Time to End Microsoft's Patch Tuesday?

buzzardsbay writes "Techtarget's resident security curmudgeon, Dennis Fisher, is calling for an end to Microsoft's monthly security patching cycle. Fisher points out that 'a hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'"
  • by Pentavirate ( 867026 ) on Thursday May 10, 2007 @01:48PM (#19070913) Homepage Journal
    So your machine only reboots on you when you're not looking once a month instead of every single day!
  • by kcurtis ( 311610 ) on Thursday May 10, 2007 @01:49PM (#19070939)
    It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

    If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.
  • SUS (Score:2, Insightful)

    by u-bend ( 1095729 ) on Thursday May 10, 2007 @01:52PM (#19071011) Homepage Journal
    I'm not a fan of MS, nor am I a network administrator, but if you're running a network large enough for patching to be a big problem, shouldn't you have a PDC or BDC or something like that that runs SUS? Then you can choose which patches get installed to clients, and when, right? Probably an oversimplification, but it helped in management of our M$ boxes at a previous job.
  • by Gary W. Longsine ( 124661 ) on Thursday May 10, 2007 @01:52PM (#19071013) Homepage Journal
    Dennis Fisher fails to grok. Patch Day was created because Microsoft was getting hammered by the poor press which resulted from releasing many patches in one month. Patch Day, as much as it sucks, is probably here to stay.
  • Patch Tuesday (Score:2, Insightful)

    by Anonymous Coward on Thursday May 10, 2007 @01:54PM (#19071083)
    My understanding is that they basically did it to allow IT guys to schedule their downtime and patching, instead of having to scramble every time MS releases a patch in the middle of the week. Which is how it used to work, up until 2003 or so.
  • by The Media Mechanic ( 1084283 ) on Thursday May 10, 2007 @01:56PM (#19071139)

    "Known in some circles as Black Tuesday, the second Tuesday of each month in the last few years has become a kind of national day of mourning in the IT industry, as admins call all hands on deck and load up on pizza and Red Bull for the long night ahead."

    I call bullshit on this anecdotal bit of trivia. Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit... what places actually force their employees to work ridiculous hours like this just due to an arbitrary vendor schedule! I would not work at such a place, regardless of the amount of free pizza or Red Bull available.

    My point is that this bit of exaggeration in the article has no basis in fact and should be supported by quotes from someone who actually enforces this policy at their IT department.
  • by gad_zuki! ( 70830 ) on Thursday May 10, 2007 @02:02PM (#19071251)
    Patch day was started because administrators didn't want random patches being pushed out at random times. It's supposed to help the process by giving people a schedule, especially for people who aren't using SUS.

    The real question is when are they going to patch the patch system. The 100% CPU svchost bug is killing me and KB916089 (and its predecessor) doesn't do squat.
  • by EXTomar ( 78739 ) on Thursday May 10, 2007 @02:02PM (#19071257)
    The original reason why "Patch Tuesday" was created was because too many were giving feedback to Microsoft that their patching process was far too disruptive to their enterprise. Before "Patch Tuesday", you could check any particular machine, at any time of day or week, and regardless of its role or usage it may have a patch pestering people that it needs to be applied and the machine rebooted. "Patch Tuesday" essentially is a "work around" to condense all of these patches that could be highly disruptive into a smaller, brief time frame.

    The real problem is the patching system Microsoft chose is highly disruptive. Too many still demand user attention even if applied remotely by an administrator. Although less often, too many still require a reboot, which is a larger disruption to the user's work. Should Microsoft consider changing how patching is done so that it isn't so "hands on" and pesters the users and administrators to take action? Improve patching to the point where patches can be applied painlessly from the IT Center and "Patch Whateverday" goes away.
  • by Professor_UNIX ( 867045 ) on Thursday May 10, 2007 @02:10PM (#19071403)

    For system administrators, it allows them to only have to address patching Windows machines once a month.
    This is a stupid idea though. It saves the administrators some hassle, but if Microsoft is putting out a patch for a vulnerability then don't you think that maybe, just maybe, the hackers already know about the vulnerability and are actively exploiting it? Why should I have to wait a month for a patch to a critical vulnerability just because some company's IT department only wants to work one day a month on patching? Patches should be released as soon as possible for anything critical or security-related and you can let companies choose to sit on them for a month if they want.
  • by businessnerd ( 1009815 ) on Thursday May 10, 2007 @02:12PM (#19071441)
    Except for the fact that Linux also requires patching. Every other day I have a little star on my desktop notifying me of updates to various libraries, applications, and yes the kernel itself. Macs have patches too. This is not necessarily a Windows vs. , this is about what the best way of releasing patches is. It's an Incremental vs. Bulk release debate. MS chose the bulk method. Is that a good decision? Maybe, maybe not. Regardless of the OS, patching is always required. No piece of software is bulletproof.
  • That's the Problem (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) * on Thursday May 10, 2007 @02:13PM (#19071467) Homepage Journal
    It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

    Your comment is accurate, and gets to the heart of the problem. The current system minimizes cost, at the expense of security.

    The pundit would rather companies get more staff, do rolling testing, etc., whatever it takes - to maximize security.

    Now, as a non-user of Microsoft products and a victim of attacks by unpatched machines, some of them corporate, it's clear that the current strategy just shifts the costs off of the companies and onto me. If it just crashed their networks I couldn't care less. But it's more than that.

    So I need to side with the proposal - the users need to improve their security. They can do this by having rolling patches from Microsoft or picking a more secure product to use. I don't care how they do it, but they need to stop expecting me to pay for their poor performance.

    Unfortunately, liability is poorly defined in this realm, otherwise I could theoretically sue for damages, and their insurance company would make sure they were in good shape or charge them through the roof for being in bad shape.
  • Re:Not MS' problem (Score:2, Insightful)

    by danlor ( 309557 ) on Thursday May 10, 2007 @02:14PM (#19071493) Homepage
    Sounds to me like you are the problem. That's a heinous comment.

    Patching is dangerous. It is not for the foolhardy, or ignorant. Your IT department is there to protect you from the "just do it" mentality. Trust them, and when they whine about problems in the process, take heed.

    Our systems have been taken down twice this year due to bad patches from good old MS. Patches that we in IT were FORCED to deploy before proper testing. Guess who has control of the process in our organization now?
  • by Matt Perry ( 793115 ) on Thursday May 10, 2007 @02:28PM (#19071747)

    It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

    If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.
    Nonsense. Companies are free to test and upgrade on a given day no matter when updates come out. I test patches and update my Linux servers once a month even though patches for said machines may come out at any point in time between my patch days. I make exceptions to this only for patches that we deem critical enough to apply outside of our schedule.
  • by LurkerXXX ( 667952 ) on Thursday May 10, 2007 @02:39PM (#19071945)
    You always wondered? You must be fairly new to IT. MS switched to that format well within the past 10 years. I think it was around 5 years ago. Before that they released them as each was finished.

    As for why they do them that way now, their large corporate customers asked them to. In large corporate settings there are often lots and lots of in-house-developed applications the company runs. Each time a new patch comes out, the IT dept must go through a lengthy (sometimes several weeks) process of testing the new patch, on test beds of the various models/configurations of computers the company uses, to make sure it doesn't break any of those apps, or any other purchased applications. They often run into many bugs/conflicts that MS doesn't in their testing.

    If MS comes out with a patch, the company starts testing it out, then 3 days later MS comes out with another patch, the big corp now has multiple cycles of testing trying to go on at the same time, using up tons of IT resources, backing things up in the pipeline. If their testing cycle is 2 weeks, and MS releases 6 patches during those two weeks, the pipeline is now filled up with 12 weeks worth of throughput. Not fun.

    If, on the other hand, MS releases on a regularly scheduled day each month, the company can easily run their test suite just a single time, freeing up IT resources, and also letting them plan for the patches/testing, rather than being surprised and having to pull folks off of other projects to work on testing if MS suddenly goes on a streak of releasing several patches in a row.
  • by Joebert ( 946227 ) on Thursday May 10, 2007 @03:16PM (#19072561) Homepage
    No, it's your fault that you didn't learn how to configure your system to meet your needs. :)
  • No (Score:3, Insightful)

    by Kjella ( 173770 ) on Thursday May 10, 2007 @03:16PM (#19072569) Homepage
    A bug might have been there for one year, two years, five years. The chance someone will find it by accident in the next two weeks (average delay to release) is rather slim. On the other hand, you know the moment the patch is out, hackers will reverse engineer it within a short period of time. That leads to the following conclusions:

    1. You have to patch within a short period of release
    2. One patch may break any functionality, so you must test all of it
    3. If Microsoft releases patches all the time, you must test all the functionality all the time

    In 99% of the companies out there, that's just not going to happen. I love getting daily patches; my desktop or home server isn't a critical business machine. I'm mostly interested in avoiding someone hacking it so I have to set it up again, far more than a broken patch. At the very least that leaves the machine in a "known broken" state that hopefully will be fixed by another patch, whereas a decent virus infection might end in a reinstall. For many, a corporate machine down means you're down. Sales lost, salaries roll and nothing gets done. Sometimes data gets stolen, but most of the time the cost is downtime - whether it's broken software or infected software. Quite often the solution is the same - rollback to a known good state (after you've figured out how to not get reinfected). Under those conditions I see why they prefer a mad scramble every Patch Tuesday instead of a mad scramble all the time.
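The pipeline arithmetic in LurkerXXX's comment above (six patches landing inside a two-week test cycle tying up twelve weeks of throughput) and Kjella's point that the exposure clock starts the moment a patch is public can be put into one toy model. This is an added example, not code from the article or from any commenter; the cycle length, the six fix-ready dates and the monthly release days are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import groupby
from statistics import mean

CYCLE_DAYS = 14                    # LurkerXXX's two-week test cycle (assumed)
READY_DAYS = [0, 2, 5, 7, 9, 12]   # constructed: six fixes ready within two weeks
RELEASE_DAYS = [13, 41, 69]        # constructed monthly "Patch Tuesday" dates

@dataclass
class Patch:
    ready: int          # day the vendor had the fix ready
    published: int = 0  # day the patch (and thus the bug) became public
    deployed: int = 0   # day testing finished and it was rolled out

def publish(patches, release_days):
    """Rolling (release_days=None): publish when ready; batched: hold for next release day."""
    for p in patches:
        p.published = p.ready if release_days is None else min(
            d for d in release_days if d >= p.ready)

def run_pipeline(patches, cycle_days, batch_same_day, parallel):
    """Serial: one test cycle at a time, FIFO by publish day. Parallel: unlimited test labs."""
    free_at = 0
    ordered = sorted(patches, key=lambda p: p.published)
    groups = ([list(g) for _, g in groupby(ordered, key=lambda p: p.published)]
              if batch_same_day else [[p] for p in ordered])
    for group in groups:
        start = group[0].published if parallel else max(free_at, group[0].published)
        free_at = start + cycle_days
        for p in group:
            p.deployed = free_at
    return len(groups)

def summarize(ready_days, release_days, cycle_days=CYCLE_DAYS, parallel=False):
    patches = [Patch(d) for d in ready_days]
    publish(patches, release_days)
    cycles = run_pipeline(patches, cycle_days, release_days is not None, parallel)
    return {
        "test_cycles": cycles,
        "last_deploy_day": max(p.deployed for p in patches),
        # Fisher's window: a fix existed but was not yet on the machine
        "mean_ready_to_deploy": round(mean(p.deployed - p.ready for p in patches), 1),
        # Kjella's window: patch public, so it can be reverse-engineered
        "mean_public_to_deploy": round(mean(p.deployed - p.published for p in patches), 1),
    }

if __name__ == "__main__":
    for label, rel, par in [("rolling, one test lab", None, False),
                            ("rolling, unlimited labs", None, True),
                            ("monthly batch, one lab", RELEASE_DAYS, False)]:
        print(f"{label:24s}", summarize(READY_DAYS, rel, parallel=par))
```

With one serial lab, rolling releases finish on day 84 after six cycles while the monthly batch finishes on day 27 after one; the "unlimited labs" case is the staffing level bill_mcgonigle says the pundit is implicitly asking for, and it is the only one where rolling wins on the ready-to-deploy window.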
  • by Kijori ( 897770 ) on Thursday May 10, 2007 @03:51PM (#19073313)
    When Microsoft releases a patch for an exploit, it's immediately known that computers are wide open to this attack. Malicious hackers - virus writers and the like included - can reverse engineer the patch to find out what vulnerability is being patched exactly, and know that, since your organization doesn't patch until such-and-such day, you're wide open to attacks. "Exploit Wednesday", the day after patch Tuesday, is a testament to the importance of Microsoft's patches in the development of exploits. Companies can't afford to gear up for patches every day, but can't afford to risk the ramifications of not applying a patch immediately either. Patch Tuesday gets them out of this catch-22.
  • by lgw ( 121541 ) on Thursday May 10, 2007 @03:58PM (#19073421) Journal
    I disable the damn update service. Once a month I hit Microsoft Update, generally on the Wednesday following patch Tuesday. Why is this hard?
  • by Tacvek ( 948259 ) on Thursday May 10, 2007 @04:07PM (#19073567) Journal
    My wish is for: Download Automatically. Prompt me when downloaded so I can review what is to be installed. If I install them, and it wants to reboot, but I do not reboot, it may leave a systray icon, but MUST NOT keep popping up that window every 10 minutes asking me to restart. I will generally install the updates ASAP, but I only restart when I want to, or if the system becomes really messed up, or BSOD.
  • by bill_mcgonigle ( 4333 ) * on Thursday May 10, 2007 @09:01PM (#19077435) Homepage Journal
    So there's a point where increasing investments in security becomes more costly than loss of security. The current system seems like a good balance to me.

    And more importantly the current system shifts cost off of those with poor security and onto everybody else. Since there's no downside for those doing the shifting, it is a good state of affairs for them. The trouble is with all those insecure goats, the commons are becoming bare.