As we roll around to another monthly Windows patch day, things seem awfully quiet. In the last few months, Windows patch day has meant a lot of hemming and hawing in tech forums like Slashdot and Digg. The fact that things seem to be quiet this month interests me less than trying to figure out why so many of the tech savvy can get so worked up about a topic that seems pretty cut and dried to me. The discussion usually starts out with the normal Windows vs. Linux vs. Apple browbeating that seems to permeate so many technical discussions these days, but if you stick with it, things usually quiet down and if you are lucky there is some actual discussion about patching in general, including who is getting it right and who is getting it wrong.

As far as I am concerned, with the speed at which the details of a vulnerability spread throughout the cracker community these days, fixed release schedules for security fixes cause more problems than they avoid. As I see it, the cons outweigh the pros by a considerable margin. I am going to limit myself to the consumer’s point of view on this and not discuss the reasons that a fixed patch schedule would benefit the Microsofts and Apples of the world. Here is my short list of pros and cons with a myth (misconception) or two thrown in.

Pro: A fixed schedule encourages the average user to update their software on a regular basis. I think it can be argued that automated updates have helped, but I guess we need all the help we can get.

Myth: A fixed schedule allows corporate customers to limit the costly downtime associated with updates. That may be true, but it is not the only way to do it. Tools such as WSUS and Software Update that Microsoft, Apple, and others provide allow corporate users to download and apply updates on their own schedule regardless of when the updates are actually released.

Con: A fixed schedule means that some patches are not released as soon as they are ready, which extends the window of exposure to zero-day exploits. To deal with this issue, Microsoft recently released a critical patch a week early.

Pro: A fixed schedule allows small patches to be grouped together and released as a single update. While this is true, corporate customers can do the same thing with the update tools mentioned above, and applying small individual patches usually carries less risk than applying groups of unrelated patches.

Con: Updating your system when it is convenient for you is less effective than it appears and may promote a false sense of security. This is slightly contrived, but if you build a new system on Monday and get all available updates, you will still have to deal with the newly released updates on Wednesday. Automated updates have reduced the risk, but I believe that patches should be released as soon as they are ready.

Developers only have to follow a few simple rules to keep me happy:

  1. Acknowledge problems publicly as soon as they are brought to your attention.
  2. Release critical or security updates as soon as they are ready; do not delay them to group them with other updates.
  3. Don’t sneak new features into security updates. On high risk systems, I want to change one thing at a time to reduce the chance of problems and simplify their resolution should they occur.
  4. Make as much information available about an update as you possibly can.
  5. Don’t make me reboot unless it is actually necessary.

Both Microsoft and Apple seem to be learning from their mistakes; maybe that is why things are so quiet this month.