
December 2008 Archives

December 1, 2008

A Great Way To Start a Monday

[Image: photo.jpg]
Thankfully it's been resolved :)

December 16, 2008

The IE Vuln & A Monthly Patch Release Process

As I'm sure everyone has heard by now, there's an IE 0-day floating around. The result of this 0-day is that some people are questioning if the monthly MS Tuesday is really a good idea these days. The alternative is that patches could be released as soon as they are available.

I'm still of the opinion that MS Tuesday is the right way to approach the issue. We've seen other large enterprise vendors follow in Microsoft's footsteps. I'd say there are two main reasons to keep a monthly patch cycle. The first is for system administrators and their already hectic lives. Imagine if patches were released randomly as they were ready. This year saw 77 bulletins for Microsoft products. If they were "released as ready", that would have resulted in more than a bulletin a week... and we're only talking about the bulletins; what if each patch was "released as ready"? For example, what if every IE vuln was patched individually, or each Office vuln? This month's advisories patched 28 unique CVEs... that's almost one a day over the course of the month. It would be unreasonable to ask admins to maintain a respectable level of patch status.

My second reason is related to consumers. We constantly see reports of unpatched boxes and users who dislike the patching process. If Windows Update starts offering daily or weekly patches, end users are going to give up on patching. It will become a chore for them.

Yet many people want patches as quickly as possible, so how do we solve this problem? Why couldn't the solution be a public beta patch program? I know Microsoft has a patch beta program that enterprises with large deployments can get involved with, for people who have the labs to provide feedback on a larger scale. This would be more consumer / small business focused, since they don't qualify for Microsoft's current beta patch program. Although, that's not to say that enterprises couldn't choose to go this route instead. Interested parties can sign up to download the patches themselves. These patches would be available after development and before Microsoft begins QA (or perhaps after initial QA; this point could be decided on in the future).

Admins who want to test serious issues in their labs to ensure a faster rollout once the official patch is released could choose to do so. End users who have been calling out Microsoft for not releasing patches more quickly and for sticking to their monthly schedule could download these beta patches and make use of them.

Now... I can hear the argument already. Malicious individuals will download the beta patches and reverse them to find the vulnerability. This is true, and I'm not going to argue it, but they're finding the vulnerabilities right now and making use of them. Perhaps this public beta program is only used for already public vulnerabilities, or perhaps we look at the alternatives. To flesh this out a little further... the bad guys will always find the vulnerabilities. Whether they find them today or tomorrow is of little difference; they will find them and somebody will be unpatched. The best we can do is hope to protect as many people as possible. With actively exploited vulnerabilities, I propose that the answer is a beta patch program such as this one.

As I said, maybe that isn't the case with private vulnerabilities, since they sit quietly without being discovered, sometimes for months on end. However, if it's a choice between a beta program and "release as ready", I would prefer the beta program. It gives users a choice without making the end user feel pressured to patch. If there's a valid reason for an out-of-band advisory (MS08-067 for example) then by all means release it; however, we have to weigh the security of the end user against the capability of the end user.

If we make the move to 'release as ready', administrators will have major backlogs and consumers will ignore patches. So the malicious individual will reverse the patch and still have plenty of viable targets. I believe that 'release as ready' is no less dangerous than a public beta program, and there's more benefit to the public beta program.

I'm sure that someone somewhere is saying "release as ready" is the same as the beta program, in that people can get the patches earlier than with a scheduled monthly release. This is true... and when I think 'people', I'm thinking hackers. If the "hackers" reverse the beta patch and produce an exploit, then we have an actively exploited vulnerability without an official patch, and this is a problem. Then again, it's not unlike having a ZERT patch... in fact I consider ZERT to be evidence that a public beta patch program is a good idea. But let's go back and look at the "release as ready" idea through the eyes of the consumer.

I come home from work, sit down to use my computer and that little yellow icon is telling me I have updates waiting to be installed. I click install, start typing emails and 5 minutes later I'm told I have to reboot. I save my work, reboot, wait for my computer to come back on, log in, wait for my software to load (I know... you're getting impatient reading this sentence, but imagine if you're this end user) and finally I'm back to work typing that same email. Now imagine that this happens more than once a week. What is that end user going to do? They're going to get fed up and disable automatic updates. Now we have a user that is less secure than they were on the monthly update cycle... because once a month they could handle, but this weekly (or even daily) process is unbearable. At this point we have a worse situation than we did with a monthly patch release and a beta patch program.

So in the end, the Pros and Cons of a Public Beta Patch Program are:

Pros:
Monthly Update Cycle is maintained.
Patches are available to those that desire them.
We don't inundate the end user with patch releases.

Cons:
Malicious individuals could determine the vulnerable condition.

As I said though, I believe this con exists with the 'release as ready' program as well, yet it doesn't have the potential pros. That being said, I'm definitely for the idea. Thoughts, Opinions and Comments from others?

About December 2008

This page contains all entries posted to VERT in December 2008. They are listed from oldest to newest.
