Microsoft changing Patch Tuesday process

August 10, 2008 – 7:50 AM

Microsoft is to release fixes for a dozen serious vulnerabilities next Tuesday, seven of them ranked critical. The firm has also announced a three-part process for reducing the effects of future vulnerabilities.

Next week’s update (the regular ‘Patch Tuesday’ release which comes in the second week of each month) includes critical fixes for Windows, Internet Explorer, Media Player, Access, Excel, PowerPoint plus Office in general.

The full details are, as usual, kept under wraps until the release comes out (to avoid hackers getting so much information they can prepare for attacks). However, all seven critical fixes involve plugging gaps which could have allowed remote code execution.

An advance-notification process will be one of three changes to the update process from October. In future, third-party manufacturers of security software can become eligible to receive advance notice of the full details of impending updates.

This follows a growing trend by which hackers were able to reverse-engineer each fix as it came out, work out the original vulnerability, and exploit it on unpatched computers before security firms had found a way to deal with the consequences. In one recent case, hackers were exploiting a loophole just two hours after the relevant update came out.

To receive the advance notice, firms must have “a significant Microsoft customer base” and sign non-disclosure agreements promising to keep the details secret.

Microsoft also plans to introduce an ‘Exploitability Index’ which effectively serves as a prediction of how likely it is hackers will target particular vulnerabilities. The idea is to give customers a better idea of which are the most important fixes. Rather than apply a score, there will be a three-level rating, predicting either a consistent exploit likely, an inconsistent exploit likely, or exploit being unlikely. The critical/important/moderate/low ratings will remain, showing how serious the effects of an exploit would be.

The firm is also launching a programme to work with third-party software developers to find fixes for problems in non-Microsoft software which could still have serious consequences for Windows users.
