Microsoft's new patch strategy is not up to scratch, say HK administrators

Hong Kong information security professionals have raised the red flag over Microsoft's new strategy to release alerts for security holes in Windows products each month. They said the move would leave many enterprise computer networks exposed to malicious programs and possible infection, as information technology administrators needed more lead time to deploy the required software patches.

Organisations such as the government-funded Hong Kong Computer Emergency Response Team (HKCert) and the non-profit Professional Information Security Association (Pisa) are expected to call on Microsoft this week to seek a satisfactory resolution.

The urgency of this situation surfaced last week when Microsoft issued seven software patches in the first of its new monthly security bulletins. Five of the patches were designated as critical, meaning that 'vulnerabilities' in Microsoft applications could provide malicious program authors direct access to computers - either via a virus similar to this year's Blaster worm attack or receipt of an e-mail that carries a hidden 'payload'.

Leung Siu-cheong, senior consultant at HKCert, said dealing with the number of alerts in Microsoft's latest bulletin would challenge IT administrators to identify quickly the necessary patches for their networks, test their systems and roll the patches to all servers and workstations. 'To those managing corporate computer networks, quick response time is critical,' he said. 'IT administrators need to be updated every day because they must make sure that the patches will not cause problems with the existing applications running on their networks.'

He said HKCert, which has close co-operation with Microsoft and anti-virus software vendors in Hong Kong, would soon call on Microsoft to discuss the issues with the company's new monthly security bulletins.

Sang Young, chairman of Pisa, said his group planned to make the same call to Microsoft. 'As part of 'best practices' in information security, IT administrators must have early warning on all security issues to protect their networks,' he said.

The inability of many IT administrators to get patches deployed in time was illustrated when the Blaster worm infected thousands of computers in Hong Kong even though Microsoft issued a patch on the software loophole a month before the virus struck.

Allan Dyer, president of the Association of Anti-Virus Asia Researchers, said infected networks showed a glaring oversight by IT administrators. 'Obviously, there are a large number of systems that got infected, but the administrators of those systems could have prevented it.'

Microsoft announced on October 9 what it called 'significant improvements' that would help reduce the complexity of patch management, including a move to monthly patch releases.

Addie Luk, Hong Kong general manager of anti-virus software maker Trend Micro, said a key concern for many IT administrators was patch management. 'For a company with any number of servers, applying patches can be time-intensive and potentially disruptive to business,' he said.

Robbie Ray Wright, director of Microsoft Hong Kong's business marketing organisation, said the move to monthly releases was in response to customer feedback. 'The vast majority of attacks are launched once vulnerabilities are released to the public via security bulletins,' he said. 'So Microsoft has been working towards a strategy that stresses patch application rather than patch development.'

The new process is supposed to make patching more predictable and easy to deploy, as all Microsoft security bulletins will now be released on the second Tuesday of every month. Microsoft would issue a single security advisory per product to address security patches of 'all severities', Mr Wright said.

The security bulletins will explain how to deploy critical patches and risk-assessment for malicious attacks.

Amid the issues raised by local information security professionals, Microsoft claims the longer time between releases will allow users enough time to evaluate and install patches. Previously, Microsoft patches were typically released on Wednesdays. Mr Wright said that set-up did not provide customers with sufficient time before the next patch release arrived.

He said Microsoft would continue to release fixes 'out-of-band' - sooner rather than later - if its customers faced 'imminent threats'.