Microsoft has made what I consider the most significant changes in its security-bulletin release policy since the beginning of security bulletins. Instead of sending out Windows patches every week, as has until recently been the case, the Redmond software giant now plans to circulate new patches only once a month, on the 2nd Tuesday of each month. (If a worm is running loose “in the wild,” Microsoft says it will release a special patch immediately.)
I wrote in the paid version of the Oct. 16 Brian’s Buzz that I’d analyze for you the full implications of this new policy. After interviewing several Microsoft officials and independent experts, I’m devoting today’s special report to this topic.
Microsoft’s last patch release was on Oct. 15. On that date, the company announced five patches affecting every supported version of Windows and two patches involving Exchange Server. The next scheduled announcement will be Nov. 11. No new patches have been released between these monthly milestones. That makes this the first time in years that the company has gone as long as four weeks without putting out a Windows patch. Because of this gap, I won’t in today’s issue analyze the latest new patches, since there aren’t any.
I wrote in my Nov. 3 eWeek column that some experts are already saying a monthly schedule will lead to less security than a real-time release policy. Personally, I believe the shift to monthly batches of patches can make your company more secure, if you act decisively to take advantage of the new regime. On the other hand, if you put off rolling out new patches for a week or two after a monthly announcement, you might then say, “I’ll wait until another batch comes out next month.” That would make Microsoft’s switch to a monthly schedule a net loss of security for your company.
The opportunity for greater Windows security is yours to grasp or ignore. Here, then, are the major points you need to know:
• You have a rendezvous with destiny every 2nd Tuesday. Microsoft is moving its release of patches from every Wednesday to every 2nd Tuesday morning. This shift from Wednesday to Tuesday is intended to give legitimate companies almost a full working week to download, test, and roll out the latest batch of patches before black-hat hackers have enough spare time to create and launch viruses and worms.