Last week it was time for the monthly present from Microsoft: brand-new security patches.
Each month the Redmond gang gathers up various patches for its products and sends out security alerts to help its users avoid viruses, bots, and system downtime.
This time the release included patches for vulnerabilities impacting Windows, Internet Explorer, Word, and Messenger. Microsoft also issued a warning about a flaw affecting its Exchange Server software, used on networked computers to manage and store e-mail traffic.
If all this patchwork makes you want to throw up your mouse pads in despair, don't be so glum. Things are better than they were, according to Michael Sutton, a director at iDefense Labs. iDefense Labs is a computer security intelligence firm that worked with Microsoft to uncover four of the new vulnerabilities.
"I think Microsoft is starting to do a lot of things right in the security area. They're not at their destination yet, but they're on the right path," Sutton says.
Sutton adds that Microsoft is now working with companies such as his to find and fix flaws. "That they are now willing to work with researchers and others who uncover flaws and vulnerabilities makes it much easier to work with them. Now you know you are going to be heard," Sutton says.
Sutton says if you look at the list of vulnerabilities provided by Microsoft, you'll see many "thank yous" noted throughout. "That may seem like a small thing, but believe me, it's not," Sutton says.
It's definitely no small thing. I listened to a report about the anniversary of Dr. Jonas Salk's polio vaccine last week. The report noted that when Salk's vaccine was announced and Salk was hailed as a hero (rightfully so, by the way), he failed to acknowledge the many, many associates who had toiled with him to come up with the vaccine. It drove a permanent wedge between Salk and other members of the medical-research community. If Microsoft has learned that Emily Post lesson, it's encouraging.
Although Sutton is effusive in his praise of Microsoft's attitude toward patches, he adds that some areas could still use improvement.
"Microsoft needs to shorten the patch time frame. It's now at about 145 days from when something is brought to their attention to when a patch is released. That's nearly five months, and that's probably too long," Sutton explains.
Sutton also says Microsoft needs to publicly address vulnerabilities for which no patches currently exist. "It puts a company in a bad position, because we don't know if Microsoft is going to address [a vulnerability], and we need to know so we can recommend a work-around or not," he says.
Nevertheless, the improvements he's seen so far lead Sutton to give Microsoft a big pat on the back. "I hope a lot of software vendors follow Microsoft's lead on issuing patches," Sutton says. "I think it would go a long way to improving computer security."
