The company announced its shift to a monthly patching cycle as a part of a new schedule to ease the burden on systems administrators struggling with the frequency of security updates. Industry sources anticipate the disclosure of multiple vulnerabilities in the Windows operating system.unveiled at its Worldwide Partner Conference in New Orleans last month. Microsoft said it was introducing the
However, security professionals have avoided giving Microsoft's policy shift the thumbs-up, saying the effect is likely to be
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"The measuring stick is the volume of patches, not the release times," he said by phone from Chicago. "It's difficult because now we have to regression-test all these patches in one lump sum."
On the surface, the policy is a good one, Shipley said, because system administrators have to schedule only one service outage window a month. "But now you apply a bunch of patches, and (if) something 'breaks,' which one do you back up on?"
Shipley says the policy needs to be flexible in order for Microsoft to appropriately affect its customers. "If a hole is found in the wild...they should respond in a timely manner regardless of their patch cycle," he said. "But if they're doing controlled releases, then I'm not sure if it matters that much."
Security professional and former chief security officer of InterNICalso highlights the large as a potential source of risk.
"Perhaps it makes it easier for the system administrators to do one major fix-it patch instead of several each month, but that means there's a greater window of opportunity for a bad guy to cause damage between patch cycles," he said. "Watch for the next major Windows exploits to occur within a week of a monthly patch being released by Microsoft."
"If I was a bad guy, that's when I'd release my malicious exploits," he added.
Patrick Gray of ZDNet Australia reported from Sydney.