September 04, 2003

Batching the Patching. Good or Bad?

Today I read an email from Thor Larholm over at PivX Solutions in which he had some comments about Microsoft's latest Security Updates. (In case you didn't know, they released five Office updates yesterday.)

He said something that got me thinking:

"Which leads to the positive side, it is definitely great to see Microsoft releasing 5 vulnerabilities in a single day, rather than releasing a new one every other day. They must have listened to the feedback from administrators who tired of inefficient and constant patch jobs, and should definitely adhere to this practice in the future. It may be a small step in optimizing the entire patch process, but it's a positive trend."

This is quite an interesting view: optimizing patch management by shipping the patches in batches. It makes a lot of sense, because administrators can get more done in a single pass, closing multiple holes in a single maintenance window. But it got me thinking about this a bit more.

Traditionally, these patches need to be tested in a "clean room" and go through a series of steps before being deployed in the production environment. These steps can easily take a few days as you ensure that the integrity and availability of the services will not be hindered by the upgrade. Anything rated "critical" can bypass that path and be addressed immediately. Given that pipeline, would having one patch every other day make a major difference, other than the rollback in testing (which I believe would be minimal if a structured methodology was used)?

This will be uniquely different in every environment. But I am not sure I would appreciate any vendor holding back a patch to fit a release cycle. Microsoft used to be bad about that: they would try to roll everything into service packs and clean up critical bugs in unannounced hotfixes. Nowadays, it seems that once a patch is ready it gets released. I would guess (and it's a wild-ass guess at that) that these five bugs came out of the Office maintainers at the same time, and that is why the patches came out the way they did.

What are your thoughts? Drop me a line (dana@vulscan.com) or comment here. Do you believe that batching the patching is better or worse in your environment? For those of you who are Windows administrators, do you use a test deployment before a patch hits the production environment, or do you just cross your fingers and patch?

It's an interesting topic for discussion. Thor ended his email talking about how the patches aren't the problem; it's getting the administrators and end users to actually apply them. And I agree with him. But I am curious as to how many administrators actually follow a properly laid-out patch management strategy. I'll bet most don't (which is why these worms seem to do so much damage), rendering batching no better (or worse) than updating blindfolded whenever you can find the time.

Posted by SilverStr at September 4, 2003 02:22 PM
Comments

The real killer isn't the number or frequency of releases but the method of deployment. There are many days I wish for something Inferno like for maintaining and deploying Windows and Office patches.

Posted by: fozbaca at September 4, 2003 03:55 PM

Foz - I think that MS has something similar to that, a system that lets you push out patches to systems in your own domain. Forget what it's called though. If I remember right, when they changed the windowsupdate.com IP to avoid the bug/worm/virus that was going around, it broke this tool. "oops"

As far as the whole patching thing goes, the problem is not so much the patching and clean room, but is there a way to revert? i.e., if something fucks up, can you go, "oh, I'll just re-install the previous version" or "oh, I'll just uninstall that latest patch"? This is something that is very easy in systems like Linux (esp. Gentoo, but doable in just about any other one if you can find the .deb or .rpm), but in a binary-only system you are stuck with binary patches, which I don't know can be reversed. I know Windows has its System Restore tool, but I've never used it or figured I'd trust it.

On the other hand, I've never (IIRC) had problems with Windows updates. I've had problems with Windows, but under 98 and XP (never did NT or 2K) I update, and things continue working just fine. Of course, I'm not doing anything more than "common user" stuff. I know that for using Windows as a server (like on purpose, not by opening attachments) you need to install your SPs in a certain order, and have the right color chicken on hand for the sacrifice. Similar to working with SCSI I think.

Posted by: Arcterex at September 4, 2003 04:03 PM
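The post's "clean room, then production" pipeline and Arcterex's question about reverting a bad update both come down to the same two things: knowing exactly which patches a run introduced, and having a scripted way to back them out when a health check fails. The script below is an added example, not code from the original post or from Microsoft; it uses only stock cmdlets (Get-HotFix, Compare-Object, Export-Clixml) and wusa.exe, and assumes an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later (for Test-NetConnection). The staging directory, the IIS service name and the port checked in Test-Health are placeholder assumptions you would replace with your own environment's services.

```powershell
# Added example (not from the original post): reversible patch run for a test box.
# Assumptions: elevated session, .msu packages staged in $PatchDir (hypothetical path),
# and a health check you replace with your own service/port tests.

$PatchDir = 'C:\Staging\Patches'                       # assumed staging directory
$Snapshot = Join-Path $env:ProgramData 'patch-baseline.xml'

# 1. Record the installed hotfix list before touching anything, so the delta is knowable.
Get-HotFix | Select-Object HotFixID, InstalledOn | Export-Clixml -Path $Snapshot

# 2. Apply each update. /quiet /norestart keeps the run scriptable and makes the reboot deliberate.
#    wusa exit codes worth knowing: 0 = installed, 3010 = installed and reboot required,
#    2359302 (0x240006) = already installed.
Get-ChildItem -Path $PatchDir -Filter '*.msu' | ForEach-Object {
    $p = Start-Process -FilePath 'wusa.exe' `
         -ArgumentList "`"$($_.FullName)`" /quiet /norestart" -Wait -PassThru
    '{0}: exit {1}' -f $_.Name, $p.ExitCode
}

# 3. Health check. Placeholder: IIS running and answering on port 80 (assumed service/port).
function Test-Health {
    $svc    = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
    $svcOk  = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $portOk = Test-NetConnection -ComputerName 'localhost' -Port 80 -InformationLevel Quiet
    return ($svcOk -and $portOk)
}

# 4. If the box is unhealthy, uninstall exactly the KBs that appeared since the snapshot.
#    Only updates that show up in Get-HotFix are removable this way; updates Microsoft
#    marks as permanent will be refused by wusa and need an image rollback instead.
if (-not (Test-Health)) {
    $before = (Import-Clixml -Path $Snapshot).HotFixID
    $after  = (Get-HotFix).HotFixID
    $added  = Compare-Object -ReferenceObject $before -DifferenceObject $after |
              Where-Object SideIndicator -eq '=>' |
              Select-Object -ExpandProperty InputObject
    foreach ($kb in $added) {
        $num = $kb -replace '^KB', ''                   # wusa wants the bare number
        Write-Warning "Health check failed; rolling back $kb"
        Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
    }
}
```

Run it on the clean-room machine first; the baseline snapshot is what turns "something broke" into "these specific KBs broke it", which is the part of the clean-room process that actually pays off when a batch of five lands at once.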