Microsoft delays patches to better serve customers

Discussion in 'NZ Computing' started by Adam Warner, Oct 17, 2003.

  1. Adam Warner

    Adam Warner Guest

    I would like to commend Microsoft's new strategy of releasing notification
    of patches on a monthly basis. Deliberately delaying the release of
    necessary security updates is, quote, a "major benefit" as servers only
    have to be rebooted once a month.[1]

    It takes tremendous courage to stare your customers directly in the eye
    and tell them that you will be deliberately withholding necessary and
    ready-to-release updates from them until the second Tuesday of every
    month. After all, ignorance is bliss.

    Nothing can possibly go wrong. Microsoft "may" release security patches as
    soon as possible to help protect customers if customers are at immediate
    risk from viruses, worms, attacks or other malicious activities.[2]
    There's no chance that news of the bug could filter out while the patch is
    being withheld, and I can't think of Microsoft being under any pressure to
    give its preferred customers or governments advance notification and
    access to security updates.[3]

    All up I can't think of one downside to this new policy. I commend
    Microsoft for being able to list a total of four multiple benefits from
    the policy.[4] There clearly aren't any costs as Microsoft doesn't list any.

    Being bashful Microsoft didn't even list two additional benefits:

    * Security updates only being newsworthy once per month. The October
    bulletins contained seven security updates and without releasing
    them all on the same day Microsoft security issues could have been in
    the news on a weekly basis.

    * Network administrators being able to spend more time with their
    families (as patches will come out predictably on a Tuesday). Does any
    other OS company think of the children? No, only Microsoft does.
    Microsoft are clearly establishing a pattern of being family friendly,
    quickly following up upon their decision to close most MSN chat rooms.

    Regards,
    Adam

    Refer <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp?frame=true&hidetoc=true>

    [1] "A major benefit of switching to a monthly release cycle for security
    patches is that it allows customers to install multiple patches with a
    single install and single reboot (using Qchain.exe, Update.exe and other
    similar tools). This will minimize downtime on mission-critical systems
    and will allow customers to consolidate the patch deployment to once per
    month."

    [2] "Microsoft will make an exception to the above release schedule if we
    determine that customers are at immediate risk from viruses, worms,
    attacks or other malicious activities. In such a situation Microsoft may
    release security patches as soon as possible to help protect customers."

    [3] Anyone notice an opportunity for differential pricing here? Good,
    you're sharp. One only needs to perform a news search to read about the
    plan: <http://biz.thestar.com.my/news/story.asp?file=/2003/10/15/business/6492693&sec=business>

    Within the next few weeks, Microsoft will roll out a "Security
    Officer Program" to encourage its larger clients to appoint their
    own IT security officers, responsible for the "IT security health"
    of their respective organisations.

    "These security officers will act as liaison persons to whom we can
    communicate security issues directly and co-ordinate the deployment of
    updates and patches to keep their systems secure," Fong told
    reporters in Kuala Lumpur yesterday.

    He said Microsoft would throw in three free premier support services
    (PSS) to companies that signed up and similar programmes would be
    expanded to their mid-tier clients later.

    Microsoft appears to be creating an extra information asymmetry between
    premier/mid-tier clients and regular clients who may not be told about
    security issues for up to an extra month.

    [4] * Improved packaging and formatting provide customers a high-level
    view of all patch information for the product family in the security
    advisory, and detailed patch information in the security bulletin.

    * Longer time between releases will allow customers to evaluate, test
    and install patches in a more timely manner

    * Predictability of security patch releases allows customers to plan
    in advance for testing and installing patches.

    * Additional mitigation guidance for all security vulnerabilities that
    provides customers options other than deploying the patch for the
    short-term.
    Adam Warner, Oct 17, 2003
    #1

  2. AD.

    AD. Guest

    On Fri, 17 Oct 2003 13:56:34 +1300, Adam Warner wrote:

    > I would like to commend Microsoft's new strategy of releasing notification
    > of patches on a monthly basis. Deliberately delaying the release of
    > necessary security updates is, quote, a "major benefit" as servers only
    > have to be rebooted once a month.[1]
    >
    > It takes tremendous courage to stare your customers directly in the eye
    > and tell them that you will be deliberately withholding necessary and
    > ready-to-release updates from them until the second Tuesday of every
    > month. After all, ignorance is bliss.


    Now Adam, I must strongly protest the accuracy of that statement...

    IME they seem to come out on Wednesdays (Thursday NZ time).

    :)

    Cheers
    Anton
    AD., Oct 17, 2003
    #2

  3. Adam Warner

    Adam Warner Guest

    Hi AD.,

    > Now Adam, I must strongly protest the accuracy of that statement...
    >
    > IME they seem to come out on Wednesdays (Thursday NZ time).
    >
    > :)


    :) FYI and time differences notwithstanding, "Security bulletins will
    normally be released on the second calendar Tuesday of every month.
    However, the first monthly bulletins will be released on Wednesday,
    October 15, 2003."

    Regards,
    Adam
    Adam Warner, Oct 17, 2003
    #3
  4. AD.

    AD. Guest

    On Fri, 17 Oct 2003 15:56:56 +1300, Adam Warner wrote:

    > :) FYI and time differences notwithstanding, "Security bulletins will
    > normally be released on the second calendar Tuesday of every month.
    > However, the first monthly bulletins will be released on Wednesday,
    > October 15, 2003."


    That's a relief, I won't have to change our Wednesday night
    scheduled downtime after all. It was starting to seem like 90% of their
    advisories were issued on Wednesdays (US time).

    A while back we sat down at work to decide on a good night for
    after hours scheduled maintenance and picked Wednesday night. Over the
    last few months I have been dreading Thursday mornings, as I usually
    arrive to a stack of MS advisories after an evening of patching (anything
    exposed to the net got patched quicker). I was about to try and get the
    downtime shifted to Thursday nights, but BillG has answered my prayers!

    :)

    Changing to monthly releases just shows they are listening to their
    customers. MS did say they heard customers complaining about too much
    patching.

    Cheers
    Anton
    AD., Oct 17, 2003
    #4
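    The two posts above turn on a small piece of date arithmetic: the policy text quoted by Adam fixes releases on the "second calendar Tuesday of every month", and Anton's maintenance window is Wednesday night NZ time. The following is an added example, not code from anyone in the thread, that computes the second Tuesday for a month, converts an assumed publication time to New Zealand local time, and reports how long patched systems wait until the next scheduled window. Everything beyond the quoted rule is an assumption: a 10:00 US Pacific publication hour, a 20:00 NZ maintenance window, and fixed UTC offsets (Pacific UTC-7, New Zealand UTC+13, the latter matching the `+1300` in the post headers) that are only correct for October 2003.

```python
"""Added example (not from the thread): where does Microsoft's "second
calendar Tuesday" release land in New Zealand local time, and how long is
the gap to a Wednesday-night maintenance window?

Constructed assumptions (not stated in the thread):
  * bulletins are published at 10:00 US Pacific time;
  * fixed UTC offsets stand in for a tz database, so the values are only
    right for October 2003: Pacific = UTC-7 (PDT), New Zealand = UTC+13
    (NZDT, the +1300 seen in the post headers).
"""
from datetime import date, datetime, time, timedelta, timezone

TUESDAY = 1    # date.weekday(): Monday == 0 ... Sunday == 6
WEDNESDAY = 2
THURSDAY = 3

# Constructed fixed offsets valid for October 2003 (see module docstring).
PACIFIC_OCT_2003 = timezone(timedelta(hours=-7), "PDT")
NZ_OCT_2003 = timezone(timedelta(hours=13), "NZDT")


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th (1-based) occurrence of `weekday` in a month.

    General form of the rule the thread quotes; raises ValueError when the
    month has no n-th occurrence (e.g. a fifth Tuesday).
    """
    first = date(year, month, 1)
    days_ahead = (weekday - first.weekday()) % 7
    result = first + timedelta(days=days_ahead + 7 * (n - 1))
    if result.month != month:
        raise ValueError(f"{year}-{month:02d} has no occurrence #{n} of weekday {weekday}")
    return result


def second_tuesday(year: int, month: int) -> date:
    """The 'second calendar Tuesday of every month' from the quoted policy."""
    return nth_weekday(year, month, TUESDAY, 2)


def release_in_nz(year: int, month: int, release_hour: int = 10,
                  src_tz: timezone = PACIFIC_OCT_2003,
                  dst_tz: timezone = NZ_OCT_2003) -> datetime:
    """Assumed publication instant (Pacific local) converted to NZ local time."""
    published = datetime.combine(second_tuesday(year, month), time(release_hour), tzinfo=src_tz)
    return published.astimezone(dst_tz)


def first_window_after(release_nz: datetime, window_weekday: int,
                       window_hour: int = 20) -> datetime:
    """First scheduled window (weekday + local hour) at or after the release.

    If the window for the release day has already passed, the next week's
    window is used, which is the case a planner most often gets wrong.
    """
    candidate = release_nz.replace(hour=window_hour, minute=0, second=0, microsecond=0)
    candidate += timedelta(days=(window_weekday - release_nz.weekday()) % 7)
    if candidate < release_nz:
        candidate += timedelta(days=7)
    return candidate


def patch_delay_hours(year: int, month: int, window_weekday: int = WEDNESDAY,
                      window_hour: int = 20) -> float:
    """Hours between publication (NZ time) and the planned maintenance window."""
    rel = release_in_nz(year, month)
    return (first_window_after(rel, window_weekday, window_hour) - rel).total_seconds() / 3600


if __name__ == "__main__":
    rel = release_in_nz(2003, 10)
    print("second Tuesday:", second_tuesday(2003, 10))
    print("lands in NZ at:", rel.strftime("%a %Y-%m-%d %H:%M %Z"))
    print("wait to Wed 20:00 window: %.0f h" % patch_delay_hours(2003, 10))
    print("wait to Thu 20:00 window: %.0f h" % patch_delay_hours(2003, 10, THURSDAY))
```

    Under these assumptions a Tuesday-morning Pacific release is already Wednesday morning in New Zealand, so a Wednesday-evening window picks it up the same local day; an early-morning Wednesday window, by contrast, misses it and waits a full week, which is the edge case `first_window_after` handles.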
  5. Peter

    Peter Guest

    this quote is from Adam Warner of Fri, 17 Oct 2003 13:56 :

    > I would like to commend Microsoft's new strategy of releasing notification
    > of patches on a monthly basis. Deliberately delaying the release of
    > necessary security updates is, quote, a "major benefit" as servers only
    > have to be rebooted once a month.

    <snip>
    > Microsoft appears to be creating an extra information asymmetry between
    > premier/mid-tier clients and regular clients who may not be told about
    > security issues for up to an extra month.


    Does this have anything to do with why, a few days ago, these guys stopped
    publishing unpatched vulnerabilities in IE ...
    http://www.pivx.com/larholm/unpatched/

    or is it just a coincidence?


    Peter
    Peter, Oct 17, 2003
    #5
  6. Robert

    Robert Guest

    Why do they make it so difficult to find the security patches!!
    You can download service packs to install on PC's when building them. Why
    not the same for security patches?

    "Adam Warner" <> wrote in message
    news:p...
    > I would like to commend Microsoft's new strategy of releasing notification
    > of patches on a monthly basis. Deliberately delaying the release of
    > necessary security updates is, quote, a "major benefit" as servers only
    > have to be rebooted once a month.[1]
    >
    > It takes tremendous courage to stare your customers directly in the eye
    > and tell them that you will be deliberately withholding necessary and
    > ready-to-release updates from them until the second Tuesday of every
    > month. After all, ignorance is bliss.
    >
    > Nothing can possibly go wrong. Microsoft "may" release security patches as
    > soon as possible to help protect customers if customers are at immediate
    > risk from viruses, worms, attacks or other malicious activities.[2]
    > There's no chance that news of the bug could filter out while the patch is
    > being withheld, and I can't think of Microsoft being under any pressure to
    > give its preferred customers or governments advance notification and
    > access to security updates.[3]
    >
    > All up I can't think of one downside to this new policy. I commend
    > Microsoft for being able to list a total of four multiple benefits from
    > the policy.[4] There clearly aren't any costs as Microsoft doesn't list any.
    >
    > Being bashful Microsoft didn't even list two additional benefits:
    >
    > * Security updates only being newsworthy once per month. The October
    > bulletins contained seven security updates and without releasing
    > them all on the same day Microsoft security issues could have been in
    > the news on a weekly basis.
    >
    > * Network administrators being able to spend more time with their
    > families (as patches will come out predictably on a Tuesday). Does any
    > other OS company think of the children? No, only Microsoft does.
    > Microsoft are clearly establishing a pattern of being family friendly,
    > quickly following up upon their decision to close most MSN chat rooms.
    >
    > Regards,
    > Adam
    >
    > Refer <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp?frame=true&hidetoc=true>
    >
    > [1] "A major benefit of switching to a monthly release cycle for security
    > patches is that it allows customers to install multiple patches with a
    > single install and single reboot (using Qchain.exe, Update.exe and other
    > similar tools). This will minimize downtime on mission-critical systems
    > and will allow customers to consolidate the patch deployment to once per
    > month."
    >
    > [2] "Microsoft will make an exception to the above release schedule if we
    > determine that customers are at immediate risk from viruses, worms,
    > attacks or other malicious activities. In such a situation Microsoft may
    > release security patches as soon as possible to help protect customers."
    >
    > [3] Anyone notice an opportunity for differential pricing here? Good,
    > you're sharp. One only needs to perform a news search to read about the
    > plan: <http://biz.thestar.com.my/news/story.asp?file=/2003/10/15/business/6492693&sec=business>
    >
    > Within the next few weeks, Microsoft will roll out a "Security
    > Officer Program" to encourage its larger clients to appoint their
    > own IT security officers, responsible for the "IT security health"
    > of their respective organisations.
    >
    > "These security officers will act as liaison persons to whom we can
    > communicate security issues directly and co-ordinate the deployment of
    > updates and patches to keep their systems secure," Fong told
    > reporters in Kuala Lumpur yesterday.
    >
    > He said Microsoft would throw in three free premier support services
    > (PSS) to companies that signed up and similar programmes would be
    > expanded to their mid-tier clients later.
    >
    > Microsoft appears to be creating an extra information asymmetry between
    > premier/mid-tier clients and regular clients who may not be told about
    > security issues for up to an extra month.
    >
    > [4] * Improved packaging and formatting provide customers a high-level
    > view of all patch information for the product family in the security
    > advisory, and detailed patch information in the security bulletin.
    >
    > * Longer time between releases will allow customers to evaluate, test
    > and install patches in a more timely manner
    >
    > * Predictability of security patch releases allows customers to plan
    > in advance for testing and installing patches.
    >
    > * Additional mitigation guidance for all security vulnerabilities that
    > provides customers options other than deploying the patch for the
    > short-term.
    Robert, Oct 17, 2003
    #6
  7. Adam Warner

    Adam Warner Guest

    Re: Microsoft delays patches to better serve customers

    Hi Peter,

    >> Microsoft appears to be creating an extra information asymmetry between
    >> premier/mid-tier clients and regular clients who may not be told about
    >> security issues for up to an extra month.

    >
    > Does this have anything to do with why, a few days ago, these guys
    > stopped publishing unpatched vulnerabilities in IE ...
    > http://www.pivx.com/larholm/unpatched/
    >
    > or is it just a coincidence?


    I had not connected the events. You've raised a very compelling question!

    Let's start with a fact: The page simply had to be retracted for a few
    days to determine whether MS03-040 rendered many of the vulnerabilities
    obsolete as claimed.

    But the rest of the statement doesn't follow from this fact. I can't even
    logically parse it. So let's concentrate on two additional facts: The PivX
    Solutions Security Team states that they are implementing a twofold
    approach: Being `available to consult with system administrators to assist
    them in developing and implementing appropriate security policies and
    measures to mitigate the potential of security attacks' and `developing a
    mitigation utility tool that will act as a "Qwik Fix" to many of the IE
    vulns that MS is working on patching presently.'

    What these two approaches have in common is that PivX Solutions must have
    preferred access to vulnerability information to (a) be able to mitigate
    the potential of security attacks and (b) develop the mitigation tool for
    vulnerabilities that Microsoft is in the process of patching.

    An extra month without information could be a significant impediment to
    competing with security companies that have a better relationship with
    Microsoft.

    Furthermore it could become advantageous for other companies to form a
    relationship with PivX Solutions as (a) PivX Solutions are really good at
    uncovering Windows vulnerabilities and (b) PivX Solutions will become part
    of the same delay mechanism. So Microsoft's approach is not simply a stick
    to get security companies to comply. Any company within the circle of
    knowledge could financially gain from the association.

    Regards,
    Adam
    Adam Warner, Oct 17, 2003
    #7
  8. Max Burke

    Max Burke Guest

    > Robert scribbled:
    > Why do they make it so difficult to find the security patches!!
    > You can download service packs to install on PC's when building them.
    > Why not the same for security patches?


    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tips/pcprotec.asp
    http://www.microsoft.com/technet/security/topics/patch/secpatch/Default.asp
    http://www.microsoft.com/security/security_bulletins/alerts.asp
    http://www.microsoft.com/WindowsXP/security/default.asp
    http://v4.windowsupdate.microsoft.com/en/default.asp

    --
    mlvburke@#%&*.net.nz
    Replace the obvious with paradise to email me.
    See Found Images at:
    http://homepages.paradise.net.nz/~mlvburke/
    Max Burke, Oct 17, 2003
    #8
  9. Nathan Mercer

    Nathan Mercer Guest

    "Robert" <> wrote in message
    news:uaMjb.1422$...
    > Why do they make it so difficult to find the security patches!!
    > You can download service packs to install on PC's when building them. Why
    > not the same for security patches?


    What do you mean?
    Have you seen http://windowsupdate.microsoft.com or if you want to download
    individually and save for use later
    http://windowsupdate.microsoft.com/catalog or search on
    http://microsoft.com/download

    Best bet if you haven't updated patches in a while is to download this
    Security Rollup hotfix for Windows XP
    http://download.microsoft.com/downl...4-1cd00c880a20/WindowsXP-KB826939-x86-ENU.exe
    details at http://support.microsoft.com/?kbid=826939

    Cheers
    Nathan
    Nathan Mercer, Oct 18, 2003
    #9
