RE: Microsoft's Early Xmas Present.

From: "Cloppert, Michael" <>
To: "''" <>
Date: Thu, 3 Jan 2002 08:56:31 -0500

> <snip>
> > normal people to keep up on patches is. I'm starting to think more and
> > more that a 3-month expiration date on Windows is a good idea. If you
> > haven't patched in 3 months, then your machine will refuse to do anything
> > but download patches...
> I second that idea. I don't think it will be implemented however, unless
> the installer allows for that. Then again, I don't like my machines
> updating themselves without my permission. (Yeah, I'm the geek that
> knows what I'm doing and keeps stuff patched on my servers. Thankfully
> I'm not the LAN admin, but I usually get to fix infected machines before
> the LAN admins can get to figure out that they are infected by a worm
> that yesterday's antivirus patch won't fix).

One thing that irritates me is the notion that "the patch has been out for x
months and companies should be patched." Keep in mind that MANY MANY
companies have custom software, or older software, that they rely on for
business critical applications, which are occasionally incompatible with MS
patches. Sure, these companies COULD buy the latest and greatest at a price
tag potentially in the tens of millions of dollars range... but if it's
custom software one could still run into this problem a few months down the
line. Not only that, but in larger environments patching isn't simply a
matter of slapping an executable on a machine and running it. On
mission-critical servers, this must be tested extensively before rolling
out. Each and every service that runs on some servers needs to be verified
before DLL and kernel changes are made, otherwise VERY costly downtime could
result. If MS ever wants to be taken seriously in the server market, they
need to understand these problems and write code that's not going to require
constant babysitting in the form of patches every few weeks.

Should admins be diligent in patching? Absolutely. Laziness is really
the only reason for not working on patches. However, keep in mind that
while a shop with 20 servers can be patched carefully in a week or less, a
shop with 300 can take significantly more time.

Mike Cloppert

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: