RE: Microsoft's Early Xmas Present.

From: "Cloppert, Michael"
Date: Thu, 3 Jan 2002 08:56:31 -0500

> <snip>
> > normal people to keep up on patches is. I'm starting to think more and
> > more that a 3-month expiration date on Windows is a good idea. If you
> > haven't patched in 3 months, then your machine will refuse to do anything
> > but download patches...
> I second that idea. I don't think it will be implemented however, unless
> the installer allows for that. Then again, I don't like my machines
> updating themselves without my permission. (Yeah, I'm the geek that
> knows what I'm doing and keeps stuff patched on my servers. Thankfully
> I'm not the LAN admin, but I usually get to fix infected machines before
> the LAN admins can get to figure out that they are infected by a worm
> that yesterday's antivirus patch won't fix).

One thing that irritates me is the notion that "the patch has been out for x
months and companies should be patched." Keep in mind that MANY MANY
companies have custom software, or older software, that they rely on for
business critical applications, which are occasionally incompatible with MS
patches. Sure, these companies COULD buy the latest and greatest at a price
tag potentially in the tens of millions of dollars range... but if it's
custom software one could still run into this problem a few months down the
line. Not only that, but in larger environments patching isn't simply a
matter of slapping an executable on a machine and running it. On
mission-critical servers, this must be tested extensively before rolling
out. Each and every service that runs on some servers needs to be verified
before DLL and kernel changes are made, otherwise VERY costly downtime could
result. If MS ever wants to be taken seriously in the server market, they
need to understand these problems and write code that's not going to require
constant babysitting in the form of patches every few weeks.

Should admins be diligent in patching? Absolutely. Laziness is really
the only reason for not working on patches. However, keep in mind that
while a shop with 20 servers can be patched carefully in a week or less, a
shop with 300 can take significantly more time.

Mike Cloppert
