Debunking the Patch Tuesday hype machine

A familiar pattern reared its ugly head in my e-mail inbox Tuesday afternoon. And while I mean no disrespect toward my PR friends, it's starting to annoy me.

The second Tuesday of each month has become something of a holiday for PR firms whose clients include all the big security software vendors -- Patch Tuesday, when Microsoft releases security updates for the latest attack-prone flaws in Windows, Internet Explorer, etc.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

The e-mails I get tend to play up the latest flaws as if the apocalypse is at hand. Patch immediately, their clients warn, or doom will almost certainly befall your company computer networks. This past Tuesday was no exception, when Microsoft rolled out a fix for three bugs in its Windows Server Message Block (SMB) file and print service.

To make the tone graver still, Oracle and Research In Motion released critical security updates Tuesday as well.

My PR friends will probably get angry as they read this. My response: I know you're just trying to do a job, and I even believe you when you say the goal isn't to stir up FUD, but to simply raise awareness and ensure companies install security patches quickly. That's an admirable goal, and there's no doubt such a message is necessary on the consumer side, where the not-too-tech-savvy masses are tearing up the Internet on laptops, PCs and mobile devices with no thought about security.

But my observation in the business world is much different, making the need for alarmist Patch Tuesday announcements unnecessary.

I've visited a lot of IT shops in recent years, including those at Children's Hospital, the Papa Gino's pizza chain and the Boston Celtics. The purpose of the Children's Hospital visit was specifically to observe their monthly patching procedures. At the other places, the mention of Patch Tuesday sparks the same response: They have a standard patching procedure that stretches over seven days from the initial patch release. It's all a routine for them. No butterflies in the belly.

The first day is for evaluating the patch load and which ones are most important for the organization to install first. The order of importance is not the same from place to place. Next comes a few days of putting the patches on test machines to see if they break other programs on the network. Patching ASAP is not useful if the patch causes critical business applications to misfire and grind to a halt. Usually about a week in, after those glitches have been tweaked, the patches are rolled out. Thanks to Microsoft's automatic update machinery, the process is as straightforward as clicking on boxes next to the patches you want.