Dreaming the impossible dream for 2008: A patch-free year
So here we are at the end of yet another year. It's always a whole lot easier
to look back than to look forward, but if there's one thing that stays with
us from year to year, it's security, or, rather, the lack of it in many cases.
A year ago at this time, I was just returning from Microsoft's Redmond campus,
after getting an immersion treatment into Windows Vista security. Zillions of
dollars were spent completely re-architecting the way Windows handled security.
Dozens of experts from around the world were flown to Redmond for conferences
over Vista's five-year gestation period with the express mission of breaking
into the code and finding every last possible weakness. It would all be different
from the checkered pasts of XP, IE 6, and Office 2003 and the hundreds of security
patches issued on their behalf over the last several years.
True enough, the past torrent of updates has slowed under Vista, IE 7, and
Office 2007, but not to a rate I'd characterize as anything close to a trickle.
The second Tuesday of each month is still "patch day" and soon afterward
we get an interpretive analysis statement from Symantec. To pull just one recent
second Tuesday out of the hat, on Aug. 14, Microsoft issued nine patches, six
of which it considered "critical." Trickle? Uh, no.
Despite their necessity, which ranges from "isn't that nice" to "drop
everything and do it right now," patches (regardless of which software
vendor issues them) are not always perfect. No doubt you'll remember the near-worldwide
Skype outage of late August, which the telephony subsidiary of eBay blamed on,
yep, a patch issued by Microsoft leading to system restarts that in turn created
a flood of login requests to Skype. Whatever. "Trusted computing"
is not always completely trustworthy.
Though Microsoft gets most of the news story coverage about patches, the fact
is the company is not at all alone. It just happens to be the biggest company
with, by far, the largest installed base. And Microsoft is the company that
many users (and journalists) love to hate, fair or not. You've got to admit,
it does sell newspapers and drive Web hits.
It should not be overlooked that cute, cuddly Apple, the company that people
love to love, also issues patches, though certainly not at a pace anything close
to Microsoft's. Is that because Apple software is better-designed and built?
Maybe, but I tend to doubt that. The fact is, the Apple installed base is minuscule
compared to Microsoft's, and a smaller target simply isn't as alluring.
Apple issued three security updates just a couple of days ago (Dec. 17) and
two others on Nov. 14. Not bad. Other patches and updates are routinely issued,
but you've got to remember that Apple makes a lot more than software. It is
a computer maker, too.
Red Hat, to name another, is also in the security patch business and has a
Security Updates section of its Web site devoted to what it charmingly refers
to as "security errata." Similarly, Novell has an updates and patches
service for its SUSE Linux servers and desktops. The point is that equating
Microsoft with operating system security vulnerabilities is neither true nor
fair.
As I look around the office and my lab, many of the devices I see, including
printers, MP3 players, cameras, firewalls, routers, RAID arrays, mice, cell
phones, telephone system, and even a remote weather station, all had firmware
or driver updates issued by their manufacturers -- some more than once. Some
updates were downloaded and applied, others we declined based on the "if
it ain't broke don't fix it" school of thought.
The weather station, curiously, has no way to accept the update, which handles
the new Daylight Saving Time schedule. The manufacturer is willing to rent some
sort of gizmo that will allow the update to be applied. There's not much chance
I'll be shelling out any green to do this.
So, what should you expect in 2008? Not much change. Second Tuesdays will continue
to be patch debut day. Other vendors, however quietly, will continue to issue
patches. For those customers with enterprise patch management systems, keeping
tabs and applying them is somewhat simplified. For smaller businesses, extra
vigilance may be needed. And when we get that "do I need to apply this
patch" phone call, it remains essential that we all provide informed answers.
Alas, I can't wish you a patch-free 2008, but I am looking forward to dozens
of exciting new products in the coming year. Best wishes for a high-margin year.
ITworld.com