In Depth

Software Patching: Patch and Pray

Patching, the only way to prevent poorly designed software from breaking everything, no longer works. And there's nothing you can do about it. Except maybe patch less. Or possibly patch more.

By Scott Berinato


Hernan says, "I can understand the frustration that can lead to the attitude of, 'Forget it, I can't patch everything,' but that person's taking a big chance. On the other hand, he's also taking a big chance applying a patch."

"I don't have much faith in automated patching schemes," says Rambus. "But I could be convinced."

Georgia's Wynn is ambivalent too. "If you think patch management is a cure, you're mistaken. Think of it as an incremental improvement. I have to take a theory of the middle range," he says vaguely.

Postscript

On Monday after Slammer hit, Microsoft re-released MS02-061 to cover up the memory leak and update ssnetlib.dll, and it was much easier to install. Of course, by then, Slammer was already pandemic. Microsoft itself was infected badly, prompting a moment of schadenfreude for many. ISP networks had collapsed; several root DNS servers were overwhelmed; airlines had canceled flights; ATM machines refused to hand out money. In Canada, a national election was delayed.

And after all that, the patches had, at best, a minuscule mitigating effect against Slammer. What ended up preventing Slammer from worming its way into the workweek and causing even more damage, it turns out, was a rare and unusual gesture by ISPs. That same Monday, they agreed to cooperatively block Internet traffic on UDP port 1434, the one Slammer used to propagate itself. "That's what allowed us to survive," says Cooper.

And surely, with ISPs blocking the door, companies would seize the opportunity to update, test and deploy the new patches. Or, if they felt up to it, they could upgrade to Service Pack 3. They could use the time to locate and patch all of their MSDE clients and, once and for all, kill Slammer dead.

Ten days later, when ISPs opened port 1434 again, sure enough, there was a spike in Slammer infections of SQL Servers. Six months later, in mid-July, as this story went to press, the Wormwatch.org listener service showed Slammer remained the most prevalent worm in the wild, twice as common as any other worm. It was still trolling for, and finding, unpatched systems to infect.
