Microsoft Patches Up Its Patch Approach

The software vendor plans to reduce the number of patch installers it offers from eight to two by year's end.

Aaron Ricadela, Contributor

March 4, 2003

Microsoft is reworking its software-patch management approach and plans to reduce eight patch installers to two by year's end.

The company is about to publish a road map for releasing software that helps IT departments fix Microsoft products to guard against hacker attacks, chief security strategist Scott Charney said during a speech and interview at Microsoft's TechEd conference in Dallas on Tuesday. By the end of the year, Microsoft plans to offer customers two patch installers—one for operating systems and one for applications—versus the eight that are available today. That could go down to one by the time Microsoft ships "Longhorn," the next version of its Windows desktop operating system, due in 2005. Difficulty managing installation technology for security patches has caused uptake to be too low, Charney said.

"Patch management was broken," he said. About 95% of hacker attacks occur against known vulnerabilities in software, Charney said. Patches issued by Microsoft have been too difficult to use and their quality has been too low, partly because internal competition among Microsoft developers to build better patch-management software caused too many to reach the market. "We were making it more difficult than it had to be." By the end of the year, he said, "you'll have one set of tools that can look across the whole Microsoft spectrum and tell you what you need."

Charney, the Justice Department's former cybercrime chief and a former principal at PricewaterhouseCoopers, joined Microsoft in April 2002 to work on computer security, privacy, and public-policy issues. He reports to Microsoft chief technical officer Craig Mundie.

The slowdown in IT spending and investment has let technology companies pay more attention to quality, testing, and security without market penalty, Charney said. "Internet time is dead," he said. But "as we continue to move to new technologies, the bad guys are going to follow us and innovate." In response, Microsoft has been encouraging more discussion about security technologies across its product groups, and it formed a patch-management working group.

In other security-related announcements, Microsoft said it plans to develop new security software with software vendor VeriSign Inc. and will offer new security certifications for systems administrators and engineers trained in Microsoft technology.
