Jump to content

This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.

Microsoft's Patch Management is Broken

No replies to this topic

Stefan Krueger

Stefan Krueger


  • Administrators
  • 13,269 posts

Posted 04 June 2003 - 14:15

On June 3, 2003, Microsoft's Chief Security Strategist Scott Charney said at TechEd Dallas:

We have to keep up secure in deployment, and this is all about patch management. [...] When I came to Microsoft on April 1st, 2002, [...] what customers said to me first and foremost is that patch management was their biggest concern.

So I started looking at it, and what I realized was patch management was broken. It is broken. So I went to the next step, which is figure out why it's broken. It's not enough to say it's broken; you need to understand it. [...]

Today there are eight different installer technologies within Microsoft. Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say yes you're patched because they're looking at registry keys; other products say no you're not patched because they're looking for DLLs. The third product has a guy come up, nice graphic, scratching his head going I don't know if you're patched.

So once you know what the problem is you can fix it. [...] So one of the things I did was create the patch management working group: get all the people to the table, get a common nomenclature for how you talk about patches. Does a hot fix mean the same thing to everyone? Does a quick fix QFE mean the same thing to everyone? You take stock of where you are, you figure out where you need to go, and then you start a plan.

And in starting to get from where we are to where we need to go, we came up with the commandments of patch management, the things you would expect. For example, every patch should have an installer. Every patch should have an uninstaller. Every patch should register with the operating system, and on it goes.

By the end of the year, instead of eight installer technologies we will have two, one for operating systems and one for applications. And as we move forward, we're going to have a consistent user interface. As we move forward instead of running different tools to see if Windows is updated, Office is updated, you'll have one set of tools that can look across the whole Microsoft spectrum and tell you what you need.

Read the full keynote speech at http://www.microsoft...6-03charney.asp

Quoted text © 2003 Microsoft Corporation