[ISN] Microsoft Patches: Too Much of a Good Thing?

InfoSec News isn at c4i.org
Thu Apr 15 03:04:27 EDT 2004


http://www.microsoft-watch.com/article2/0,1995,1567937,00.asp

By Mary Jo Foley 
April 14, 2004  

It's like clockwork these days: Every second Tuesday of the month, 
Microsoft releases its amalgamated security patches and fixes.

Microsoft's customers have come to plan on this monthly happening. And 
many of them have programmed their systems to automatically download 
the patches when they appear - usually around 10 a.m. PST.

So what's the problem? Too many users hitting too few servers. The 
result? Problems connecting to Microsoft's Windows Update site, where 
the downloadable patches reside.

"Now that more people are aware that updates are due on the second 
Tuesday - I'm seeing what I thought would happen...Denial of service 
of Windows Update from their own customers," said one Microsoft 
customer, systems engineer Rafael Cappas.

"I checked Windows Update at 5 p.m. PST last night and it was 
unresponsive and received many 'server too busy' messages. I checked 
Windows Update at 9 a.m. EST this morning and the same problems were 
present," he said.

"Microsoft can add more servers to clusters but that would not be the 
solution, especially as more and more home users, small business users 
and even corporate customers schedule updates on that monthly update," 
Cappas continued. But "what happens to out of schedule updates once 
they set it and forget it?"

Internet watchers at Netcraft noticed the bottleneck yesterday, April 
14, right after Microsoft released its latest collection of Windows 
fixes. Users were especially anxious to obtain the April fixes, as 
three of the four collections of them were marked as "critical" by 
the Redmond software giant.

"Microsoft's Windows Update web site has been experiencing slow 
response times in the wake of yesterday's release of critical security 
updates," noted the Netcraft researchers. However, "a browser request 
through Internet Explorer eventually raises the site after an extended 
wait, and in some cases it is possible to successfully download and 
install updates over a broadband connection."

Microsoft acknowledged the problem. The company's security response 
and Windows Update teams noted that following this Tuesday's security 
bulletin release, requests to Windows Update "nearly doubled in volume 
from typical release days."

A company spokeswoman admitted that the demand caused "some 
performance slowdowns yesterday." But she added that "Microsoft has 
put into place additional resources and increased capacity to ensure 
that the increase in volume will not affect customer experience on 
Windows Update."

At the end of day on Wednesday, she noted that Microsoft was "not 
currently seeing any problems meeting the increase in volume."

The spokeswoman added that "Microsoft attributes this significant 
increase in update downloads to the recent move to a monthly release 
schedule which makes security more predictable for customers, as well 
as the increased use of Windows Update and Auto Update."

Netcraft officials said that the DNS for windowsupdate.microsoft.com 
isn't managed by Microsoft itself. Savvis Communications, which runs 
the former Digital Island content distribution network (CDN) it 
acquired from Cable & Wireless earlier this year, oversees the site, 
Netcraft said.

"CDNs help manage Internet traffic (including distributed 
denial-of-service (DDoS) attacks) by using large, geographically 
distributed networks of servers to move files closer to the end user," 
Netcraft explained.

Microsoft customer Cappas offered a suggestion to help alleviate the 
bottleneck.

"Manual downloads of the patches still work if you go through the 
security bulletin links," Cappas said. "Microsoft should allow admins 
the ability to manually download patches and include them in Software 
Update Services (now renamed Windows Update Services) without having 
the SUS server always connected to the Internet and automatically 
downloading (or not being able to) updates.

"Automation can be a good thing, but when things go wrong, you should 
always have a way to do things manually," he concluded.




