Friday, October 24, 2008

I just don't get it.

I just don't get it. Microsoft issues a critical patch out of cycle and people are running around like mad, the sky is falling and all that, but every month we deal with up to a dozen patches and take it in stride. Yes, there are exploits in the wild. Yes, it could be ugly if something exploiting this got loose in your network. We have the tools to make this relatively painless, so what's the problem?

I suppose there may be situations where the patch breaks things, but since this seems to overlap a previous patch, probably not too many. I know reboots of some systems have to be scheduled and can be tricky to arrange.

I suppose it is even possible that there are networks without patch management tools, but there isn't really an excuse for that in most environments. I even have a workaround for this one: grab an evaluation copy of some nice patch management software and use it. Really, some are pretty simple to set up and run. I have been a big fan of Shavlik's tools for many years; if you don't know where to look, start there. You just need a spare machine running Windows 2000/XP/2003/2008 (but not Vista), and that's right, it doesn't have to be a server OS. After you scan your network and do some test deployments, schedule the rest of the deployments and relax. Pay attention, but relax. And when that's done, scan your network again and see what else needs patching. Any of the commercial tools do more than just Windows OS patches (Shavlik really shines here), and some can also manage application deployment, so testing the trial version may show you enough to justify the expense of buying the product even in these trying times.
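Even before a trial copy of a patch management product is installed, the "scan your network and see who is missing it" step can be done with what Windows already ships. The script below is an added example, not part of the original post and not Shavlik's or Microsoft's code: it asks each host for its installed hotfix list via the Win32_QuickFixEngineering WMI class and reports which ones lack a given KB. The KB number and the host names are placeholders you would replace with your own; the output file name is likewise an assumption.

```powershell
# Added example (not from the original post): report which hosts in a list
# are missing a given hotfix, using the Win32_QuickFixEngineering WMI class.
# The KB number, host names and output path are placeholders/assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$KB,                                    # e.g. "KB000000" (placeholder, use the real KB)
    [string[]]$Computers = @("host1", "host2"),     # assumed host names; replace with your own list
    [string]$ReportPath = ".\patch-gaps.csv"        # assumed output location
)

$results = foreach ($c in $Computers) {
    try {
        # Remote WMI query; needs local admin rights on the target and RPC/WMI reachable.
        $fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop
        $installed = @($fixes | Where-Object { $_.HotFixID -eq $KB }).Count -gt 0
        New-Object PSObject -Property @{
            Computer = $c
            Status   = if ($installed) { "Installed" } else { "MISSING" }
            Error    = $null
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently skipped:
        # a box you could not scan is as unknown as an unpatched one.
        New-Object PSObject -Property @{
            Computer = $c
            Status   = "UNKNOWN"
            Error    = $_.Exception.Message
        }
    }
}

# Show everything on screen, and write only the hosts that still need attention to a CSV
# that can become the deployment list for the patch management tool.
$results | Sort-Object Status, Computer | Format-Table Computer, Status, Error -AutoSize
$results | Where-Object { $_.Status -ne "Installed" } |
    Select-Object Computer, Status, Error |
    Export-Csv -NoTypeInformation -Path $ReportPath
```

Two caveats a practitioner would want: the query reads the machine's own record of what it installed, so it tells you a package was applied, not that the vulnerable code is gone (a patch awaiting its reboot still shows as installed, and an update that does not register itself with the hotfix inventory will not show at all), which is exactly the difference between patch management and vulnerability scanning the post alludes to; and a list of names is only as good as the inventory it came from, so run it against your directory or DHCP leases rather than a hand-typed list.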

I could even go off on the Patch Management vs. Vulnerability Scanning rant, but that's a post for another day.