Does Microsoft's Patch Tuesday Need Fixing?

[Peaches]

Does Microsoft's Patch Tuesday Need Fixing?

Bill Brenner, CSO

Sunday, February 15, 2009 1:38 PM PST

It's been about six years since Microsoft as the day to release security patches, and most IT administrators have come to appreciate a consistent schedule to plan around.

But every so often, zero-day vulnerabilities and attacks materialize outside the cycle, causing more than a little heartburn for Windows-based businesses.

In December, for example, Microsoft was forced to release an emergency, out-of-cycle patch for Internet Explorer (IE) to close a security hole that allowed attackers to infect more than 2 million machines. The malware allowed the bad guys to steal such personal data as passwords when the user visited one of at least 10,000 compromised websites.

Days later, Microsoft had another critical flaw on its hands: an SQL Server database software bug attackers could exploit to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Cases like these beg the question: Has Patch Tuesday outlived its usefulness? Is a more frequent update process in order to match the increased sophistication and speed of attackers?

The answer is no, according to most IT security pros CSO polled recently. The increase in zero-day threats is a problem to be sure, they say. But IT shops run with a lot less chaos thanks to a monthly schedule they can count on and plan around.

PCWorld for full story: http://www.pcworld.com/businesscenter/arti...eed_fixing.html