
Patches Aren't to Be Trusted

By Jim Rapoza, May 10, 2004

It's the beginning of your regular workday. You sit down at your desk and start going through the breaking tech news and looking through e-mail alerts. A big story about a new and dangerous Internet worm immediately catches your attention because the worm exploits an old security problem in Windows servers, and you know that you haven't applied the patch for that specific hole. Thinking there's no time like the present, you head to the data center to apply the patch to your systems.

You download and apply the necessary patch, and since the systems don't require constant uptime, you decide to reboot them just to make sure the patch is applied properly. But something is wrong, and the systems won't boot up.

      Did the systems fall afoul of the worm? Were you too late in applying the patch, or did you apply it improperly?

Nope. The problem isn't the worm—it's the patch.

      Something very close to this scenario recently played out for many IT managers who were attempting to protect their systems but instead damaged them. A patch that Microsoft provided to fix the SSL vulnerability in Windows servers contained a bug that would prevent certain systems from booting up properly.

You probably think I'm planning to bash Microsoft here for releasing a faulty patch, but I'm not. Yes, Microsoft should have done a better job testing the patch, but this isn't the first time a patch has had a bug in it.


Part of the problem is the term "patch" itself. It brings to mind things such as Band-Aids or spackling, and people think of it as an easy fix. But most patches aren't like Band-Aids; they are more like open-heart surgery. Often, patches are essentially full rewrites of an application or program—and any time you rewrite a program, there's a chance it will have bugs.

It's bad enough that many users have this perception of patches as a simple fix, but I'm starting to see the same attitude from software vendors. Microsoft officials have said that they plan to implement automatic software patching for forthcoming versions of Windows, stating that it will take the burden of keeping systems up-to-date off users.

Whenever I'm presented with automatic patching schemes during a vendor presentation, I inevitably mention that many of our readers say they won't implement patches until they've had time to test them, often waiting months to make sure there are no hidden problems with the patch.

      When I mention this, vendors typically respond that the automatic patching can be turned off. But this response often is accompanied by a little chuckle and a shake of the head, as if to say, “When will these old-school admins learn?”

Well, guess what: These old-school admins are right. Patches aren't to be trusted.

      When Microsoft announced it would include automatic updating as a preferred (meaning default) option in the forthcoming Windows XP Service Pack 2, many in the security community applauded the move. I can understand their enthusiasm. I, too, find it very frustrating when a worm or virus wreaks havoc on the Internet by exploiting a security hole that has had a patch available for months.

But while automatic patching sounds like a good idea, the recent problem with the SSL patch should be a wake-up call. Maybe this will remind people that patches aren't to be taken lightly; they aren't simple fixes that can be distributed and deployed without users even knowing their system has been changed.

Yes, nine times out of 10, automatic patching will be a benefit and will prevent the spread of viruses and worms that would have exploited holes that users wouldn't have patched manually. But what about that tenth time?

      Imagine a buggy patch being automatically deployed and instantly bringing down and damaging millions of systems. Something like that would make most worms and viruses look like a minor annoyance.

This is a worst-case scenario, of course. But recent history has shown that worst-case scenarios can happen. So let's keep patching in perspective and stick with education and persistence to help users keep their systems secure. And let's leave "automatic" out of patching.

      Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.


Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology, though he continues to focus on core technology areas that include content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.