Microsoft's move to a monthly patch-release cycle one year ago this month has made it easier to install security updates for Windows and other products, IT managers said last week -- even as they were greeted with a barrage of new fixes, many for flaws that were given "critical" severity ratings by Microsoft.
The October patch rollout was one of Microsoft's largest yet this year, consisting of 10 separate patches designed to address a total of 20 vulnerabilities across a wide range of the company's software. Seven of the security updates were rated as "critical" for users to install, and the other three were labeled "important."
The massive release highlighted Microsoft's continuing struggles with software security. Nevertheless, six users said the monthly cycle that the vendor has followed for almost all the patches released since last October has made the patching process more predictable and manageable.
"Overall, the (monthly patching) schedule is a good thing," said Hugh McArthur, information systems security officer at Online Resources, an online bill-processing company. "It has been helpful for planning purposes and in allowing us to evaluate the patches once a month, versus having them trickle in randomly throughout the day, week and month."
David Krauthamer, director of information systems at Advanced Fibre Communications, said Microsoft appears to have become much more aware of the heavy burden that patching systems puts on IT managers. He added that a regular patching schedule reduces much of the instability that results from intermittent releases and eases the challenge of keeping up to date on patches.
"What it gives you is the consistency you need to factor patching into your overall (systems management) process," Krauthamer said. "It's a great thing if you can spend just one night a month doing patches."
From a systems administration standpoint, the predictability of the monthly releases has made it "much easier" to manage the patching of Windows-based machines, said Mike Tindor, vice president of network operations at First Internet Inc., an Internet service provider in St. Clairsville, Ohio.
Debbie Fry Wilson, director of marketing at Microsoft's Security Response Center, said the shift from an ad hoc patch release process to a weekly schedule and then to the monthly one was driven by feedback from users who said they "were not able to plan well because they didn't know in advance when we would have patches for them."
The policy of releasing patches on the second Tuesday of each month has also given Microsoft more time to work on improving the quality of its fixes and to do a "deeper level of testing" in the patch development stage, Wilson said.
Even so, users and analysts cited some ongoing concerns with the patching process.
Microsoft's growing habit of grouping together multiple security fixes in large patches can increase the testing burden for IT managers, said Russ Cooper, an analyst at TruSecure, an IT security consulting firm.
For instance, last week's crop of patches included one that was designed to fix eight separate vulnerabilities. "Users should get used to the idea of being snowed under on 'Patch Tuesday,' " Cooper said.
A monthly schedule can sometimes also expose users to longer periods of risk, said Andrew Plato, president of Anitian, a systems integrator and consulting firm. "If a new security flaw is discovered right after an update, waiting 30 days for a patch is too long," he said.
Tindor said that if information about a security flaw were to become public before the next monthly patch release, he would expect Microsoft to be "proactive in pushing the updates quickly rather than waiting to release them at the scheduled time."
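To put the exposure-window concern above in concrete terms, here is an added Python script (not from the article or from Microsoft) that computes the second-Tuesday release dates and the wait a flaw disclosed the day after a release would face; it assumes only the second-Tuesday policy described above and ignores out-of-cycle fixes. It also shows that, because consecutive second Tuesdays are 28 or 35 days apart, the wait is 27 or 34 days rather than a flat 30.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday=0 ... Sunday=6


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's scheduled release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after: date) -> date:
    """First scheduled release strictly later than `after`."""
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    if after.month == 12:
        return patch_tuesday(after.year + 1, 1)
    return patch_tuesday(after.year, after.month + 1)


def exposure_days(disclosed: date) -> int:
    """Days a publicly known flaw waits for the next scheduled release
    if no out-of-cycle fix is issued (assumption: schedule only)."""
    return (next_patch_tuesday(disclosed) - disclosed).days


def worst_case_exposure(year: int) -> tuple[int, date]:
    """Longest wait in `year` for a flaw disclosed the day after a release.
    Consecutive second Tuesdays are 28 or 35 days apart, so the wait is
    27 or 34 days, never exactly 30."""
    worst_gap, worst_day = 0, patch_tuesday(year, 1)
    for month in range(1, 13):
        disclosed = patch_tuesday(year, month) + timedelta(days=1)
        gap = exposure_days(disclosed)
        if gap > worst_gap:
            worst_gap, worst_day = gap, disclosed
    return worst_gap, worst_day


if __name__ == "__main__":
    # Constructed scenario: the October 2004 release the article describes.
    release = patch_tuesday(2004, 10)
    day_after = release + timedelta(days=1)
    print(f"Release {release}: a flaw disclosed {day_after} waits "
          f"{exposure_days(day_after)} days for {next_patch_tuesday(day_after)}")
    gap, day = worst_case_exposure(2004)
    print(f"Worst case in 2004: {gap} days for a flaw disclosed {day}")
```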
Stephen Toulouse, security program manager at the Microsoft Security Response Center, reiterated that the company is releasing combined fixes in response to requests from users.
"We have heard very clearly from customers that when there is an opportunity to have just one update, that's what they want," Toulouse said, noting that Microsoft tries to combine fixes for multiple flaws found in the same source-code files.
In response to concerns about users being exposed to longer periods of risk, Wilson said Microsoft will issue out-of-cycle fixes if the situation warrants it. In late July, for instance, the company rushed out a patch after an active exploit was found to be taking advantage of a flaw in Internet Explorer.