Well, Microsoft announced yesterday that it was going to release two critical vulnerability patches next Tuesday. This came after it decided to release an emergency WMF patch. I lament a bit in this WMF article:
Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., said the patch should give Windows users peace of mind, but it could also lull them into a false sense of security. Instead of focusing on individual flaws, users need to look at overall security issues to better protect themselves and their companies, he said.
"I think people focus on individual vulnerabilities because the jury is out on what a strategic vulnerability approach should look like," Lindstrom said. "There’s no reason for people to focus on this particular vulnerability except that this is the one we’re focusing on."
Releasing a patch for a critical vulnerability a week before releasing patch(es) for two more critical vulnerabilities is an interesting conundrum. We already know that, for any patch to be worth applying, the expected loss from leaving the vulnerability unpatched must be greater than the actual cost of testing and deploying the patch itself (and if you add in lost opportunity, then you should double it).
Now the question is: are the extra x days of being patched against this particular vulnerability worth that same amount of money (the patch costs)? (This assumes that the cost of testing three patches is the same as the cost of testing two.) For large enterprises in particular, which have high patching costs and are experiencing extremely low "infection" rates from WMF, the answer is to delay the patch and combine them all a week later.