Update Tuesday

[Bill Ridgeway]

Yesterday was update Tuesday when Microsoft release updates to their
operating system.

This time we had 9 critical updates. I wonder, why, if they were critical,
we had to wait. Why couldn't they be made available much sooner? By its
very nature if something is critical action needs to be taken now. You can
imagine a doctor saying you have a critical condition but, sorry, we only do
those operations on the second Tuesday of each month (yesterday).

Most users (those with any sense) have automatic updates turned on so that,
at least, they can be warned that an update is available even if they chose
not to download and install immediately.

I would be interested to hear if anyone has a good reason why we should wait
for updates.

Regards.

Bill Ridgeway
Computer Solutions

 

[Mike Brannigan [MSFT]]

Yesterday was update Tuesday when Microsoft release updates to their
operating system.

This time we had 9 critical updates. I wonder, why, if they were
critical, we had to wait. Why couldn't they be made available much
sooner? By its very nature if something is critical action needs to be
taken now. You can imagine a doctor saying you have a critical condition
but, sorry, we only do those operations on the second Tuesday of each
month (yesterday).

Most users (those with any sense) have automatic updates turned on so
that, at least, they can be warned that an update is available even if
they chose not to download and install immediately.

I would be interested to hear if anyone has a good reason why we should
wait for updates.

Regards.

Bill Ridgeway
Computer Solutions

Bill,

Our policy to release updates at regular intervals allows for corporate
admins to have a predictable patch deployment strategy.
We also obviously have to dev and test the patches too.
We operate a policy were if a problem is disclosed to us or discovered we do
not go public until the patch is ready - this helps limit the situation
where someone posts technical details of an exploit and then a malicious
individual uses that data to develop a day zero attack.

We always have the option of releasing extremely urgent patches "out of
band" if we needed to. But on the whole the feedback from our customers is
that they like the predictability of Patch Tuesday and the notification
e-mails and bulletins.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

 

[Bill Ridgeway]

Mike,

Thanks for your response.

You wrote <<Our policy to release updates at regular intervals allows for
corporate admins to have a predictable patch deployment strategy.>>
However, if updates were available 'as and when ready' (and I do appreciate
that MS need time to develop a patch) it would allow all users (including
corporate admins) the option of choosing a convenient time to update - which
may not always be the second Tuesday of each month. (Indeed I wonder how
many delay updating because this may be inconvenient.) I would suggest that
if a patch is deemed critical it should be made available as soon as it is
developed.

Could MS be persuaded to change its policy on the release of critical
updates so that users may have the opportunity of updating immediately or
delaying at their convenience? This would also place the onus of
responsibility - should anything go wrong - squarely on the user.

Regards.

Bill Ridgeway
Computer Solutions

 

[Mike Brannigan [MSFT]]

Mike,

Thanks for your response.

You wrote <<Our policy to release updates at regular intervals allows for
corporate admins to have a predictable patch deployment strategy.>>
However, if updates were available 'as and when ready' (and I do
appreciate that MS need time to develop a patch) it would allow all users
(including corporate admins) the option of choosing a convenient time to
update - which may not always be the second Tuesday of each month.
(Indeed I wonder how many delay updating because this may be
inconvenient.) I would suggest that if a patch is deemed critical it
should be made available as soon as it is developed.

If we released patches as and when ready then Corp\admins would be in a
position where we have posted a technical discussion of a patch that they
are\not ready to work with and the malicious coders will then be preparing
an attack for.
The strategy to release on a regular schedule was the result of pressure
form our corporate customers.
Certainly I can speak for my customers who have all adopted a patch strategy
in synch with the release cycle.
Also we moved to monthly releases as we were just not releasing that many
patches now and again our corporate customers like the bundling of al
updates at once.

Could MS be persuaded to change its policy on the release of critical
updates so that users may have the opportunity of updating immediately or
delaying at their convenience? This would also place the onus of
responsibility - should anything go wrong - squarely on the user.

I think that may be very unlikely.
Everyone gets the monthly released critical updates at the same time - the
choice to take them is still your own. And as I said we can still release
out of band if we wish.
Remember our policy of not going public on an issue until we release a fix
helps minimise the likelihood of day zero attacks.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

 

[Kerry Brown]

Could MS be persuaded to change its policy on the release of critical
updates so that users may have the opportunity of updating immediately or
delaying at their convenience? This would also place the onus of
responsibility - should anything go wrong - squarely on the user.

You do have this option. Turn off automatic updates and update manually or
set auto updates to notify only or download and notify. You have several
choices. If you are administering a network look at Microsoft Windows Server
Update Services.

http://www.microsoft.com/technet/pr...r2003/technologies/featured/wsus/default.mspx

Kerry

 

[Bill Ridgeway]

Kerry,

Sorry, you have misread my post. The issue is not about whether update
should be obtained manually or automatically. It is about when they become
available (released) from MS.

There is something in the MS argument that everyone knows that all except
the really urgent patches are released on update Tuesday as it gives system
admins a target date to update their systems. However, in the interim,
everyone (system admins and the 'small' user alike) run the risk of
encountering a problem for the sake of a patch which may have been developed
by MS the day after update Tuesday and not made available to users for,
perhaps, as much as 31 days.

I would like to see MS change its policy so that patches are made available
as soon as they have been developed. I, as a user (together with system
admins and other the 'small' user alike) could, then, take a decision when
to download and install patches (manually or automatically) and face the
consequences of any delay and not have that decision (and any consequences)
imposed by MS.

Regards.

Bill Ridgeway
Computer Solutions

 

[Kerry Brown]

Kerry,

Sorry, you have misread my post. The issue is not about whether update
should be obtained manually or automatically. It is about when they
become available (released) from MS.

There is something in the MS argument that everyone knows that all except
the really urgent patches are released on update Tuesday as it gives
system admins a target date to update their systems. However, in the
interim, everyone (system admins and the 'small' user alike) run the risk
of encountering a problem for the sake of a patch which may have been
developed by MS the day after update Tuesday and not made available to
users for, perhaps, as much as 31 days.

I would like to see MS change its policy so that patches are made
available as soon as they have been developed. I, as a user (together
with system admins and other the 'small' user alike) could, then, take a
decision when to download and install patches (manually or automatically)
and face the consequences of any delay and not have that decision (and any
consequences) imposed by MS.

I guess I misunderstood what you were trying to say. I can see advantages to
both methods of distribution. I like thoroughly test the updates before
deploying them for my customers. Having a regular schedule helps with this.

Kerry