Installing patches to fix application and system flaws is still a major chore for businesses. With Microsoft's XP SP2, they face their biggest challenge.
In the first three weeks it's been available, businesses have downloaded more than 1 million copies of Microsoft's Service Pack 2 for Windows XP, and consumers have downloaded many more. It's merely a start in what's shaping up to be the most far-reaching and complex software patch ever attempted. Over the next three months, Microsoft's goal is to push SP2 out to more than 100 million PCs.
Few expect it to be easy. Applications already are breaking as software vendors and systems administrators test the security-packed Windows update before rolling it out to users. Microsoft has identified about 50 applications that are incompatible with SP2, and company officials admit that many custom applications are likely to encounter glitches, too. Last week, Microsoft released a 100-page technical document that describes how companies should assess applications for compatibility with SP2 and what they should do when things don't work.
As companies race to stay ahead of system vulnerabilities, they can't let down their guard, Thermo Electron's Kamens says.
Photo by Asia Kepka
Microsoft's mother of all patches is just the latest in what's become a familiar and frustrating industrywide exercise, as software companies and their customers race to stay ahead of the worms and other attacks that seek to take advantage of newly discovered vulnerabilities in operating systems and applications. "You have to take this stuff seriously. You can't let your guard down for a second," says Michael Kamens, global network and security manager with Thermo Electron Corp., which has tested SP2 but hasn't determined a rollout schedule for its several thousand Windows XP machines.
For many companies, patching has been akin to software triage, with IT personnel dropping what they're doing every time a critical security bulletin rings the alarm. A growing number of companies, however, are putting people, processes, and tools in place to bring greater efficiency and control to that ad hoc way of doing things. And technology vendors are making some much-needed changes, too.
Oracle has revealed that it will begin releasing its software patches on a once-a-month schedule, so customers can better plan for them. "We believe a single patch encompassing multiple fixes on a predictable schedule better meets the needs of our customers," Oracle said in a written statement. Oracle also indicated that a security fix would be issued shortly for vulnerabilities that have been discovered in its products but declined to comment further on the pending fix or its revised patch strategy.
Microsoft began issuing monthly patches last October, and Computer Associates and SAP have been on regular schedules even longer. SAP uses its Support Portal to make updates available, including specialized patches for customers who may need help reconciling SAP applications with third-party products. CA delivers patches once a quarter, but it moves faster when necessary. "When I sit down with customers, I seldom get to bring up the issue--it's usually one of the top things they mention," says Sam Curry, VP of CA's e-Trust security-management unit.
Jim Burdiss, VP and CIO of Smurfit-Stone Container Corp., likes the trend toward scheduled patches. "The end game is to get away from fire drills as much as possible," he says. "When those patches happen randomly, you force IT to go into a reactive mode." The randomness of ad hoc patches makes resource and budget planning difficult, he says.
Oracle's policy change and product improvements from Microsoft, including new features in Systems Management Server 2003 that automate aspects of Windows patch management, are steps in the right direction. But challenges remain. The Yankee Group consulting firm estimates that a company with more than 500 PCs spends up to 120 staff hours testing and installing every patch. "The issue is, companies have to test and test before deploying a patch," says Yankee Group senior analyst Eric Ogren.
At the Arkansas Army National Guard, two people work full time patching about 50 Windows servers and 1,500 PCs. "That seems excessive," says senior network manager Lynn Melton. "It's frustrating." The military unit uses several tools to deploy patches, including St. Bernard Software's UpdateExpert, Lieberman Software's User Manager Pro, and Cisco Systems' CiscoWorks. Melton tried an earlier version of Microsoft's Systems Management Server, but it required too much effort, he says. He's interested in the vendor's Windows Update Services patch-management system, which promises to let customers handle patches for more products than Windows, including SQL Server and Exchange. But it won't be ready until the first half of next year. "If we could use one tool to do more than one thing, that would be helpful," Melton says.