This month's Black Tuesday -- Sept. 10, 2013 -- enters the record books as Microsoft's most patch-botching month in history. That's quite an accomplishment, frankly. Having followed Microsoft's bungled patch efforts since long before the ascendancy of Patch Tuesday, I think there's a better -- if rather unorthodox -- way to manage patching.
The release dilemma is quite straightforward: Microsoft has to test the patches without letting them leak to the bad guys. Conventional wisdom dictates that if the bad guys can reverse engineer the patches before they roll down the Automatic Update chute, Windows as we know it will cease to exist. However, given the recent revelations of governmental stockpiling of zero-days, the ascendancy of companies that specialize in selling such zero-days to governments and corporate spies alike, and the fascinating proposal that the U.S. government share its zero-day trove with private companies (for a fee, of course), I think the day-and-date exposure threat is way overblown.
Here's my proposal: Instead of rolling all the patches out via Automatic Update on Black Tuesday, engulfing an unsuspecting public and creating all sorts of buggy havoc, I think Microsoft should let volunteers test the patches one day earlier. Call it Patch Monday. That would give software manufacturers, corporate customers with patch testing capabilities, enthusiasts and, yes, hackers, a one-day head start on the pandemonium that invariably ensues upon unleashing Automatic Updates.
Microsoft would put together all of the patches as it now does for Black Tuesday. But instead of keeping the security patches under wraps until the fateful moment on Tuesday when millions and millions of machines get hit almost simultaneously, it should let volunteers take a swing at them 24 hours earlier.
That would've given Kaspersky Anti-Virus, for example, a chance to test KB 2823324 a day before its release and to discover that older versions of Kaspersky would freeze. It would've given ambitious Outlook 2013 users a chance to see, before KB 2817630 hit, that their folders disappeared. It would've offered Office Starter Edition users a chance, before KB 2589275 got rammed down the Automatic Update chute, to scream about the fact that they're being told to buy Office 2010. The Brazilian manufacturer of the banking security plugin "G-Buster" might've avoided the massive meltdown of PCs in Brazil after KB 2823324 hit. And on and on.
Of course, the immediate argument is that, by opening up an all-volunteer Patch Monday, you're giving the bad guys a head start -- an extra day to reverse-engineer the patches and wipe out the Internet. To which I say, "baloney," or something less printable.
The really bad guys already have hundreds of zero-days at their disposal. Chances are very good that the most tied-in government-sponsored crackers already know about the holes that Microsoft is going to patch. The real vulnerability lies with bad guys who aren't working for the government. They don't have enough money to buy a zero-day, but they're capable of reverse-engineering a patch and distributing a massive malicious attack within 24 hours. Yes, such people do exist.
Microsoft already has a rating system that can pinpoint the patches most at risk from those kinds of attackers. Every security bulletin these days has three key components, described in a TechNet article, and you can see them readily on the SANS Internet Storm Center listing for each Black Tuesday. Each security bulletin (and presumably each individual patch) gets rated with a severity level, an exploitability level, and a note on whether the hole has already been publicly disclosed.
My proposal for Patch Monday has some wiggle room for Microsoft: If a particular patch (not a security bulletin, but an individual patch) has a severity rating of critical, an exploitability rating of 1 (exploitation more likely), and it has not yet been publicly disclosed, Microsoft may (that's the operative word) choose to withhold the patch from Patch Monday volunteer testing.