[ryanburk]

the microsoft process cost for many individual patches versus larger collections isn't the real issue. behind the scenes, it should be essentially the same. it is a real issue for customers, particularly in IT, to deal with and manage all of those micropatches. especially in a world where you are responsible for validating every patch against your countless internal apps, deployments of updates are not trivial, and you have scenarios like finance where there is SOX compliance, auditing, etc. this is why the model of patch tuesday and the predictability of knowing when the patches were coming (regardless of number) and ability to plan your testing & deployment was loved by IT departments.

the additional tradeoff you need to consider is that the smaller you make the patches, the larger the number of variations you need to test for later patches, updates, app compat, etc. that is why service packs were a thing - you could baseline after a period of many patches getting out there, and start the process again.

(full disclosure: I used to work on and around some of this at microsoft many moons ago)

[dielel]

ryanburk, thanks a lot for your comment. We at 0patch are big fans of MS Patch Tuesday from it's very beginning. It was a huge improvement for appsec for more than decade and it still is. But as active pentesters with more than 15 years of experiences we just noticed that our enterprise customers can not apply patches timely and usually their (also critical) systems remain unpatched for several months. It looks they cannot cope with the amount of update changes and testing so they rather decide not patch. That was even worse than not to have a patch from official vendor.

There is one important technical difference between small pre-PatchTuesday patches and micropatches: pre-PatchTuesday patches were installed binaries (actually complete new version of the product) that are here to stay forever – or at least until patch uninstall or product upgrade. Imagine how hard is patch uninstall on CEO's patch-corrupted system on a business travel, for instance. Micropatches only live in memory, they die with the process. They don’t change file system and installed product, just redirect maliciously used instruction (just instruction, not the whole function) to correct path, if possible. It’s just couple instructions any admin could review by himself and switch of, if there is a problem. I wish I could say that for today’s patching procedures. For us it is the idea worth trying. We just have to simplify updating process for users (and software vendors, too).

p.s.: we are aware Microsoft gave up the idea of hot patching some years ago, but as I know they were not changing just couple of instructions. Please correct me if I’m wrong.

[j_s]

It sounds like you should include this brief 'how it works when applied/how this affects your machine' explaination of your tech even in this super-technical deep-dive blog post.

[dielel]

You're absolutely right - we have this information scattered around blog posts and other material but it should be laid out in one place and in not-too-techy language. Thanks for pointing it out.