Your references to Code Red and Nimda are fair; admins who still get bit by them deserve it for being slow (glacial)to apply patches.

However, I know *many* Windows admins who don't bother patching right away because Microsoft has a history of releasing patches that solve one problem and create others. Sometimes to the point that the OS becomes unusable. To fault these folks for not jumping immediately on the patch bandwagon is unfair. They're slow to react because they've been burned before.

It's not enough for a company to simply release a patch. Despite the pressure to post a fix ASAP, it's also equally important to ensure the fix (a) solves the problem and (b) does not cause any others.

Of course, none of this addresses the larger issue of "we don't trust it but we actively deploy it". Perhaps it's market factors (customer who *have* to have Microsoft for their server platform) or organizational ("so-and-so says we can only do it with Microsoft products"). I guess we won't know why until someone orders that survey ;)

Scott Sorrentino
scott@kill-hup.com
http://www.kill-hup.com/

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/152/19194#19194