Patchy years ahead for software users

IT administrators struggling to keep up with patch work

Sun combines patches with the upgrades of its Solaris and Orion software, so customers can update and fix their systems on regular schedules. However, for more pressing security issues, the company releases stand-alone patches. Sometimes these are temporary patches -- what Sun calls t-patches -- that have not gone through a thorough testing program, Gilles said.

"People installing t-patches know that they haven't gone through full testing and that they could break something," he said. However, the company feels it is necessary to issue patches for exploitable problems as soon as possible, Gilles said, noting that full testing can sometimes take a few weeks or longer.

Despite all the efforts put into delivering timely and high-quality patches, Davidson added that all vendors think they can do better. Users don't seem to expect a miracle, but are looking for a lessening of their patching problems.

Microsoft's recent decision to simplify the process by delivering patches once a month and combining fixes when possible is at least a sign that the industry is taking the problem more seriously, some users say.

Andreas Wuchner-Brühl, head of Global IT Security for Novartis Pharma AG, said that the changes were a "step in the right direction."

Wuchner-Brühl, who is on Microsoft's security advisory board, said that the software maker is paying closer attention to customers concerns.

However, the company's most recent security changes will be of little help to him. Wuchner-Brühl manages a system of over 3,000 mixed servers in a "qualified" environment, meaning that detailed reporting of any changes to the files and systems must be documented. Novartis is a pharmaceutical firm and must comply with detailed healthcare industry regulations.

In addition to the 30 minutes it takes to apply a patch, his staff has to do two to three hours of paperwork to document the patch.

"In a qualified environment there is a lot of work behind the scenes, you don't just apply a patch," Wuchner-Brühl said.

The company already collects patches for a monthly update and combining multiple fixes in one patch can actually create more work in qualified systems because administrators have to document all the changes, whether they thought they needed them or not, Wuchner-Brühl said.

Even administrators working in an unqualified environment have to do more work than simply applying a patch implies. Most companies test the patches on an isolated system first to make sure it doesn't "break" an application, especially if that application is customized.

In fact, fear of breaking applications deters many companies from applying patches that they need, according to Ecora's Bakman. Companies will put off patching, and certainly won't go through the process at critical times, like before a big retail or holiday season, he said.

Oracle's Davidson added that, "people won't apply patches for anything in the last three weeks of the fiscal year because they don't want to risk their systems going down."

Still, patching is just a symptom of underlying problems with software, Wuchner-Brühl noted. To address vulnerability issues, software vendors are increasingly looking to offer more secure products from the outset under "secure computing" initiatives.