All told, Microsoft released 74 patches in 2009 and while some months were worse than others (such as October), security experts say the software giant seems to be refining and improving the process of explaining and pushing out patches.
“These past couple of months I have been watching the information coming out of Microsoft and they are refining their processes and they are giving a lot more information to people,” says Jason Miller, data and security team leader at Shavlik Technologies. “They are getting information out earlier. So definitely it appears that this patch process is starting to mature in a good way. I am definitely seeing more positives and some of the bumps and bruises we have seen in the past couple of years, we are not seeing those right now.”
Unfortunately, patching will be reality as long as software is around, but any work to make it more manageable will be welcomed by those doing the hands-on work.
Miller says Microsoft's delivery of the actual bits for the patches is much more consistent month to month, that there is more technical information with more depth, and more effort to provide advisories on known vulnerabilities regardless if there is a patch or not.
“The process overall has improved,” say Amol Sarwate, manager of Qualys' vulnerability research lab. “I think Microsoft has made a lot of progress on the whole patching cycle. They are ahead if you compare it with other companies. Microsoft is very formal and forthcoming about giving advanced notification.”
Sarwate says the addition of the exploitability index, which debuted in October of last year, is one example of how Microsoft has enhanced patch process. The index uses a three-tier system to grade the likelihood of consistent, inconsistent or functioning exploit code for each patch.
“They have constantly added a lot of metric around the vulnerability and also the overall flow in how quick they are to respond to something like a proof-of-concept,” Sarwate says. “Microsoft is quicker about getting an advisory out. They are more vigilant in that piece then they had been.”
Shavlik's Miller agrees Microsoft is better about issuing advisories, which tell users about existing vulnerabilities or zero-day exploits that have yet to be patched.
The latest came last month concerning the zero-day exploit around Internet Explorer. Microsoft first acknowledged on Nov. 23 that it was investigating the issue and followed up later in the day with a formal security advisory, and before the day was done issued a second update to report a patch would be developed. That patch, MS09-072, was delivered Tuesday as part of the regular patching cycle.
“You have advisories, you have re-releases that they are announcing as they are going through the month, as well as some nifty diagrams of exploitability indexes along with commentary on the patches,” Shavlik's Miller says.
He says he is seeing a lot more information coming from the Microsoft Security Research Center (MSRC) and technical information coming from Microsoft's Security Research & Defense blog, which is produced by the MSRC Engineering team.
MSRC blogs extensively on Patch Tuesday, an effort that includes charts, graphs and videos. It also blogs on advanced notifications before each Tuesday release, as well as on other vulnerability issues, including the recent Black Screen of Death episode.
The Security Research and Defense blog provides platform mitigation information directed at network administrators and information about new security defenses and tools that the Microsoft Security Engineering Center (MSEC) Security Science team is working on.
“If you look at the technical info that is out there that is extremely technical information that nine out of 10 people are not going to be able to read,” Miller says. “But Microsoft also has other information that is coming out that is more down to earth for admins, where they can read and decipher this information and see how it is applicable to their networks.”
In addition, Miller says Microsoft is more timely with the actual patch code.
“It was spotty,” he says. “Sometimes it would be four o'clock in the afternoon before they started to release the information. The last few months it has been out five minutes to noon every time.”
Miller said Microsoft is clearing up other issues that have plagued the patch process in the past including not releasing all the patches at the same time.
“There have been days when we waited until 8 o'clock at night and they still haven't gotten their servers updated. We have seen delays until late afternoon before even the first patch is coming on to their Web site. If you are planning, it gets very difficult.”
But he says those issues are clearing out and he hopes that it will continue into 2010.