Hackers' Window of Opportunity
By Lawrence Walsh | Posted 2009-01-13
After five years of Microsoft releasing patches on the second Tuesday of the month, there’s some evidence that hackers are trying to game the release cycle to their advantage. Is it time for Microsoft to change its pattern?
Microsoft is aware of the window of opportunity between Patch Tuesday and the actual deployment of patches in production environments. For years, the recommended best practice for patching has called for security teams to conduct regression testing in nonproduction environments before rolling patches out to production machines. The lag introduced by that testing is what creates the exploitation window.
Microsoft even acknowledges the potential for hackers to keep exploits in reserve to see what fixes are released on Patch Tuesday. However, it believes both the process and layers of protection built into the Patch Tuesday release cycle provide adequate protection against many exploits. The first line of defense is the Active Protection Program, a collaborative effort by Microsoft and 22 partners to provide intermediary workarounds and shields against the exploitation of vulnerabilities before new patches are deployed.
When all else fails, Reavey says Microsoft will deploy a patch outside the regular Patch Tuesday cycle. While Microsoft released three out-of-band patches in 2008, it has only broken the Patch Tuesday cycle eight times in the last five years, Reavey says.
"The customers I’ve talked with still appreciate the predictable cycle," Reavey says. "Having partners that provide protection and releasing more information keep [Patch Tuesday] relevant."
Few people will dispute the utility and effectiveness of Patch Tuesday. While Microsoft is releasing only one patch this month, software rival Oracle is unleashing a tsunami of 41 patches for numerous applications. But should Microsoft consider a little less predictable patch release process? Reavey says no, but others say it should be on the table.
"Microsoft maybe should start thinking about some additional randomization; it might be helpful," FishNet’s Shilts says. "It’s probably better to have regularity and have a process in place to deploy patches as they come out."