Microsoft patching has finally matured, say security pros

Security professionals say Microsoft's Trustworthy Computing initiative may finally be improving their lives because the latest patches and fixes being distributed by Redmond rarely break other applications.

Just over two years ago, Bill Gates fundamentally changed the way Microsoft approached software development by making security the highest priority. The company has spent millions of dollars to train staff in privacy concerns and secure programming, while building new tools and processes to help create reliable software. Although even Microsoft executives admit there is a long way to go, the investment seems to be paying off.

Security professionals attending a security event organised by non-profit organisation ISSA UK, which was held at Microsoft's headquarters in Reading on Wednesday, said that although Microsoft still has a lot of work to do before its patching system even meets basic requirements, the patches themselves have improved.

David Merry, senior network engineer at UK consultancy Polar Computer communications, said the change in Microsoft's policy is working well, so far: "We see that Microsoft's patches do tend to be more reliable and cause less interference with our client's machines than they did in the past. We are all seeing that security is a bigger issue - in Windows 95, accessibility was the key but there is more focus now," he said.

A senior consultant from a major financial institution, who asked to remain anonymous, said that over the past nine months Microsoft patches have not caused any problems with existing applications: "Historically, in my department the view is that you don't trust Microsoft patches, but over the past eight or nine months, we haven't had any integration problems at all. Yes, I'd say there is a definite improvement there," he said.

Graham Titterington, principal analyst at Ovum, said he had heard of "very few" reports where patches were breaking systems because Microsoft's testing procedures has improved. However, he warned companies to not get complacent with their own internal testing: "This is quite an achievement when you think that they are being applied to systems with varying levels of previous patching. However, good system management practice says that you shouldn't make any changes to a working system without testing the system in its new form and every large organisation has a system that is to some extent unique - so a risk remains," he said.

However, there are still problems. In February Microsoft released a patch for Internet Explorer outside of its monthly cycle to stop the company's browser from being used to fix a URL spoofing flaw. But the update also stopped certain URLs from being used to access password-protected internet resources, which was a relatively common practice.

Munir Kotadia writes for ZDNet UK