Best Practices for Applying Microsoft Security Patches
Microsoft released a report this month updating the progress of the Microsoft Security Response Center (MSRC) in ensuring software security.
The 30-page August report is well worth reading by IT professionals -- not just for the detailed descriptions of Microsoft's programs and collaborative efforts, but also for Microsoft's tips on how to carry out patch management tasks. Each month, Microsoft rolls out a security update containing a bunch of fixes for IT pros with Windows-based environments to consider, test and apply. It can be a real time drag, and Microsoft claims to feel that pain, especially for those maintaining Windows Server.
"Microsoft understands that deploying security updates can cause disruption to organizations and businesses, particularly when those updates affect server products. To help minimize disruption, Microsoft conducts extensive testing before releasing security updates to help avoid deployment or compatibility issues," the report states (p. 9).
Microsoft initiated its exploitability index (XI) in 2008 to help IT pros better prioritize their patching schedules. That help is likely needed, since Microsoft released a total of 117 security bulletins aimed at addressing 283 vulnerabilities from July 2010 through July 2011.
That number of fixes represents a lot of testing, deployment and restart time for IT pros to endure, but the report outlines scenarios that could save some time (see Table). For instance, opting to deploy only the "critical" Windows Server security bulletins with an exploitability index rating of 1 on the release day would result in applying 20 Windows Server fixes rather than 83 fixes over that year-long time period.
Deploy all Windows Server bulletins within 30 days
Deploy only critical Windows Server bulletins within 30 days after release
Deploy only critical Windows Server bulletins with an XI of 1 on release day
Deploy only critical Windows Server bulletins with an XI of 1 on release day, when all systems are on the most recent product release (Windows Server 2008)
*Based on "security bulletin deployment events affecting Windows Server under different scenarios, June 2010-June 2011." Data from Microsoft's report, "Building a Safer, More Trusted Internet Through Information Sharing, MSRC Aug. 2011."
It seems it's not so easy to find Microsoft's best practices for applying security updates by searching on the Web. A Google (Bing) search likely will pull up an old archived article from the Microsoft TechNet library, and Redmond readers appear to have different opinions on what constitutes best practices. However, this August MSRC report succinctly describes Microsoft's view of what IT pros should do each month.
"Microsoft recommends that customers install all applicable security updates, including bulletins with an exploitability index of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, Microsoft recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows customers facing such limitations to better prioritize their update deployments," the report states on p. 10.
That's it in a nutshell. However, prioritizing which patches to apply, based on Microsoft's exploitability index, still can be an exercise in logic for IT pros. Here's how Microsoft lays it out:
"For example, a customer might prioritize addressing an Important severity vulnerability that is likely to be exploited in the first 30 days after release of the security update over a Critical vulnerability that is unlikely to ever be exploited," the report states (p. 18).
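The prioritization logic described above, as an added example (not code from Microsoft or the report): bulletins are ordered by exploitability index first and severity second, Critical bulletins with an XI of 1 go out on release day, and everything else still deploys within 30 days. The bulletin IDs and ratings are constructed sample data, and the XI-first ordering and two-wave split are assumptions drawn from the report's quoted example and the scenarios listed earlier.

```python
from dataclasses import dataclass

# Lower rank = more severe. Names follow Microsoft's severity rating scale.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str  # constructed placeholder IDs, not real bulletins
    severity: str
    xi: int  # Exploitability Index: 1 (exploitation most likely) to 3

    def __post_init__(self):
        # Reject ratings the scheme does not define rather than mis-sorting them.
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {self.severity!r}")
        if self.xi not in (1, 2, 3):
            raise ValueError(f"XI must be 1, 2 or 3, got {self.xi!r}")


# Constructed sample data for one release day.
SAMPLE = [
    Bulletin("EX-001", "Critical", 3),
    Bulletin("EX-002", "Important", 1),
    Bulletin("EX-003", "Critical", 1),
    Bulletin("EX-004", "Moderate", 3),
    Bulletin("EX-005", "Important", 2),
]


def deployment_order(bulletins):
    """Assumed policy: XI first, severity second, ID as a stable tie-break."""
    return sorted(bulletins, key=lambda b: (b.xi, SEVERITY_RANK[b.severity], b.bulletin_id))


def plan(bulletins):
    """Split into a release-day wave and a 30-day wave; no bulletin is dropped."""
    waves = {"release_day": [], "within_30_days": []}
    for b in deployment_order(bulletins):
        urgent = b.severity == "Critical" and b.xi == 1
        waves["release_day" if urgent else "within_30_days"].append(b.bulletin_id)
    return waves


if __name__ == "__main__":
    for wave, ids in plan(SAMPLE).items():
        print(f"{wave}: {', '.join(ids)}")
```

Note that the Important bulletin with an XI of 1 is scheduled ahead of the Critical bulletin with an XI of 3, matching the report's example, while the Moderate, XI 3 bulletin is still deployed.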
The August MSRC report contains a few other observations of note, such as that the number of remote code execution vulnerabilities has been declining over the last five years, from 73 percent to 62.8 percent. Microsoft also provides some evidence showing that newer versions of its software are less vulnerable than older versions.
"Of the 256 Exploitability Index ratings published from July 2010 through May 2011, 97 issues were less serious or nonexistent on the latest version of the affected application than on earlier versions. In contrast, only seven vulnerabilities affected the most recent version but not older versions," the report notes (p. 3).
Microsoft's report, "Building a Safer, More Trusted Internet Through Information Sharing, MSRC, Aug. 2011," is further described in this blog post and can be downloaded here.
The report contains a lot of details about Microsoft's various security programs, including statistics on its "coordinated vulnerability disclosure" program for reporting software flaws. While Microsoft advocates private communications between security researchers and Microsoft or between security researchers and a national or regional Computer Emergency Readiness Team (CERT), some researchers don't agree. In July of 2010, for instance, a Google researcher asserted that his public "full disclosure" of a Windows XP software flaw was the only way to get Microsoft to act in a timely way to fix it.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.