
Patch management: full steam ahead – cautiously

Malware is exploiting security holes in applications faster and more effectively than ever. Applying security patches is a must for every administrator, but it pays to proceed with caution.

With the ever-increasing amount of malware prowling the Internet, sniffing at every network and system it can find, hoping to slip in and wreak its particular brand of havoc, administrators have become more and more paranoid about unpatched software.

Even an apparently innocuous flaw can often be exploited by the bad guys, to their profit and our loss, so it’s rarely safe to ignore a security bulletin.

Timing is critical. Recent exploits have been released before a patch for the underlying vulnerability was even available (the Microsoft WMF problem is a prime example), and even those that could be nipped in the bud by timely patching now appear closer and closer to the patch release. Zero-day exploits, which circulate at the same time as, or before, the announcement of the flaw they exploit, have become a reality, and in that window the only defences are mitigations and monitoring, not patching.

Yet patching isn’t cheap. A 2004 report by the Yankee Group pegged the cost at US$119 per desktop in companies from 100 to 5,000 employees in a year. It’s no wonder that the Yankee Group has estimated that the global patch management market will grow to US$300 million in 2008.

Vendors have pounced on the opportunity. Dozens of tools have been released, varying from basic point solutions to components of enterprise management suites.

Not simple
But patching, even with these tools, isn’t simple. Patches can break enterprise applications, and some rushed out by vendors have been known to harm the systems they were meant to fix. This means that IT departments must install the patch on test machines before even thinking about wide deployment.

Administrators also need to consider which products the tool can patch, and whether it can roll back a patch that causes problems. They need to know whether it can audit machines to see which of the available patches each one still needs, and which patches succeeded or (more importantly) failed, since a deployment that reports success while half the fleet silently failed is worse than no report at all. And they need to be able to squeeze the product into their budget.
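The audit described above is something you can check by hand on any single Windows machine, independent of whichever tool you buy. The script below is an added example written for this review, not code from the article or from any of the products covered; it uses the Windows Update Agent COM API (Microsoft.Update.Session) to do a detect-only pass: list the updates the machine still needs, flag which of them the vendor marks as uninstallable (i.e. candidates for rollback), and summarise which past installations succeeded, failed or were aborted. Nothing is downloaded or installed. Run it from an elevated PowerShell prompt.

```powershell
# Added example: detect-only patch audit of the local machine via the Windows Update Agent API.
# Requires an elevated prompt. Nothing is downloaded or installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# ServerSelection: 0 = default, 1 = managed server (WSUS, if the client is pointed at one),
# 2 = Windows Update. Use 1 so the audit reflects what the internal server offers.
$searcher.ServerSelection = 1

# --- Missing updates: applicable, not installed, not hidden, software only ---
$missing = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
"{0} applicable update(s) not yet installed:" -f $missing.Updates.Count
foreach ($u in $missing.Updates) {
    $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    # MsrcSeverity is empty for non-security updates; IsUninstallable tells you
    # whether the vendor supports rolling this one back after installation.
    "  [{0,-9}] {1} {2}  rollback supported: {3}" -f $u.MsrcSeverity, $kb, $u.Title, $u.IsUninstallable
}

# --- Install history: which patches succeeded and, more importantly, which failed ---
$resultText = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
$count   = $searcher.GetTotalHistoryCount()
$history = $searcher.QueryHistory(0, $count)
$failed  = @()
"`nInstallation history ({0} entries):" -f $count
foreach ($h in $history) {
    if ($h.Operation -ne 1) { continue }          # Operation 1 = installation, 2 = uninstallation
    $state = $resultText[[int]$h.ResultCode]
    if ($h.ResultCode -ge 4) { $failed += $h }    # 4 = Failed, 5 = Aborted
    # HResult carries the Windows error code for failures, e.g. 0x80070005 for access denied
    "  {0:yyyy-MM-dd} {1,-20} 0x{2:X8} {3}" -f $h.Date, $state, $h.HResult, $h.Title
}
"`n{0} failed or aborted installation(s) need attention" -f $failed.Count
```

Two caveats a practitioner should know: the history only records what the Windows Update Agent itself installed, so patches pushed by a third-party tool's own installer will not appear in it, and a machine whose firewall blocks the agentless scanner will look fully patched to the console while this local check shows otherwise. Running it on a sample of clients after a deployment is a cheap way to validate what the management tool reports.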

Prices for products vary, and the amounts here are for the minimum number of seats. Quantity discounts can pare the cost considerably as volume grows.

CDN Editor’s Choice: Scriptlogic Patch Authority Plus
Price: US$160 for 10 seats
Eval available: Yes
OS support: 3
Application support: 4
Average: 3.7

Scriptlogic’s list of patched products is extensive, including Microsoft products that WSUS does not handle, such as BizTalk Server. It also has the largest list of non-Microsoft products, ranging from Firefox 1.0 and higher through Adobe Reader and WinZip. Administrators can even define custom patch deployments in XML, so they can update in-house or third-party applications that no vendor database covers. The license price includes a year of patch database updates.

Patches can be deployed upon receipt (Microsoft patches come via Microsoft Update), or be scheduled for later installation. Reboots requested by patches may be controlled by the administrator to avoid disrupting the client system. However, since the product is agentless, each client machine needs an administrative account that the console can use to do its work, and the client firewall must allow the remote access.

Scriptlogic says that the product can scale even to a 100,000-machine enterprise by using Distribution Servers for localized deployment, deployment templates, and by grouping machines (using Active Directory, IP ranges, system type or other criteria) into Patch Groups.

Ecora Patch Manager
Price: US$20 per node
Eval available: Yes
OS support: 4
Application support: 2.5
Average: 3.2

Ecora patches Windows 2000 or higher, Microsoft Office 2000 or higher, Microsoft Exchange 5.5 or higher, and a long list of other products ranging from Windows Media Player to SQL Server. It supports virtually all patches from Microsoft that have been released with a Security Bulletin, and it also supports publicly available patches from Sun for Solaris 7 – 9.

Patches can be deployed either through an agent installed on the client system, or in an agentless environment, as long as there’s a suitable administrative account configured on each machine. Patches may be rolled back if necessary, as long as the vendor supports the function.

The reporting system is browser-based, and offers reports on things like the success or failure of patching, inventory of applications installed, and patch history by machine.

The license price includes one year of maintenance and support; three year licenses are also available, or customers can purchase perpetual licenses without bundled support.

Shavlik HFNetChkPro
Price: US$125 for 5 seats
Eval available: Yes
OS support: 3
Application support: 3
Average: 2.7

Shavlik’s highly regarded engine is actually the foundation of Microsoft’s Baseline Security Analyzer and of Patch Authority Plus, as well as driving Shavlik’s own branded product. It patches Microsoft products and some non-Microsoft products such as WinZip and Apache. Like Patch Authority Plus (and Ecora in its agentless mode) it is agentless: desktop firewalls must be configured to allow its scans (as they must for any agentless product), and there must be an administrative account on each machine for the software to use while patching.

Its interface is designed to be quick and easy for the administrator. One click will deploy all missing patches if you like, or you can select which patches to deploy, and where, with a simple drag and drop. Extensive reporting, available from the console or from a Web-based reporting server, lets you know the status of each patch on each client.

Microsoft Windows Server Update Services (WSUS)
Price: Free
Eval available: N/A
OS support: 3
Application support: 2.5
Average: 3.5

WSUS builds on Microsoft’s earlier SUS, expanding coverage from the operating system alone to the OS plus selected Microsoft applications, and adding functionality. WSUS gets its patches from the Microsoft Update Web site, so it can only patch software that is published there. Administrators can set up multiple WSUS servers in a hierarchy, with downstream servers synchronising content and approvals from an upstream server, or have each server connect to Microsoft Update directly. Client systems use the Automatic Updates client, pointed at the WSUS server through Group Policy, to receive their patches.

Administrators select patches and choose which computer group or groups to push them to. Groups can be populated by hand on the server, or with client-side targeting, where a Group Policy setting (typically linked to Active Directory OUs) tells each client which group it belongs to. Every patch must be approved; automatic approval rules can be set up as well to, for example, patch a test group without intervention. A detect-only approval checks systems to see whether they require a given patch and reports on their status without applying any updates.
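The client side of the arrangement described above is a handful of registry values that Group Policy writes under the WindowsUpdate policy key. The script below is an added example written for this review, not Microsoft’s or the article’s own code; it sets those values directly on one client so it reports to an internal WSUS server and places itself in a pilot group via client-side targeting. The server URL and group name are assumptions for illustration, and the WSUS server must itself be switched to client-side targeting for the TargetGroup value to take effect.

```powershell
# Added example: point a Windows client at an internal WSUS server and put it in a
# computer group via client-side targeting. These are the same values the
# "Specify intranet Microsoft update service location" and "Enable client-side
# targeting" Group Policy settings write. Run elevated.
$WsusUrl   = 'http://wsus.example.internal:8530'   # assumed server URL; 8530 is the default WSUS HTTP port
$GroupName = 'Pilot'                               # assumed WSUS computer group name (must exist on the server)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $au -Force | Out-Null                # creates WindowsUpdate and AU keys if missing

# Intranet update server and status (reporting) server; usually the same host
Set-ItemProperty -Path $wu -Name WUServer           -Value $WsusUrl   -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer     -Value $WsusUrl   -Type String
# Client-side targeting: the client announces its own group to the server
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1          -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $GroupName -Type String

# Tell Automatic Updates to use the intranet server rather than Microsoft Update
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
# AUOptions: 2 = notify before download, 3 = download automatically and notify before
# install, 4 = download and install on the schedule below. 3 is the cautious choice
# for a pilot group where an administrator wants to watch the first installs.
Set-ItemProperty -Path $au -Name AUOptions    -Value 3 -Type DWord

# Restart the Automatic Updates service so it reads the new policy, then force the
# client to re-register with the server and run a detection cycle
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow
```

If the machine is domain-joined and these settings are also delivered by a GPO, the GPO will overwrite whatever you set here at the next policy refresh, so for anything beyond a one-off test the values belong in Group Policy, with a separate GPO per target group linked to the appropriate OU. Approving a patch for the pilot group first and only then for the wider groups is the WSUS-native way to do the test-before-deploy step discussed earlier.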

There’s no such thing as ‘free’ Patch Management
You can’t just quote the price for a tool of this sort and assume that’s the price you will pay for patch management. Even “Free” has a cost.

The savings can be substantial too. They may not translate into hard dollars, but will be manifested in systems that are protected from exploits, saving the cost of recovering from infections, and in IT staff time that can be spent on tasks other than running around patching systems.

All of the products discussed here offer free evaluations, and it’s best to try before you buy. Every environment is different, and it’s impossible in the space we have to list all of the nuances of each product. It’s especially important to make sure that your product of choice will patch all versions of software installed on your machines; if it can only go down to Office XP, for example, and you have a large installed base of Office 2000, many systems will still be vulnerable despite supposedly successful patching.

Also bear in mind that very old operating systems — typically, NT 4.0 and earlier — are no longer supported by Microsoft, so no new patches are available and some products won’t even apply patches for them that you already have. Older versions of Microsoft Office suffer the same fate, and unsupported software on the network remains vulnerable no matter how good the patching tool is.

Ecora offers an interesting mix with its support of Windows and Solaris. The optional agent would be handy in situations where agentless scans are impractical, such as machines behind firewalls that block remote administration.

Shavlik is a bit pricey, for all that it updates both Microsoft and other products. You can’t beat the price of WSUS, which is functional, easy to use, and ideal in an all-Microsoft shop. If you have to update third-party products, it falls down, as it also does with some Microsoft products – the promise, yet unfulfilled, is that Microsoft will add more of its software to the supported list as time goes on.

For sheer breadth of support Scriptlogic tops the group. Its ability to allow the administrator to define additional patching scenarios is a major plus in shops with custom software or niche products that are unsupported by management software. Its price is reasonable.