One thing that we do a lot of around here is installing Microsoft Patches. We install each and every security update as they are released on each and every platform they affect. There are also several occasions where we install and test the patches a second or third time.
I tell you this simply to set a baseline and establish that Tripwire’s Vulnerability and Exposure Research Team (VERT) deals with Microsoft updates quite frequently… you might even say we’re experts. You might, but I wouldn’t… sometimes I wonder if we understand the patch process at all.
You may ask, with all the patching that we do, how can we question whether we understand the process? Well, it's Microsoft. You double-click the binary (formerly .exe files, these days generally a .msi or .msu) and click Next until you're done.
More Than Meets The Eye
This is true when you’re talking about Windows patches. Microsoft, however, releases updates to a large number of products across all manner of technology. These updates can vary greatly, especially for some of their server products. Some updates have prerequisites, some require patches be applied in a specific order and some require a specific sub-component be selected during installation.
If you’re using Windows Update, WSUS, or any number of third-party patch tools, this isn’t a problem you generally encounter… until you do. We frequently work with customers who use patch management solutions and are missing patches. The reason? I don’t think anyone fully understands the Microsoft Patching process and the third-parties don’t always get it right either.
Even WSUS doesn't get it right 100 percent of the time, and while I haven't seen it happen in a while, I can point to times on Windows XP and Server 2003 when Windows Update got confused, too. For these reasons, I think everyone needs to know how their systems are patched.
What components are installed? How does a patch apply? When does it install?
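Those three questions can be answered from the host itself rather than from a patch tool's report. The following is an added example, not part of the original VERT post: a PowerShell inventory script that lists the products and components actually present (the point that matters for multi-component products like SharePoint and Office), the updates the Windows Update Agent attempted and their result, the build each SQL Server instance is really at, and whether a reboot is still outstanding. The registry paths are the standard Microsoft ones; the result-code mapping follows the Windows Update Agent's OperationResultCode values. Run it in an elevated session.

```powershell
# Added example (not from the original post): per-host patch-state inventory.
# Each function returns objects, so results can be piped to Export-Csv and
# diffed across servers rather than eyeballed.

function Get-InstalledHotfixInventory {
    # QFE hotfixes (KB numbers) known to the OS servicing stack. Note that this
    # does NOT list SQL Server, Office or SharePoint updates; see the functions
    # below for those.
    Get-HotFix | Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-UpdateHistory {
    param([int]$Last = 50)
    # Windows Update Agent history via its COM API: the exact update title that
    # was attempted, when, and whether it actually succeeded.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $take = [Math]::Min($Last, $count)
    $searcher.QueryHistory(0, $take) | ForEach-Object {
        $result = switch ($_.ResultCode) {        # OperationResultCode values
            2       { 'Succeeded' }
            3       { 'SucceededWithErrors' }
            4       { 'Failed' }
            5       { 'Aborted' }
            default { 'NotStarted/InProgress' }
        }
        [pscustomobject]@{ Date = $_.Date; Title = $_.Title; Result = $result }
    }
}

function Get-InstalledProductInventory {
    # Installed products and components from both the 64-bit and 32-bit
    # Uninstall keys. This is where you see which SharePoint/Office components
    # are present before a patch is announced, not after it fails to apply.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName) {
                [pscustomobject]@{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Key     = $_.PSChildName
                }
            }
        }
    }
}

function Get-SqlServerPatchLevel {
    # SQL Server records its build per instance; PatchLevel is what a security
    # update (GDR/CU) changes, so that is the value to compare against the KB.
    $names = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $names)) { return @() }
    $map = Get-ItemProperty $names
    # Filter out the PSPath/PSChildName/... properties the provider adds.
    foreach ($inst in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($inst.Value)\Setup"
        [pscustomobject]@{
            Instance   = $inst.Name
            Edition    = $setup.Edition
            Version    = $setup.Version
            PatchLevel = $setup.PatchLevel
        }
    }
}

function Test-PendingReboot {
    # An update that "installed" but never got its reboot has not closed the
    # vulnerability yet; both the servicing stack and WUA flag this.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    (Test-Path $cbs) -or (Test-Path $wua)
}

# Usage: run elevated on the server in question.
Get-InstalledProductInventory | Sort-Object Name | Format-Table -AutoSize
Get-SqlServerPatchLevel       | Format-Table -AutoSize
Get-UpdateHistory -Last 25    | Format-Table -AutoSize
Get-InstalledHotfixInventory  | Format-Table -AutoSize
"Reboot pending: $(Test-PendingReboot)"
```

The caveat worth internalising is the first one: Get-HotFix (Win32_QuickFixEngineering) only knows about OS servicing-stack updates, so a host can look "fully patched" there while its SQL Server PatchLevel or SharePoint components are months behind. That gap is exactly where the missing patches described in the post tend to hide.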
Members of VERT have written about this in the past and there are sites dedicated to the biggest culprit of them all – Microsoft SharePoint Server. Personally, I’d like to see Microsoft step up and help us all resolve this issue. In the process, they can even eliminate a second issue with their patches.
What Can Microsoft Do?
I entitled this post ‘Improving Microsoft Patching’, but there is plenty about the process that doesn’t need improvement. One of those “good things” is the consistency of updates. This past Patch Tuesday, one of the concerns I expressed was that people had to patch SQL Server 2014 for the first time. No one knew what the update process would look like because a security update for it hadn’t been previously released. I think there’s a way to fix this.
I propose that Microsoft, along with the release of all new software, release a set of dummy software updates. These updates should be in the same format as regular updates: a generic Office update, a specific Word update, or an update for each component of SharePoint Server.
These dummy updates would serve two purposes. First, since Microsoft’s update process is predictable on a product-by-product basis, they would let admins understand what will be involved in updating the product before the first real patch is released.
Second, for software where multiple components are affected, they would let admins see which components are actually installed, noting which patches will be required by which servers and eliminating the risk of trial-and-error patching after a vulnerability is announced.
This may be a pipe dream, but it could also benefit a number of system administrators who bang their heads against the desk wondering why specific updates do or don’t apply. The ultimate questions are how much overhead it would create for Microsoft and whether there is enough interest to make something like this happen.
Title image courtesy of ShutterStock