The Artima Developer Community

.NET Buzz Forum
On Microsoft's new Security Bulletin release scheduling

Frans Bouma

Posts: 265
Nickname: fbouma
Registered: Aug, 2003

Frans Bouma is a senior software engineer for Solutions Design
On Microsoft's new Security Bulletin release scheduling Posted: Oct 22, 2003 6:21 AM

This post originated from an RSS feed registered with .NET Buzz by Frans Bouma.
Original Post: On Microsoft's new Security Bulletin release scheduling
Feed Title: Frans Bouma's blog
Feed URL: http://www.asp.net/err404.htm?aspxerrorpath=/fbouma/Rss.aspx
Feed Description: Generator.CreateCoolTool();

I read The Inquirer every day through their RSS feed, and although it's often amusing, they now have a very valid point: Microsoft's new release policy according to security fixes/bulletins is completely irresponsible.

Microsoft has now decided to release security bulletins and fixes only once a month, to make it more predictable when they are released and sysadmins can now plan upgrades easier. When I read that the first time, I thought: "WTF!? What are they thinking?". And it is still my opinion about the matter. This is serious stuff, people: when the Thursday after the security fixes are released a flaw is discovered and posted on the security focus forums, you have to wait at least another month before you get the fix, instead of the old situation where you could expect a fix perhaps within 2 days.

I simply don't see how a company that thinks security is its top priority leaves customers in the dark by not handing out fixes when they are available, but waits until a scheduled release date is reached. How does that help security? It only helps crackers and script kiddies to enter our servers because we can't patch the software with a patch that is already done. It is easier for sysadmins because they can now schedule downtime and patch the systems with an easy one-exe-for-all-the-fixes-download, but it comes with a cost: it leaves systems vulnerable while patches are done.

Sorry Mr. Ballmer, you can shout as hard as you can how much effort Microsoft is putting into security, there is still one thing that you don't understand after all these years: when you make security your top priority, it is then thus more important than usability, however up till today, usability seems to be more important than security. We're talking sysadmins here, for crying out loud. Monthly patches? Great idea, but at least offer the patches as separate downloads also for the people who want to patch their systems when the patch is released. Thank you.
