By Mark Burnett
Those of us who manage Windows systems got a pleasant surprise this month: no new patches for March! Could this be a trend? Unfortunately, not yet. We just got lucky this time.
But it does give us a chance to step back and talk about some other things. For one, I want to examine the quality of patches.
For a long time, people simply didn’t install patches unless they absolutely needed to. The first reason people gave was, "Why change something that’s working fine?" Second, people simply didn’t see the urgency of security patches. Finally, people had a good reason for not installing hotfixes: they had a tendency to break things.
Even to this day, administrators are wary of automatic updates because they might potentially break other software. Fortunately, this is becoming rare nowadays. Microsoft has made some notable improvements on the quality and consistency of their patches.
Monthly release schedule is improving patch quality
One of the biggest changes is that Microsoft is releasing most patches on a regular monthly schedule. This allows them to properly plan for and test patch releases, rather than constantly scrambling around to get them out the door. This alone has made a big difference in the quality of patches and has also made things easier for us on our end.
Another big improvement is the adoption of standards throughout the entire patch management process. This includes standardizing Microsoft’s terminology, Knowledge Base article formatting, patch naming and, most importantly, the installer the patch uses. It’s not very apparent any more, but at one time there were well over a dozen different Microsoft installers. Each had its own command-line parameters, log formats, and uninstall support. Now they’ve almost got it down to just two installers: Microsoft Windows Installer (MSI) and Update.exe.
New Update.exe has features you can use
Microsoft has also made numerous improvements to Update.exe, which is used mostly for operating-system hotfixes. Two of my favorites are installation source integration and HotPatching.
Installation source integration allows you to incorporate a hotfix directly into your Windows source files. This means that the hotfixes install with Windows. Supposedly, you could do this previously, but my experience showed that it didn’t always work as expected.
Integration not only saves time, but a system that’s installed with the hotfixes in place is immediately protected. This avoids any possible security incidents during or shortly after install.
One thing to watch for, however, is that integrating hotfixes into the Windows source sometimes doesn’t register the hotfix properly, thereby fooling some patch management products. I’ve seen several products report a missing hotfix that I know I already integrated into the OS.
If you ever see this happen, be sure to report it to the vendors so they can take care of the problem.
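As an added illustration of the integration step and the registration check described above (this is not the column's own material), the PowerShell script below runs each Update.exe-based hotfix with its /integrate switch against a Windows source tree, then, on an installed machine, checks whether each KB shows up where patch-management scanners typically look. The /integrate, /quiet, /norestart and /log switches are documented Update.exe options; the paths, folder layout, KB numbers and the two inventory locations checked (Win32_QuickFixEngineering and the Uninstall registry key) are assumptions, and the KB numbers are placeholders.

```powershell
# Added example, not code from the column. Slipstreams Update.exe hotfixes into
# a Windows source tree, then verifies on an installed system that each KB is
# registered. Paths and KB numbers are placeholders; adjust to your environment.

param(
    [string]$SourcePath = 'D:\WinSource',    # assumption: folder that contains the i386 directory
    [string]$HotfixDir  = 'D:\Hotfixes',     # assumption: folder of WindowsXP-KBnnnnnn-x86-ENU.exe packages
    [string]$LogDir     = 'D:\Hotfixes\logs'
)

function Integrate-Hotfixes {
    # Run every Update.exe package with /integrate so its files are placed in
    # the source tree and install together with Windows. Each package writes
    # its own log so a failed integration can be traced to one KB.
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $results = @()
    foreach ($pkg in Get-ChildItem -Path $HotfixDir -Filter '*-KB*.exe') {
        $kb  = [regex]::Match($pkg.Name, 'KB\d+').Value
        $log = Join-Path $LogDir "$kb.log"
        $proc = Start-Process -FilePath $pkg.FullName `
            -ArgumentList "/integrate:$SourcePath", '/quiet', '/norestart', "/log:$log" `
            -Wait -PassThru
        $results += [pscustomobject]@{ KB = $kb; ExitCode = $proc.ExitCode; Log = $log }
    }
    return $results
}

function Test-HotfixRegistered {
    # On a system installed from the integrated source, check the two places
    # most scanners consult: the QFE inventory exposed through WMI and the
    # Uninstall registry key that Update.exe writes for a normal install.
    # A hotfix whose files are in place but that appears in neither is the
    # case the column warns about: protected, yet reported as missing.
    param([string[]]$KBs)
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering |
           Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        $inQfe = $qfe -contains $kb
        $inReg = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$kb"
        [pscustomobject]@{
            KB          = $kb
            InQFE       = $inQfe
            InUninstall = $inReg
            Registered  = ($inQfe -or $inReg)
        }
    }
}

# On the build machine:
#   Integrate-Hotfixes | Format-Table
# On a freshly installed client (placeholder KB numbers):
#   Test-HotfixRegistered -KBs 'KB000001','KB000002' | Format-Table
```

A KB that comes back with Registered = False on a machine you know was built from the integrated source is exactly the discrepancy worth reporting to the patch-management vendor, together with the Update.exe log for that package.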
The other new feature is HotPatching. This is a technology scheduled for integration with the upcoming Windows Server 2003 Service Pack 1 (SP1). HotPatching actually patches a file in memory, significantly reducing the number of reboots required after installing hotfixes. It’s a promising technology, but I do hope they’ve taken the necessary precautions to prevent hackers from abusing this. We’ll see.
Five-week beta cycle provides real-world exposure
To address quality issues, Microsoft has implemented a five-week test cycle with significantly more stringent testing requirements.
The Redmond company has also launched a new customer patch validation program to further identify potential problems. A select number of organizations and individuals now beta test the hotfixes in different real-world environments. The program is closed — they aren’t taking anyone else — and was only made available to close business partners and Microsoft Most Valuable Professionals (MVPs).
Finally, the Microsoft Security Response Center (MSRC) performs a final post-mortem review of the update before releasing the security bulletin.
It’s been years since Bill Gates’ infamous Trustworthy Computing e-mail, but we’re finally starting to see a few tangible improvements. Hopefully, this will continue. If so, we’ll start seeing more Patch Tuesdays pass quietly — with the simple announcement that there are no new bulletins for this month’s release cycle.