Feeds

Patching is a pain...

...but misconfiguration is worse

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Sysadmin Blog After a couple of pretty bad weeks, in which virtually everything that could conceivably have gone wrong has, things are finally starting to settle down.

Despite a couple of “weeks from hell” in which my network survived virtually every “network down” scenario back to back, none of that actually bothers me. Some of these worst case scenarios were covered off by a bit of planning; others weren’t. Of those that weren’t, the vast majority of these problems could have been avoided if the network upgrades and maintenance currently on the drawing board had been completed. (Completion date for most of it is the end of July, go figure, eh?)

What bothers me are the little things that I have discovered wrong with my network these past few weeks. As my previous article revealed, last week I discovered a virus on my network. It was largely contained by my edge defences, and given all that decided to erupt at the same time, it was really little more than a minor inconvenience. Still, it irks me. Minor misconfigurations can have a dramatic effect on your network by allowing attackers or malware to gain a foothold.

The first issue I would like to address is that of patch management. Not the overall operating system patch management, but patching your individual applications. Most operating systems have an update mechanism built in. Microsoft Update will patch Windows as well as some other Microsoft products, but let’s be honest - compared to either of the two major Linux package managers it can only be described as unbelievably primitive.

Sadly, despite all the facilities built into the iStore that have simplified application updates on iPhoneOS devices, full-fat OSX users suffer the same level of third-party neglect that Windows users do. Even on Linux; if you install an application without registering it with the system package manager, you regular updates will not update that app.

Where this leaves us then is sadly right were we were a decade ago; the operating system will patch itself, some applications (such as Firefox) will do so, but an unfortunate amount of software you can run on your desktop will require you to individually hunt updates. For those applications that do update themselves, many do so via their own background update mechanism. These updaters can all be sitting in the background consuming resources and waiting for the next patch.

The end result of this approach to patching is that it is virtually impossible to centralise, yet because of the security ramifications of running unpatched software, (a certain PDF reader springs immediately to mind,) patching third party applications is absolutely critical to proper network security. Users won’t update applications; they become very quickly annoyed at the whole process, and who can blame them? Whether it be Adobe updater informing you of a patch, Java bleating that yet another version has arrived to break your application compatibility or Google delivering yet another refinement to its user tracking toolbar, there are quite simply always updates to be run.

For this, I wish I had some secret sauce to solve the problem. You can’t make users update, and neither Apple nor Microsoft have been particularly keen on making the lives of their users actually easy by opening their patch management systems to third parties. There are some systems management applications out there that claim to be able to help - but the list of applications they support never seems to cover what you actually have deployed.

If you are lucky enough to be able to run only applications with their own third-party patching tools, then take the time to configure them. Several can be set up to automatically patch themselves, and the better designed ones can be configured to report errors in patching to an email address. They aren’t all so helpful, and I am going to take a moment to pick on Adobe. I recognise that the chances my gripes about Adobe being read by anyone there are slim, but they really deserve a right good kicking, and frankly I need the catharsis.

Adobe brings to the table everything that is wrong in an updater. It doesn’t have a centralised management function, it doesn’t have an auto-install option, it doesn’t even have the ability to email if things go pear-shaped. What it does do is consume a lot of resources, slow application launches, pop up right in the middle of reading a PDF, take absolute ages to do patches of any kind and it looks awful to boot.

The only thing it does right at all is this: all Adobe applications can be patched in from this one updater. In all other respects it is an abomination; it actually just asked me to restart my computer in order to update a PDF reader. I am absolutely floored; I wonder how many millions of dollars of systems administrators’ salary have been wasted in how many hundreds of thousands of companies babying updaters like this? Adobe (and all other companies with crap or worse yet no updaters) - get your house in order.

Things aren’t all bleak, though. Two of my favourite programs (Firefox and Notepad++) have what I consider to be excellent updaters. When I launch the program, the updater pops up quickly (without noticeably degrading application launch) asks me if I would like to update, does so, and then relaunches the application for me. Even the slowest updates don’t seem to take very long. Because it is integrated into the launching of the application (rather than Yet Another Tray Icon that users ignore), I find that these applications do in fact get updated on a regular basis.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
The DRUGSTORES DON'T WORK, CVS makes IT WORSE ... for Apple Pay
Goog Wallet apparently also spurned in NFC lockdown
Cray-cray Met Office spaffs £97m on VERY AVERAGE HPC box
Only 250th most powerful in the world? Bring back Michael Fish
Microsoft brings the CLOUD that GOES ON FOREVER
Sky's the limit with unrestricted space in the cloud
'ANYTHING BUT STABLE' Netflix suffers BIG Europe-wide outage
Friday night LIVE? Nope. The only thing streaming are tears down my face
Google roolz! Nest buys Revolv, KILLS new sales of home hub
Take my temperature, I'm feeling a little bit dizzy
Cisco and friends chase WiFi's searing speeds with new cable standard
Cat 5e and Cat 6 are bottlenecks for WLAN access points
CAGE MATCH: Microsoft, Dell open co-located bit barns in Oz
Whole new species of XaaS spawning in the antipodes
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.