Over the last week I've had two clients who've had computers broken into because their computers were not appropriately patched. One client's Internet-facing server lacked a critical system patch, and the other was exploited by an unpatched client system infected by a "trusted" Web site.
I know at times that I sound like a broken record about this issue, but I've yet to visit a client (and I consult, on average, about three per month) that has acceptable patching practices in place. They all have patch management software, but for various reasons, my spot-check auditing usually reveals significant deficiencies.
[ Related from security news: "New Web attack exploits unpatched IE flaw" | Earlier this week, Microsoft released this year's final set of patches, bringing the total for 2008 to 77 patches ]
A study by Secunia showed that only 1.91 percent of the computers scanned by their Software Inspector product were completely patched. Even worse (see table below), nearly half of the PCs inspected had 11 or more unpatched programs.
0 Insecure Programs 1.91% of PCs
1 - 5 Insecure Programs 30.27% of PCs
6 - 10 Insecure Programs 25.07% of PCs
11+ Insecure Programs 45.76% of PCs
And you have to believe that the people running the Software Inspector program are among the security-savvy.
Why don't people -- and in particular, administrators -- patch properly? First, it's a difficult job to keep on top of. The patches come frequently throughout the week. Microsoft may only release patches on one Tuesday a month, but most vendors release them ad hoc, often without warning. You may hate Patch Tuesday, but I've heard Linux and Apple administrators complaining about how they get their teams together and apply a patch, only to discover yet another new patch the day after, and another the day after that. If you live in that world, Patch Tuesday doesn't seem so bad. And that's only one vendor's software. Add in every software product you have, each with a different patching cycle, and it's a plan for chaos.