Microsoft, Analysts Team Up to Improve Patch Management | eWeek

Microsoft, Analysts Team Up to Improve Patch Management

Écrit par
Brian Prince
Brian Prince
Apr 15, 2009
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Ever wonder how it was that the Conficker worm spread so rapidly even though there was a patch available for the Microsoft vulnerability it exploited?

As it turns out, the patch management process is not as straightforward or simple as outsiders might imagine. With that in mind, Microsoft is teaming up with security consulting company Securosis to create metrics that can be used to assess the efficiency of an organization’s patching process. In an effort called Project Quant, the duo will give organizations a model with which to calculate the total cost of patch management.

“Most of the medium to larger businesses that I have worked with have at least some sort of a good patch management process in there, particularly for their desktop patches,” said Rich Mogull, founder of Securosis. “But home users, small businesses [and] all these other organizations definitely are a lot worse.”

Even the big guys don’t get it perfect, however.

“A lot of the server stuff is handled separately from desktops, so these patches go out way slower because they are worried about when can they take the server down, those kind of things,” Mogull said. “[Also] there’s a lot of times a misperception that, ‘Oh, we’re behind the firewall so we’re safe.'”

The consequences of being unpatched can be dire. In its Intelligence Report for the second half of 2008, Microsoft found that 91.3 percent of attacks against Microsoft Office exploited a single vulnerability that was patched more than two years ago (CVE-2006-2492).

In an e-mail, Qualys CTO Wolfgang Kandek told eWEEK that in general the company sees Microsoft patches being applied quickly in the beginning, reaching about 50 percent after 30 days. At that point, the patching slows down.

“I do not know why so many machines remain unpatched, but people are definitely aware of the state these machines are in through our reporting tools,” Kandek said. “It is possible that these are machines that have just entered an organization and are temporarily unmanaged, i.e. do not have automatic patching enabled. Another explanation would be that patching and potentially impacting on the functioning of the machine poses a greater problem than the risk of exploitation.”

Project Quant will encompass the patching process as a whole and will not just deal with Microsoft fixes. Ultimately, Project Quant will deliver a written report and a spreadsheet-based model. It is slated to be finished around June, according to the Securosis blog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.