Kevin Liston at the ISC has an entry up about predicting when Microsoft will release an out-of-cycle patch and when they will hold it for Patch Tuesday. His conclusions are:
- Microsoft will release an out-of-band patch only if a third party has released an unofficial patch, and that patch involves a change more involved than a kill-bit.
- Microsoft will release a patch on the next release date if the fix involves only a kill-bit.
If a third party releases a patch, then Microsoft is left with two big problems (this list isn't meant to be complete):
- Pie on their face, especially if the patch works well
- A loss of confidence in their patching process (or more accurately a gaining in confidence in third party patches)
Both of these problems affect Microsoft directly. While the fact that we, as patch users, may end up a little safer is most likely factored in by Microsoft, it doesn't appear to weigh as heavily as the impact on them. I would rewrite Kevin's analysis as follows:
- Microsoft will release an out-of-band patch if the situation impacts them directly.
Examples of this sort of impact are: media hype, third-party patches, customer pressure, etc. Notice that wide-scale hacking incidents are specifically excluded from this list unless they lead to one of the above.
In my paper I argued that the most sensible criterion vendors should use is whether the vulnerability was 'responsibly' disclosed. The criteria then become:
- If 0-day disclosure, release out of band.
- If 'responsible' disclosure, release on Patch Tuesday.
The paper contains the detailed argument for this, but I believe this will reduce our (end-users') risk, especially if the community interaction detailed in the paper is implemented.
What this leads us to is the fact that Microsoft (and other companies) will only patch in a way that reduces our risk if and only if our risk is aligned with their risk. Unless we convince hackers to hack Microsoft every time there is a 0-day, this isn't going to happen. Alternatively, we could try to create a media storm every time Microsoft delays until Tuesday, which has worked in the past but has limited continued effect. The last option is to get it legislated; this seems to be the way these sorts of things get done, although I am open to any other suggestions.