The January China vs. Google hacking incident brought to the headlines once again the threat that unpatched exploits pose. In this instance a vulnerability in Internet Explorer was used to execute compromising code on a targeted user’s PC. This is nothing particularly new; zero-day exploits appear in software all the time. However, the IT community seems to have adopted a feeling of protection from the slickness of automated patching products such as Windows Server Update Server (WSUS), Lumension and Altiris. The successful passing of each “Patch Tuesday” gives a “we’re protected again, so all is well” feeling.
But is this enough? The media coverage of the Google Internet Explorer exploit forced even Microsoft to break its patching schedule. What if the exploit had actually been in Firefox, Acrobat Reader, IIS or SQL Server? Do we have the processes and technology in place to rapidly roll out patches for these products?
What potentially adds more complexity is when more than one person owns the responsibility to patch. If you’re using a hosted, managed services or cloud provider deployment, the responsibility may not be entirely yours: some parts of the software stack may be patched automatically by the provider, but you might be on your own for others. Those of us familiar with the hosting world have for years seen the service name “managed operating system”, which often includes patching. But what does this actually include? Are you comfortable with who will patch Windows, IIS, SQL Server or Outlook? If your service provider will do all of this, are your developers and vendors happy with it?
Most of the time patching goes well; it has transformed from a hands-on tactical activity into a strategic background service. The question is: does your strategic service still allow tactical updates?