrams of exploitability indexes along with commentary on the patches," Shavlik's Miller says.

He says he is seeing a lot more information coming from the Microsoft Security Research Center (MSRC) and technical information coming from Microsoft's Security Research & Defense blog, which is produced by the MSRC Engineering team.

MSRC blogs extensively on Patch Tuesday, an effort that includes charts, graphs and videos. It also blogs on advanced notifications before each Tuesday release, as well as on other vulnerability issues, including the recent Black Screen of Death episode. 

The Security Research and Defense blog provides platform mitigation information directed at network administrators and information about new security defenses and tools that the Microsoft Security Engineering Center (MSEC) Security Science team is working on.

"If you look at the technical info that is out there that is extremely technical information that nine out of 10 people are not going to be able to read," Miller says. "But Microsoft also has other information that is coming out that is more down to earth for admins, where they can read and decipher this information and see how it is applicable to their networks."

In addition, Miller says Microsoft is more timely with the actual patch code.

"It was spotty," he says. "Sometimes it would be four o'clock in the afternoon before they started to release the information. The last few months it has been out five minutes to noon every time."

Miller said Microsoft is clearing up other issues that have plagued the patch process in the past, including not releasing all the patches at the same time.

"There have been days when we waited until 8 o'clock at night and they still haven't gotten their servers updated. We have seen delays until late afternoon before even the first patch is coming on to their Web site. If you are planning, it gets very difficult."

But he says those issues are clearing out and he hopes that it will continue into 2010.

Follow John Fontana on Twitter: twitter.com/johnfontana


John Fontana

Network World
