The monthly patch cycle Microsoft adopted in October 2003 is still the best way to address a majority of the software giant's security holes, IT pros say. However, with zero-day flaws on the rise,
In past interviews with SearchSecurity.com, a majority of IT pros have lauded the current system where Microsoft releases patches on the second Tuesday of each month because they can plan around it more easily.
But zero-day threats like the Windows Meta File (WMF) and createTextRange flaws have appeared with growing frequency in recent months, leaving IT shops open to a variety of attacks. The WMF flaw was fixed out of cycle, five days before January's Patch Tuesday, while the createTextRange bug was fixed as part of the normal April cycle.
"The increase in zero-day vulnerabilities does concern me, although we've been fortunate enough to not be directly affected by one," Hornbuckle, IT administrator for the Taylor County School District in Perry, Fla., said in an e-mail exchange. "Our luck probably won't last forever, though, so I would be glad to see Microsoft increase the speed at which patches for such vulnerabilities are released."
Speed vs. testing
Brad Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp., said IT shops need a schedule they can plan around, but that it's better for administrators to scramble to implement out-of-cycle patch deployments once in a while than to scramble because attackers are hammering their networks through an open security hole.
Yet the security pros said that doesn't mean Microsoft should respond to zero-day threats with untested patches.
"Internal testing on Microsoft's part is a must," Hornbuckle said. Unfortunately, he added, the need for testing makes it that much more difficult to meet zero-day threats with zero-day patches.
IT pros must help themselves
However long it takes Microsoft to produce a patch, IT pros can do more to mitigate zero-day threats, said Jeremy Martin, a Colorado Springs, Colo.-based penetration tester who spends his working days trying to bust into the networks of large enterprises to help them identify and close security gaps.
"I've been to many organizations where they wait for the patch instead of taking mitigation steps," he said. "One thing IT departments could do better is educate employees on steps they should be taking when there's a worm attack."
That could mean the IT department sends out an e-mail telling employees something is out there and advising them to stay away from untrusted Web sites, watch out for phishing e-mails and follow the general company user policies.
While there's a lot IT shops can do without hearing from Microsoft first, Martin said the software giant could help network administrators help themselves by including more information in its security advisories.
"I think it would help IT pros if Microsoft gave extra detail on the vulnerabilities," he said. "Give the IT pros more information and they can more effectively block threats targeting a given flaw at the firewall."
Communication has improved
While saying Microsoft could patch zero-day flaws more quickly and provide more detail in its security advisories, IT pros concede that the vendor has significantly improved its communications methods, which has proven helpful during recent zero-day incidents.
"I actually liked how Microsoft handled the WMF threat," said Matthew Murphy, an independent security researcher based in Springfield, Mo. "Microsoft noticed exploits were happening and they really swung into action. They developed and tested the patch and got it out the door pretty quickly."
Microsoft said a patch would come out as soon as testing was done and they kept communicating on it, so when it came out five days early there wasn't much disruption, Murphy said. "Combining this kind of ambitious schedule with transparency is a good development," he added. "People underestimate how much communication does help smooth a situation."
"The blog has been a very welcome site in the community," Murphy said. "We get more updates and we get them faster. It shows that Microsoft knows it needs to be more efficient and quick with information."
Expect no big changes
While zero-day fixes may not come as quickly as some would like, Microsoft's current approach is the result of feedback from the vast majority of customers, said Debby Fry Wilson, director of communications for Microsoft's Security Technology Unit. Therefore, people can expect the patch cycle to remain unchanged for the foreseeable future. However, she added, Microsoft's goal is always to release zero-day fixes as quickly as possible, even if it means deviating from its standard release cycle.
Fry Wilson said Microsoft will always consider releasing out-of-cycle updates "if we have a quality update available and customers are at serious risk, as we have done on several occasions, such as the WMF attack."
She also promised that a patch will never be released without adequate testing, no matter how bad a zero-day attack might be. "The only thing worse than not having a security update available in the heat of an attack," Fry Wilson said, "is having a broken update."
Microsoft customers have experienced the pain of broken patches in the past. Just last month the company was forced to re-release the Windows Explorer update first issued April 11. Fry Wilson said the company wants to minimize these problems as much as possible.
"It's imperative we ensure every security update is a quality update that will fix the underlying flaw," she said, "but at the same time work effectively in deployment."
This article originally appeared on SearchSecurity.com.