Regular Patch Schedules "Two-Edged Sword"
A security analyst on Thursday took aim at the practice of some vendors of rolling out patches on regular schedules, calling it a "two-edged sword."
A slowly growing number of major software developers, in particular but not limited to operating system makers, now schedule fixed dates for patch releases rather than rolling them out as they are finished. Such regular patching was popularized by Microsoft, which began the practice in October 2003, and has since been mimicked by the likes of Apple and Oracle. On Thursday, Adobe added itself to the group, saying it would begin monthly patching in 2006.
"For maintenance releases -- small bug fixes, new features -- that's ideal. But it's a two-edged sword in security," said Chris Andrew, the vice president of product management and research at PatchLink, a Scottsdale, Ariz.-based enterprise patch management company. "On the one hand, it helps the administrators make the best of the situation. They have just one downtime window for patching. It's predictable and more manageable.
"But it's also artificially delaying the release of a patch," he argued. With attackers becoming both faster to react and more sophisticated, that can spell trouble.
Some of the firms that hew to a regular schedule, such as Microsoft, say they will release important fixes outside that cycle, but in practice -- at least with Microsoft -- it is very rare. Since the Redmond, Wash.-based developer began its second-Tuesday-of-the-month patch day, now dubbed "Black Tuesday" by many security professionals, it has gone out-of-cycle only four times. During that stretch of more than two years, the company released 112 security bulletins.
Andrew also warned companies against deploying patches automatically, without testing. While some vendors -- again, notably Microsoft -- have been pushing automatic updating on customers as a way to ensure that as many users as possible are protected, that practice comes with risks.
"Some scenarios have shown automatic patching to be disastrous in the past," argued Andrew. "Just look at what happened with Windows XP Service Pack 2."
In 2004, when Microsoft rolled out Windows XP SP2, a major security upgrade to its then-current operating system, so many companies balked at automatic delivery that Microsoft was forced to provide tools that blocked the update from reaching machines through Automatic Updates for eight months.
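On Windows hosts, Andrew's advice to test before deploying comes down to the Automatic Updates policy value that decides whether a machine installs what it downloads. The following PowerShell is an added example, not code from the article or from PatchLink: it reads the documented Windows Update policy keys under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and puts a small pilot ring on automatic scheduled install (AUOptions 4) while every other host only downloads and waits for an operator to approve the install (AUOptions 3). The ring membership list and the hostnames in it are constructed for the example.

```powershell
# Added example (not from the article or PatchLink). Run as local administrator.
# The key and value names are the documented Windows Update Group Policy registry values.
$AUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Constructed pilot ring for the example: hosts that install first so problems surface here.
$PilotRing = @('ws-pilot-01', 'ws-pilot-02')

function Get-AutoUpdatePolicy {
    # Returns the policy's AUOptions value, or $null if no policy is set on this host.
    if (-not (Test-Path $AUKey)) { return $null }
    (Get-ItemProperty -Path $AUKey -ErrorAction SilentlyContinue).AUOptions
}

function Set-AutoUpdatePolicy {
    param(
        # 2 = notify before download, 3 = download and notify before install,
        # 4 = download and install on the schedule below.
        [Parameter(Mandatory)][ValidateSet(2, 3, 4)][int]$AUOptions,
        [int]$ScheduledInstallDay = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$ScheduledInstallTime = 3   # hour of day, 0-23
    )
    if (-not (Test-Path $AUKey)) { New-Item -Path $AUKey -Force | Out-Null }
    Set-ItemProperty -Path $AUKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AUKey -Name AUOptions -Value $AUOptions -Type DWord
    if ($AUOptions -eq 4) {
        Set-ItemProperty -Path $AUKey -Name ScheduledInstallDay -Value $ScheduledInstallDay -Type DWord
        Set-ItemProperty -Path $AUKey -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord
    }
}

$before = Get-AutoUpdatePolicy
if ($env:COMPUTERNAME -in $PilotRing) {
    # Pilot ring: install automatically at 03:00 every day so a bad patch shows up here first.
    Set-AutoUpdatePolicy -AUOptions 4 -ScheduledInstallDay 0 -ScheduledInstallTime 3
} else {
    # Production: download the patch so it is ready, but do not install until an operator
    # approves it after the pilot ring has run clean through the change window.
    Set-AutoUpdatePolicy -AUOptions 3
}
Write-Host ("{0}: AUOptions {1} -> {2}" -f $env:COMPUTERNAME, $before, (Get-AutoUpdatePolicy))
```

The same split is normally enforced centrally through WSUS computer groups or Group Policy rather than per host; the script shows the policy values those tools write. Note that AUOptions 3 still downloads the patch, so the out-of-cycle fix Andrew worries about can be installed within minutes of approval without waiting for a download.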