Patchy years ahead for software users

Microsoft, for example, has said that it is rolling out technologies to protect customers from problems such as buffer overruns which are often exploited by hackers to takeover computers, and to offer protection against attacks on communications ports.

The Redmond, Washington, software maker has said that its upcoming desktop operating system, code-named Longhorn, will be more secure. Longhorn isn't due until mid-2005, however.

"That's at least two more years of patching on the desktop," Gartner analyst John Pescatore said at the Gartner Security Summit in London. "And there will still be problems."

While vendors work to deliver more secure products, users are being advised to put a patch management process in place.

In a research note released in March, Gartner analysts advised companies to prioritize patch installations based on how critical the security vulnerability is, and to evaluate the patch installation requirements. Some patches may require other patches to be applied at the same time, Gartner said, and can be superseded by more-current patches or service packs.

Companies should classify server and desktop configurations as standard and nonstandard so they can be patched according to their specific needs and all patches should be tested before deployment, Gartner said. Furthermore, companies should only accept official patches and the patch management infrastructure should be as secured as the company's outward-facing Web and application servers.

If all that is enough to make the IT department's head spin, a host of vendors has stepped in to offer patch management tools which, among other things, log system configurations and automate some installation and update functions.

While these tools offer administrators some much needed help with the symptoms of software insecurity, the problem for now, remains.

"Since software was first developed, there have been patches," Ecora's Bakman noted. "And that won't change anytime soon."