Tuesday, March 6, 2007

Microsoft Patch Day: The Next Generation

Opinion: Welcome to the SP2 era. Will we have a bifurcated patch day? Will Microsoft be able to move any faster?


It's not really the first patch day of the Windows XP Service Pack 2 era. Last month's, Aug. 10, was a few days after the initial release of the massive security-focused update.

But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now we're over a month since Microsoft finalized the "gold" SP2 code, and we may be about to see how they will handle patches in the post-SP2 era.

The biggest issue is how Microsoft prioritizes patches for vulnerabilities that affect only pre-SP2 versions. I agree with a lot of what my colleague Steven J. Vaughan-Nichols has to say on this matter, but I don't share his pessimistic sense. At the very worst, SP2 is now just another version of Windows they have to deal with.

I expect that for some time Microsoft will have to keep Windows XP SP1 and SP2 tracks for security vulnerabilities. In a very important sense, the SP1 track is more similar to the Windows 2000 track than SP2, because Internet Explorer is so different in Windows XP SP2.

The other thing I'm looking out for is whether they move any faster on SP2 vulnerabilities than they have in the past on SP1 and other earlier versions. We have had one important SP2 vulnerability since it was released, the (in)famous drag-and-drop vulnerability. It's not a real killer, but it's a bad one, and it demonstrates an oversight in Microsoft's lockdown of Internet Explorer in Service Pack 2.

One can only imagine that when Microsoft works on the patch for this vulnerability they will discover underlying problems broader than this particular hole. The report accompanying the patch will expose other problems.

But once again I'm optimistic because another thing SP2 does is really, really urge you to turn on Automatic Updates. Some experts are uncomfortable with Automatic Updates. Fine, experts can turn them off, but novices should be running them. Enterprises and other expert-run networks can set up their own Windows Software Update Services servers and test patches while still allowing automatic updates to proceed as soon as they think it prudent.

But in either case I think we can expect that more users of SP2 will be getting updates more quickly. SP2 vulnerabilities will have a harder time getting exploited widely unless they appear as day 0 network worms. The drag-and-drop vulnerability, in spite of Secunia's typically hysterical claims about outside exploits, don't have the potential to spread widely, and require user interaction and a Web site to host them, both of which are brakes on the spread of the attack.

I can't make up my mind about the severity of the drag-and-drop vulnerability. If it's really serious, then I wouldn't expect it this patch day because Microsoft will fix it out of cycle when then can fix it. But if it's not that important, then they may wait until next month to fix it, because it hasn't been that long since it was revealed.

In fact, if I had to wager, I'd bet on more SP1 patches this month and for a while. There are still a bunch of SP1 vulnerabilities out there unpatched, and now that SP2 is done I would hope they would get some more attention.

No comments: