Patching Paranoia - How Fast Do You Patch?
selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our clients' servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turnaround time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."
We have constant problems with patches where I work because HPaq/Sun seem to think that the versions of certain software they ship with Solaris/Tru64 are sacrosanct.
Every time we patch our primary DNS server (on an E-250) Sun's patch stomps on our custom build of BIND. Similarly, HPaq's patch kits won't install properly if they involve any patches for sendmail because we got tired of waiting for patches for 8.9.3 (even under 5.1A they stay with 8.9.3!) while we prefer to run our own build of 8.12.10. HPaq is also bad about making security patches depend on their version of the software unnecessarily. As a f'rinstance, I recently installed Aggregate Patch Kit 5 for Tru64 5.1A. It included about a half-dozen patches to fix weaknesses in the init scripts. The patches for the init scripts REFUSED to install until I downgraded sendmail to 8.9.3 configured as it was during the system installation! After the patches were installed, I had to re-upgrade sendmail to our preferred version. To the best of my ability to determine there was absolutely NO reason for those patches to depend on sendmail being at v8.9.3.
utter rubbish
It's a side-effect of the DOS legacy that still hangs over Win2000/XP. Unix separates files and inodes, so you can delete a file and replace it with a new one whilst the existing services are still using it, then restart the services to pick up the update. Windows has no such split, which means if a file is 'in use' you can't delete/overwrite it - this is what requires a reboot.
They could have fixed this in NTFS but chose not to, presumably to keep compatibility with DOS. TBH it's about time they sorted it out.
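The delete-and-replace behaviour the comment above describes, shown as an added example (not code from the thread): a "service" holds a descriptor open while a new inode is installed at the same path, and only a reopen (the restart) picks up the new version. It assumes a writable /tmp; the path and the "v1"/"v2" contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed path for the demo; stands in for a library the service loaded. */
#define DEMO_PATH "/tmp/patch_demo_libfoo.so"
/* "Patch install": unlink the name (the inode survives while anyone holds it
 * open) and create a brand-new inode at the same path. O_EXCL guarantees we
 * never truncate the file the running service is still using. */
static int install_new_version(const char *path, const char *content) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)strlen(content);
    ssize_t got = write(fd, content, (size_t)want);
    close(fd);
    return got == want ? 0 : -1;
}

/* Returns 1 if replace-while-open semantics hold: the service's open
 * descriptor still reads the old content (link count 0), and a fresh open
 * after the "restart" reads the new content. Returns 0 on any failure. */
int replace_while_open_works(void) {
    char buf[8];
    struct stat st;
    if (install_new_version(DEMO_PATH, "v1") != 0) return 0;
    int svc = open(DEMO_PATH, O_RDONLY);        /* long-running service */
    if (svc < 0) return 0;
    if (install_new_version(DEMO_PATH, "v2") != 0) { close(svc); return 0; }

    memset(buf, 0, sizeof buf);
    int old_ok = read(svc, buf, sizeof buf - 1) == 2 && strcmp(buf, "v1") == 0
              && fstat(svc, &st) == 0 && st.st_nlink == 0;
    close(svc);                                 /* "restart": old inode freed */
    int fresh = open(DEMO_PATH, O_RDONLY);      /* service comes back up */
    if (fresh < 0) return 0;
    memset(buf, 0, sizeof buf);
    int new_ok = read(fresh, buf, sizeof buf - 1) == 2 && strcmp(buf, "v2") == 0;
    close(fresh);
    unlink(DEMO_PATH);
    return old_ok && new_ok;
}

int main(void) {
    printf("replace while open: %s\n", replace_while_open_works() ? "works" : "failed");
    return 0;
}
```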
I just wish we had 1/3 of the balls of that company and that fucking up with the company computer was seen as destructive and damaging as it actually is.
The countless whining we get over passwords ("My boss says I dont hafta have one.."), applying updates to desktops(!), removing shit like Comet Cursor, and the people that toss laptops around and then bitch that they don't have the right laptop after they've broken it.
I'd love to see 2 or 3 people in particular have to sit down in front of the CFO and be told:
1) The computer you broke won't be replaced until you pay for the old one.
2) If you can write a check today, we won't dock your paycheck, but if we do, we'll spread the payment over at least 4 paychecks.
3) Any work you don't get done due to no computer will be considered against you in your next performance review and may be considered grounds for dismissal.
There's lots of reasons not to do it that way, but geeze, if there were real consequences (financially especially) for being a fuckup with computers, I think the users would toe a much tighter line.