More Patches Aren't the Answer

eLABorations: Software vendors should be forced to take responsibility for porous code

Yep. Just a regular, ordinary day. Get up, have some coffee and breakfast, and download and install the latest mega-patch for Internet Explorer. And of course I'll have to do it again tomorrow, since the patch doesn't work as well as Microsoft thought and actually doesn't even fix all the bugs it's supposed to.

Does anyone else think this is getting ridiculous? We're pretty much at the once-a-week patch for IE, and the once-a-day plan doesn't seem that far off. Actually, when you throw in all the other applications, operating systems and servers that need regular patching, I am often applying one patch or another every day.

More and more, we're hearing that we should accept this, that it's just the price of doing business now. From Microsoft officials to some experts in the security business, we are essentially being told that constant patches are a fact of life and, while we're trying to write better, more secure code, you should get used to using automated updating tools.

Sorry, but that doesn't cut it. First of all, as the broken patch for IE illustrates, patches don't always fix things and can often cause new problems. Using an automated patching tool means you are constantly at risk of introducing new problems without any chance to do testing before the patches are applied.

Of course, the other option is to watch alerts and use patch-scanning tools and update systems yourself. Oh, you have another job that you need to do? I'm sure you can squeeze it in between the hours you'll spend finding the right patches, testing them, then deploying them.

The other problem is that, because people are becoming so used to patching systems, some malicious people are actually using bogus patches to trick users into putting their systems at risk. Viruses such as W32.Gibe@mm pretend to be legitimate patches, tricking users into triggering a virus when they think they are fixing a problem. Even simpler hoax viruses such as the Jdbgmgr.exe hoax pretend to offer advice to remove a virus, but instead trick a user into removing a needed Windows file.

All of these play on the growing familiarity and acceptance that users have towards patches and regular security problems. When you're patching all the time, it gets harder to tell the real from the fake.

Really, the only solution is to make software vendors as liable for mistakes as any other product vendor is. Commercial PC software has been around for more than 20 years and should be past any special exemptions it may have deserved. Instead, much of the activity in this area is aimed at actually increasing the protections that software vendors have against liability due to poor coding.

Unfortunately, if this progress continues, we'll be patching for breakfast, lunch and dinner.

Are you sick and tired of constant patching? Let me know at