Although many of us cheered when Microsoft designated a Patch Tuesday regimen for releasing most security patches, hackers quietly cheered also, and we are now beginning to see the unintended consequences of trying to make IT managers’ lives easier by having regularly scheduled patch days.
Stop the patching madness by having a designated day each month (or quarter) when we can expect to see new software patches from a vendor — it seems like a great idea. It means we can schedule downtime and overtime to deal with the patches and the testing required before any sane IT security specialist would apply a new patch to all the systems under his or her control.
And for a while it seemed to be working just fine. But recently, a new element has reared its ugly head: Hackers have recognized that the best way to have a long time to exploit newly discovered vulnerabilities is to begin attacking them just a day or two before the scheduled patch release date. It’s too late for a vendor to add the new vulnerability to its patch, and it gives hackers a full patch cycle or more to take advantage of the newly developed exploit.
I use Microsoft because it’s the most obvious example, but the same logic applies to any vendor that institutes a fixed patch release schedule.
What’s your opinion? Should Microsoft abandon the regularly scheduled patch day because it lets the enemy know when it’s safest to attack? Or does the convenience for IT managers far outweigh the unintended consequence of giving the bad guys (and gals) the longest possible time to plan and execute attacks? Or do we not have enough data yet to make another change that’s likely to result in yet more unintended consequences?