With a dozen Automatic Updates re-issued this month alone, it's time for Microsoft to re-imagine its botched patching process.

This month’s Black Tuesday — Sept. 10, 2013 — enters the record books as Microsoft’s most patch-botching month in history. That’s quite an accomplishment, frankly. Having followed Microsoft’s bungled patch efforts since long before the ascendancy of Patch Tuesday, I think there’s a better — if rather unorthodox — way to manage patching.

The release dilemma is quite straightforward: Microsoft has to test the patches without letting them leak to the bad guys. Conventional wisdom dictates that if the bad guys can reverse engineer the patches before they roll down the Automatic Update chute, Windows as we know it will cease to exist. However, given the recent revelations of governmental stockpiling of zero-days, the ascendancy of companies that specialize in selling such zero-days to governments and corporate spies alike, and the fascinating proposal that the U.S. government share its zero-day trove with private companies (for a fee, of course), I think the day-and-date exposure threat is way overblown.

Here’s my proposal: Instead of rolling all the patches out via Automatic Update on Black Tuesday, engulfing an unsuspecting public and creating all sorts of buggy havoc, I think Microsoft should let volunteers test the patches one day earlier. Call it Patch Monday. That would give software manufacturers, corporate customers with patch testing capabilities, enthusiasts and, yes, hackers, a one-day head start on the pandemonium that invariably ensues upon unleashing Automatic Updates. Microsoft would put together all of the patches as it now does for Black Tuesday. But instead of keeping the security patches under wraps until the fateful moment on Tuesday when millions and millions of machines get hit almost simultaneously, it should let volunteers take a swing at them 24 hours earlier.
That would’ve given Kaspersky Antivirus, for example, a chance to test KB 2823324 a day before its release and to discover that older versions of Kaspersky would freeze. It would’ve given ambitious Outlook 2013 users a chance to see before KB 2817630 hit that their folders disappeared. It would’ve offered Office Starter Edition users a chance before KB 2589275 got rammed down the Automatic Update chute to scream about the fact that they’re being told to buy Office 2010. The Brazilian manufacturer of the banking security plugin “G-Buster” might’ve avoided the massive meltdown of PCs in Brazil after KB 2823324 hit. And on and on.

Of course, the immediate argument is that, by opening up an all-volunteer Patch Monday, you’re giving the bad guys a head start — an extra day to reverse-engineer the patches and wipe out the Internet. To which I say, “baloney,” or something less printable. The really bad guys already have hundreds of zero-days at their disposal. Chances are very good that the most tied-in government-sponsored crackers already know about the holes that Microsoft is going to patch. The real vulnerability lies with bad guys who aren’t working for the government. They don’t have enough money to buy a zero-day, but they’re capable of reverse engineering and distributing a massive malicious attack in 24 hours. Yes, such people do exist.

Microsoft already has a rating system that can pinpoint patches vulnerable to those kinds of attackers. Every security bulletin these days has three key components, described in a TechNet article, which you can see readily on the SANS Internet Storm Center listing for each Black Tuesday. Each security bulletin (and presumably each individual patch) gets rated with a severity level, an exploitability level, and a description of whether the hole has already been publicly disclosed.
My proposal for Patch Monday has some wiggle room for Microsoft: If a particular patch (not a security bulletin, but an individual patch) has a severity rating of critical, an exploitability rating of 1, and it has not yet been publicly disclosed, Microsoft may (that’s the operative word) choose to withhold the patch from Patch Monday volunteer testing.

If you look back on this month’s botched and re-issued patches — KB 2871630, KB 2589275, KB 2760589, KB 2760411, KB 2767913, KB 2810048, KB 2760583, KB 2760590, KB 2760588, KB 2810009, KB 2553145, and KB 2553351 — not one of the patches met those three criteria. They all would’ve been put in the Patch Monday testing jar. Similarly, the last publicly pulled and reworked botched patch, August’s KB 2859537, fixed a hole that had been previously reported and demonstrated, so it could’ve been subject to Patch Monday scrutiny. July’s KB 2844286 was part of MS13-052 which, Microsoft contends, had been publicly disclosed, thus it would’ve gone in the Patch Monday bucket, too. The botched one before that, April’s KB 2823324, also would’ve met the criteria for Patch Monday scrutiny.

Look at it this way: We’re going through all of this Automatic Update hell in order to beta test patches that should’ve been put out for beta testing anyway. Microsoft has massive testing farms and puts all of its patches through a rigorous testing regime. You can see how well it’s worked. Why not give everybody and his brother an early crack at them — before they get absorbed into Aunt Gertrude’s computer?

One more note: For the life of me, I don’t understand why Microsoft funnels so many patches through the Automatic Update sewer pipe. In September we had 116 patches on Black Tuesday. Twelve of them were subsequently yanked. That’s unmanageable and, I would argue, unconscionable. Yes, I know Microsoft wants to minimize reboots by pouring all of its reboot-requiring fixes into one giant monthly bucket.
But mixing security with nonsecurity patches and pushing out more than a hundred at a time — that’s just stupid. If Windows and Office are in such bad shape that we have to reboot twice a month, so be it. Second and fourth Tuesdays are OK by me — and I suspect most of the Windows community would agree.

So, Microsoft, how about while you’re re-imagining Windows for the second or third or fourth time, you spend a little more effort solving a confounding problem that affects almost all of your 140 billion customers?

This story, “Patch Monday: A way to avoid more Microsoft Automatic Update fiascos,” was originally published at InfoWorld.com.
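The three-part exception described above (critical severity, exploitability rating of 1, not yet publicly disclosed) is the kind of rule a patch-management team could apply mechanically when deciding which fixes go to an early test ring. The following is an added example, not code from InfoWorld or Microsoft: it encodes the columnist's proposed rule as a triage function over per-patch records and runs it against a constructed release. The KB numbers, ratings and disclosure flags in the sample are placeholders, and the meaning of Exploitability Index values other than 1 is assumed from Microsoft's published scale rather than taken from the column.

```python
"""Triage filter for a "Patch Monday" style early-test window.

Added example (not InfoWorld's or Microsoft's code). It encodes the column's
proposed rule: every patch goes to volunteer testing unless it is rated
Critical, carries Exploitability Index 1 and has not been publicly disclosed,
in which case the vendor *may* withhold it. All sample records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity ratings used in Microsoft security bulletins.
SEVERITIES = ("Critical", "Important", "Moderate", "Low")

# Exploitability Index values (assumed from Microsoft's published scale):
# 1 = exploitation more likely, 2 = less likely, 3 = unlikely.
# Only the value 1 matters to the rule in the column.
EXPLOITABILITY_VALUES = (1, 2, 3)
MORE_LIKELY = 1


@dataclass(frozen=True)
class PatchRecord:
    kb: str                            # placeholder article id, e.g. "KB 0000001"
    security: bool                     # False for non-security (feature/quality) fixes
    severity: Optional[str] = None     # one of SEVERITIES for security patches
    exploitability: Optional[int] = None  # Exploitability Index for security patches
    publicly_disclosed: bool = False   # hole was public before the fix shipped

    def __post_init__(self):
        # Non-security patches carry no bulletin ratings; security patches must.
        if not self.security:
            return
        if self.severity not in SEVERITIES:
            raise ValueError(f"{self.kb}: unknown severity {self.severity!r}")
        if self.exploitability not in EXPLOITABILITY_VALUES:
            raise ValueError(f"{self.kb}: exploitability index must be 1..3")


def may_withhold(p: PatchRecord) -> bool:
    """True only when all three of the column's conditions hold.

    Non-security patches never qualify: they carry no severity or
    exploitability rating, so they always go to the early test ring.
    """
    return (
        p.security
        and p.severity == "Critical"
        and p.exploitability == MORE_LIKELY
        and not p.publicly_disclosed
    )


def triage(patches: List[PatchRecord]) -> Tuple[List[str], List[str]]:
    """Split a release into (early_test_kbs, withhold_candidate_kbs)."""
    early, withhold = [], []
    for p in patches:
        (withhold if may_withhold(p) else early).append(p.kb)
    return early, withhold


# Constructed sample release: placeholder KB numbers, invented ratings.
SAMPLE_RELEASE = [
    PatchRecord("KB 0000001", True, "Critical", 1, publicly_disclosed=False),  # withhold
    PatchRecord("KB 0000002", True, "Critical", 1, publicly_disclosed=True),   # public: test
    PatchRecord("KB 0000003", True, "Critical", 2, publicly_disclosed=False),  # less likely: test
    PatchRecord("KB 0000004", True, "Important", 1, publicly_disclosed=False), # not critical: test
    PatchRecord("KB 0000005", False),                                          # non-security: test
]

if __name__ == "__main__":
    early, withhold = triage(SAMPLE_RELEASE)
    print("Patch Monday candidates:", early)
    print("May be withheld:        ", withhold)
```

Only the record that meets all three conditions lands in the withhold list; everything else, including non-security fixes and critical patches whose hole is already public, goes to the early testers. The rule is deliberately per patch, not per bulletin, matching the column's point that a single bulletin can bundle several KB articles.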