Microsoft vows to clean up its patch management mess

DALLAS — Microsoft will whittle down its stable of patch management tools from eight to two by the end of the year, according to the software giant’s chief security strategist.

During his keynote at Microsoft TechEd Tuesday, Scott Charney put it simply, “patch management is broken.” Charney, who served as cybercrime chief at the Department of Justice for eight years, then vowed to repair the damage and ease the headache of patch management.

Patch management has become a problem for end users, not only because of the number of patches Microsoft issues, but also because of the number of different tools organizations have to deploy.

Microsoft has eight installer technologies available to users. Charney said that number would be reduced to two by the end of the year – one for the operating system and one for applications.

“We will eventually have one tool across the entire platform,” said Charney. He added that the appearance of the tool would coincide with the release of the Longhorn operating system, which is expected in 2005.

“One or two tools would be manageable,” says Velda Wooten, supervisor of the client support group for American National Insurance in Galveston, Texas. “With several different tools, the tools themselves become hard to manage.” Wooten manages some 1,800 desktops and is currently working in-house to design her own tools to help with the patching process.

Others say cleaning up the tool glut will likely result in better-patched systems.

“One tool for the OS and one for applications probably means that more admins will do patch management,” says Cary Shufelt, Windows network architect for Oregon State University. “It’s about time Microsoft did this.”

But there are other hurdles to get over.

Charney admitted it would not be easy to fix the problems and there is a lot of work to be done. “But there will be improvements,” he said. 

When he joined Microsoft last April, Charney tapped every product team in the company to create a 30-person strong working group to repair the patch management problem.

“Now that we know the problems, we can fix them,” he said. Those fixes will include enhancements to Software Update Services and Windows Update.

Charney spent the bulk of his keynote pushing Microsoft’s Trustworthy Computing initiative, which Microsoft chief software architect Bill Gates kicked off early last year. Charney said the initiative must insure the protection of confidentiality, integrity and availability of data. 

Charney also announced that Microsoft and VeriSign would partner on several security initiatives based on the public key infrastructure included in Windows Server 2003, including auto enrollment of VeriSign certificates in PKI, and interoperability between certificates and mobile devices.

Microsoft also announced a new security certification program that will begin immediately for Microsoft Certified Systems Engineers and Microsoft Certified Systems Administrators.