If You Could Change One Thing about Your Job, What Would it Be? I think this is a universally great question to ask… interview candidates, colleagues, friends and family, and even strangers. Everyone has an answer; no one loves everything about his or her job.
If you want to have an interesting conversation at home, ask your significant other this question and follow it up with “Why?” It’s a question I often ask myself when I’m interested in self-reflection. After all, if the answer is “my boss” or “everyone I work with” it’s probably time to look for a new job.
I figured, since the answer wasn’t “my boss” that I’d share the one item I could change with everyone:
Question: If you could change one thing about your job, what would it be?
Answer: Microsoft’s Patch Process
Answer: This is going to take a while…
It doesn’t matter who I talk to… customers, colleagues, partners, friends, family, or strangers… Microsoft Security is one of the most confusing organizations in the world, and most people don’t even realize the source of the problem… they just see something that’s difficult to understand.
Let’s compare Microsoft to a couple of other vendors:
Microsoft: At least once a month a series of patches will be released. These patches will fix vulnerabilities across a number of products. Sometimes you install one patch and sometimes you install 20 patches.
Sometimes you install three patches for a single vulnerability and sometimes you install three patches for three instances of the same vulnerability. Sometimes the patches replace previous patches, some patches don’t. Sometimes the patches replace a previous patch but only on certain software and sometimes 4 patches replace a single patch.
Apple: A new point release of OS X comes out or a giant bundle named “Security Update <year>-<number>” is released. The exceptions are iTunes and Safari… they get their own patches. The downside is that the patches do not ship on a regular basis.
Adobe: A patch is available. Your client updates or prompts you to update. You’re done. These generally ship once a month.
Which process confuses you the most? Some people will say, “But Microsoft has the most products.” This is true… but I’ve seen Microsoft security bulletins that include Windows, Office, SharePoint, Groove Server, and a dozen other platforms. Each will have its own patch (or multiple patches), and some won’t be available via automatic updates or WSUS.
Which brings us to the next issue: Microsoft Update / Windows Update. Raise your hand if you remember when this was introduced. Windows Update only had your OS patches; Microsoft Update had your Office patches and others. Then it became a single service… or did it?
Did you know that if you run automatic updates like a good consumer, you’re not necessarily fully patched? Microsoft has an unprecedented end-of-life policy (a statement of how long each product is supported), yet some of its software doesn’t work with Automatic Updates (home users) or WSUS (enterprise users).
To make matters worse, since Microsoft can’t get an automatic update mechanism that works with the same ease as other vendors’ update systems, third-party patch management software was introduced. I’ve never seen one of these products work 100% correctly either. They’re all flawed. The consumer thinks they are patched though. Let’s just heap on additional confusion.
One last point… Microsoft only releases patches for “supported” software, and they don’t support all versions of an application, just the most recent service pack (or two). This means that a lot of products, their own Microsoft Baseline Security Analyzer included, will report that nothing is missing, which reads as “not vulnerable”, when the real reason is that no patch exists for the version of Windows you are running because that version is no longer supported.
Yes, you should update, but there’s a big difference between “Fully Patched” and “Patches cannot be applied”.
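To make that distinction concrete, here is an added PowerShell check; it is my example for this post, not code from the original article or from any Microsoft tool. It asks the Windows Update Agent which software updates apply to the machine but are not installed, and it refuses to call an empty result “Fully Patched” unless the OS build is on a list the administrator maintains. Two things are assumptions: the `$SupportedBuilds` values are placeholders you must replace with your own support table, and the script tries the Microsoft Update service (so Office and other non-OS products are in scope) before falling back to the agent’s default source.

```powershell
<#
Added example, not from the original post or any Microsoft tool.
Distinguishes "no applicable updates are missing" from "no updates can apply",
which a plain update scan reports identically.

Assumptions (hypothetical, adjust for your environment):
  - $SupportedBuilds is a list the administrator maintains of OS build numbers
    that still receive security updates. The values below are placeholders.
  - The machine is opted in to the Microsoft Update service (so Office and other
    products are in scope). If it is not, the search falls back to the agent's
    default source and $source records which one answered.
#>
param(
    [string[]]$SupportedBuilds = @('9600', '14393')   # placeholders, not a real support table
)

# Service ID of Microsoft Update (covers Office etc.), as opposed to plain Windows Update.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-MissingUpdates {
    # Ask the Windows Update Agent for software updates that apply to this
    # machine but are not installed. Returns the update titles as a string array.
    param([string]$ServiceId)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    if ($ServiceId) {
        $searcher.ServerSelection = 3           # ssOthers: use the ServiceID below
        $searcher.ServiceID      = $ServiceId
    }
    $criteria = "IsInstalled=0 and IsHidden=0 and Type='Software'"
    $result   = $searcher.Search($criteria)
    return @($result.Updates | ForEach-Object { $_.Title })
}

function Get-PatchVerdict {
    # The decision the post is asking for: a clean scan only means "fully patched"
    # when the build is one that still receives patches.
    param([string]$Build, [string[]]$Missing, [string[]]$Supported)

    if ($Supported -notcontains $Build) {
        return "PATCHES CANNOT BE APPLIED: build $Build is not on the supported list; an empty scan result proves nothing"
    }
    if ($Missing.Count -gt 0) {
        return "MISSING: $($Missing.Count) applicable update(s) not installed"
    }
    return "FULLY PATCHED: build $Build is supported and no applicable updates are missing"
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = $os.BuildNumber

try {
    $missing = Get-MissingUpdates -ServiceId $MicrosoftUpdateServiceId
    $source  = 'Microsoft Update'
} catch {
    # Not registered for Microsoft Update: fall back to the agent default
    # (Windows Update, or the WSUS server that policy points at). Office and
    # other non-OS products may then be out of scope, so say so in the output.
    $missing = Get-MissingUpdates
    $source  = 'agent default (Windows Update or WSUS); non-OS products may not be covered'
}

"OS:      $($os.Caption) build $build"
"Source:  $source"
"Verdict: $(Get-PatchVerdict -Build $build -Missing $missing -Supported $SupportedBuilds)"
$missing | ForEach-Object { "  missing: $_" }
```

Run it from an elevated PowerShell prompt on the machine being checked. The point of the verdict function is the first branch: a scan that returns nothing is only good news if the build is still eligible for patches, which is exactly the difference between “Fully Patched” and “Patches cannot be applied”. The script also only sees products the chosen update source knows about, so it cannot vouch for anything that, as noted above, never ships through Windows Update or WSUS.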
Over the next few months I intend to introduce some of the caveats of the Microsoft Patch system in a series of blog posts. I want to add clarity for consumers of Microsoft patches. Stay tuned for more on the subject.
While you’re waiting, tell me… If you could change one thing about your job, what would it be and why?
P.S. Have you met John Powers, supernatural CISO?