Microsoft, of course, offers its own patch-management tools. An automated tool called Windows Server Update Services (WSUS), released in June, lets administrators control deployment of patches and updates to Windows and other Microsoft products.

For some, WSUS does the trick—and it's free, compared with $15 to $75 per system for patching software from specialists like BigFix and PatchLink.

The Microsoft update service "is good enough for what we see," says Matt Speare, chief information security officer at Buffalo, N.Y.-based M&T Bank, which has 13,300 employees. "About 90% of the patches we put in are Microsoft-based anyway."

But shouldn't Microsoft shoulder some of the blame for the problem? After all, many of the debilitating bots, viruses and worms on the Net exploit security holes in Windows, which IDC says runs 94% of the world's desktop computers.

For its part, Microsoft two years ago launched the Trustworthy Computing initiative, through which the company says it is "committed to building software and services to better help protect our customers and the industry."

Not everyone points the finger at Redmond, and Microsoft earned kudos for its move in October 2003 to a once-a-month release cycle for critical Windows patches—including those that fix security vulnerabilities—rather than releasing them as they were discovered.

"It's been tremendous in helping us plan and test," says Lynda Fleury, chief information security officer at insurance company UnumProvident. Microsoft's patch-release day is the second Tuesday of each month, which some network managers sardonically refer to as "Black Tuesday."

Sometimes, though, the cure is worse than the disease. In October, for example, one of Microsoft's critical patches disabled some Windows networking features, which among other things prevented users from logging on. As a result, most information security managers extensively test any patch before updating their systems.

For Lockheed Martin, ensuring patches don't disrupt systems is especially crucial. "Some of our systems are controlling space launches," says Rich Faulkner, program manager for patching. "We can't just go and slap something in. We'd get killed."

The defense contractor largely uses Microsoft's WSUS for desktop patching. But for servers, Faulkner and his team saw a benefit in PatchLink's quality-assurance testing for patches from Microsoft, Oracle, SAP and other software vendors. "PatchLink is in the business of patching," Faulkner says. "We wanted to offload some of that testing work."