Patch bundles under fire
Do firms want to patch in their own time?
Phil Muncaster, IT Week 17 Feb 2005
Patch management specialist PatchLink has said that the regularly scheduled patch bundles from Microsoft, Oracle and other vendors are harming firms' security and should be abandoned.
PatchLink's product management vice-president, Chris Andrew, argued that situations such as this month's "patch Tuesday", when Microsoft released 12 bulletins covering 17 security flaws, are bad for firms because they leave systems vulnerable for too long. The fixed schedule also puts pressure on security vendors to prepare patches in time for the set release dates.
"It would be better releasing the alerts as [IT vendors] found them, because by holding on to the information Microsoft is effectively making the window for action smaller," said Andrew. "It's usually hackers that find the problems in the first place, so keeping the vital information away from customers is not good for them."
Andrew added that many PatchLink customers would like to be able to choose their own patch times and isolate vulnerabilities themselves to manage patch deployment. However, Ruth Bowen, European alliance director of security firm Sygate, argued that the scheduled bundles help administrators to plan how and when to test and apply patches.
But Bowen added that, whether security updates are released monthly or at other times, firms still face a big logistical problem in ensuring that all their systems are covered. "The Sasser worm last year struck during a bank holiday, for example, so that people cleared up their networks but then others came back after the break not having patched up and reintroduced vulnerabilities when they logged on," Bowen commented. Bowen therefore recommended that companies invest in end-point security systems that check patches are in place before users can access a network.
© 2005 Incisive Media Investments Ltd