Microsoft's patchwork security blanket

A few days ago, I was asked whether a particular fact being used by an InfoWorld writer was reasonable. The fact, according to the writer’s research, was that Microsoft has issued 60 patches to Windows and related software in the last 18 months. In this case, the writer was referring to critical updates, not just the random (but important) patches that some users consider more or less optional.

Being too lazy to actually research the number myself, I thought about it instead. Sixty critical updates? If anything, the number seemed low. But when I considered the fact that critical updates are often rolled up into service packs and similar conglomerations of patches, perhaps the number was reasonable. So I assured my editors at InfoWorld that it seemed reasonable to me. P.J. Connolly, who actually went and checked, agreed.

Sure seems like a lot of patches, doesn’t it?

But there are two ways to look at all of those patches, and there are factors to consider when you’re contemplating whether Microsoft has had too many -- or maybe not enough. First, things have changed a lot since the current versions of Windows were designed. Second, Windows is an amazingly complex operating system and mistakes are likely.

Dramatic changes in the IT world and subsequent changes at Microsoft over the past few years are responsible for many of the patches. Back when we were starting out in this world, real computing lived on IBM 390s and the operating system was MVS. Operating system security was mostly a nonissue: The computers were kept in fortresses protected by electronic locks, virtually no one in the outside world had the 3270 terminals or the access required to break into a mainframe and even modems were mostly unobtainable.

So we didn’t see security patches in those days. Why would we? Viruses, worms, and spyware wouldn't happen on a large scale for decades.

Unfortunately, those conditions, and the people who were used to them, persisted for a very long time. Only in the last decade did viruses become a problem, and they only affected PCs. They spread slowly. The enterprise was hardly affected.

It wasn’t until Windows became dominant, and then a target, that the enterprise truly came under attack. Microsoft took a while to react, but so did the IT world. In fact, the IT industry is still reacting slowly. As unlikely as it may seem, there are still networks without firewalls or virus protection. So it’s no wonder that Microsoft is playing catch-up -- the world changed; it’s difficult and time consuming to change the software accordingly.

Then, a year ago, Microsoft took a major step to improve the native security of Windows. This caused a significant re-examination of the operating system, and thus more patches. Meanwhile, the other type of patch, the one that fixes bugs, continued to be issued. After all, Windows really is very complex and fixes are a certainty.

Are 60 patches too many? Probably not. They may not be enough, but Microsoft can’t just go issuing patches without checking their impact on the rest of the Windows environment and that slows things down. Sure, you don’t see the number of patches for NetWare or Linux that you see for Windows, but the scale of the problem isn’t the same either. So I’d prefer to take the positive point of view: At least those 60 problems are fixed.