- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - All told, Microsoft released 74 patches in 2009 and while some months were worse than others (such as October), security experts say the software giant seems to be refining and improving the process of explaining and pushing out patches.
"These past couple of months I have been watching the information coming out of Microsoft and they are refining their processes and they are giving a lot more information to people," says Jason Miller, data and security team leader at Shavlik Technologies. "They are getting information out earlier. So definitely it appears that this patch process is starting to mature in a good way. I am definitely seeing more positives and some of the bumps and bruises we have seen in the past couple of years, we are not seeing those right now."
Unfortunately, patching will be reality as long as software is around, but any work to make it more manageable will be welcomed by those doing the hands-on work.
Miller says Microsoft's delivery of the actual bits for the patches is much more consistent month to month, that there is more technical information with more depth, and more effort to provide advisories on known vulnerabilities regardless if there is a patch or not.
"The process overall has improved," say Amol Sarwate, manager of Qualys' vulnerability research lab. "I think Microsoft has made a lot of progress on the whole patching cycle. They are ahead if you compare it with other companies. Microsoft is very formal and forthcoming about giving advanced notification."
Sarwate says the addition of the exploitability index, which debuted in October of last year, is one example of how Microsoft has enhanced patch process. The index uses a three-tier system to grade the likelihood of consistent, inconsistent or functioning exploit code for each patch.
"They have constantly added a lot of metric around the vulnerability and also the overall flow in how quick they are to respond to something like a proof-of-concept," Sarwate says. "Microsoft is quicker about getting an advisory out. They are more vigilant in that piece then they had been."
Shavlik's Miller agrees Microsoft is better about issuing advisories, which tell users about existing vulnerabilities or zero-day exploits that have yet to be patched.
The latest came last month concerning the zero-day exploit around Internet Explorer. Microsoft first acknowledged on Nov. 23 that it was investigating the issue and followed up later in the day with a formal security advisory, and before the day was done issued a second update to report a patch would be developed. That patch, MS09-072, was delivered Tuesday as part of the regular patching cycle.
"You have advisories, you have re-releases that they are announcing as they are going through the month, as well as some nifty diagrams of exploitability indexes along with commentary on the patches," Shavlik's Miller says.
He says he is seeing a lot more information coming from the Microsoft Security Research Center (MSRC) and technical information coming from Microsoft's Security Research & Defense blog, which is produced by the MSRC Engineering team.