Patch expert wants Ballmer to get to the bottom of buggy Windows, Office updates
Knowlton argued that the quality level for Office updates is "very high" considering the volume of updates issued and the number of customers who apply them. He also promised that the quality of patches would improve -- a message Microsoft has used before -- saying, "We are as concerned as any of our customers about these issues and we will come back in October better than we were before September."
Another Microsoft manager, however, sounded peeved that Bradley had emailed the CEO.
"We are following up with the people who published those updates. And no, it's not because Mr. Ballmer intervened," wrote Ben Herila, who identified himself as the program manager for WSUS (Windows Server Update Services), the widely used enterprise patch management service Microsoft runs. "Rather, it's because Susan so kindly let us (the WSUS product team) know about her problem."
Dustin Childs, a group manager of Microsoft's Trustworthy Computing group, also alluded to doing something -- he did not specify what -- to put a stop to the mistakes. "The quality of security updates is critical to our customers, and it is a high priority for us, too," Childs said. "We are actively looking at where improvements can be made with the goal of reducing implementation issues, and we will remain transparent with our customers about security threats, protections and update issue resolution."
It may take a lot more than words to calm the roiled waters.
"Not only are the end users suffering by these bad patches, the IT administrators are suffering even more because they have to hear all of the complaints from the end users and they have to spend time troubleshooting the issues and get things fixed," wrote John Hallis on the same mailing list thread. "You would think a company that has received billions of dollars from us would actually listen to what we are telling them about patching issues and get right on it."
And Bradley saw the problem as endemic at Microsoft.
"I think that releasing 80 non-security updates on an already busy patch month is releasing way too much code at one time," she said in an email to Computerworld today. "You are going to get stuff missed."
Like other patch and security professionals, she cited the advantage baked into the cloud when compared to on-premise software. "Cloud gets a build to build deployment and thus when Exchange 2013 got its first security update, their cloud servers were fine, [but] on-premise servers barfed," she said, referring to the August update gaffe involving Exchange.
But she also blamed overstretch for the slide in quality.
"My rant wasn't just about the quality of security updates -- but the quality of patching as a whole," Bradley said. "Documentation is lacking, quality of updates -- especially in certain categories of updates -- is clearly lacking.
"I'm not paranoid enough to believe that this is Microsoft's way to showcase how it will be better in the cloud where they patch and deal with these issues. I'm not naive enough to believe that even once we all are in the cloud that we will suffer no patching issues.
"I feel that they are just managing a lot of different kinds of problems and patching [and] along with the faster cadence, there are just a lot more moving parts to keep track of these days ... and things are slipping through the cracks."
Microsoft's next regularly-scheduled security updates are to ship Oct. 8.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.