Patch management critiques

Scott Berinato’s article in CIO Magazine about the dangers of patch management, “FrankenPatch,” discusses the problems of patch management: the difficulty of keeping on top of patches, what happens when patches break things, and so on.

It suggests that the right approach is to be watchful, and to patch selectively and late after others have worked out the kinks, and to not disclose vulnerabilities so as not to give hackers a roadmap to exploit the problem.

Eminently sensible.

Except for this one small problem: in a highly networked world, where worms can infect all the world’s vulnerable systems in less than ten minutes, it’s hard to make a case that selective patching and risk management make things better. In fact, I’d argue that they give virus writers a broader target.

And not disclosing vulnerabilities? Smells like liability lawsuit to me. Even if it didn’t, though, I think we as software makers have an ethical obligation to fix vulnerabilities and tell customers about what we fixed.

An interesting factual error too: Berinato mischaracterizes MSDE (the Microsoft SQL Desktop Engine) as embedded database connection software. It’s actually a database engine that a developer can embed in a desktop application.

That said, applying the patches that prevent Slammer was a truly painful process.