you're reading...

Patch Tuesday: A tradition born of desperation?

So, what is Patch Tuesday and why all the fuss?
Every second Tuesday of the month a stream of updates arrives, all from Microsoft. Normally it is a reasonably short list but yesterday (14/06/2011) the list was pretty long.
Luckily I subscribe to a list direct from Microsoft that forewarns of such issues but still 16 patches is unusual.
Patch Tuesday is an invention of Microsoft’s dating back to the early days of Internet updates (1997/1998). The principle is to a provide regular, routine schedule which people can plan and fit in to busy business calendars. Regular patch reviews can be set up to ensure the appropriateness of the patches, also allowing testing routines to be pencilled in. Don’t be fooled into thinking that Microsoft have fully tested the patch. They have but every corporate environment is different and simple, tiny patches have been known to blow bespoke applications and off-the-shelf systems out of the water. Testing patches is essential before applying to the primary/live systems.
Patches are small (normally) “delta” changes to subcomponents of systems or applications that (normally) fix bug, stability, vulnerability or security issues. Essentially all Microsoft products can receive such patches but for the majority of users we are referring to the Windows and Office systems.
Issues are raised, either publicly through exploitation (Zero Day) and security forums (CVE etc.) or privately through Microsoft’s internal security/bug channels (now simply an email address or telephone number).
Very occasionally a patch will tweak the application to enable a new or partially enabled feature.
Service Packs
Once there are enough patches to make management unrealistic, Microsoft issue a roll-up of them all called a Service Pack. Service Packs are more likely to include functional tweaks than patches, including items not released in any patch, to improve the product experience.
They replace all the previously installed patches- up to a certain point in time.
Patch Tuesday has been criticised in recent years by many security analysts for perceived shortcomings in the system.

  • System Administrators must review the effects and issues raised by each patch and releasing them all at once takes them away from other core roles for a significant part of the week, or at least day.
  • Other system are potentially “prone” whilst admins try to understand the implications of Patch Tuesday.
  • Patch Tuesday leads to Exploit Wednesday, when malware writers try to use the information released in the bulletins to write “exploits” so that they can attack unpatched systems. Unpatched systems will be the vast majority of systems for a considerable time after Patch Tuesday. Corporate and Government systems may be patched very close to Patch Tuesday but the testing model, if applied, would delay rollout.
  • Large patches being sent to a large number of systems can lead to network bottle necks for the entirety of the rest of the week as clients connect and request new updates.
    Many organisations use systems like ManageSoft to manage this a bit better but there is always a “hit” at some point.

  • Client systems can require multiple reboots or appear slow during updates.
  • {QUOTE}Patch Tuesday is a flawed Security model as it delays patches that could have been applied earlier.

Other providers
An array of processes are used by software houses to push patches to users.

  • Very few Linux distributions push delta changes and most provide repositories from which the administrator can manually choose to download patches (can be automated at a certain amount of risk). The repositories are updates as soon as a patch is available. Almost all of these are full replacement packages and require greater planning than delta changes.
  • Java checks and downloads patches frequently but irregularly. Similarly with Adobe products.
  • Google push delta changes to clients in the background without asking any permission at all.

Best approach?
I simply don’t have an answer to that.
If you absolutely trust the vendor then background delta changes is best.
If you need to schedule testing then Scheduled Releases helps.
All comments welcome, as usual.
Microsoft Security Bulletin
Adobe Products Updates
Common Vulnerabilities Exposure
Chromium Blog updates policy

– Posted using BlogPress

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: