Microsoft delays patches to better server customers
I would like to commend Microsoft's new strategy of releasing notification of patches on a monthly basis. Deliberately delaying the release of necessary security updates is, quote, a "major benefit" as servers only have to be rebooted once a month.[1]

It takes tremendous courage to stare your customers directly in the eye and tell them that you will be deliberately withholding necessary and ready-to-release updates from them until the second Tuesday of every month. After all, ignorance is bliss.

Nothing can possibly go wrong. Microsoft "may" release security patches as soon as possible to help protect customers if customers are at immediate risk from viruses, worms, attacks or other malicious activities.[2] There's no chance that news of the bug could filter out while the patch is being withheld, and I can't think of Microsoft being under any pressure to give its preferred customers or governments advance notification and access to security updates.[3]

All up I can't think of one downside to this new policy. I commend Microsoft for being able to list a total of four multiple benefits from the policy.[4] There clearly aren't any costs as Microsoft doesn't list any.

Being bashful Microsoft didn't even list two additional benefits:

* Security updates only being newsworthy once per month. The October bulletins contained seven security updates and without releasing them all on the same day Microsoft security issues could have been in the news on a weekly basis.

* Network administrators being able to spend more time with their families (as patches will come out predictably on a Tuesday). Does any other OS company think of the children? No, only Microsoft does.

Microsoft are clearly establishing a pattern of being family friendly, quickly following up upon their decision to close most MSN chat rooms.
Regards,
Adam

Refer <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp?frame=true&hidetoc=true>

[1] "A major benefit of switching to a monthly release cycle for security patches is that it allows customers to install multiple patches with a single install and single reboot (using Qchain.exe, Update.exe and other similar tools). This will minimize downtime on mission-critical systems and will allow customers to consolidate the patch deployment to once per month."

[2] "Microsoft will make an exception to the above release schedule if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers."

[3] Anyone notice an opportunity for differential pricing here? Good, you're sharp. One only needs to perform a news search to read about the plan: <http://biz.thestar.com.my/news/story.asp?file=/2003/10/15/business/6492693&sec=business>

    Within the next few weeks, Microsoft will roll out a "Security Officer Program" to encourage its larger clients to appoint their own IT security officers, responsible for the "IT security health" of their respective organisations.

    "These security officers will act as liaison persons to whom we can communicate security issues directly and co-ordinate the deployment of updates and patches to keep their systems secure," Fong told reporters in Kuala Lumpur yesterday.

    He said Microsoft would throw in three free premier support services (PSS) to companies that signed up and similar programmes would be expanded to their mid-tier clients later.

Microsoft appears to be creating an extra information asymmetry between premier/mid-tier clients and regular clients who may not be told about security issues for up to an extra month.

[4]
* Improved packaging and formatting provide customers a high-level view of all patch information for the product family in the security advisory, and detailed patch information in the security bulletin.

* Longer time between releases will allow customers to evaluate, test and install patches in a more timely manner.

* Predictability of security patch releases allows customers to plan in advance for testing and installing patches.

* Additional mitigation guidance for all security vulnerabilities that provides customers options other than deploying the patch for the short-term.
Re: Microsoft delays patches to better server customers
On Fri, 17 Oct 2003 13:56:34 +1300, Adam Warner wrote:
> I would like to commend Microsoft's new strategy of releasing notification
> of patches on a monthly basis. Deliberately delaying the release of
> necessary security updates is, quote, a "major benefit" as servers only
> have to be rebooted once a month.[1]
>
> It takes tremendous courage to stare your customers directly in the eye
> and tell them that you will be deliberately withholding necessary and
> ready-to-release updates from them until the second Tuesday of every
> month. After all, ignorance is bliss.

Now Adam, I must strongly protest the accuracy of that statement...

IME they seem to come out on Wednesdays (Thursday NZ time).

:)

Cheers
Anton
Re: Microsoft delays patches to better server customers
Hi AD.,
> Now Adam, I must strongly protest the accuracy of that statement...
>
> IME they seem to come out on Wednesdays (Thursday NZ time).
>
> :)

:-) FYI and time differences notwithstanding, "Security bulletins will normally be released on the second calendar Tuesday of every month. However, the first monthly bulletins will be released on Wednesday, October 15, 2003."

Regards,
Adam
Re: Microsoft delays patches to better server customers
On Fri, 17 Oct 2003 15:56:56 +1300, Adam Warner wrote:
> :-) FYI and time differences notwithstanding, "Security bulletins will
> normally be released on the second calendar Tuesday of every month.
> However, the first monthly bulletins will be released on Wednesday,
> October 15, 2003."

That's a relief, I won't have to change our Wednesday night scheduled downtime after all. It was starting to seem like 90% of their advisories were issued on Wednesdays (US time).

A while back we sat down at work to decide on a good night for after hours scheduled maintenance and picked Wednesday night. Over the last few months I have been dreading Thursday mornings, as I usually arrive to a stack of MS advisories after an evening of patching (anything exposed to the net got patched quicker). I was about to try and get the downtime shifted to Thursday nights, but BillG has answered my prayers! :)

Changing to monthly releases just shows they are listening to their customers. MS did say they heard customers complaining about too much patching.

Cheers
Anton
Re: Microsoft delays patches to better server customers
this quote is from Adam Warner of Fri, 17 Oct 2003 13:56 :
> I would like to commend Microsoft's new strategy of releasing notification
> of patches on a monthly basis. Deliberately delaying the release of
> necessary security updates is, quote, a "major benefit" as servers only
> have to be rebooted once a month.

<snip>

> Microsoft appears to be creating an extra information asymmetry between
> premier/mid-tier clients and regular clients who may not be told about
> security issues for up to an extra month.

Does this have anything to do with why, a few days ago, these guys stopped publishing unpatched vulnerabilities in IE ...

http://www.pivx.com/larholm/unpatched/

or is it just a coincidence?

Peter
Re: Microsoft delays patches to better server customers
Why do they make it so difficult to find the security patches!!
You can download service packs to install on PC's when building them. Why not the same for security patches?

"Adam Warner" <usenet@consulting.net.nz> wrote in message news:pan.2003.10.17.00.56.29.972410@consulting.net.nz...

> I would like to commend Microsoft's new strategy of releasing notification
> of patches on a monthly basis. Deliberately delaying the release of
> necessary security updates is, quote, a "major benefit" as servers only
> have to be rebooted once a month.[1]
>
> It takes tremendous courage to stare your customers directly in the eye
> and tell them that you will be deliberately withholding necessary and
> ready-to-release updates from them until the second Tuesday of every
> month. After all, ignorance is bliss.
>
> Nothing can possibly go wrong. Microsoft "may" release security patches as
> soon as possible to help protect customers if customers are at immediate
> risk from viruses, worms, attacks or other malicious activities.[2]
> There's no chance that news of the bug could filter out while the patch is
> being withheld, and I can't think of Microsoft being under any pressure to
> give its preferred customers or governments advance notification and
> access to security updates.[3]
>
> All up I can't think of one downside to this new policy. I commend
> Microsoft for being able to list a total of four multiple benefits from
> the policy.[4] There clearly aren't any costs as Microsoft doesn't list any.
>
> Being bashful Microsoft didn't even list two additional benefits:
>
> * Security updates only being newsworthy once per month. The October
> bulletins contained seven security updates and without releasing
> them all on the same day Microsoft security issues could have been in
> the news on a weekly basis.
>
> * Network administrators being able to spend more time with their
> families (as patches will come out predictably on a Tuesday). Does any
> other OS company think of the children? No, only Microsoft does.
>
> Microsoft are clearly establishing a pattern of being family friendly,
> quickly following up upon their decision to close most MSN chat rooms.
>
> Regards,
> Adam
>
> Refer <http://www.microsoft.com/technet/tre...chnet/security/bulletin/revsbwp.asp?frame=true&hidetoc=true>
>
> [1] "A major benefit of switching to a monthly release cycle for security
> patches is that it allows customers to install multiple patches with a
> single install and single reboot (using Qchain.exe, Update.exe and other
> similar tools). This will minimize downtime on mission-critical systems
> and will allow customers to consolidate the patch deployment to once per
> month."
>
> [2] "Microsoft will make an exception to the above release schedule if we
> determine that customers are at immediate risk from viruses, worms,
> attacks or other malicious activities. In such a situation Microsoft may
> release security patches as soon as possible to help protect customers."
>
> [3] Anyone notice an opportunity for differential pricing here? Good,
> you're sharp. One only needs to perform a news search to read about the
> plan: <http://biz.thestar.com.my/news/story...iness/6492693&sec=business>
>
> Within the next few weeks, Microsoft will roll out a "Security
> Officer Program" to encourage its larger clients to appoint their
> own IT security officers, responsible for the "IT security health"
> of their respective organisations.
>
> "These security officers will act as liaison persons to whom we can
> communicate security issues directly and co-ordinate the deployment of
> updates and patches to keep their systems secure," Fong told
> reporters in Kuala Lumpur yesterday.
>
> He said Microsoft would throw in three free premier support services
> (PSS) to companies that signed up and similar programmes would be
> expanded to their mid-tier clients later.
>
> Microsoft appears to be creating an extra information asymmetry between
> premier/mid-tier clients and regular clients who may not be told about
> security issues for up to an extra month.
>
> [4] * Improved packaging and formatting provide customers a high-level
> view of all patch information for the product family in the security
> advisory, and detailed patch information in the security bulletin.
>
> * Longer time between releases will allow customers to evaluate, test
> and install patches in a more timely manner
>
> * Predictability of security patch releases allows customers to plan
> in advance for testing and installing patches.
>
> * Additional mitigation guidance for all security vulnerabilities that
> provides customers options other than deploying the patch for the
> short-term.
Re: Microsoft delays patches to better serve customers
Hi Peter,
>> Microsoft appears to be creating an extra information asymmetry between
>> premier/mid-tier clients and regular clients who may not be told about
>> security issues for up to an extra month.
>
> Does this have anything to do with why, a few days ago, these guys
> stopped publishing unpatched vulnerabilities in IE ...
> http://www.pivx.com/larholm/unpatched/
>
> or is it just a coincidence?

I had not connected the events. You've raised a very compelling question!

Let's start with a fact: The page simply had to be retracted for a few days to determine whether MS03-040 rendered many of the vulnerabilities obsolete as claimed. But the rest of the statement doesn't follow from this fact. I can't even logically parse it.

So let's concentrate on two additional facts: The PivX Solutions Security Team states that they are implementing a twofold approach: Being `available to consult with system administrators to assist them in developing and implementing appropriate security policies and measures to mitigate the potential of security attacks' and `developing a mitigation utility tool that will act as a "Qwik Fix" to many of the IE vulns that MS is working on patching presently.'

What these two approaches have in common is that PivX Solutions must have preferred access to vulnerability information to (a) be able to mitigate the potential of security attacks and (b) develop the mitigation tool for vulnerabilities that Microsoft is in the process of patching. An extra month without information could be a significant impediment to competing with security companies that have a better relationship with Microsoft.

Furthermore it could become advantageous for other companies to form a relationship with PivX Solutions as (a) PivX Solutions are really good at uncovering Windows vulnerabilities and (b) PivX Solutions will become part of the same delay mechanism. So Microsoft's approach is not simply a stick to get security companies to comply. Any company within the circle of knowledge could financially gain from the association.

Regards,
Adam
Re: Microsoft delays patches to better server customers
> Robert scribbled:
> Why do they make it so difficult to find the security patches!!
> You can download service packs to install on PC's when building them.
> Why not the same for security patches?

http://www.microsoft.com/technet/tre...s/pcprotec.asp
http://www.microsoft.com/technet/sec...ch/Default.asp
http://www.microsoft.com/security/se...ins/alerts.asp
http://www.microsoft.com/WindowsXP/security/default.asp
http://v4.windowsupdate.microsoft.com/en/default.asp

--
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke/
Re: Microsoft delays patches to better server customers
"Robert" <PcTech@paradise.net.nz> wrote in message news:uaMjb.1422$ws.138473@news02.tsnz.net...

> Why do they make it so difficult to find the security patches!!
> You can download service packs to install on PC's when building them. Why
> not the same for security patches?

What do you mean? Have you seen http://windowsupdate.microsoft.com

or if you want to download individually and save for use later http://windowsupdate.microsoft.com/catalog

or search on http://microsoft.com/download

Best bet if you haven't updated patches in a while is to download this Security Rollup hotfix for Windows XP http://download.microsoft.com/downlo...39-x86-ENU.exe

details at http://support.microsoft.com/?kbid=826939

Cheers
Nathan