The Usual Tech Ramblings

Software Patching...

The Last In - First Out blog has an interesting post on software patching, or more specifically on the complexity of keeping systems up to date. The post draws attention to the numerous security issues involved, and to how hard it is to build and maintain a securely patched system, even for tech-savvy folks. He doesn’t call out just one vendor…

Responsible network administrators and home users have been placed into patch hell by software vendors that simply are not capable of writing software that can stand up to the Internet.

  • There is no operating system or platform that has built in patch management technology that is both comprehensive and easy for network administrators and home users to understand or use.
  • There is no reason to expect that even if software vendors were actually able to release good code, the release would make it out to users’ desktops.
  • Some vendors (Microsoft) have robust and easy to use patch distribution systems, but those systems only distribute patches for their software. Each other vendor must re-invent the software distribution wheel, and each does it in a random and arbitrary way, with flags, popups, silent installs, noisy installs, click here to continue, arbitrary re-boots...

It’s not a Microsoft problem, it’s not an Adobe problem, it’s a software development problem, and as far as I can tell, all vendors have the problem.

The post goes on to cite some examples from Google Analytics of browser and Flash versions, which show that over 40% of the visitors are using unsafe Flash versions. My users seem to be about the same too.

It does raise a good question: how do you build a good patching/software management solution? With the number of platforms some administrators have to support, plus software dependency issues, patching on a large scale is a complex task, and it gets a whole lot more complicated when you factor in multiple applications from multiple vendors.

As was stated, Microsoft has a pretty solid solution: WSUS can patch most of the Microsoft applications, which is great, and it is easy to manage, with point-and-click approval of updates. Combined with some good group policies, your users have no choice but to get the updates. But handling other vendors’ updates is a little more tricky; there is no unified solution for managing them. Whilst you could repackage all the updates as MSIs and push them with Microsoft System Center, that still requires the administrator to know what is on everybody’s machine, and to stay on top of security releases from various vendors. Something most administrators don’t have time for.

What’s the next solution? Vendors forcing updates. That is the case now for some applications.

  • Firefox, for example, will tell you there are updates, and if you don’t install them right then, it’ll install them the next time you open it.
  • Chrome runs a regular update program (at least on Windows) that checks for, and installs, updates quietly behind the scenes.
  • Flash is a problem area. There appears to be nothing available there, and I myself fell into an “insecure” version until I went to a website, and they told me they wouldn’t load the pages without me upgrading.
  • Java also has its own updater that runs in the background, popping up to tell you there are updates, but it does nothing to force security updates. You can even turn it off.

What do we need to do? Hound vendors to get them to bundle something into their apps: call home to check for updates, and forcibly install security updates when the user is not using the application [1].

In an ideal world, several of the large vendors would get together and build a standard, and on top of that standard a service (or a shell company) would be set up to manage updates from all the various vendors.

  • All platforms could “check in” there to find updates for their applications.
  • System administrators would be able to build local update systems fed from the control services of that central service, allowing local repositories for quicker updates [2].
  • It’d have to be platform agnostic, supporting anything the vendor supports.
  • The service on the client side should do anything possible to bug the hell out of the user to make them install the updates, or silently install security updates [3].

As I said, a perfect world. That’s not going to happen any time soon, or ever. So we need to work with vendors on getting better update mechanisms out of them.
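The client-side check-in and install policy sketched above, as an added example (this is not code from the original post, nor from any real update service): a client compares its local inventory against a manifest of version-to-version deltas, the Debian-style model from the third footnote, and decides per application whether to install silently, wait until the application is closed, or just nag. The manifest format, the application names, the version numbers and the inventory are all constructed for illustration.

```python
"""Client-side check-in against a vendor-neutral update service.

Added example, not code from the original post or from any real
updater. The manifest format, application names, version numbers and
the sample inventory are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.0.12.36' -> (10, 0, 12, 36): compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Delta:
    """One update package built against a specific installed version,
    the Debian-style model the post's third footnote asks for."""
    app: str
    from_version: str
    to_version: str
    security: bool


# Constructed manifest, as the central service (or a local mirror of it,
# footnote 2) might publish it. Assumed: at most one delta per
# (app, from_version) pair.
MANIFEST: List[Delta] = [
    Delta("flash", "9.0.115.0", "9.0.124.0", security=True),
    Delta("flash", "9.0.124.0", "10.0.12.36", security=False),
    Delta("java", "6.5.0", "6.7.0", security=True),
    Delta("java", "6.7.0", "6.10.0", security=True),
    Delta("firefox", "3.0.3", "3.0.4", security=False),
    Delta("acrobat", "8.0.0", "8.1.2", security=True),
]

# Constructed inventory of this machine: installed version and whether
# the application is in use right now.
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "flash": ("9.0.115.0", False),
    "java": ("6.5.0", True),
    "firefox": ("3.0.3", False),
    "chrome": ("0.4.154.29", False),  # vendor publishes nothing here
    "acrobat": ("7.0.0", False),      # older than any published delta
}


def upgrade_path(app: str, installed: str, manifest: List[Delta]) -> List[Delta]:
    """Chain deltas from the installed version to the newest reachable one."""
    by_from = {d.from_version: d for d in manifest if d.app == app}
    path: List[Delta] = []
    current, seen = installed, {installed}
    while current in by_from:
        delta = by_from[current]
        if delta.to_version in seen:
            raise ValueError(f"cycle in manifest for {app} at {current}")
        path.append(delta)
        current = delta.to_version
        seen.add(current)
    return path


def plan(app: str, installed: str, running: bool, manifest: List[Delta]) -> str:
    """Decide what the client does for one application."""
    relevant = [d for d in manifest if d.app == app]
    if not relevant:
        return "up to date"
    path = upgrade_path(app, installed, manifest)
    if not path:
        newest = max(parse_version(d.to_version) for d in relevant)
        if parse_version(installed) >= newest:
            return "up to date"
        # The installed version predates every delta, so chaining cannot
        # reach the current release: the service must also offer a full package.
        return "no delta path: fetch full install"
    if any(d.security for d in path):
        # Security fixes go in without asking, but not while the app is in
        # use (footnote 1); anything else just nags.
        return "defer until closed" if running else "install silently"
    return "nag user"


def check_in(inventory: Dict[str, Tuple[str, bool]],
             manifest: List[Delta]) -> Dict[str, str]:
    """One check-in: a decision per installed application."""
    return {app: plan(app, version, running, manifest)
            for app, (version, running) in inventory.items()}


if __name__ == "__main__":
    for app, decision in check_in(INVENTORY, MANIFEST).items():
        print(f"{app:8} {decision}")
```

Two things the delta model makes visible: a machine whose installed version predates every published delta has no upgrade path at all and needs the full package, so the service has to publish those as well; and the client acts on whatever the manifest says, so a central service that installs on every vendor's behalf has to carry manifests and packages the individual vendors have signed, not just ones the service vouches for.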

I like the closing of the post mentioned above, so I’ll leave it here too…

If technical people either cannot or are not keeping up with patches, why would we expect ordinary users to keep up?

Very true.

  1. I get enough complaints about pushing Windows security updates in the middle of the night 

  2. Think of mirroring services, like those for the Debian repositories 

  3. This will require vendors to build updates based on existing versions, à la Debian or any other package system