The Costs of Patching 311

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company whose patches are possibly responsible for 45% of traffic on some networks."
  • by Fallen Kell ( 165468 ) on Thursday May 01, 2003 @03:24PM (#5855349)
    ... to realise that it costs more to do things 2, 3, or 4 times than if they had done it right the first time...

    And that it costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...

    Amazing reality breakthrough!
    • Is this going to be how they justify paying for huge license fees?
    • by Surak ( 18578 ) * <[surak] [at] [mailblocks.com]> on Thursday May 01, 2003 @03:46PM (#5855620) Homepage Journal
      The real cost, aside from downtime, is in the integration testing of those patches. If you don't do the integration testing, the cost is potentially even HIGHER because you don't know what those patches could break. Unfortunately, doing proper integration testing means you end up way behind the curve in terms of the patch cycle, which ultimately means an even greater risk of attack.

      So you're damned if you do and you're damned if you don't.

      Hey, I know, maybe Microsoft could do this new thing called PROPER BETA TESTING, and then maybe they could get it right THE FIRST TIME!

      Nah, that'd be too easy. ;)
      • That is exactly the issue we face at my large corporation. We finally got to the point that we download the patches centrally, create a mega-patch consisting of the various Qxxxxxx patches from MS, and then test those on a staging server that mimics various vital functions throughout the enterprise. We had problems with loose cannons going around and applying windows-updates to production servers that then had problems with a certain piece of software, or what not. Anyways... you're right.. half the time spent b
      • Let's face it-- if the bugs that cause the critical bugs even make it to beta, there is something wrong because there is a good chance they will get through even with the best testing.

        The problem is not the testing or even the coders. The problem is often the application designers/architects who often are thinking "features" when they should be thinking "security."

        I suspect that $1 of design is worth $10 of coding, $100 of testing, and $1000 of patching for Microsoft, let alone the poor customers.
    • My personal feeling is this is due to the development cycles. Now I'm not saying that people can produce bug free code but I can't help thinking that more quality control would avoid some of these. Surely some automated testing could be done on some sort of security holes.

      Rus
  • Also known as... (Score:4, Insightful)

    by Evil Adrian ( 253301 ) on Thursday May 01, 2003 @03:25PM (#5855357) Homepage
    This statement is also known as "an ounce of prevention is worth a pound of cure."
  • by Anonymous Coward on Thursday May 01, 2003 @03:25PM (#5855358)
    Rather than throwing away an otherwise perfectly good pair of pants, patches have allowed me to fix them and extend their life. In some cases, patches can even be fashionable. Sewing is a great skill that all geeks should learn.
  • Patches (Score:2, Funny)

    by Anonymous Coward
    Using the patch is about as expensive as smoking, but will be more beneficial in the long run because after a while, you'll be done with the nicotine forevar and not need to buy patches no more.
  • by rhfrommn ( 597446 ) on Thursday May 01, 2003 @03:26PM (#5855378)
    The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

    However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?
    • by H310iSe ( 249662 ) on Thursday May 01, 2003 @03:39PM (#5855548)
      Whenever deploying new patches OR antivirus DAT files (they cause havoc as well) we did a full regression test of the standard desktop image.

      First a high level person would look at the patch (usually using InstallShield's application repackager), read the documentation, etc. and look for possible conflicts with the production environment. This took between 2-4 hours per patch x $60/h. The regression test took one lower-level tech about 2 days to do. We'd lump a few patches together so say 1 tech x $40/h (at least, w/ benefits, etc.) x 2 days / 3 patches per test = about $213/patch + eval ($180 per patch) = around $400 per patch to test. Deployment took another hour to write the install script (rarely did we rely on MS's installer alone), 1 hour to document and send to the regional offices and each office probably spent an hour implementing the thing. Total cost around $600 per patch for a 1,000 desktop, 11 office environment.

      Now you know.

    • The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

      For the usual "feature" patches ("This patch adds pretty shiny things to the edge of your window"...), you're absolutely right: making any kind of large-scale change (like putting a new patch on 1000 machines) is a big deal. Even if it's all automated via network management tools, you'll need to test, prepare and then support it. Do you really


    • The only decision for some security patches is how long do you wait before deploying it.

      That's not quite the only choice--you have two other choices: adopt Linux; adopt Macs. If the cost of patching is really that great, it raises the cost of the machine--until maybe purchasing a Mac isn't all that expensive after all.
      • you have two other choices: adopt Linux; adopt Macs.

        From a patching perspective. Why would this cost less? Macs and Linux still require patching, because ALL software has bugs.

        Macs especially: Buying a whole new computer is more expensive than using your existing hardware. I don't see where you get the "Mac is cheaper" argument.
        • Because this is Slashdot, where if you suggest migrating *anything* to Linux, you automatically get modded up. Even if it's an organization running on Commodore 64s, 'install Linux' is somehow insightful.

          Considering the ease of use and effectiveness of the latest Samba exploit, anyone thinking Linux machines are somehow magically more secure and cheaper than Windows machines is kidding themselves. It's all about how you configure/maintain them.
    • Good grief, I remember the spat between Novell and Microsoft back in '93, IIRC, when Microsoft poked fun at Novell for the number of patches that had been issued. Novell claimed that NetWare was superior because they admitted that no software was written perfectly first time, and faced up to their security obligations responsibly. Now it looks like the positions have reversed!
    • Somehow reminds me of this scene...

      JACK (V.O.)
      I'm a recall coordinator. My job was to apply the formula. It's
      simple arithmetic.

      TECHNICIAN #1
      Here's where the baby went through the window. Three points.

      JACK (V.O.)
      It's a story problem. A new car built by my company leaves Boston
      traveling at 60 miles per hour. The rear differential locks up.

      TECHNICIAN #2
      The teenager's braces locked around the backseat ashtray. Kinda makes a
      good "anti-smoking" ad.

      JACK (V.O.)
      The car crashes and burns with everyone trapp
  • by ih8apple ( 607271 ) on Thursday May 01, 2003 @03:27PM (#5855395)
    This document [microsoft.com] was part of an interesting debate over the last year and a half between MS and Novell over whose product was more buggy (measured in terms of number of patches.)

    (Google [216.239.51.100] cache version in html.)
    • by zero-one ( 79216 ) <jonwpayne@[ ]il.com ['gma' in gap]> on Thursday May 01, 2003 @03:50PM (#5855678) Homepage
      Yup, that document was funny. I liked this bit: "Additionally, Novell has neglected to be clear about the fact that GroupWise runs on Windows NT and Windows 2000, so patches that apply to Exchange customers also apply to GroupWise customer running a GroupWise system on Windows systems". So Microsoft are arguing that Novell haven't taken full account of the security issues due to Microsoft in a report bashing Microsoft. I am not sure that is an argument that Microsoft should be shouting about!
    • (measured in terms of number of patches.)

      The number of patches must be the worst possible metric for measuring bugs. A better measure is: (several bugs per 1000 lines of code) X (40,000 thousand lines of code in Windows) = over 100,000 bugs in Windows. Thus, it follows that (100,000 bugs/installation) X (100,000,000 installations) = 10,000,000,000,000 Windows bugs worldwide.....OMG, the plague of the apocalypse is upon us!
  • by jonfelder ( 669529 ) on Thursday May 01, 2003 @03:27PM (#5855400)
    Well...patching is also one of the most important things you can do with regards to security. So at least in this case the expense is justified. Although patching is annoying, until people learn how to write perfect code it is a necessity.

    IMHO getting hacked is much more expensive.

  • NEW MATH (Score:5, Insightful)

    by stratjakt ( 596332 ) on Thursday May 01, 2003 @03:28PM (#5855408) Journal
    responsible for 45% of traffic

    But spam is responsible for, what was it Taco, 60% of traffic on networks?

    I'm at 105% utilization already!

    BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

    Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.
    • Re:NEW MATH (Score:5, Insightful)

      by aridhol ( 112307 ) <ka_lac@hotmail.com> on Thursday May 01, 2003 @03:36PM (#5855524) Homepage Journal
      Don't forget the 70% that is porn.

      Let's face it. There's no real way to know for sure what is on those wires unless you monitor them. And I don't think anybody here wants to open that can of worms.

    • As for the utilization, you were probably making a joke, but he did say 45% on _some_ networks.

      The difference of patching on Linux as I see it is that kernel patches are rare, and are just about the only update that requires a reboot. All other services can be upgraded without affecting the rest of the system.

      Windows seems to give these black box security updates, all of which prompt for a reboot, whether it is technically necessary or not, I don't know.
    • Re:NEW MATH (Score:5, Funny)

      by clambake ( 37702 ) on Thursday May 01, 2003 @03:41PM (#5855578) Homepage
      responsible for 45% of traffic

      But spam is responsible for, what was it Taco, 60% of traffic on networks?

      I'm at 105% utilization already!


      Didn't you see that the article was about Microsoft? I'm sure there is at least SOME overlap in the spam/patch metrics.
    • 79% of all percentages are made up on the spot.
    • responsible for 45% of traffic

      But spam is responsible for, what was it Taco, 60% of traffic on networks?

      I'm at 105% utilization already!

      We conclude that at least 5% of network traffic is Windows patching spam. Please don't be so narrow minded.

      Windows patching porn spam, actually, incorporating further data from this thread...

      (Actually, there's no problem at all - 100% of traffic on some networks may be Quake, while 100% of the traffic of some other networks may be something else...)

    • by gosand ( 234100 )
      BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

      Actually, just the act of patching may be roughly equal. But UN-patching a system can be done very easily on a *nix based system. How do you UN-patch a Windows based system?

      Also, when I rebuild apache, I know what I am affecting. When I install a Windows patch, I cross my fingers.

      • Well that's easy. You go from start through settings to control panel and then add/remove programs... select the patch you want to remove from the list and click the button that says uninstall software. And if you want to know what the patch is actually doing just open it up with a package management tool. InstallShield makes a gaudy one that you have to pay for, but there are several that you can try for free. Maybe you should stop crossing your fingers and analyze the logic problem before you. It's no
    • Re:NEW MATH (Score:3, Funny)

      by BrynM ( 217883 ) *
      "Bad code" is a patentless technique used ubiquitously.

      Quick! Get Bezos! We've got to file a patent on Bad Code before anyone else does!

    • Re:NEW MATH (Score:5, Insightful)

      by Pyrosz ( 469177 ) <amurray@stage 1 1 . ca> on Thursday May 01, 2003 @03:58PM (#5855766) Homepage
      If you're going to bash someone, make sure you are correct first. Taco did not write that comment and you didn't even read the entire comment correctly as it states "...possibly responsible for 45% of traffic on some networks." If Taco had written the comment it would not have been in Italics.

    • responsible for 45% of traffic

      But spam is responsible for, what was it Taco, 60% of traffic on networks?


      Microsoft's patches obviously contain spam! I would consider desktop icons for AOL or MSN count to be spam.
    • RT(F)A. :)

      It said the traffic reached 45% *during* the times M$ released updates.
  • to be honest, I spend a whole lot more time doing patching and regression testing on my Linux systems than I do on the WinXP machine. Granted, the end result is usually more stable on Linux, but it better be for all the mucking about I have to do in /etc and playing line-up-the-library-versions.

    Sometimes I wish there was the equivalent of Windows Update for Linux. If it wasn't worth the effort I wouldn't be using it, of course, but the asymmetry between the Windows patches and Linux patches doesn't seem

    • by BlueTooth ( 102363 ) on Thursday May 01, 2003 @03:34PM (#5855492) Homepage
      RedHat's up2date works pretty well so long as you stick to their RPM releases of the software you want to keep updated.

      It works well for me, and all I need to stay on top of are things I build by hand (typically Webserver and its ilk plus kernel), but all my libraries stay nice and fresh.
    • by Nothinman ( 22765 ) on Thursday May 01, 2003 @03:35PM (#5855499)
      Sometimes I wish there was the equivalent of Windows Update for Linux


      apt-get update
      apt-get upgrade


      I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.

      • Apt4rpm (Score:3, Informative)

        by hughk ( 248126 )
        apt4rpm works very nicely for RH. It will not auto update kernels (I regard this as a feature) but it will pull them down if you ask specifically.
      • Say it ain't so! (Score:5, Interesting)

        by RealAlaskan ( 576404 ) on Thursday May 01, 2003 @03:52PM (#5855698) Homepage Journal
        apt-get update
        apt-get upgrade

        That's what I do, and I'm not sure what all the fuss is about. Things get fixed, usually before I ever knew they were broken, daemons get restarted, nothing gets interrupted, life goes on ... If I took the trouble to make it a cron job, I'd never even know.

        ... Craig Fiebig, ... is quoted as saying "In dollar terms, patching is the most expensive security measures ...

        Is Mr Fiebig telling us that things don't go so smoothly if you use MS products? Or that MS can't keep up with a bunch of amateurs? Do MS patches break non-MS apps? Could all this be why so many worms and viruses manage to spread across unpatched MS products? Could it be that MS patches are as bad as the bugs they fix? SAY IT AIN'T SO, CRAIG!

        • apt-get update
          apt-get upgrade
          If I took the trouble to make it a cron job, I'd never even know.

          I have them in my cron (upgrade -d -qq, so everything gets downloaded) (and another job sends me a mail if need be), but I prefer to be connected to the box and to see that the upgrade goes well (as it has, except for minor details around the one time Debian Woody became Debian stable). Ought to make the cron job run the updates automatically, if they have been lying around for more than a week - probably s

      • I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.

        Precompiled kernels work just fine and Debian's /etc/modules file makes it easy to change around hardware. Going from 2.2 to 2.4 was easy stuff. I can only imagine that they will use the same kind of upgrade policy for kernels as they do for every other package now, therefore I expect my kernels to be patched if some kind of flaw is discovered.

        The po

    • RedHat has up2date. It will even let you push updates to all the company computers, if you set them up for that. It costs money though.
    • Sometimes I wish there was the equivalent of Windows Update for Linux

      Redhat network works wonders for me. It catalogues all of the software that shipped with Redhat, and lets me know which of my systems requires what errata (updated software). Third party isn't a term that most open source companies recognize. =)

      Best part is, I don't have to be on my actual system to check for available updates. I just log in to the RHN and look at the list of my registered systems. This trounces Windows update IMHO.

    • by MacJedi ( 173 )
      If you use an RPM based system you may want to check out YUM [duke.edu].

      /joeyo

    • Sometimes I wish there was the equivalent of Windows Update for Linux.

      In essence, there is. Just requires (as always) a little manual setup on your own.

      I have one central update box. It runs fmirror every three hours, pulling down the latest Mandrake patches (8.2, 9.0, 9.1) and emails me if there has been a change.

      That box has NFS exports (you could use ftp, if you wish, to avoid the NFS problems) to all the other servers.

      The other servers have the update box defined as an "update" source in urpmi.

      I
  • Nothing new there (Score:5, Insightful)

    by Timesprout ( 579035 ) on Thursday May 01, 2003 @03:28PM (#5855412)
    The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve.
  • If you want security on your boxen it is prevalent to install just the components you need and no more than that. For example, it is safer to have a dedicated firewall/router and a separate desktop machine for accessing the Internet than to just connect with a 'one-size-fits-all' installation. This goes for Windows as well as for GNU/Linux and/or *BSD. Myself, I have an OpenBSD box connected to my DSL-line and patching is seldom needed (at least compared to other OSes). This way I can fool around on my
  • Not surprising (Score:5, Insightful)

    by Neophytus ( 642863 ) on Thursday May 01, 2003 @03:28PM (#5855417)
    People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.
  • Lamers (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday May 01, 2003 @03:29PM (#5855424) Homepage Journal

    Pff.. you lamers with your fancy-pants Windows or your free Linux or *BSDs are all clueless. I haven't patched my Apple ][+'s DOS3.3 for 20 years and it still has yet to be 0wned.
  • Patches (Score:3, Insightful)

    by zzxc ( 635106 ) on Thursday May 01, 2003 @03:30PM (#5855438)
    If MS wouldn't include so much "junk data" to keep their proprietary data secret in patches, they wouldn't be so large. And, if there was a way to do a patch "rollback", then faulty patches wouldn't bring down a system until a new fix-patch was released. (One of the recent MS patches was found to cause some machines to stop booting)

    -----------
    From Ape to Man: Evolution [turnpike.net]
  • Interesting sidebar. (Score:2, Interesting)

    by Infernon ( 460398 )
    After reading this post, I checked windows update and found two brand new criticals... That makes five in three weeks. If they'd get it right the first time...
  • Relying on Microsoft products for your security.

    rim-shot

    Thank you. I'll be here all week. Tip your waitresses.

  • by allanj ( 151784 ) on Thursday May 01, 2003 @03:33PM (#5855474)

    I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one? [slashdot.org]". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...

    • What are you waiting for? Make a switch!

      Making a switch was hard for me, esp. since I went straight for Debian, but an escape from the clutches of M$ provides all the motivation.
      • No such luck - I work at an all-MS shop, and apart from the all-MS issue it's a great job.


        At home I've got an old box running RedHat to play around with, so I get out of the clutches once in a while where *I* decide what gets to run on my machine...

  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Thursday May 01, 2003 @03:33PM (#5855476) Homepage Journal
    ..because one of the many new features of Server 2003 is the ability to update patches automatically.
    So they will use this 'cost savings' to push the new product. At the launch event, they bagged on their older products pretty damn hard.

    It's part of their latest slogan
    "do more with less".
    Personally, I don't know who this Less guy is, or why I would want to do more with him. Ironically I prefer less to more.
  • I feel the pain (Score:3, Informative)

    by Remlik ( 654872 ) on Thursday May 01, 2003 @03:40PM (#5855550) Homepage
    As the only sys admin in a company of 50 desktops and 4 Win2k Servers I can fully support the notion that patching is expensive...but not for the company...for ME!

    Guess who gets to come in the office between 8 and 10pm to apply these patches to live servers...who has to wait if someone decides to work late. Who has to cross his fingers with every patch hoping that nothing else breaks...ME! And the only thing I get out of it is to be able to leave an hour or two early that Friday...woot.

    Sure some things I can and do install from remote, but almost every patch requires a reboot and you just never know when a Win2k system isn't going to boot properly and require you to drive in at 1am wearing your bath robe.

    • If you followed your sig's advice and applied change management and controls to your servers, a script would have kicked off the patch and rebooted w/o a hitch.

      Work smarter.
    • I can fully support the notion that patching is expensive...but not for the company...for ME!


      Nope. It still costs the company. Because if you didn't have to do all those things they could probably pay you less or have you do something else that you don't have the time to do today. At the end of the day, it costs your company money.
    • Jesus you just described me to a t, bathrobe and all. :( Big frown.
    • who has to wait if someone decides to work late.

      Clearly, you have not read enough BOFH. If someone decides to work late, you ensure that he can never leave the office again!

      And what, really, is wrong with kicking everyone off the server at 10:30 AM and not getting the patch installed until 4:30?

      Learn more user-control tips here [ntk.net].

  • Once again, MS generates news by stating (or admitting) the obvious. Patching is a pain! Patching takes ($valuable$) time! Patching hogs bandwidth! Patching doesn't always work or may break things!

    In other news, the sky has been discovered to be blue and the planet has been proven round....

  • System Update Server (Score:5, Informative)

    by mr_z_beeblebrox ( 591077 ) on Thursday May 01, 2003 @03:51PM (#5855688) Journal
    Microsoft has a free product out called SUS (see subject). SUS works in conjunction with the BSA (no, Baseline Security Analyzer) to determine patch levels of 2000/XP clients and servers; it then downloads all necessary patches into a SIS (single instance storage) at the server. In this way every patch on your network is downloaded only once. If you only have four PCs this cuts update traffic by 75%. This is nearly as effective as ISA server but it is FREE. It is not as effective as coding it right the first time LOL but it is a start.
    • by Lumpy ( 12016 ) on Thursday May 01, 2003 @04:11PM (#5855887) Homepage
      I get the same thing for free with linux by simply configuring a SQUID proxy to heavily cache all http traffic from update.microsoft.com, then have all the W2K boxes automatically run their updates 1 day after the master PC does this. Voila... the squid proxy caches all the updates so every other pc in my WAN gets them from the squid server lightning fast. Same as the virus scan and all the other "update" sites we seem to use here.

      Works great and my mrtg graphs prove that it works to me :-)

      • by ostiguy ( 63618 )
        You are onto something, and you don't even fully know it. SUS is free, BTW

        I am playing with SUS server and its group policy settings, and there is no way for end users to initiate downloads. I can make updates happen over night, and force pc reboots, but I am not thrilled with that solution (I feel that may negatively reinforce users locking their workstations as a routine behaviour). SUS doesn't interact with windows update at all - disabling windows update via group policy isn't an ideal solution either.
  • Question? (Score:5, Interesting)

    by Billly Gates ( 198444 ) on Thursday May 01, 2003 @03:57PM (#5855747) Journal
    C/C++ functions like strcpy have been known to be a cause of overflows for decades.

    Bell Labs (now Lucent) and various hackers have made string functions that do the same thing but are buffer safe. They are made to create more secure apps.

    My question is if gcc or Visual C for that matter switched to more buffer safe libraries would it make a difference? Trusted Debian is compiled with buffer safe string functions.

    It may be time GNU C did this by default assuming all the apps could be recompiled without a problem.

    This would seem to get rid of 90% of holes in user as well as kernel space.

    • Re:Question? (Score:3, Informative)

      by PickaBooga ( 578529 )

      The basic string copy functions in C and C++ don't keep a value for the maximum length of a string.
      (Actually, they don't even keep a value for the current length of a string, it is calculated by scanning the string and looking for the terminating null.)

      The buffer safe string libraries are not designed to be a drop-in replacement for the basic string library, because they demand more information about maximum lengths from the code using them.
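The point made in the question and answer above (strcpy gets only a pointer, so it cannot know the destination's capacity; a safer copy has to be told the maximum length and so cannot be a drop-in replacement) as an added C example. This is not code from the thread or from any library it names; `struct record`, `set_name_unsafe`, `set_name_safe`, `bounded_copy` and `bounded_append` are hypothetical names, and `bounded_copy` is a local strlcpy-style implementation written here so the example builds on any libc.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration type: a fixed-size field followed by another
 * member, so an overrun of `name` lands on `id`. */
struct record {
    char name[16];
    int  id;
};

/* The pattern the thread complains about: strcpy() receives a bare pointer
 * and has no way to learn that `name` holds 16 bytes. Correct only while
 * every caller guarantees strlen(src) < 16; nothing in the call enforces it. */
void set_name_unsafe(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* strlcpy-style bounded copy, written locally. Copies at most dst_size - 1
 * bytes, always NUL-terminates when dst_size > 0, and returns strlen(src)
 * so the caller detects truncation with `return value >= dst_size`.
 * snprintf(dst, dst_size, "%s", src) gives the same contract from the
 * standard library. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Bounded append with the same contract: returns the length the joined
 * string would have had, so `>= dst_size` means it was cut. If dst is not
 * NUL-terminated within dst_size it is left untouched and reported as cut. */
size_t bounded_append(char *dst, size_t dst_size, const char *src)
{
    size_t dst_len = strnlen(dst, dst_size);
    if (dst_len == dst_size)
        return dst_size + strlen(src);
    return dst_len + bounded_copy(dst + dst_len, dst_size - dst_len, src);
}

/* Hardened setter: the capacity travels with the call (sizeof the field,
 * not a hard-coded 16), and the caller learns whether the value was cut.
 * Returns 1 if src fit, 0 if it was truncated; `id` is never touched. */
int set_name_safe(struct record *r, const char *src)
{
    return bounded_copy(r->name, sizeof r->name, src) < sizeof r->name;
}

int main(void)
{
    struct record r = { "", 42 };
    /* Constructed inputs: one that fits, one that would overrun the field. */
    const char *inputs[] = { "alice", "a-name-longer-than-15-chars" };

    set_name_unsafe(&r, "alice");   /* safe here only because the input is short */

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int fit = set_name_safe(&r, inputs[i]);
        printf("%-28s -> name=\"%s\" id=%d%s\n", inputs[i], r.name, r.id,
               fit ? "" : " (truncated)");
    }
    return 0;
}
```

The usage note is the contract itself: the bounded functions do not make a too-small buffer correct, they make the overflow visible as a return value the caller has to check, which is exactly the extra information PickaBooga says the safer libraries demand and a blind recompilation cannot supply.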
  • Between the costs of patching, the two weeks of downtime per user per year, and the flaws that threaten national security, has no one yet found a good way to sue for damages??? WTF?
  • by dwgranth ( 578126 ) on Thursday May 01, 2003 @04:10PM (#5855874) Journal
    Man, I can attest to this... patches... especially ones that screw up systems not only cost time/money/bandwidth but they cost HAIR.. yes thats right... admins lose their hair b/c of the stress this makes them go through..... ::looks in the mirror:: arrhhggghh..
  • Hmmm... (Score:4, Insightful)

    by istartedi ( 132515 ) on Thursday May 01, 2003 @04:15PM (#5855950) Journal

    Well... before the knee-jerk MS-bashing starts, let's think about it.

    If you patch, you have to recompile the component, and possibly re-boot the machine or re-start the application. This is true for Linux too (unless there's a way to fast-swap kernels that I haven't heard about).

    If you update, you don't need to re-start anything.

    If you patch, you could have to patch just about anything on the system.

    If you update, you are working through one application.

    Of course, there's nothing to stop an OSS developer from writing something that just sniffs incoming data for known exploits, like a virus scanner does.

    Ahhh... but that would slow the system down.

    So I think you have to add "better performance" to the pro-patch argument.

    But then, there is probably less effort to updating, especially if it's automated. Is there any OSS system with automated patching that people are willing to trust?

    Either way, I think it's an interesting discussion. In practice, I patch.

    • Re:Hmmm... (Score:3, Interesting)

      by geekoid ( 135745 )
      " Is there any OSS system with automated patching "
      yes
      "that people are willing to trust?"
      errr.. no.

      change it to
      "that corporations are willing to trust?"
      yes..Windows 2003.
  • by crovira ( 10242 ) on Thursday May 01, 2003 @04:39PM (#5856281) Homepage
    Apart from the Music download, uh, stuffff, at their web-store, SoftwareUpdate is the right way to do it.

    The download sites are controlled by Apple (and Akamai for all I know) but Apple really serves up the content.

    Also they have a better, more secure OS that's conservatively designed and carefully implemented so viri scouring and bug fixes aren't quite so desperately required by the system owners.

    M$ may be too anal-retentive for their client base's own good. The only thing they want to conserve is their cash flow.
  • Distinctions (Score:2, Insightful)

    by Heinr!ch ( 631474 )
    I think there's a big difference between AV definitions and OS patches. AV definitions can be loaded and unloaded dynamically and have minimal effect on uptime. OS patches (in Windows) tend to be all over the place. MS' System Update Server is a good idea for now - in reducing traffic due to patches. However, in most of my environments, the only things we patch regularly are IE and IIS. We typically only patch the OS pre-SP1, but after that we only apply service packs. In addition, we have IP filterin
  • by b17bmbr ( 608864 ) on Thursday May 01, 2003 @05:11PM (#5856625)
    Since Microsoft's patches cause such problems, does their licensing allow for one to install on a non production test server? It would seem to me that they should allow you to install their server software on a spare server, and then patch, and stress test. This would solve a lot of problems with apps breaking. I am sure their license doesn't, but it would seem to be a whole lot cheaper for a shop to just buy a backup server, keep it non production, deploy their patches there, test, etc., before applying to the whole network. Not that I'd expect that from Microsoft, but does anyone do that?
  • by Archfeld ( 6757 ) * <treboreel@live.com> on Thursday May 01, 2003 @05:14PM (#5856666) Journal
    We've never had a virus definition file crash a server, you can pretty much apply them without a clue, M$ patches on the other hand have been responsible for some of our WORST outages, requiring rebuild because of their no backout policy on certain system libraries. It takes a large team quite some time to check and certify each piece of code M$ certifies and clean as ACTUALLY being clean and runable :)
    Not to let SUN off the hook, their patches take some reviewing as well :)
  • by DrSkwid ( 118965 ) on Thursday May 01, 2003 @05:15PM (#5856677) Homepage Journal
    you can't beat a bit of daily patching
    I've got "cvsup ports-supfile" on a cronjob
    Every day I get emailed a list of the applications that have been updated and I can choose when it's worth patching them (they might not be installed - for instance)

    to upgrade my *whole* set of port installed software :

    #portupgrade -ra

    & everything stays in regular updated form

    I magically keep in step with the mozilla builds

    it's great

    that's why FreeBSD ain't dying
