FUD Watch | Patch Tuesday Panic? No Thanks
Are security vendors right to bang the alarm bell every Patch Tuesday? Yes. But only to a point.
By Bill Brenner, Senior Editor
June 13, 2008
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.
The public relations folks love the second Tuesday of each month.
That's when Microsoft releases its latest batch of security updates, and it's a time for security vendors to drum up a little publicity by issuing grim warnings about the attack potential of this flaw or that.
This month, Redmond gave them fresh ammunition with seven security updates for 10 flaws, including "critical" vulnerabilities in Internet Explorer, DirectX and Bluetooth wireless software for Windows.
Qualys Vulnerability Lab Manager Amol Sarwate told IDG News Service reporter Robert McMillan that desktop users must install the critical Internet Explorer and DirectX updates as soon as possible, since the bad guys could exploit them in Web-based attacks where a criminal tricks the victim into visiting a malicious Web page and then takes advantage of the bug to install malicious software on the Windows machine.
When I was reporting on Patch Tuesday each month in my previous job, my e-mail inbox would start clogging by 10 a.m. with messages from PR reps eager to get me on the phone with one of their clients to discuss the latest cause for alarm. Then I'd get on the phone with the vendors and hear pretty much the same grim scenario - regardless of the flaw - that I heard the month before. Most of the time, the warnings were not followed by the big attack.
I don't hold this against the PR machine. These people are just doing their jobs. I don't necessarily hold it against the vendors, either. Most of the people I talk to are researchers who try to call it as they see it.
But when I talk to the IT admins dealing with this from the trenches, many of them wonder aloud what the fuss is all about.
Most of them have a patching process that stretches across several days. The first couple days are for running the patch on test systems to see if any compatibility problems would result from a full deployment. The answer is often yes, requiring the IT staff to make the right network adjustments so the patch will play properly with business-critical applications. A full week often passes between Patch Tuesday and when IT shops deploy all the patches across the network.