Opinion

FUD Watch | Patch Tuesday Panic? No Thanks

Are security vendors right to bang the alarm bell every Patch Tuesday? Yes. But only to a point.

By Bill Brenner, Senior Editor

June 13, 2008

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.

The public relations folks love the second Tuesday of each month.

That's when Microsoft releases its latest batch of security updates, and it's a time for security vendors to drum up a little publicity by issuing grim warnings about the attack potential of this flaw or that.

This month, Redmond gave them fresh ammunition with seven security updates for 10 flaws, including "critical" vulnerabilities in Internet Explorer, DirectX and Bluetooth wireless software for Windows.

Qualys Vulnerability Lab Manager Amol Sarwate told IDG News Service reporter Robert McMillan that desktop users must install the critical Internet Explorer and DirectX updates as soon as possible, since the bad guys could exploit them in Web-based attacks where a criminal tricks the victim into visiting a malicious Web page and then takes advantage of the bug to install malicious software on the Windows machine.

When I was reporting on Patch Tuesday each month in my previous job, my e-mail inbox would start clogging by 10 a.m. with messages from PR reps eager to get me on the phone with one of their clients to discuss the latest cause for alarm. Then I'd get on the phone with the vendors and hear pretty much the same grim scenario - regardless of the flaw - that I heard the month before. Most of the time, the warnings were not followed by the big attack.

I don't hold this against the PR machine. These people are just doing their jobs. I don't necessarily hold it against the vendors, either. Most of the people I talk to are researchers who try to call it as they see it.

But when I talk to the IT admins dealing with this from the trenches, many of them wonder aloud what the fuss is all about.

Most of them have a patching process that stretches across several days. The first couple of days are for running the patch on test systems to see if any compatibility problems would result from a full deployment. The answer is often yes, requiring the IT staff to make the right network adjustments so the patch will play properly with business-critical applications. A full week often passes between Patch Tuesday and the point at which IT shops have deployed all the patches across the network.
