October 15, 2009, 2:07 PM — Tuesday's massive patch release from Microsoft and Adobe hit many IT security practitioners like a punch in the gut.
Microsoft unloaded a record 13 security updates to seal 34 security holes in every version of Windows, including the not-yet-for-sale Windows 7, as well as in Internet Explorer (IE), SQL Server and Office. [See the full breakdown in Microsoft Delivers Massive Patch Tuesday, Fixes 34 Flaws]
Adobe, meanwhile, delivered a security update to fix 29 vulnerabilities in its widely-used .pdf viewing and editing programs. [The full breakdown on that patch load is in Adobe Mimics Microsoft, Issues Mega Patch Update]
The sheer volume left some researchers to declare the day " an administrative nightmare."
In past interviews, IT security practitioners have told CSOonline that too much is often made of Patch Tuesday, that the horror scenarios painted by some security vendors cut against their own, fairly orderly deployment procedures. But this month, some admit they are a bit more concerned than usual.
"Heavy patch months cause 'regulated' patches," said Fresno, Calif.-based network security contractor Susan Bradley. "This in turn causes Windows XP to not properly notify folks that use the 'notify me' function." This month, she said, more people will probably get caught with that download patch bug.
Rick Lawhorn, a Richmond, Va.-based IT security practitioner, isn't worried as much about the particular vulnerabilities patched as he is about the size of the update. "Microsoft architecture, in my opinion, does not lend itself to large updates well," he said. "Updates should be small and manageable so Microsoft can work out the dependencies first. The trade-off is a higher frequency of patches, but the reward is smaller more controllable changes."
The information security director of a large restaurant chain, who requested anonymity because of the sensitive nature of the subject, said, "In our environment this is a challenging week due to the large number of remote systems that we must update. Patching is becoming a non-stop process for most organizations I believe, including ours. Patch Tuesday is just part of the releases for the month and with more and more applications and out-of-cycle releases we are driving hard towards better compensating controls like whitelisting and always seeking to reduce our threat footprint."
To help IT shops meet the challenge, we've compiled this package of content on vulnerability management best practices, along with columns analyzing whether security vendors need a different approach to the patch rollout process: