Primer: Patch Management

  • What is it? Patch management ensures that vendor-supplied software patches are distributed to and installed on all computers that require a particular update. Patching system vulnerabilities properly has emerged as a critical information security issue, particularly for Windows desktop computers. Patch management software products automate the process on a large scale.

  • Why is it important? By one Gartner estimate, about 90% of information security breaches involve a known system vulnerability that was not properly patched. Microsoft alone has been releasing software patches at a rate of more than one a week since 2002, so it’s no wonder organizations have trouble keeping up. Software patches can also cause problems of their own, and sometimes even break existing applications.

  • Who are the vendors? In addition to patch management specialists such as PatchLink, BigFix and Shavlik Technologies, patch management capabilities are available from configuration management software vendors such as Altiris, BMC Software (through the Marimba software distribution technology it acquired in 2004), LANDesk and ManageSoft, as well as security and vulnerability management firms like Citadel Security Software and Configuresoft.

    Microsoft supports patch management through its Systems Management Server (SMS) product, as well as a free offering called Software Update Services, which uses the automatic update component embedded in Windows 2000, Windows XP and Windows 2003 Server.

  • Is this just a Windows issue? No. System vulnerabilities also appear periodically in Unix, Linux and popular open-source software such as the Apache Web server. Other types of patches must be applied to improve system performance or stability. However, the large number of Windows desktop computers and occasionally connected laptops at most corporations makes it a bigger challenge to patch those systems reliably. Windows patch management also receives more attention because most Internet worms have spread by exploiting Windows vulnerabilities for which patches were already available; many systems simply had not been patched properly.

    Jim Richardson, a network consultant with CPI Solutions in Camarillo, Calif., got his introduction to patch management while he was employed at Dole Foods. The patch management project there, he says, revolved around Microsoft’s SMS because it started after “we got hit pretty hard by one of the Windows Internet worms.” Microsoft’s product worked well there, and he continues to recommend it in his consulting work, “but there was a lot of trial and error to get the system to be finely tuned.” Systems administrators need to concentrate on minimizing the network congestion and downtime from system reboots that can accompany patch distribution, he says.

  • Can configuration management software do the job? Many configuration management products now include patch capabilities. Patch management-specific vendors have distinguished themselves by helping systems managers analyze and test patches before release, to ensure they don’t cause more problems than they solve. Gartner analyst Mark Nicolett notes, however, that because configuration management vendors have improved their patch features, he generally recommends them for organizations that have established, or are in the process of establishing, an enterprisewide software distribution and configuration system.