Skip to content ↓ | Skip to navigation ↓

If You Could Change One Thing about Your Job, What Would it Be? I think this is a universally great question… interview candidates, colleagues, friends and family, and even strangers. Everyone has an answer; no one loves everything about his or her job.

If you want to have an interesting conversation at home, ask your significant other this question and follow it up with “Why?” It’s a question I often ask myself when I’m interested in self-reflection. After all, if the answer is“my boss” or “everyone I work with” it’s probably time to look for a new job.

I figured, since the answer wasn’t “my boss” that I’d share the one item I could change with everyone:

Question: If you could change one thing about your job, what would it be?

Answer: Microsoft’s Patch Process

Question: Why?

Answer: This is going to take a while…

It doesn’t matter who I talk to… customers, colleagues, partners, friends, family, or strangers… Microsoft Security is one of the most confusing organizations in the world, and most people don’t even realize the source of the problem… they just see something that’s difficult to understand.

Let’s compare Microsoft to a couple of other vendors:

Microsoft: At least once a month a series of patches will be released. These patches will fix vulnerabilities across a number of products. Sometimes you install one patch and sometimes you install 20 patches.

Sometimes you install three patches for a single vulnerability and sometimes you install three patches for three instances of the same vulnerability. Sometimes the patches replace previous patches, some patches don’t. Sometimes the patches replace a previous patch but only on certain software and sometimes 4 patches replace a single patch.

Apple: A new point release of OS X comes out or a giant bundle named “Security Update <year>-<number>” is released. The exceptions are iTunes and Safari… they get their own patches. The downside is that the patches do not ship on a regular basis.

Adobe: A patch is available. Your client updates or prompts you to update. You’re done. These generally ship once a month.

Which process confuses you the most? Some people will say, “But Microsoft has the most products.” This is true… but I’ve seen Microsoft security bulletins that include Windows, Office, SharePoint, Groove Server, and a dozen other platforms. Each will have their own patch (or multiple patches), and some won’t be available via automatic updates or WSUS.

Which brings us to the next issue: Microsoft / Windows Update. Raise your hand if you remember when this was introduced. Windows update only had your OS patches; Microsoft update had your Office patches and others. Then it became a single service… or did it?

Did you know that if you run automatic updates like a good consumer, that you’re not necessarily fully patched? Given that Microsoft has an unprecedented end-of-life policy (a statement of how long software is supported), some of their software doesn’t work with automatic updates (home user) and WSUS (enterprise user).

To make matters worse, since Microsoft can’t get an automatic update mechanism that works with the same ease as other vendors update systems, third party patch management software was introduced. I’ve never seen one of these products work 100% correctly either. They’re all flawed. The consumer thinks they are patched though. Let’s just heap on additional confusion.

One last point… Microsoft only releases patches for “supported” software, and they don’t support all versions of an application, just the most recent service pack (or two). This means that a lot of products, their own Microsoft Baseline Security Analyzer included, will tell you that you aren’t vulnerable to known vulnerabilities simply because the version of Windows you are running is considered outdated.

Yes, you should update, but there’s a big difference between “Fully Patched” and “Patches cannot be applied”.

Over the next few months I intend to introduce some of the caveats of the Microsoft Patch system in a series of blog posts. I want to add clarity for consumers of Microsoft patches. Stay tuned for more on the subjected.

While you’re waiting, tell me… If you could change one thing about your job, what would it be and why?


Related Articles:


P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock

Tripwire University
  • Nick

    "unprecedented end-of-life policy" – 10 years ? Because you drew a comparison to Apple it's worth noting they primarily only update the 2 most recent versions; though OS X 10.4 did get a Safari Update in 2010 – a whopping 8 years of support.
    "some of their software doesn’t work with automatic updates (home user)" – what software is this? I'm sure you're right that there is something because "Microsoft has the most products", but is there any mainstream home user software that both a) needs to be patched if it's working fine and b) is not in Microsoft Update?
    "Microsoft only releases patches for “supported” software, and they don’t support all versions of an application, just the most recent service pack (or two)" – again an issue of comparisons; what software company allows you install patches that were released after a different free patch? If they give you a service pack for free, then it is reasonable for them to base their later patches on you having that service pack. This is much different than supporting older versions of Windows, for example, which they do for 10 years after last major release. Otherwise, I can't imagine this being done any other way – what software do you know that consistently allows you to update with a patch later than one you skipped?

    • Tyler

      Hey Nick, thanks for the response. The points you bring up are exactly what I want to expand on in my upcoming blog posts.

      I'll cover these in more details then but for now I wanted to provide you with a few additional thoughts.

      EOL Policy — Microsoft's Policy allows shipping software to exist for too long. Windows XP will be 13 years old when it finally goes EOL. This is, in my opinion, too long for an operating system to continue to remain mainstream. SharePoint 2003 is 10 years old and still in the update cycle. This long life cycle, in my opinion, isn't beneficial.

      Software that isn't update automatically — Office Viewers are common products that I come across that fit this description. A random security update will deem the old version dead and tell you to download the new version from Microsoft Download. The user running Windows Update or the Enterprise running WSUS will continue to have vulnerable software on their system.

      Releasing Patches for "supported" software — I'm not sure where you find fault with this. The discussion was not centered around Microsoft's practice, which I fully support but the fact that they (and others) offer tools that don't account for this. If I download MBSA, it should tell me exactly what I need to do to secure a system. However, it will often leave off specific updates or information because the system isn't running at the supported level. Windows Update will also do this, as will WSUS. If you've chosen not to deploy a service pack and hidden that from reporting, a system may appear as fully patched in these products, when the reality is that the system is extremely vulnerable but results are masked by the way the update logic works.

      I'm not saying all of this is the fault of Microsoft… I'm a big supporter of Microsoft and the security work that they do… but there are improvements that need to be made with the overall process and that involves Microsoft, the vendors, and the end users. As I write more of these posts and expand on my thoughts, hopefully you'll see where I'm coming from and stay involved in the discussion.

  • armorbear

    Lots of useful information here. I’m sending it to a few friends ans also sharing in delicious. And certainly, thanks for your sweat!. I added it to my favorites blog list and will be checking back soon.