Microsoft promises to patch up patches

Microsoft is cutting the number of ways software patches are installed, improving the security of its products and easing the burden placed on IT directors to manage version control.

Scott Charney, Microsoft's chief security strategist, speaking at the company's TechEd 2003 conference in Dallas, admitted that patching systems is often difficult and that their variable quality means that people do not always feel they can safely install them immediately.

"About 95 per cent of exploits occur after bulletins and patches are put out," Charney explained. "As a result, the reason the exploit is effective is because the patch uptake is too low."

Microsoft will tidy up its patching systems this year, he added.

Currently, the company uses eight systems to distribute patches to customers, but "by the end of the year, instead of eight installer technologies we will have two; one for operating systems and one for applications," Charney said.

In the future this will be consolidated to just one consistent user interface which will look at all a user's Microsoft products and tell them what they need.

Charney also said Microsoft would add "things you would expect" to its patches, such as an installer and an uninstaller, and ensure that patches register with the operating system.

He acknowledged that users often avoid early versions of its software for fear of encountering problems with the product. "When I put this group together, some of the developers came to me and said, 'We can have some improvements for you in about four months.' That's too fast," he said.

"I know our reputation. Version one: forget it; version two: forget it; version three: maybe. The bad guys are going to continue to innovate just like we do, so we have to do a really good job on this."