Microsoft on Thursday announced it would no longer issue weekly software patches for security vulnerabilities as part of a major plan to avoid issuing updates on a “very unpredictable schedule.”
Instead of software patches issued every Wednesday, Microsoft chief executive Steve Ballmer said the company would release monthly security patches except for emergency situations.
“We have been putting out our patches on a very unpredictable schedule. We will now go to monthly patches — no more than monthly. If we don’t need monthly, we won’t have them. But no more than once a month, except for emergency patches which will be made available essentially immediately,” Ballmer told a gathering at the inaugural Microsoft Worldwide Partner Conference in New Orleans.
“That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times,” Ballmer added.
For consumer and small business customers, Ballmer disclosed that the Windows Update utility would be complemented by a new product called Microsoft Update, creating one place on Microsoft.com for all of the patches for all of the Microsoft products. “People won’t have to go searching through our Website to get an integrated view of the patches, et cetera, that are necessary,” he declared.
As part of a major shift in strategy, Ballmer said the patching experience would be improved for the whole Windows 2000 generation of products — Windows 2000, Windows XP, SQL Server 2000, Windows Server 2003. “Everything that postdates Windows 2000, by May of next year we will have made these improvements in our patching experience,” he announced.
He promised reduced complexity in the patching process, conceding that the software giant’s 68 different patching systems were “a little extreme.”
“Number two, we are going to move to reduce the risk in the patch deployment. That means better quality in the patches where our execution has been imperfect. And, we will provide rollback capability for all patches, so you can roll them out and roll them back if there is an application incompatibility or something unanticipated,” Ballmer announced.
To avoid problems for end users with slow links (dial-up connections), Ballmer said Microsoft would use new Delta patching technology that reduces patch sizes by between 30 percent and 80 percent.
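The two mechanisms mentioned above, delta patching and patch rollback, can be illustrated with a small worked example. This is an added illustration, not Microsoft’s delta technology or any of its actual patch formats: it assumes a toy delta format of “copy a byte range from the installed file” and “insert these literal bytes” operations, built with Python’s `difflib`, and it ties each delta to SHA-256 hashes of the expected before and after images so that a delta is refused if the installed file is not the version it was built for or if the patched output does not match what the vendor shipped. Rollback is simply the delta computed in the opposite direction. The sample “binaries” are constructed, deterministic random bytes.

```python
import difflib
import hashlib
import json
import random

# Constructed sample images (not real binaries): a 4 KiB "old" build, and a
# "new" build that differs in a 64-byte region and has 16 bytes appended.
_rng = random.Random(1234)
OLD_IMAGE = _rng.randbytes(4096)
NEW_IMAGE = OLD_IMAGE[:2000] + _rng.randbytes(64) + OLD_IMAGE[2064:] + _rng.randbytes(16)


def make_delta(old: bytes, new: bytes) -> dict:
    """Build a delta that rebuilds `new` from `old`.

    Unchanged runs become ("copy", start, end) references into the installed
    file; changed or added bytes are carried literally. Hashes of both images
    are embedded so the installer can verify before and after applying.
    """
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    ops = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(["copy", i1, i2])
        elif tag in ("replace", "insert"):
            ops.append(["insert", new[j1:j2].hex()])
        # "delete": the old bytes are simply never copied, nothing to emit.
    return {
        "ops": ops,
        "base_sha256": hashlib.sha256(old).hexdigest(),
        "result_sha256": hashlib.sha256(new).hexdigest(),
    }


def apply_delta(installed: bytes, delta: dict) -> bytes:
    """Apply `delta` to the installed image, refusing on any hash mismatch."""
    if hashlib.sha256(installed).hexdigest() != delta["base_sha256"]:
        raise ValueError("installed file is not the version this delta was built for")
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            out += installed[op[1]:op[2]]
        else:
            out += bytes.fromhex(op[1])
    result = bytes(out)
    if hashlib.sha256(result).hexdigest() != delta["result_sha256"]:
        raise ValueError("patched output failed integrity check; not installing")
    return result


def delta_size(delta: dict) -> int:
    """Size of the serialised delta as it would travel over the wire."""
    return len(json.dumps(delta).encode())


def demo() -> dict:
    """Forward-patch OLD_IMAGE to NEW_IMAGE, then roll back with a reverse delta."""
    forward = make_delta(OLD_IMAGE, NEW_IMAGE)   # what the update service ships
    rollback = make_delta(NEW_IMAGE, OLD_IMAGE)  # kept locally to undo the patch
    patched = apply_delta(OLD_IMAGE, forward)
    restored = apply_delta(patched, rollback)
    return {
        "patched_ok": patched == NEW_IMAGE,
        "rollback_ok": restored == OLD_IMAGE,
        "full_size": len(NEW_IMAGE),
        "delta_size": delta_size(forward),
        "saving": 1 - delta_size(forward) / len(NEW_IMAGE),
    }


if __name__ == "__main__":
    r = demo()
    print(f"patched: {r['patched_ok']}, rolled back: {r['rollback_ok']}")
    print(f"full update {r['full_size']} bytes, delta {r['delta_size']} bytes "
          f"({r['saving']:.0%} smaller)")
```

The size saving here is much larger than the 30 to 80 percent quoted for real patches because the constructed change is tiny relative to the file; the point is the mechanism. The design choice worth noting is that the base hash check runs before any bytes are written and the result hash check runs before anything is installed, which is what prevents a delta from being applied to the wrong build or from producing a silently corrupted binary. Applying the wrong delta raises rather than installing, as the test below exercises.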
He described the security “crisis” as a defining moment for the software industry and conceded that Microsoft’s patching process has been “low and inconsistent.”
“You’ve told us that you need to know, and our customers need to know, what is the right way from a security standpoint to run an enterprise with Microsoft software in it. You’ve told us that you can’t keep up with new patches, they come too quickly. You’ve told us there’s still too many vulnerabilities in our products,” Ballmer added.
Noting that software security was not an issue for Microsoft or ISVs alone, Ballmer said Microsoft’s security strategy shift would help mitigate vulnerabilities even if users can’t apply patches.
“The number of patches that we’ve put out has proliferated. That’s an issue. Perhaps more important, the time between us issuing a patch and [when] we see a concrete exploit that takes advantage of the vulnerability that the patch highlighted is shortening,” Ballmer added.
Insisting there were very few instances of attacks and exploits preceding a patch, Ballmer said it was clear the hacker community was actually using the patches as blueprints to diagnose and understand vulnerabilities.
“We have to prioritize and we have to enable you to appropriately prioritize security. It’s our No. 1 priority…And I’d love to tell you there’s a silver bullet. There is no silver bullet. People say, ‘Well, can’t you just fix all the vulnerabilities?’ Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there’s still 600 million computers, many of them downlevel, many of them on funny versions that wouldn’t have all of these vulnerabilities patched, fixed and up to date,” Ballmer argued.
Ballmer described virus writers as “criminals” and called for jail sentences to serve as a deterrent to hackers. “And no more should it be allowed to create huge damage by sending a worm across the Internet than it would be to blow up a bomb in a building that didn’t have any people in it. It’s a serious crime, and we are working with law enforcement on this, as if it’s a serious crime, and pushing for prosecution,” he declared.