
Microsoft to revamp patch management software

Sep 01, 2003

In the wake of recent ugly worm episodes, Microsoft is planning to overhaul its much maligned patch management architecture in an effort to ease the frustrations of corporate users.


Company officials say they are: creating a common assessment engine that would verify whether patches are needed; adding automatic update capabilities to every product, including Office, Exchange and SQL Server; standardizing uninstaller technology; and reducing patch sizes to conserve bandwidth during deployment. Those offerings will be added to changes the company announced two months ago that included cutting the number of patch installers from eight to two and developing a patch-update site for Microsoft products.

Currently, the company uses eight different patch installers across its product lines, and those installers don’t report that a patch has successfully installed. The tools used to verify a patch is installed often give conflicting results, leaving users vulnerable even though they think their systems are patched. This issue was highlighted during the recent Blaster worm attacks and the MS-SQL Slammer worm intrusions into SQL Server systems earlier this year.

“It’s better not to have any tools, than ones that lie to you,” says Tom Geairn, president of NewView Consulting. He says Microsoft’s patching system has come a long way but still needs repairs. “People are mad enough now to force things to change.”

The changes are long overdue, many say, after years of user frustration.

“What they are doing now is sewing the seams together so that they will look presentable enough to us so they can say they are trustworthy,” says Russ Cooper, surgeon general of security services company TruSecure and moderator of the discussion list NTBugtraq. “They are cleaning up a mess to get to where they can deliver tangible improvements.”

Cooper says many things Microsoft is doing are already possible with third-party patch management tools from Shavlik Technologies, which licenses some of its technology to Microsoft. Other vendors such as Aelita, BigFix, ConfigureSoft, Ecora, PatchLink and St. Bernard Software also offer patch management tools.

Microsoft, however, knows it has work to do. Scott Culp, senior security strategist for the company’s Trustworthy Computing team, says dramatic changes are now in the works. “We’ve heard the same consistency complaints, and we agree,” he says.

Microsoft’s chief security strategist Scott Charney earlier this year created a 30-member internal task force to consolidate patch management into a standardized architecture that stretches across all Microsoft products.

The big question is: When will Microsoft deliver all the pieces?

Microsoft first got serious about patch management two years ago following the Code Red and Nimda attacks. Culp says improvements will happen in phases but the most-significant improvements will be seen over the next four to 12 months.

A major part of the effort begins this week with the beta release of Microsoft Installer 3.0. The installer will be one of two that will replace the company’s eight patch-installation technologies. MSI 3.0 will be the installer for applications such as SQL Server, Office and Exchange. Update.exe, which was developed by the Windows Sustained Engineering team, will be used on operating systems.

“You will see dramatic convergence on the installer technology by the end of this year, although it might not be on all products,” Culp says. MSI 3.0 is expected to ship in mid 2004, and all Microsoft products are expected to use the new installers by year-end 2004.

He says MSI 3.0 can be installed on Windows Server 2003, Windows XP and Windows 2000 with Service Pack 3 and higher. The installer will be integrated into Microsoft software starting with the Longhorn products, which start with a new operating system that is scheduled for release in 2005 or 2006.

Microsoft also is working on a standard set of installer options, so that every patch accepts the same command-line switches for deployment operations such as quiet rollouts, which suppress the dialog boxes shown during installation. Also in the works is a standard naming scheme for patches that will encode the related documentation (such as the bulletin or knowledge base article), platform, service pack and patch version. These efforts are designed to make it easier for users to understand what a patch is just by looking at its name.

The company also will expand its uninstall feature beyond Windows patches to every patch for every system. This feature was added to patches for Internet Explorer in March 2003, Culp says, but he would not specify a time frame for other products.

“Reducing the number of installers will make my life easier,” says Raj Maini, systems analyst for the American Chemistry Council, a lobbying group for chemical companies in Arlington, Va. “But what I really would prefer is to have something that ensures the patch installs correctly.”

Microsoft plans to address that issue and is developing a standard assessment technology for determining if a patch is needed or is properly installed. The assessment engine will be standard across Windows Update, Software Update Services (SUS), Microsoft Baseline Security Analyzer (MBSA), Systems Management Server (SMS) and the forthcoming System Center, which is a combination of SMS and Microsoft Operations Manager.

Also being developed is a companion reporting engine that will provide details on whether a patch was installed successfully. Microsoft’s Culp again says there is no time frame for the two engines, but that improvements would be evident in the next 12 months.
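The complaint above (L14, L42) is that different tools answer "is this patch installed?" differently, so administrators end up trusting a tool that may be lying. Until a single assessment and reporting engine exists, the practical mitigation is to ask more than one source and surface the disagreements rather than hide them. The script below is an added example written for this page; it is not code from the article, from Microsoft or from any vendor named here. It assumes a current Windows host with the Windows Update Agent COM API available, and the KB numbers in the default parameter are constructed placeholders to be replaced with the KBs a deployment job claims to have installed.

```powershell
<#
Added example (not from the article): cross-check two local sources of
"is this patch installed?" and flag every disagreement explicitly.

Source 1: the Quick Fix Engineering (QFE) table that Get-HotFix reads.
Source 2: the Windows Update Agent's own record, via the Microsoft.Update.Session
          COM API (IUpdateSearcher.Search with IsInstalled=1).

Assumption: only OS patches appear in QFE; MSI-based application patches
(Office, SQL Server, Exchange) do not, which is exactly the fragmentation
the article describes. A CONFLICT row therefore needs a manual look, not a
guess about which tool is right.
#>
param(
    # Constructed placeholder KB list for illustration; replace with real KBs.
    [string[]]$ExpectedKBs = @('KB1111111', 'KB2222222', 'KB3333333')
)

function Get-QfeInstalledKBs {
    # HotFixID is already in the form "KBnnnnnn"; normalise case for comparison.
    Get-HotFix |
        ForEach-Object { $_.HotFixID.ToUpper() } |
        Sort-Object -Unique
}

function Get-WuaInstalledKBs {
    # Ask the Windows Update Agent which software updates it considers installed.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=1 and Type='Software'")
    $kbs = foreach ($update in $result.Updates) {
        # IUpdate.KBArticleIDs holds bare numbers; prefix them to match QFE.
        foreach ($id in $update.KBArticleIDs) { "KB$id" }
    }
    $kbs | Sort-Object -Unique
}

function Compare-PatchState {
    param(
        [string[]]$Expected,
        [string[]]$Qfe,
        [string[]]$Wua
    )
    foreach ($kb in $Expected) {
        $kb    = $kb.ToUpper()
        $inQfe = $Qfe -contains $kb
        $inWua = $Wua -contains $kb
        $verdict =
            if ($inQfe -and $inWua)            { 'installed (both sources agree)' }
            elseif (-not $inQfe -and -not $inWua) { 'MISSING (both sources agree)' }
            else                               { 'CONFLICT: sources disagree, verify manually' }
        [pscustomobject]@{
            KB      = $kb
            QFE     = $inQfe
            WUA     = $inWua
            Verdict = $verdict
        }
    }
}

# Collect both views once, then reconcile the expected list against them.
$qfeKBs = Get-QfeInstalledKBs
$wuaKBs = Get-WuaInstalledKBs
Compare-PatchState -Expected $ExpectedKBs -Qfe $qfeKBs -Wua $wuaKBs |
    Format-Table -AutoSize
```

Run it as `.\Compare-PatchState.ps1 -ExpectedKBs KB5000001,KB5000002` (any file name will do; the KBs are whatever your deployment tool reported). The `IsInstalled=1` search can take a minute on a host with a long update history. A row marked CONFLICT is the situation Geairn describes: one tool says patched, another says not, and the right response is to inspect the patched binaries or the patch's own uninstall registry entry rather than to pick the answer you prefer.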

Microsoft plans to add support for other products including Office and for foreign language patches into MBSA, which checks for missing patches.

The company also is creating one centralized patch update site that includes all its products. 

The road ahead

Microsoft has vowed to fix the patch-management problem, but it won’t come without a lot of work to improve its current technology.
Reduce number of installer technologies: Microsoft has eight patch installation technologies that stretch across its major products. The company will reduce that to two, one for the operating system and one for applications. The open questions are when, and whether the new installers will be integrated into current products.
Consolidate download sites into one site: Windows Update and Software Update Services (SUS) now provide Windows patches. Patches for other products such as Office, Exchange and SQL Server must be found elsewhere. Microsoft plans to create one site that checks whether patches are needed for any product.
Establish consistency: Tools such as Windows Update, SUS, Systems Management Server and Microsoft Baseline Security Analyzer can give conflicting results as to whether a patch is installed. This forces administrators into time-consuming manual checks to verify that a patch has actually been deployed.

“There should be one place to go to get all your patches,” Culp says.

Currently, Windows Update, aimed at consumers, and SUS, aimed at corporations, provide only operating system patches. Office has its own patch-update site, while Exchange and SQL Server don’t have an official patch-management site.

Microsoft also plans to add automated patch updating to all its products including SQL Server, Exchange and Office. Automated patch updating (Automatic Updates) already exists in Windows XP and in Windows 2000 with Service Pack 3 and 4. And the company is considering making it the default configuration on some products, especially those for consumers, according to Culp.