Network Computing is part of the Informa Tech Division of Informa PLC


Regular Patch Schedules "Two-Edged Sword"

A security analyst Thursday took aim at the practice of some vendors to roll out patches on regular schedules, calling the practice a "two-edged sword."

A slowly growing number of major software developers, in particular (but not limited to) operating system makers, now schedule hard dates for patch releases rather than rolling patches out when they're finished. Such regular patching was popularized by Microsoft, which began the practice in October 2003, and it has since been mimicked by the likes of Apple and Oracle. Thursday, Adobe added itself to the group, saying it would begin monthly patching in 2006.

"For maintenance releases -- small bug fixes, new features -- that's ideal. But it's a two-edged sword in security," said Chris Andrew, the vice president of product management and research at PatchLink, a Scottsdale, Ariz.-based enterprise patch management company. "On the one hand, it helps the administrators make the best of the situation. They have just one downtime window for patching. It's predictable and more manageable.

"But it's also artificially delaying the release of a patch," he argued. With attackers becoming both faster to react and more sophisticated, that delay can spell trouble.

Some of the firms that hew to a regular schedule, such as Microsoft, say that they'll release important fixes outside that cycle, but in practice -- at least with Microsoft -- that is very rare. Since the Redmond, Wash.-based developer began its second-Tuesday-of-the-month patch day, now dubbed "Black Tuesday" by many security professionals, it has gone out-of-cycle only 4 times. During that stretch of more than two years, the company released 112 security bulletins.

Andrew also warned companies against deploying patches automatically, without testing. While some vendors -- again, notably Microsoft -- have been pushing automatic updating on customers as a way to ensure that as many users as possible are protected, that practice comes with risks.

"Some scenarios have shown automatic patching to be disastrous in the past," argued Andrew. "Just look at what happened with Windows XP Service Pack 2."

In 2004, when Microsoft rolled out Windows XP SP2, a major security upgrade to its current operating system, so many companies balked at automatic updating that Microsoft was forced to provide tools that blocked the automatic update for eight months.
