Microsoft Increases Security By Patching Less

from the counter-intuitive dept

Let's see if we can follow the logic on this one. Because Windows systems need to be patched on a very regular basis, people are concerned about its security. Microsoft has responded to this by announcing they'll now release fewer patches. Sounds counter-intuitive. However, the reasoning isn't that bad. Basically, most folks don't patch their systems that often, because the day after you patch, it seems like another patch gets released - and if you're just going to spend your days updating your system, why bother at all? Thus, the thinking is that if they only release patches once a month, it will be a bigger deal (patch party!) and people will be more willing to install the patch. Of course, that does mean that security holes and bugs will remain open longer for those who normally do patch quickly. Microsoft claims that many hackers are using the patches as a blueprint for exploits - so getting more people to patch regularly, rather than patching often, should protect more machines. Not sure if things will actually work that way, but it's an interesting theory.


Reader Comments


  • w.h., 9 Oct 2003 @ 8:19pm

    No Subject Given

    I think there are a few ways they could actually make that sort of thing work.

    The key thing is that if an exploit is out in the wild, you have no choice but to release the patch.


    • Anonymous Coward, 9 Oct 2003 @ 11:56pm

      Re: No Subject Given

      Yeah. I like the laughable idea that the fixes are being used to make exploits. No, but the exploits may be used for the fixes. It's all about the source code, people, and one of them's open.


      • Anonymous Coward, 12 Oct 2003 @ 5:37pm

        Re: No Subject Given

        Not laughable at all: disassembling a patch gives an exact map to what was wrong with the old code.
        It's almost -- but not quite -- the same as publishing an exploit.


  • Home Delivery, 9 Oct 2003 @ 10:37pm

    No Subject Given

    Reminds me of how MS "fixed" UAEs by renaming them GPFs.


    • LittleW0lf, 10 Oct 2003 @ 2:25pm

      Re: No Subject Given

      Reminds me of how MS "fixed" UAEs by renaming them GPFs.

      Or how Microsoft fixed RPC DCOM in MS01-048, MS03-026 and MS03-039, only to have it come out again this week that RPC DCOM is vulnerable to the same bug, just that the mechanism to get to it has changed. I swear, Microsoft appears to be fixing the code solely to make the exploit not work, not actually fixing the vulnerability!

      Just another reason why the claim that closed-source security is more secure than open-source security is a farce: if the open-source folks fixed the exploit instead of the vulnerability, then everyone could see that they are idiots. With closed source, only the bad guys can see that they are idiots, but they are still idiots.


  • Anonymous Coward, 9 Oct 2003 @ 11:56pm

    Institutionalized Patching? It could work.

    Let's designate Monday as patch day and move the work week to 4 days, with the rank-and-file getting Monday off and the techies doing the patching getting Friday off. That will move the *real* work (interfacing with management/rank-and-file) to three days a week.... it will be paradise, trust me.


  • AMetamorphosis, 10 Oct 2003 @ 7:36am

    Critical Updates ...

    Wasn't the automatic notification of needed patches supposed to solve this problem? I have my workstation set to alert me when critical updates are available, but I always review them before proceeding.
    On the other hand though, I sort of like the idea that Microsoft appears to be leaning towards a defined distribution of patches. If we have to slog our way through constantly patching the product @ least we can make it a part of our monthly tasks and schedule appropriately for this task. As it stands now, every time there is another security issue we get stuck having to place everything else on hold in order to attempt to protect ourselves.


