Regular Patch Schedules "Two-Edged Sword"

A security analyst Thursday took aim at the practice of some vendors to roll out patches on regular schedules, calling the practice a "two-edged sword." A slowly-growing number of major software developers, in particular but not limited to operating system makers now schedule hard dates for patch releases, rather than roll them out when they're finished. Such regularly patching has been popularized by Microsoft, which began the practice in October, 2003, but it's been mimicked by the likes of Apple and Oracle. Thursday, Adobe added itself to the group, saying it would begin monthly patching in 2006.

"For maintenance releases -- small bug fixes, new features -- that's ideal. But it's a two-edged sword in security," said Chris Andrew, the vice president of product management and research at PatchLink, a Scottsdale, Ariz.-based enterprise patch management company. "One the one hand, it helps the administrators make the best of the situation. They have just one downtime window for patching. It's predictable and more manageable. "But it's also artificially delaying the release of a patch," he argued. With attackers becoming both faster reacting and more sophisticated, that spells can spell trouble.

Some of the firms which hew to a regular schedule, such as Microsoft, say that they'll release important fixes outside that cycle, but in practice -- at least with Microsoft -- it's very rare. Since the Redmond, Wash.-based developer began its second-Tuesday-of-the-month patch day, now dubbed "Black Tuesday" by many security professionals, it's only gone out-of-cycle 4 times. During that stretch of more than two years, the company released 112 security bulletins.

Andrew also warned companies against deploying patches automatically, without testing. While some vendors -- again, noticeably Microsoft -- have been pushing automatic updating on customers as a way to ensure as many users are protected as possible, that practice comes with risks.

"Some scenarios have shown automatic patching to be disastrous in the past," argued Andrew. "Just look at what happened with Windows XP Service Pack 2."

In 2004, when Microsoft rolled out Windows XP SP2, a major security upgrade to its current operating system, so many companies balked at automatic updating that Microsoft was forced to provide tools that turned off the update for eight months."Automatic patch updating sounds like a great idea, but it's very important that patches are tested," Andrew said. "For home users, auto updating is great, but not necessarily for enterprises."

For all users, 2006 will mean even less time to patch, Andrew added.

"The window between a security bulletin released by, say, Microsoft, and the appearance of an exploit is already very, very tight for administrators," said Andrew. "Some worms this year appeared in the wild just five days after a the vulnerability was disclosed.

"That trend will continue," Andrew added.

Such talk, of course, plays to PatchLink's product line, a blend of patch and vulnerability management software that, among other things, lets administrators force policies on all workstations to block, or at least mitigate, the dangerous unpatched bugs dubbed "zero day vulnerabilities."Andrew's take on the shrinking window between vulnerability and exploit, however, is backed up by other security vendors. Symantec's most recent report on the state of Internet security, for instance, noted that in the first half of 2005, that window shrunk about 6 percent, from 6.4 days to 6 days.