Would you buy a new car if you had to repair it every month? Sure, automobiles require regular maintenance, but this isn’t just checking the oil. I’m talking about repairs required to ensure your safety. No, you don’t have to bring your car to the shop. It’s worse: You have to do the repairs yourself from parts shipped to you by the manufacturer. Sounds like a lemon, doesn’t it? Yet this is what each and every Windows user has to put up with!
Every second Tuesday of each month, Microsoft sends out security updates for Windows, as well as Internet Explorer and MS Office. Patch Tuesday occurs with the regularity of lunar phases. If your Windows is set up for automatic updates, then these patches are downloaded and installed on your computer in the background. Hopefully, all goes well.
If your computer has lots of memory and bandwidth, then the Patch Tuesday updates won’t slow everything down to a crawl. If auto-updates aren’t turned on, then you will have to fetch each individual security patch (there are usually half a dozen or more every month) and install them manually. After updates and rebooting, your computer should now be duly reinforced against malware and threats that lurk on the Net.
But sometimes things go wrong and the security fix breaks something else.
After last June’s round of critical patches, many ZoneAlarm users suddenly found they could no longer connect to the Internet. This patch conflict triggered many panicked calls to DSL support centers, to the annoyance of the telcos.
After some finger-pointing between Microsoft and ZoneAlarm, the problem was fixed within days. Still, the incident does highlight the fact that sometimes even the fixes need fixing! For example, an August MS PowerPoint update was re-issued within days of its Patch Tuesday release. Microsoft’s updates are known to break its own products.
It’s not just Microsoft; other applications need patching too. ZoneAlarm needed an upgrade after the Microsoft patch broke it in June. Other programs need patching after security vulnerabilities are uncovered. Adobe products, such as Flash Player, and Apple’s QuickTime are common targets.
Last year, within roughly a half-year period, QuickTime needed to be patched three times! And regular security updates continue to emerge for both QuickTime (which is a required component of iTunes) and Safari.
Sun’s Java Runtime Environment (needed by some programs and a component of browsers) needs security updates too. And, if you’re not careful with Java patches, the old, unsafe JRE will still reside on your system after you’ve installed the newer one.
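The leftover-JRE problem is easy to check for on a Windows machine. The script below is an added example, not part of the original column: it reads the Add/Remove Programs entries that Windows keeps under the registry’s Uninstall keys (both the 64-bit and the WOW6432Node paths), picks out every registered Java runtime, and warns when more than one is present. The DisplayName pattern (`Java` or `J2SE`, excluding the Development Kit) is an assumption about how Sun’s installers name the runtime; adjust it if your entries look different.

```powershell
# Added example, not from the original column: list every Java Runtime
# Environment registered in the Windows uninstall registry and flag the
# case where an old JRE is still installed next to a newer one.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$jres = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | Get-ItemProperty |
            # Assumed naming: "Java(TM) 6 Update N", "J2SE Runtime Environment 5.0 ..."
            Where-Object {
                $_.DisplayName -match 'Java|J2SE' -and
                $_.DisplayName -notmatch 'Development Kit'
            } |
            Select-Object DisplayName, DisplayVersion, InstallLocation
    }
}

# Sort numerically by version; entries without a parseable version sort last.
$sorted = @($jres) | Sort-Object -Descending {
    try { [version]$_.DisplayVersion } catch { [version]'0.0' }
}

if ($sorted.Count -eq 0) {
    Write-Output 'No Java Runtime Environment is registered on this machine.'
} elseif ($sorted.Count -gt 1) {
    Write-Warning 'More than one JRE is installed. The older ones below are still present and still unpatched until you remove them:'
    $sorted | Format-Table -AutoSize
} else {
    Write-Output 'A single JRE is installed:'
    $sorted | Format-Table -AutoSize
}
```

Run it after each Java update; if the warning fires, remove the older entries through Add/Remove Programs (or the vendor’s uninstaller) rather than deleting folders by hand, so the registry and any browser plug-in registrations stay consistent.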
If you work in a large corporate setting, then you may have a team of dedicated systems administrators to attend to software security updates and control. They will likely ban high-risk programs, such as the file-sharing application LimeWire, but will attend to the patching rounds and save you the bother.
At best, the security team will test all planned updates in isolation first, in order to ensure that these don’t break any of your existing programs. But if your systems and security people are undermanned or pressed for time, then the quality of the security update job may vary.
Things are a bit better for the ’nixes, the Apple OS X (a variant of OpenBSD Unix), and the various flavors of Linux. They are far more robust to begin with, and the few security updates that are needed are usually handled in the background with little need of user intervention. Unlike Microsoft, I have yet to hear of a Linux patch breaking other software. Still you can’t be overconfident.
At the CanSecWest security challenge, an Apple machine running OS X Leopard was the first to fall. A Windows Vista machine succumbed the next day. At the end of the contest, only the computer running Ubuntu was still unscathed. Note that the Apple was hacked through a flaw in Safari, not OS X itself, while the Vista hack exploited an Adobe Flash vulnerability. This highlights the need to patch all programs, not just the base operating system.
Sick and tired of the patching merry-go-round? Why not just forego any patches altogether and avoid the hassle? Sorry, no, that’s not a good idea either. Malware threats are constantly evolving and multiplying. Unless you intend to treat your computer like a cloistered nun in a convent, completely isolated from any network and never, ever connected to the Internet, then you have no choice but to take precautions and do the security updates.
Software vendors are continuously improving their software patching processes, but they really shouldn’t be releasing programs with security holes in the first place. The point is, no software vendor ever accepts liability for security. They will not even guarantee that their software is usable. That’s what it says in the fine print of the end-user license agreements (EULAs) that you click through when you install software.
It’s caveat emptor to the max! So... would you buy a car like that?