Saturday, March 17, 2007

Cup of Hot Cocoa: Patch Warfare II

What to do?

First

Either update you machines religiously on every Black Tuesday (the second Tuesday of the month when Microsoft releases security patches). I don't trust Microsoft update. I have seen too many machines that have it running and are still unpatched days after new patches are released. I know many of these machines where left running over night to update. So my conclusion is the the Microsoft update services are overwhelmed by the shear numbers to properly serve all the machines clamoring for update.

Third Party Software

Microsoft has no mechanism to update non-Microsoft programs, and who doesn't have those? These must be kept up to date as well. Some offer automatic silent updates, automatic notices of updates or nothing at all. Oh I almost forgot about the automated update notice that is broken... I ran in to this with several versions of Sun Java JRE.

Well there is an option for some of the more popular software out there. Secunia Software's fee online assessment which I wrote about in How to Find Bad Apps (http://sec-soapbox.blogspot.com/2007/02/how-to-find-bad-apps.html) will scan your computer for vulnerable non-Microsoft applications.

Cruft

Not all applications clean up after themselves. Sun Java for one leaves old versions in place, which can be usefule for those few who actually need multiple versions. For the rest of us it leaves security holes on our systems and takes up disk space. I have more details including how to automate the install and de-installation of Sun Java posted here: Do you Java? (http://sec-soapbox.blogspot.com/2007/01/do-you-java.html).

Stay tuned for the next "Cup of Hot Cocoa" episode where I discuss default.

No comments: