Wednesday is patch day at Microsoft

In case you haven't noticed, Wednesday is security patch day at Microsoft.

In the past year, the Redmond, Washington company quietly changed its procedure for releasing security bulletins and software patches for security vulnerabilities in its products, creating a carefully orchestrated process that predictably releases bulletins and patches to the public on Wednesdays, according to senior Microsoft security personnel.

The company never formally announced the change in procedure, which went into effect around May of 2002, nor is the policy mentioned on Microsoft's Web site or articulated in any document released by the company, according to Steve Lipner, director of security assurance at Microsoft.

Nevertheless, the policy has had a noticeable effect on how and when Microsoft releases product vulnerability information.

For example, in February 2002, before the change in procedure, Microsoft released eleven bulletins, MS02-002 through MS02-012, on seven separate days.

By comparison, in July the company released seven vulnerability notices, MS02-034 through MS02-040, on just three Wednesdays, July 10, 24, and 31. Four of those, MS02-036, 037, 038, and 039, were released on July 24 alone.

The trend has continued into the new year. On Wednesday, Microsoft released its first three vulnerability notices of 2003.

The change in procedure was made in response to feedback from some of Microsoft's large corporate customers, according to Mike Nash, vice president of Microsoft's Security Business Unit.

"It was a relatively easy change for us to make. It didn't impact in a significant way when people became aware of vulnerabilities," Nash said.

Customer feedback was also behind Microsoft's decision to release vulnerabilities on Wednesday.

"Wednesday in Redmond is Thursday in most parts of the world, and Thursday in Redmond is Friday. So our large enterprise customers told us 'Wednesday is best,'" Nash said.

The company also consulted with security industry experts and analysts before making the change, according to Lipner and others.

"They asked me about it before they started doing it, and I said I thought it was a fantastic idea," said Russ Cooper, Surgeon General at security company TruSecure Corp. and editor of the NTBugtraq mailing list, which provides information on security exploits and bugs in Windows operating systems and applications.

Microsoft's new procedure of releasing patches on Wednesdays makes it easier for network administrators to make resources available to implement those patches once they are released, according to Cooper, who said that Microsoft asked him not to disclose the change in policy.

David Litchfield, managing director of NGSSoftware Ltd. in London, said that he was told by a Microsoft employee of the company's policy of "rolling up" the security bulletins last year.

According to Litchfield, the employee explained the policy by saying that it was intended to make it easier for administrators to manage the different patches.

Litchfield said that he expressed reservations to Microsoft at the time.

"My personal opinion is: 'If a patch is available, don't hold it up.' I did express that to them."

Litchfield said that he understands Microsoft's desire to simplify the bulletin releases for administrators.

"It's a valid point of view. That doesn't work for me, but who am I to argue with Microsoft?" Litchfield said.

Microsoft denied that it holds patches for any length of time, however. Instead, the company retooled its production and testing processes to deliver the software patches just in time for release on Wednesday, according to Lipner.

"We don't hold over patches. If one is ready to go on Wednesday, it'll go," Lipner said.

The increasing tendency of the company to release two, three or more bulletins on a single day is a coincidence, according to Lipner.

"If you look at last year, we released seventy-two bulletins. I don't know how many of those were released in the second half of the year, but the dynamic is that if you release one a week on average, one of the things that's going to happen is that on some days you're going to release more than one," Lipner said.

But consolidating the release of bulletins may be a way to improve the company's standing with network administrators who were weary of the frequent and unpredictable software patches from the company.

"The element of 'damage control' has likely been a big part of their consideration," according to Thor Larholm, a vulnerability researcher at security consulting company Pivx Solutions LLC.

"Swallowing four bulletins at once is definitely easier than continuously having to patch," Larholm said.

The change in patch release procedures is just one in a number of steps the company took during 2002 to tighten up its security bulletin and patch release process.

In November, for example, Microsoft changed the way it rates security issues and expanded its security notification service to better serve end users who are not technically savvy. [See "Microsoft adds security service for novice end-users," Nov. 19.]

In contrast to the November changes, which the company announced in an e-mail message sent to current security bulletin subscribers, Microsoft to date has made no public mention of its decision to begin releasing patches and bulletins on Wednesdays.

Asked about the discrepancy in how the changes were handled by Microsoft, Lipner said that the company initially held off on making an announcement while it refined its patch release process to target Wednesdays.

By the time Microsoft had the process working, the change had been noted by customers and was "old news," Lipner said.

However, other considerations might have helped to keep the company mum about the change, including calls from industry and consumers for software vendors to expedite patches for vulnerable products, according to Cooper.

"At the time they made the change, the climate wasn't good for somebody saying 'We're going to hold on (to a patch) for six days,'" Cooper said.

Spelling out the mid-week release policy also obligates Microsoft to hold to it and opens the company to criticism whenever patches fail to go out as scheduled, according to Cooper.

Lipner said Microsoft has no plans to update its stated policy for releasing bulletins and patches to mention the mid-week target.

"As we evolve the process, that's something we can review. The key thing from a standpoint of getting patches out, however, was to make it easier and more likely that a customer installs a patch as fast as possible," Lipner said.

While it targets patch and security bulletin releases for Wednesday, Microsoft will break from form in the event of a security vulnerability that has not been patched and is actively being exploited, according to Lipner.

"The hard policy is that we won't put customers at risk by doing (mid-week releases). If we became aware of an issue where there was active exploitation or if a customer was being attacked, we would build a patch as fast as we could, test it and release it right then," Lipner said.

Asked about the company's silence, Cooper said that he doesn't see any problem with Microsoft formally stating its policy for patch releases.

"I don't think there's anything wrong with saying that 'Our policy is that we will release on Wednesday, when possible.'"
