"Despite all our best efforts, all vendors in this industry still have vulnerabilities," Steven Adler, senior security strategist
for Microsoft in Europe, the Middle East and Africa (EMEA), told an audience of IT administrators at Gartner Security Summit
in London last month.
While the patch situation doesn't look set to improve anytime soon, vendors say they understand the administrators' frustration
and are working to improve the situation.
Oracle Corp. Chief Security Officer Mary Ann Davidson said that her company sees patching as the last phase in its security
efforts.
"We try to do things right the first time but to err is human," Davidson said.
Oracle has a rigorous policy in place for testing and delivering patches, she said, and notifies customers of severe problems
that can be exploited.
"Otherwise, we don't want to yank their chains. People don't have time to apply a lot of patches," she said.
Patching is also a big concern for Sun Microsystems Inc., according to Gilles Gravier, the company's managing director of
operations for platform infrastructure and security in EMEA.
Sun combines patches with the upgrades of its Solaris and Orion software, so customers can update and fix their systems on
regular schedules. However, for more pressing security issues, the company releases stand-alone patches. Sometimes these are
temporary patches -- what Sun calls t-patches -- that have not gone through a thorough testing program, Gravier said.
"People installing t-patches know that they haven't gone through full testing and that they could break something," he said.
However, the company feels it is necessary to issue patches for exploitable problems as soon as possible, Gravier said, noting
that full testing can sometimes take a few weeks or longer.
Despite all the efforts put into delivering timely and high-quality patches, Davidson added that all vendors think they can
do better. Users don't seem to expect a miracle, but they are looking for some relief from their patching burden.
Microsoft's recent decision to simplify the process by delivering patches once a month and combining fixes when possible is
at least a sign that the industry is taking the problem more seriously, some users say.
Andreas Wuchner-Brühl, head of Global IT Security for Novartis Pharma AG, said that the changes were a "step in the right
direction."