Home > Commentary, Other, Security, Windows > How to Benefit from Microsoft’s Mistake

How to Benefit from Microsoft’s Mistake

December 2nd, 2008 by Charles Gardner
Goto comments Leave a comment

In late October, Microsoft released a software patch to address a problem in Windows operating systems.  Every month Microsoft releases new software patches on the second Tuesday of the month, aka Patch Tuesday.  For most companies Patch Tuesday is followed by Reboot Wednesday which is when the most important of these updates are installed and  systems rebooted.  In larger companies, Patch Tuesday is the beginning of a process to prioritize, test, and stage these updates as needed.

So what’s the big deal about October?  Microsoft released an out-of-cycle patch (MS08-067) for Windows on October 23rd, nine days after Patch Tuesday.  Typically patches are queued up until the next second Tuesday, but this one was so important that Microsoft released it immediately.  The urgency about this patch was directly related to the potential damage that could be caused by the flaw it fixes.  In theory the flaw could be exploited by a worm that would blow through networks like wildfire, causing severe damage along the way.

To be fair, Microsoft’s mistake was the flaw in Windows; their handling of the situation has been very good.

How can you benefit from this?  It’s now over a month past the release of this patch, and it’s time to look at how your business handled the situation.  You can use this event as one method to evaluate your overall IT posture.  If you are in management, this may require digging in with the technical folks to get the details.  Specifically, look at the following areas:

  • Awareness
    • When – When did your organization first become aware this out-of-cycle patch had been released?  Was it within hours, days, a week, or more?
    • How – This is important.  How did your company learn about this?  Was it picked up from active reading of email, blogs, news?  Was it just luck that someone noticed it, or do you have an active process to stay informed?
  • Attention
    • Did this event garner the proper amount of attention from the proper people?  If awareness was high, but the appropriate people were so busy “putting out fires” that they didn’t get to it for a week, you have a problem.
  • Application
    • How quickly was this patch applied?  Given the unplanned nature of it, did this patch take longer than normal to go from awareness to actually being installed?
  • Audit
    • Has the installation of this patch been audited?  You need to know that the patch was actually installed.  Setting a patch management system to deploy the patch isn’t enough.  You must be able to verify that computers have actually installed the patch, and have a plan to deal with any problems.

Take a look at how your business responded.  Use this opportunity to identify any shortcomings and work to fix them.  Oh, and if you look around and see that this was handled well, give your IT people the credit they deserve.

Commentary, Other, Security, Windows

  1. No comments yet.
  1. No trackbacks yet.