Microsoft overhauling "broken" patch management system

The Microsoft patch management system makes many CIOs cringe at the thought of untested patches wreaking havoc on expensive network systems. See what Microsoft is doing to ensure future patches are bug-free.


Occasionally, Microsoft's patches have been known to cause worse problems than the ones they were programmed to solve. The bad patches then have to be removed—if there's an uninstaller. On June 3, 2003, Scott Charney, a former Justice Department cybercrime expert and Microsoft Corp.'s chief security strategist since April 1, 2002, told the audience at TechEd 2003 in Dallas that he knew Microsoft's patch management "was broken."

"Today there are eight different installer technologies within Microsoft," he admitted. "Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say you're patched because they're looking at registry keys; other products say you're not patched because they're looking for DLLs." Thanks to Charney's efforts, Microsoft not only admits on the record that it needs to improve the way it manages updates to its applications and operating systems, but appears to have made a sincere commitment to fixing the problem.
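The disagreement Charney describes (one tool keys on registry entries, another on the binaries on disk) is easy to reproduce on a single machine. The following PowerShell script is an added example, not code from the article or from Microsoft; PowerShell postdates the 2003 tools being discussed, but the verification gap it shows is the same. It checks a hotfix two ways: through the registry-backed Win32_QuickFixEngineering record that Get-HotFix reads, and through the file versions of the binaries the bulletin says the patch replaces. The hotfix ID and the file-to-version table are placeholders you fill in from a bulletin's "verifying patch installation" section.

```powershell
# Added example (not from the article): decide whether a hotfix is installed
# two different ways and report when the answers disagree.
# Assumptions: $HotfixId and $ExpectedFiles are placeholders taken from a
# bulletin; the paths and versions below are not real patch data.
param(
    [string]$HotfixId = 'KB000000',            # placeholder, not a real bulletin
    [hashtable]$ExpectedFiles = @{             # placeholder: path -> minimum version
        "$env:SystemRoot\System32\example.dll" = '5.1.2600.0'
    }
)

function Test-HotfixRegistered {
    param([string]$Id)
    # Registry view: what a tool that "looks at registry keys" would report.
    $qfe = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $Id }
    return [bool]$qfe
}

function Test-HotfixFiles {
    param([hashtable]$Files)
    # File view: what a tool that "looks for DLLs" would report.
    foreach ($path in $Files.Keys) {
        $minimum = [version]$Files[$path]
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Found = $false; Version = $null; Ok = $false }
            continue
        }
        # Build the version from the numeric parts; the FileVersion string can
        # carry trailing build tags that do not parse as a [version].
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $actual = New-Object version ($info.FileMajorPart, $info.FileMinorPart,
                                      $info.FileBuildPart, $info.FilePrivatePart)
        [pscustomobject]@{ Path = $path; Found = $true; Version = $actual; Ok = ($actual -ge $minimum) }
    }
}

$registered = Test-HotfixRegistered -Id $HotfixId
$fileReport = @(Test-HotfixFiles -Files $ExpectedFiles)
$filesOk    = -not ($fileReport | Where-Object { -not $_.Ok })

$fileReport | Format-Table -AutoSize

# The two views can disagree in either direction; neither one alone is proof.
switch ("$registered/$filesOk") {
    'True/True'   { "$HotfixId : registry record and file versions agree; installed" }
    'False/False' { "$HotfixId : registry record and file versions agree; not installed" }
    'True/False'  { "$HotfixId : registered, but binaries are older than expected; treat as NOT patched" }
    'False/True'  { "$HotfixId : binaries are current, but no registry record; inventory tools will miss it" }
}
```

Run it on a workstation after applying a patch and again after removing it. The "registered but binaries older" case is the one that matters for risk: the inventory says the machine is fixed while the vulnerable code is still on disk, so any compliance check should require both views to agree before a machine is counted as patched.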

Tip
For more information, read Microsoft's June 2003 Patch Management White Paper.

Both Charney and Microsoft's white paper acknowledged that Microsoft ought to release more secure, better tested code in the first place. To oversee these changes in its update strategy, Charney formed a departmental Patch Management Task Force. As a result, in recent weeks there have been signs that the software Goliath has begun its overhaul.

Notification changes
Microsoft has tweaked its Security Bulletin notifications by adding a less technical Consumer Bulletin geared toward end users. Though not written for tech staff, it might serve IT management and staff both as a model for passing on patch information to employees, and as a quick, easier-to-digest overview of new issues. Both the Consumer Bulletins and the more technical Security Bulletins are available by e-mail subscription:

Note
A Microsoft .NET Passport is required for TechNet, but registration is free. You can also use TechNet to browse current and past Security Bulletins.

Responding to customers' suggestions, Microsoft also changed its rating system. According to feedback, Microsoft defined too many issues as "critical." The new system has four levels, as shown in Table A, with the most critical reserved for those vulnerabilities that easily allow a virus or worm to propagate.
Table A: Microsoft's new patch rating system

Level      Description
Low        Extremely difficult to exploit, or one with minimal impact.
Moderate   Less likelihood of exploitation, due to a combination of factors, such as default configuration, auditing, or difficulty.
Important  Possibility of system compromise, including "the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources."
Critical   Possibility of Internet worm/virus propagation without any user action.

Finally, the company overhauled the TechNet security site by adding more content, making it easier to search for specific security information, and adding a Microsoft Guide to Security Patch Management (Version 1, July 2003). The 2.5-MB download is a 2-part, 11-chapter PDF file designed for both IT management and in-the-trenches staff.

Proposed patch management remedies
Consumers have always been able to use the Web to apply updates—Windows Update for operating systems and Office Update for its flagship product. But this has never been a good solution for IT departments, because you don't want users adding patches before they've been tested (you probably lock down their workstations to keep them from doing so). What solutions are available for IT staff?

To help with patch and update testing, Microsoft makes available Software Update Services (SUS). After network administrators approve a patch, SUS helps them deploy the update to Windows 2000 servers and Windows XP Professional and 2000 Professional desktops. Microsoft's Systems Management Server Feature Pack adds SUS capabilities to the System Management Server (SMS). The drawback to this technology is that SUS only downloads critical updates. Other patches have to be applied manually, and they lack a standardized interface, patching method, and even standardized command line switches.

In response to this problem, Charney stated at TechEd that IT customers could expect the following improvements in the near future (these promises are repeated in the white paper):
  • An automatic, online update service for security patches and other critical updates that covers more products
  • An SUS 2.0 release, which will include the ability to update more Microsoft products
  • Systems Management Server 2003, to be released this year, which will add the ability to automatically install patches during downtime
  • A standardized look, feel, and behavior of all patch installers; for example, all patches will register with the system (and be recognized as a patch by other patches) the same way, and all patches will use consistent command line flags (no more "/quiet" flag on one package and "/silent" flag on another)
  • The ability to uninstall or roll back the patch

It's a lot for the Patch Management Task Force to take on, but Charney said he'd have all of it done in six months, a time line that is, frankly, unrealistic. Nevertheless, he said, "By the end of the year, instead of eight installer technologies we will have two, one for operating systems and one for applications." In addition to consistent, better designed patches, Charney said the new releases will be more stable and will have been tested more than in the past.

What's next?
So this is Microsoft's plan, spearheaded by Charney, and it is certainly an ambitious and credible one. How long it will take, and whether Microsoft will be able to follow through on all these customer concerns remains to be seen. In the meantime, make use of the new security notification system, look for the SUS and SMS updates, check TechRepublic's and Microsoft's Web sites periodically for signs of progress, and keep your fingers crossed.