News

Microsoft's Charney Promises Patch Management Improvements

• By Scott Bekker
• June 04, 2003

The patch management problem is in Microsoft's crosshairs. During a TechEd keynote on Tuesday, Microsoft chief security strategist Scott Charney said he has created a patch management working group inside Microsoft. Current projects include a white paper that will lay out the company's patch management strategy and an engineering effort to reduce the company's number of patch installation technologies from the current eight to two by the end of the year.

Charney used his speech in part to lay out an insider's view of why patch management is flawed at Microsoft.

"When I came on [in April 2002], what customers said to me first and foremost is that patch management was their biggest concern. So I started looking at it, and what I realized was patch management was broken," Charney said. "So I went to the next step, which is figure out why it's broken. ... And one of the interesting things I learned is the things that make Microsoft a great company is also what made patch management unworkable."

The problem, according to Charney, is that Microsoft encourages internal competition, where product groups build their own versions of similar technologies and, hopefully, the best technology wins.

"And what ended up happening, of course, is today there are eight different installer technologies within Microsoft. Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say yes you're patched because they're looking at registry keys; other products say no you're not patched because they're looking for DLLs. The third product has a guy come up, nice graphic, scratching his head going I don't know if you're patched," Charney said.

Microsoft's internal problems with patch management contribute to lower uptake, as customers don't trust the quality of Microsoft patches or find them too time consuming and troublesome to install.

"About 95 percent of exploits occur after bulletins and patches are put out. As a result, the reason the exploit is effective is because the patch uptake is too low. The reason the patch uptake is too low is it's too hard to patch, and the quality of the patch is not consistent enough that people can feel safe patching right away," Charney said.

The first step for Charney's working group was to agree across Microsoft on definitions for patching terms, such as hot fix or QFE. Through that process, Microsoft has come up with a set of commandments of patch management, including that every patch will have an installer, will have an uninstaller and will register with the operating system.

"By the end of the year, instead of eight installer technologies we will have two, one for operating systems and one for applications. And as we move forward, we're going to have a consistent user interface. As we move forward instead of running different tools to see if Windows is updated, Office is updated, you'll have one set of tools that can look across the whole Microsoft spectrum and tell you what you need," Charney said to applause from the audience of developers and IT administrators.