Hackers' Window of Opportunity

By Lawrence Walsh


After five years of Microsoft releasing patches on the second Tuesday of the month, there’s some evidence that hackers are trying to game the release cycle to their advantage. Is it time for Microsoft to change its pattern?


Microsoft is aware of the window of opportunity between Patch Tuesday and the actual deployment of patches in production environments. For years, the recommended best practice for patching has called for security teams to conduct regression testing in nonproduction environments before rolling out to production machines. The lag introduced by that testing is the window of opportunity for exploitation.

Microsoft even acknowledges the potential for hackers to keep exploits in reserve until they see which fixes are released on Patch Tuesday. However, it believes both the process and the layers of protection built into the Patch Tuesday release cycle provide adequate protection against many exploits. The first line of defense is the Active Protection Program, a collaborative effort by Microsoft and 22 partners to provide interim workarounds and shields against the exploitation of vulnerabilities before new patches are deployed.

"If you look at Patch Tuesday, we provide means to protect and information to prioritize the patch deployment," says Mike Reavey, director of the Microsoft Security Response Center, the unit charged with triaging Microsoft vulnerabilities and creating patches. "The window of vulnerability is what Active Protection was designed for. While users are doing their regression testing of the new patch, they’re being protected by the 22 vendors in the program."

Additionally, automatic updates embedded in Windows and other Microsoft applications enable Microsoft to transparently deploy patches—which is particularly useful for home and small-business users that don’t follow security bulletins or have dedicated administrative support.

When all else fails, Reavey says Microsoft will deploy a patch outside the regular Patch Tuesday cycle. While Microsoft released three out-of-band patches in 2008, it has only broken the Patch Tuesday cycle eight times in the last five years, Reavey says.

"The customers I’ve talked with still appreciate the predictable cycle," Reavey says. "Having partners that provide protection and releasing more information keep [Patch Tuesday] relevant."

Few people will dispute the utility and effectiveness of Patch Tuesday. While Microsoft is releasing only one patch this month, software rival Oracle is unleashing a tsunami of 41 patches for numerous applications. But should Microsoft consider a little less predictable patch release process? Reavey says no, but others say it should be on the table.

"Microsoft maybe should start thinking about some additional randomization; it might be helpful," FishNet’s Shilts says. "It’s probably better to have regularity and have a process in place to deploy patches as they come out."


Lawrence Walsh is editor of Baseline magazine, overseeing print and online editorial content and the strategic direction of the publication. He is also a regular columnist for Ziff Davis Enterprise's Channel Insider. Mr. Walsh is well versed in IT technology and issues, and he is an expert in IT security technologies and policies, managed services, business intelligence software and IT reseller channels. An award-winning journalist, Mr. Walsh has served as editor of CMP Technology's VARBusiness and GovernmentVAR magazines, and TechTarget's Information Security magazine. He has written hundreds of articles, analyses and commentaries on the development of reseller businesses, the IT marketplace and managed services, as well as information security policy, strategy and technology. Prior to his magazine career, Mr. Walsh was a newspaper editor and reporter, having held editorial positions at the Boston Globe, MetroWest Daily News, Brockton Enterprise and Community Newspaper Company.