The Patch Tuesday Survival Guide
Tuesday's massive patch release from Microsoft and Adobe hit many IT security practitioners like a punch in the gut.
Microsoft unloaded a record 13 security updates to seal 34 security holes in every version of Windows, including the not-yet-for-sale Windows 7, as well as in Internet Explorer (IE), SQL Server and Office. [See the full breakdown in Microsoft Delivers Massive Patch Tuesday, Fixes 34 Flaws]
Adobe, meanwhile, delivered a security update to fix 29 vulnerabilities in its widely-used .pdf viewing and editing programs. [The full breakdown on that patch load is in Adobe Mimics Microsoft, Issues Mega Patch Update]
The sheer volume left some researchers to declare the day " an administrative nightmare."
In past interviews, IT security practitioners have told CSOonline that too much is often made of Patch Tuesday, that the horror scenarios painted by some security vendors cut against their own, fairly orderly deployment procedures. But this month, some admit they are a bit more concerned than usual.
"Heavy patch months cause 'regulated' patches," said Fresno, Calif.-based network security contractor Susan Bradley. "This in turn causes Windows XP to not properly notify folks that use the 'notify me' function." This month, she said, more people will probably get caught with that download patch bug.
Rick Lawhorn, a Richmond, Va.-based IT security practitioner, isn't worried as much about the particular vulnerabilities patched as he is about the size of the update. "Microsoft architecture, in my opinion, does not lend itself to large updates well," he said. "Updates should be small and manageable so Microsoft can work out the dependencies first. The trade-off is a higher frequency of patches, but the reward is smaller more controllable changes."
The information security director of a large restaurant chain, who requested anonymity because of the sensitive nature of the subject, said, "In our environment this is a challenging week due to the large number of remote systems that we must update. Patching is becoming a non-stop process for most organizations I believe, including ours. Patch Tuesday is just part of the releases for the month and with more and more applications and out-of-cycle releases we are driving hard towards better compensating controls like whitelisting and always seeking to reduce our threat footprint."
To help IT shops meet the challenge, we've compiled this package of content on vulnerability management best practices, along with columns analyzing whether security vendors need a different approach to the patch rollout process:
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Microsoft
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
