We call on vendors to simplify the process.

After last summer’s Blaster outbreak – which would have been much shorter-lived if users patched more Windows machines – there’s been considerable debate about why users are slow to apply necessary security patches.

One reason is the time and effort required to determine which machines need patches, test those patches and roll them out across the network. Microsoft is developing new tools that might help automate these processes (see story), but there are also more elementary reasons why Johnny can’t – or doesn’t – patch.

One is that vendors aren’t providing clear-cut information about when, why and how to adopt security updates. Both commercial and open source software vendors make it difficult to track what security updates apply to our machines.

When Microsoft announced numerous security updates in October, its announcement was unclear at best and downright confusing at worst. Microsoft’s Web site, depending on what page you looked at, gave you different versions of what patches were available. Adding to the confusion were separate and irregularly cross-referenced notices. The Windows summary for last October covers MS03-041 through MS03-045. There is no mention of how to find announcements about other Microsoft products, and therefore it totally misses the Exchange announcements, which were labeled MS03-046 and MS03-047 (note these are labeled from the same naming system, adding further to the confusion). There is no single, definitive place to look on the Microsoft Web site for patch information.

Not only does Microsoft make it hard to find the right information, but the information can change overnight. Just last week, when Redmond rolled out its security patches for the month of March, it announced three patches for various products on Tuesday and had to turn around and revise both the severity rating and the client update package less than 24 hours later.
This patch confusion issue is not unique to Microsoft, or to commercial vendors in general, for that matter. Open source projects are not exempt from this charge; take the slew of OpenSSH updates issued last fall, for example. The OpenSSH team released three updates in two days (3.6.1p1, 3.7.1p1 and 3.7.1p2) before they finally got one of the known vulnerabilities corrected.

You can subscribe to vendor announcement services, monitor SANS Web sites and hang out on security mailing lists, but these are not reasonable ways to learn about security updates. Why should we have to rely on the kindness of strangers to learn what patches we need to apply?

The challenge

As Dr. Tina Bird, computer security officer at Stanford University, has suggested in her SANS lectures, users should have a standardized means by which they can go to any vendor’s Web site and identify any security updates that are issued.

We throw our Tester’s Challenge gauntlet at the feet of the major operating system vendors: Apple, Microsoft, Novell and Red Hat. We challenge you to create an effective, simplified means by which we can get our hands on pertinent patch information pertaining to your products.

We’d like to see a single point of contact – like “abuse@” or “postmaster@” – so software users have a straightforward, easily identifiable point of contact. We also want a central place to run to on your Web sites – such as www.company.com/security-updates – that lists all security vulnerabilities and corresponding patches. In this challenge, we’re not asking these companies to fix all the ills of the patching dilemma – although that would be nice, because we’re paying good money for these products – we just want a simple, effective way of locating the patches.

Network professionals responsible for maintaining the security of their systems need clear-cut information directly from the horses’ mouths. They need to know:

• How to learn that new updates are available.
• How to retrieve updates (online or off).
• How to confirm the update applies to their network.

We have to spend enough time hunting down security issues without having to waste time hunting for appropriate security updates.

Given the resources in terms of money, people and equipment that Microsoft has, it shouldn’t be this difficult to distribute its security updates in a clear, coherent manner.

We’re prepared to print your 800-word reply letting us know exactly how you can make that happen. For the security handlers at Apple, Novell and Red Hat – or any other vendor that has a plan to address this issue – we invite you to chime in with your plans to provide better update information in our online forum.