Microsoft to revamp "broken" patching system
Published: 20 Aug 2003 16:15 BST
Occasionally, Microsoft's patches have been known to cause problems worse than the ones they were intended to solve. The bad patches then have to be removed -- if there's an uninstaller.
On 3 June, 2003, Scott Charney, a former Justice Department cybercrime expert and Microsoft's chief security strategist since 1 April, 2002, told the audience at TechEd 2003 in Dallas that he knew Microsoft's patch management "was broken."
"Today there are eight different installer technologies within Microsoft," he admitted. "Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say you're patched because they're looking at registry keys; other products say you're not patched because they're looking for DLLs." Thanks to Charney's efforts, Microsoft not only admits on the record that it needs to improve the way it manages updates to its applications and operating systems, but appears to have made a sincere commitment to fixing the problem.
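As an added illustration of the inconsistency Charney describes (example code, not from the article or from Microsoft): a PowerShell check that reads both signals on one host, the OS's own installed-update record and the on-disk binary versions, and reports when they disagree. The KB number and the file/version pairs are placeholders to be taken from the relevant security bulletin.

```powershell
# Added example: cross-check "registered as installed" against "files actually updated".
# Assumptions: $KB and $ExpectedFiles are placeholders filled in from the bulletin;
# Get-HotFix reads the installed-update records the OS keeps for registered patches.
function Test-PatchConsistency {
    param(
        [Parameter(Mandatory)][string]$KB,              # e.g. 'KB000000' (placeholder)
        [Parameter(Mandatory)][hashtable]$ExpectedFiles # full path -> minimum fixed file version
    )

    # Signal 1: does the OS say the update is installed?
    $registered = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # Signal 2: are the patched binaries actually at (or above) the fixed version?
    $fileOk = $true
    foreach ($path in $ExpectedFiles.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { $fileOk = $false; continue }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric parts; the FileVersion string may carry a trailing tag.
        $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($actual -lt [version]$ExpectedFiles[$path]) { $fileOk = $false }
    }

    [pscustomobject]@{
        KB                  = $KB
        Registered          = $registered
        FilesAtFixedVersion = $fileOk
        Verdict             = switch ("$registered/$fileOk") {
            'True/True'  { 'Patched: both signals agree' }
            'True/False' { 'Registered but binaries still old: install failed or files were overwritten' }
            'False/True' { 'Binaries fixed but not registered: registry-based scanners will report unpatched' }
            default      { 'Not patched' }
        }
    }
}

# Usage (placeholder values; substitute the KB and files listed in the bulletin):
Test-PatchConsistency -KB 'KB000000' -ExpectedFiles @{
    "$env:SystemRoot\System32\example.dll" = '1.0.0.0'
}
```

The two disagreement verdicts are the cases Charney's quote describes, and each one calls for a different follow-up: a reinstall in the first, a fix to the scanner's inventory logic in the second.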
Both Charney and Microsoft's white paper acknowledged that Microsoft ought to release more secure, better tested code in the first place. To oversee these changes in its update strategy, Charney formed a departmental Patch Management Task Force. As a result, in recent weeks there have been signs that the software Goliath has begun its overhaul.
Notification changes
Microsoft has tweaked its Security Bulletin notifications by adding a less technical Consumer Bulletin geared toward end users. Though not written for tech staff, it might serve IT management and staff both as a model for passing on patch information to employees, and as a quick, easier-to-digest overview of new issues. Both the Consumer Bulletins and the more technical Security Bulletins are available by email subscription: register for Consumer Bulletins at Microsoft's Web site, and register for Security Bulletins at Microsoft's TechNet.
Responding to customers' suggestions, Microsoft also changed its rating system. According to feedback, Microsoft defined too many issues as "critical." The new system has four levels, as shown in Table A, with the most critical reserved for those vulnerabilities that easily allow a virus or worm to propagate.
Table A

| Level | Description |
|---|---|
| Low | Extremely difficult to exploit, or one with minimal impact. |
| Moderate | Less likelihood of exploitation, due to a combination of factors, such as default configuration, auditing, or difficulty. |
| Important | Possibility of system compromise, including "the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources." |
| Critical | Possibility of Internet worm/virus propagation without any user action. |