Predicting Microsoft's Patch Cycle

Dominic White

 

Predicting Microsoft's Patch Cycle

Kevin Liston at the ISC has an entry up about predicting when Microsoft will release an out of cycle patch and when they will release it on patch Tuesday. His conclusions are:

  • Microsoft will release an out-of-band patch only if a third party has released an unofficial patch, and that patch involves a change more involved than a kill-bit.
  • Microsoft will release a patch on the next release date if the fix involves only a kill-bit.
This is an interesting bit on analysis, although I think you can take his analysis one step deeper. When I wrote my paper on optimal vendor patch release cycles I spent time analysing exactly this point: What criteria should be used when deciding to release a patch in or out of cycle to minimise risk to the people applying patches? Microsoft's current practise as pointed out by Kevin is highly flawed, but you don't need to research this to know that. However, I believe Kevin misses the root of what Microsoft's actual decision making criteria is. It is the same logic that applied in the case of their DRM being cracked; they released a patch out of band before anyone even asked; that of the impact on Microsoft directly.

If a third party releases a patch, then Microsoft is left with two big problems (this list isn't meant to be complete):

  1. Pie on their face, especially if the patch works well
  2. A loss of confidence in their patching process (or more accurately a gaining in confidence in third party patches)

All of these problems affect Microsoft directly. While the fact that we as patch users may end up a little safer is most likely factored in by Microsoft it doesn't appear to weigh as heavily as the impact to them. I would rewrite Kevin's analysis as such:

  • Microsoft will release an out of band patch if the situation impacts them directly.

Examples of this sort of impact are; media hype, third party patches, customer pressure etc. Notice that wide scale hacking incidents are specifically excluded from this list unless they lead to one of the above.

In my paper I argued that the most sensible criteria vendors should use is whether the vulnerability was 'responsibly' disclosed. The criteria then becomes:
  • If 0-day disclosure, release out of band.
  • If 'responsible' disclosure, release on patch Tuesday.

The paper contains the detailed argumentation for this, but I believe this will reduce our (end-users) risk, especially if the community interaction detailed in the paper is implemented.

What this leads us to is the fact that Microsoft (and other companies) will only patch in a way that reduces our risk, iff our risk is aligned to their risk. Unless we convince hackers to hack Microsoft everytime there is a 0day, this isn't going to happen. Alternativley, we could try and create a media storm everytime Microsoft delays until Tuesday, which has worked in the past but has limited continued effect. The last option is to get it legislated, this seems to be the way to get these sorts of things done, although I am open to any other suggestions.

Tuesday, November 14. 2006
Posted by Dominic White in Security
Comments (0) | Trackbacks (0)

 

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment