Microsoft to revamp patch management software
By John Fontana, Network World, 09/01/2003
In the wake of recent ugly worm episodes, Microsoft is planning to overhaul its much-maligned patch management architecture in an effort to ease the frustrations of corporate users.
Company officials say they are: creating a common assessment engine that would verify whether patches are needed; adding automatic update capabilities to every product, including Office, Exchange and SQL Server; standardizing uninstaller technology; and reducing patch sizes to conserve bandwidth during deployment. Those offerings will be added to changes the company announced two months ago that included cutting the number of patch installers from eight to two and developing a patch-update site for Microsoft products.
Currently, the company uses eight different patch installers across its product lines, and those installers don't report whether a patch has successfully installed. The tools used to verify that a patch is installed often give conflicting results, leaving users vulnerable even though they think their systems are patched. This issue was highlighted during the recent Blaster worm attacks and the MS-SQL Slammer worm intrusions into SQL Server systems earlier this year.
"It's better not to have any tools, than ones that lie to you," says Tom Geairn, president of NewView Consulting. He says Microsoft's patching system has come a long way but still needs repairs. "People are mad enough now to force things to change."
The changes are long overdue, many say, after years of user frustration.
"What they are doing now is sewing the seams together so that they will look presentable enough to us so they can say they are trustworthy," says Russ Cooper, surgeon general of security services company TruSecure and moderator of the discussion list NTBugtraq. "They are cleaning up a mess to get to where they can deliver tangible improvements."
Cooper says many things Microsoft is doing are already possible with third-party patch management tools from Shavlik Technologies, which licenses some of its technology to Microsoft. Other vendors such as Aelita, BigFix, ConfigureSoft, Ecora, PatchLink and St. Bernard Software also offer patch management tools.
Microsoft, however, knows it has work to do. Scott Culp, senior security strategist for the company's Trustworthy Computing team, says dramatic changes are now in the works. "We've heard the same consistency complaints, and we agree," he says.
Microsoft's chief security strategist Scott Charney earlier this year created a 30-member internal task force to consolidate patch management into a standardized architecture that stretches across all Microsoft products.
The big question is: When will MS deliver all the pieces?
Microsoft first got serious about patch management two years ago following the Code Red and Nimda attacks. Culp says improvements will happen in phases, but the most significant improvements will be seen over the next four to 12 months.
A major part of the effort begins this week with the beta release of Microsoft Installer 3.0. The installer will be one of two that will replace the company's eight patch-installation technologies. MSI 3.0 will be the installer for applications such as SQL Server, Office and Exchange. Update.exe, which was developed by the Windows Sustained Engineering team, will be used on operating systems.