On 3 June, 2003, Scott Charney, a former Justice Department cybercrime expert and Microsoft's chief security strategist since 1 April, 2002, told the audience at TechEd 2003 in Dallas that he knew Microsoft's patch management "was broken."
"Today there are eight different installer technologies within Microsoft," he admitted. "Some patches register with the OS, some patches don't. Then, when you build tools to see if you're patched, some tools say you're patched because they're looking at registry keys; other products say you're not patched because they're looking for DLLs." Thanks to Charney's efforts, Microsoft not only admits on the record that it needs to improve the way it manages updates to its applications and operating systems, but appears to have made a sincere commitment to fixing the problem.
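The inconsistency Charney describes, one tool trusting a registry key and another trusting the DLL on disk, is something an administrator can check for directly. The PowerShell below is an added example, not code from the article or from Microsoft: it takes both kinds of evidence for a patch and flags the case where they disagree. The registry path, DLL name, KB number and version are placeholders, not values from any real bulletin.

```powershell
# Added example: reconcile registry evidence against file evidence for one patch.
# All KB numbers, registry paths, file names and versions are placeholders.
function Test-PatchConsistency {
    param(
        [Parameter(Mandatory)] [string]  $Kb,              # bulletin/KB label (placeholder)
        [Parameter(Mandatory)] [string]  $RegistryPath,    # key the installer is expected to write
        [Parameter(Mandatory)] [string]  $FilePath,        # DLL the patch is expected to replace
        [Parameter(Mandatory)] [version] $MinimumVersion   # file version the bulletin lists
    )

    # Evidence 1: the installer registered itself with the OS
    $registrySaysPatched = Test-Path -Path $RegistryPath

    # Evidence 2: the binary on disk is at or above the fixed version
    $fileSaysPatched = $false
    $fileVersion     = $null
    if (Test-Path -Path $FilePath) {
        $raw = (Get-Item -Path $FilePath).VersionInfo.FileVersion
        # FileVersion may carry trailing build text; keep only the dotted numeric part
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') {
            $fileVersion     = [version] $Matches[1]
            $fileSaysPatched = $fileVersion -ge $MinimumVersion
        }
    }

    if     ($registrySaysPatched -and $fileSaysPatched)      { $verdict = 'Patched (registry and file agree)' }
    elseif ($registrySaysPatched -and -not $fileSaysPatched) { $verdict = 'MISMATCH: registry claims patched, file stale or missing' }
    elseif ($fileSaysPatched)                                { $verdict = 'MISMATCH: file current, no registry record' }
    else                                                     { $verdict = 'Not patched (registry and file agree)' }

    [pscustomobject]@{
        KB              = $Kb
        RegistryPresent = $registrySaysPatched
        FileVersion     = $fileVersion
        Verdict         = $verdict
    }
}

# Constructed inventory (placeholder values): one entry per bulletin to verify
$inventory = @(
    @{ Kb = 'KB000000'
       RegistryPath   = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB000000'
       FilePath       = "$env:SystemRoot\System32\example.dll"
       MinimumVersion = '5.1.2600.1000' }
)
$inventory | ForEach-Object { $p = $_; Test-PatchConsistency @p } | Format-Table -AutoSize
```

Any row whose verdict starts with MISMATCH is a machine where two scanners using different evidence would give different answers.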
Both Charney and Microsoft's white paper acknowledged that Microsoft ought to release more secure, better tested code in the first place. To oversee these changes in its update strategy, Charney formed a departmental Patch Management Task Force. As a result, in recent weeks there have been signs that the software Goliath has begun its overhaul.
Notification changes
Microsoft has tweaked its Security Bulletin notifications by adding a less technical Consumer Bulletin geared toward end users. Though not written for tech staff, it might serve IT management and staff both as a model for passing on patch information to employees, and as a quick, easier-to-digest overview of new issues. Both the Consumer Bulletins and the more technical Security Bulletins are available by email subscription: register for Consumer Bulletins at Microsoft's Web site, and register for Security Bulletins at Microsoft's TechNet.
Responding to customers' suggestions, Microsoft also changed its rating system. According to feedback, Microsoft defined too many issues as "critical." The new system has four levels, as shown in Table A, with the most critical reserved for those vulnerabilities that easily allow a virus or worm to propagate.
Table A

| Level | Description |
| --- | --- |
| Low | Extremely difficult to exploit, or one with minimal impact. |
| Moderate | Less likelihood of exploitation, due to a combination of factors, such as default configuration, auditing, or difficulty. |
| Important | Possibility of system compromise, including "the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources." |
| Critical | Possibility of Internet worm/virus propagation without any user action. |
Talkback
When you install XP on a new PC, you have not only got to keep to its very strict rules regarding copyright, only one copy per computer; you then, after installing XP, have to install Service Pack One and its updates, and that's a lot of time, and a system that's patched to hell is no good. Microsoft should allow you to go back to your supplier and get a new copy of the software, so it installs without a lot of fuss and is clear of patches. An installer not only has to install XP, but anti-virus and motherboard stuff, soundcards and ATI stuff in my case, regarding graphics cards. Also Microsoft should let you install XP on more than one computer, and make it easy for you to do this, even paying a small fee extra. I have 4 PCs, and I have bought 2 copies of XP, COSTING SOME £260 QUID.