Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Networking

    Should Microsoft Take You out of the Patching Question?

    By
    Larry Seltzer
    -
    February 17, 2009
    Share
    Facebook
    Twitter
    Linkedin

      When Microsoft went to the regular monthly patch cycle many years ago it seemed counter-intuitive to many. Turns out it’s very popular among enterprises. But it still rubs some people the wrong way, including Wolfgang Kandek, chief technology officer at security company Qualys.

      Kandek has been quoted in more than one publication recently arguing that Microsoft should abandon the monthly patch cycle, at least for Internet Explorer, and follow the Mozilla model. That model has the application searching for and installing updates automatically when it is launched.

      It’s not for nothing that Kandek says this; the success of the Conficker worm confirms his assertion that many companies don’t apply patches as quickly as they should. The security advisories on the particular vulnerability exploited by that worm were about as explicit and dire as they could be. I said at the time: This vulnerability is one of those rare ones that could result in a true network worm, where a system could be successfully attacked over the network with no user action at all.

      There are plenty of mitigating circumstances for this worm; for instance, while Vista could theoretically be attacked, in practice defense-in-depth features make it almost impossible to do so. All the exploited systems in the real world are XP and earlier. But the large majority of enterprise systems run those older platforms, so any conscious network administrator should have prioritized this patch. Many did not.

      Of course, the schedule isn’t the problem here. Very few outbreaks of any vulnerability happen before the patch, and when something is urgent Microsoft can go out of band. The real problem, as Kandek sees it, is that network admins have chosen to centralize administration of patches and to go slow with them. Thus the key to Kandek’s proposal is not to change the schedule, although he does say that IE patches should come out as soon as available, but that IE should have its own independent patch mechanism, and that administrators should not control it.

      Updates to IE, Kandek says, should just be installed automatically. No testing by you.

      No doubt this would increase patch frequency in the enterprise, and I sympathize with Kandek. I definitely think that the odd application compatibility problem introduced by a patch have to be minor in comparison to the potential security problems of not patching. But that’s not my decision to make. I have no business making your patch decisions for you and neither does Microsoft. It’s your job. And if your decision not to rush the MS08-067 patch resulted in a Conficker outbreak in your enterprise, well you and whoever else is responsible deserve to suffer the consequences. It’s not Microsoft’s fault; they made a patch available and told you how serious the matter was.

      As for single users and unmanaged networks, once again I don’t see the advantage. Automatic Updates is on by default in Windows for many years, so end users should be getting these updates, too. Unless they turn off automatic updates, which a stunning number of users do.

      So if we move the patch decision from Windows to IE, won’t those same users defer patching because they heard somewhere that these patches actually make things worse?

      The only alternative, where Kandek appears to be going, is to take the decisions out of the hands of the users. Do what Google’s Chrome does, and what Firefox comes close to doing: patch without asking. Chrome doesn’t bother to ask; Firefox asks, but they ask over and over again until you say yes. And there’s no way to manage the updates at a network level.

      And Firefox’s pushiness may not be the be-all and end-all of this; A German study using Google user-agent data showed that “…the maximum share of the latest, most secure version never exceeded 80% for Firefox users…” Even for Firefox some users blow off the updates. Sounds like user freedom is a loser and Chrome’s forced patching model is the only alternative.

      I really want to hear from you, either through e-mail or with a comment below: how do you feel about losing the decision-making power on whether to patch IE?

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×