Hello, Bill here,
Today is the release of the Microsoft Security Intelligence Report volume 6. The report can be found here: http://www.microsoft.com/sir.
A section in the report is devoted to out-of-band (OOB) releases. So, I thought I would blog a bit about these types of releases in the broader context of update management.
Security update management is a security discipline in itself. It is a fundamental security pillar in the security protection landscape. It is comprised of risk assessment, deployment planning, and cost analysis to name a few. Efficiency and cost effective patch management relies heavily on predictability. Predictability is entirely dependent upon a software vendor’s release process. While this may be true, the threat landscape can change to the degree that predictability becomes a secondary consideration when it is outweighed by an imminent and potentially destructive threat. Understanding the nature of what drives the release of a security update is key to having a balanced patch management strategy.
Over the years Microsoft has been constantly striving to improve our release process to minimize the impact of security update deployment. In the early days, we would release updates at various times of the week and/or month without a predetermined schedule. It was probably easier to predict the weather in San Antonio Texas than it was to predict when an update would be released from Microsoft. Many years ago when in San Antonio, I remember temperatures of 40 degrees in the mornings and 80 degrees in the afternoons—in November.
In subsequent years we started to release updates on a more predictable schedule. And has matured to what we have today by releasing updates on the second Tuesday of each month.
Essentially, we established a significant measure of predictability. In spite of these improvements, it was predictably unpredictable when customers may be under imminent threat or active attack. Specifically, exploit code existing and being leveraged in the wild but no security update being available. Under such circumstances, we would have to expedite the release of a security update as soon as possible to protect customers from the immediate threat.
These types of releases are what we call out-of-band (OOB). In other words, updates were not released on the second Tuesday of the month; waiting for the scheduled release date would leave customers with limited recourse to protect them. To be sure, if Microsoft releases an OOB update, customers are at great risk of exploitation and should apply the update as soon as possible. As I noted earlier, predictability becomes a secondary consideration in light of an imminent or active threat.
What is also important to note is that OOB’s don’t really fit any type of pattern. In the last four years we have released eight OOB’s. So it’s reasonable to average this out to two OOB’s per year. But the numbers tell a different story in terms of distribution. There were two OOBs in the matter of several months in 2008. In contrast, 2004 yielded 3; 2005 yielded 0; 2006 yielded 2; and 2007 yielded 1. As you can see, the numbers are not necessarily a harbinger of things to come.
Here at Microsoft we are constantly focusing on improvements that we can make to lessen the impact of security update management. While Microsoft has refined processes that lend itself to a predicable release cycle, predictability becomes secondary to out-of- band releases if warranted to protect customers.
While not the focus of this blog post, there are other data that factor into a patch management strategy that falls under the rubric of vulnerability and exploit trends. This information as well as a closer analysis of OOB releases can be found in the newest version of the Microsoft Security Intelligence Report V6. The report can be found here: http://www.microsoft.com/sir.
Bill Sisk
*This posting is provided “AS IS” with no warranties, and confers no rights.*