The company announced its shift to a monthly patching cycle as a part of a new security initiative unveiled at its Worldwide Partner Conference in New Orleans last month. Microsoft said it was introducing the new schedule to ease the burden on systems administrators struggling with the frequency of security updates. Industry sources anticipate the disclosure of multiple vulnerabilities in the Windows operating system.
However, security professionals have avoided giving Microsoft's policy shift the thumbs-up, saying the effect is likely to be neutral. Greg Shipley, co-founder and chief technology officer of U.S.-based security company Neohapsis, said the new policy will actually make some things harder.
"The measuring stick is the volume of patches, not the release times," he said by phone from Chicago. "It's difficult because now we have to regression-test all these patches in one lump sum."
On the surface, the policy is a good one, Shipley said, because system administrators have to schedule only one service outage window a month. "But now you apply a bunch of patches, and (if) something 'breaks,' which one do you back up on?"
Shipley says the policy needs to be flexible in order for Microsoft to appropriately affect its customers. "If a hole is found in the wild...they should respond in a timely manner regardless of their patch cycle," he said. "But if they're doing controlled releases, then I'm not sure if it matters that much."
Security professional and former chief security officer of InterNIC Richard Forno also highlights the large time between updates as a potential source of risk.
"Perhaps it makes it easier for the system administrators to do one major fix-it patch instead of several each month, but that means there's a greater window of opportunity for a bad guy to cause damage between patch cycles," he said. "Watch for the next major Windows exploits to occur within a week of a monthly patch being released by Microsoft."
"If I was a bad guy, that's when I'd release my malicious exploits," he added.
