Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure, from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month, and that can be rather comforting. Download, test, apply, eat your donut, repeat next month. From a security perspective, though, it makes absolutely no freaking sense.
So what happens when a hole is discovered on the Wednesday after Patch Tuesday? That’s right, nothing happens until the next Patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found the hole and aren’t actively exploiting it.
Some companies, like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule; instead they patch when needed. From a security point of view this is preferred, as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad: it means you’re fighting fires, it means you can’t plan or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!
The reporters over at ComputerWorld evidently felt like it was a good time to bring up this ancient argument again and found a couple of clueless Windows admins who claim to be “security researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the enterprise. Since Apple is the one making them do work and apply patches on a Thursday, it must be Apple who is wrong. Sun, and HP, and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.
Most people in the security industry understand the double-edged sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer; it depends on which side of the fence you stand on and what is more important: being secure, or having time on Wednesday to eat your honey dipped donut.

This entry was posted in Apple, Commentary by Space Rogue.

About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles, as well as appearing on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or referred to by other major media outlets. He has spoken before numerous audiences including the Digital Messaging Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network, which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the Whacked Mac Archives, which at the time was the largest and most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.