RE: Microsoft's Early Xmas Present.

From: Cloppert, Michael (Michael.Cloppertat_private)
Date: Thu Jan 03 2002 - 05:56:31 PST


    > <snip>
    > > normal people to keep up on patches is.  I'm starting to think more and
    > > more that a 3-month expiration date on Windows is a good idea.  If you
    > > haven't patched in 3 months, then your machine will refuse to do anything
    > > but download patches...
    > I second that idea. I don't think it will be implemented however, unless
    > the installer allows for that. Then again, I don't like my machines
    > updating themselves without my permission. (Yeah, I'm the geek that
    > knows what I'm doing and keeps stuff patched on my servers. Thankfully
    > I'm not the LAN admin, but I usually get to fix infected machines before
    > the LAN admins can get to figure out that they are infected by a worm
    > that yesterday's antivirus patch won't fix).

    One thing that irritates me is the notion that "the patch has been out for x
    months and companies should be patched."  Keep in mind that MANY MANY
    companies have custom software, or older software, that they rely on for
    business critical applications, which are occasionally incompatible with MS
    patches.  Sure, these companies COULD buy the latest and greatest at a price
    tag potentially in the tens of millions of dollars range... but if it's
    custom software one could still run into this problem a few months down the
    line.  Not only that, but in larger environments patching isn't simply a
    matter of slapping an executable on a machine and running it.  On
    mission-critical servers, this must be tested extensively before rolling
    out.  Each and every service that runs on some servers needs to be verified
    before DLL and kernel changes are made, otherwise VERY costly downtime could
    result.  If MS ever wants to be taken seriously in the server market, they
    need to understand these problems and write code that's not going to require
    constant babysitting in the form of patches every few weeks.

    Should admins be diligent in patching?  Absolutely.  Laziness is really
    the only reason for not working on patches.  However, keep in mind that
    while a shop with 20 servers can be patched carefully in a week or less, a
    shop with 300 can take significantly more time.

    Mike Cloppert

    This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 08:31:44 PST