Microsoft Users Get First Taste of Monthly Patching Plan

Computerworld - Microsoft Corp. last week released seven patches—five of them for critical vulnerabilities—as part of its recently announced plan to move to a monthly security update schedule.

Five of the patches are for flaws in Windows, and two are for flaws in Exchange Server.

The fact that users now have to deal with several patches at once is "disappointing" said Edward York, chief technology officer at 724 Inc., an application service provider in Lompoc, Calif.

"I was pretty upset yesterday when I saw all those patches come out at once," York said. "But when I sit down and think about it, it's probably not all that bad" to have a monthly schedule for patching, he added. "It will probably be quicker for me to manage my systems instead of having to update two or three times a month."

"It's nice to get the patches as a cluster of patches instead of one patch at a time," said Tim Rice, network systems analyst at Duke University Health System in Durham, N.C. The hospital uses an automated patching tool from Emeryville, Calif.-based BigFix Inc. to deploy patches to all 5,600 systems on its network. Getting multiple patches at the same time will make patch testing easier, Rice said. A new option for uninstalling patches that appears along with the security bulletin is also useful, he added.

However, with a monthly schedule, "the longer potential delay between a patch being ready and me getting it concerns me a little bit," Rice said.

The University of Texas at Dallas is using Microsoft's automated Software Update Service to deploy patches. So moving to a monthly schedule won't make much difference, said Paul Schmehl, the university's adjunct information security officer.

"Frankly, I don't think they're going to be able to strictly adhere to a monthly release schedule anyway," Schmehl said. With some serious patches, "they won't have the option to wait until the next monthly release."

Threat Assessment

Of the vulnerabilities for which Microsoft released patches last week, three in particular are serious, said Russ Cooper, editor of NTBugtraq and an analyst at Herndon, Va.-based TruSecure Corp.

The most serious is a buffer-overrun flaw in Windows' Messenger Service. The feature has already been widely exploited to spam unprotected Internet-connected systems. "It is such a simple service that it is very easy to craft a buffer-overflow" attack that exploits the flaw, Cooper said,

Another major flaw is in a Microsoft technology called Authenticode, which is used to verify the authenticity of downloadable software and applications—such as a Macromedia player, for instance. The flaw could allow attackers to download malicious ActiveX controls on a victim's computer under certain low-memory conditions, Cooper said.