Microsoft Patch Tuesday: Another Angle



02/16/2009




Kevin R. Smith
Co-Editor


For the uninitiated: Microsoft releases bug fixes and security patches for its software on one day a month, the second Tuesday, which it calls "Patch Tuesday."

A recent blog post at IT World on Patch Tuesday discusses the once-monthly cycle and asks whether it is often enough.

They claim, perhaps accurately, that most IT security pros say they like the once-monthly cycle because it lets them plan better and lets upper management "manage better." Further, they claim, it actually makes things "more secure" by making them regular.

This is total, complete, utter garbage, and garbage on multiple fronts at that. Here's why:

Just because you, as a home user or an IT security pro, have updates available from Microsoft (or from any other software vendor, for that matter) does not mean you have to apply them the same day they're released!

Let me put it another way: if Microsoft continually released updates as soon as its developers had them ready for the public (rather than sitting on finished patches until the arbitrary "Patch Tuesday"), then individual home users and companies alike could choose when to apply them according to their own schedules and their own security needs.

If you're a web hosting company with dozens, hundreds, or even thousands of servers under management, you have a very different set of concerns than a home user with three machines, right?

You also have a very different capacity to execute those tasks. Rightly so.

With that in mind, why not put the power, and the security, in the hands of the customers and let them choose when to patch?

If a company wants to patch on the second Tuesday of each month, it certainly can; but if a company, or an individual user, is worried about a particular exploit and needs to patch its server(s) today, it can do that too.

Plan it. Manage it. It's easy.

But to say that the once-monthly cycle makes it easier for IT shops to manage is absurd, bordering on delusional. It takes management decisions away from the managers and IT pros and shifts the burden of decision-making onto Microsoft.

How does that possibly make sense?

That's akin to saying it's easier for you as a company (or an individual) to plan paying your bills if your bank only makes your money available to you on the second Tuesday of the month!

As an individual, and especially as a business, you may get paid any number of times in a given month (i.e., the developers said the patches were ready), but the bank (i.e., Microsoft) sits on the money (i.e., the patches) 'til the second Tuesday.

For most desktop PCs, security at a fairly basic level boils down to: solid firewall software; good antivirus software, installed and kept updated; OS patches applied; and, if you're smart, other software patched too. Maybe you throw in anti-spyware as well, to be on the safe side. Fine. (If you're really smart, don't run as Administrator, either.)
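As an editor's added example, not part of the original post: a PowerShell script that audits the basics listed above on a modern Windows machine. It assumes Windows 8 / Server 2012 or later (for Get-NetFirewallProfile) and Windows Defender as the antivirus (for Get-MpComputerStatus); the "3 days" and "45 days" staleness thresholds are arbitrary choices, not anything the post prescribes.

```powershell
# Editor's added example, not code from the original post.
# Checks the desktop-security basics from the paragraph above:
# not running as Administrator, host firewall on for every profile,
# antivirus on with fresh signatures, and OS patches installed recently.
# Assumes Windows 8 / Server 2012 or later and Windows Defender;
# the day thresholds below are arbitrary choices.

$findings = @()

# 1. Is this session running with an elevated (Administrator) token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Running as Administrator; use a standard account for daily work."
}

# 2. Is the host firewall enabled on every profile (Domain, Private, Public)?
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) {
        $findings += "Firewall disabled for profile '$($_.Name)'."
    }
}

# 3. Is antivirus on, with real-time protection and recent signatures?
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus is disabled." }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off." }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 3) {
    $findings += ("Antivirus signatures are {0:N0} days old." -f $sigAge.TotalDays)
}

# 4. When was the most recent OS patch installed?
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($null -eq $lastPatch) {
    $findings += "No installed hotfixes reported."
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt 45) {
    $findings += ("Last patch {0} installed {1:d}; more than one Patch Tuesday ago." -f
                  $lastPatch.HotFixID, $lastPatch.InstalledOn)
}

# Report
if ($findings.Count -eq 0) {
    "All basic checks passed."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Two caveats when running it: Get-HotFix reads Win32_QuickFixEngineering, which records only updates that register there, so a quiet result for check 4 is not proof that every Windows Update package is applied; and Get-MpComputerStatus errors out on a machine where a third-party product has replaced Defender, so swap in that product's own status query there.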

But at least let home and business users make the decisions about their own security themselves... I'll schedule my own bill payments, thanks.
