PATCHES
last updated 2011 March 18

INTRODUCTION
After reading this unit and listening to the lecture in class, students will have information about:

    o "Patches" - why they exist
    o What they are, how they are used
    o "Patches" - how you hear about them
    o Where you get a patch from
    o Why "software patching continues to lag far behind discovered vulnerabilities"

KEY POINTS
"Patches" Why they exist

It is mainly a consequence of the competitive environment.

Most large and medium-sized IT companies are often forced to release products on the market before they are thoroughly tested, due to the pressures of the competitive environment. As a result, there are often bugs, glitches, errors, etc. in these programs. However, the developers of the programs are not too concerned, because they trust that the most proficient customers will be involved in circumstances where these errors will be found, and will then complain to "tech support", whereupon a "patch" can be made and then released.

http://www.youtube.com/watch?v=boQkxs_FJBQ Prof. Richardson made a simple "intro to patches" video in class (MRK619) March 8th 2010 - thanks to Stephanie who held the camera.

In his narrative, Richardson used the analogy of a TV commercial describing how a car could be broken in to - watch it to understand how this relates to the way people are informed about patches.

Microsoft is famous for sending out many patches for their bugs and if you follow the sequence of some of the screen captures below you can see how it happens.
Patches: How do you hear about them? How are you informed a Patch is required?

There are a select small number of institutional, association, government and academic web sites within which security topics are discussed in an intelligent and authoritative manner. SANS Institute is considered one of the elite sources of IT security information. One can subscribe to their email list for patch info, and a typical message looks like the screen capture below.

MRK 410 students Allen H., Chris A., and Ashley N. found a great page on Patches in March 2004: www.softwarepatch.com
What is a patch?
"A patch can be an upgrade (adding increased features), a bug fix, a new hardware driver or update to address new issues such as security or stability problems."

"While most patches are free to download, ultimately the developer will determine which versions of their software will be updated for free (older releases of a program usually get fewer updates). In some cases, only registered users may get certain upgrades, and at other times the only way to upgrade is to purchase the newer version at a discounted upgrade price (and requiring a reinstallation of the program). Typically, a patch can be installed over the top of an existing program, but again this will depend on the supplier and the nature of the patch."

The site softwarepatch.com has a note that gives permission to anyone to do a basic link to their site. I emailed them in May 2005 and Scott gave permission to use a screen capture for the course. A copy of the email is on file in the permissions binder.

http://www.softwarepatch.com/ This page is a great resource for patches.

Anielyn B., a UTM student in MGD415 in March 2007, sent an informative and useful email about how patches are used / ignored at UTM.

Anielyn wrote

I was reading through the Patches section on the website and realized that there wasn't much information about how consumers felt about them. So, I thought I should share my two cents. From my experience, many people don't even bother to download patches, specifically students.

At UTM, if students want to connect to the UTM wireless network, they have to pass the ESP (Endpoint Security Policy System) scan. This scan checks whether the student's laptop has all Microsoft updates and a working antivirus program. Since I've been working at the UTM library, I've realized that most laptop problems come from insufficient Microsoft updates, which result in failing the ESP scan. When I asked students why they didn't just update it normally (since there are messages that pop up telling people to update their computer when new patches are available), they usually replied by saying they simply ignored it because 

(1) they didn't have time to do it, 
(2) they didn't even know what it was, 
(3) they didn't think it was necessary, or 
(4) they didn't want it to use up space or bandwidth. 

Essentially, the only reason these students updated their computers was to have Internet access, not because they wanted to fix security issues. If anything, they found having to update their computers a hindrance, not a benefit. It wasn't unusual for me to be updating a student's computer for over an hour.

Anielyn concludes

Although patches are supposed to be important, some users may feel that they don't make a difference. If anything, they take space and time, lots of time for the students who were missing over 10 patches. Unless it's an absolutely critical patch, downloading a new, small patch isn't worth the hassle. Funny enough, sometimes people don't even download critical patches as long as their system appears to be working fine.

Take care,  Anielyn

"Patches"
- where you get them

KEY POINTS
Sometimes the patch is so important that circulation is not confined to specialty sites; it goes to the media. In the example below, Yahoo carried info about a Microsoft patch in November 2002. This patch was apparently for a giant-sized vulnerability.
The screen capture to the left was taken off the Yahoo.com website Nov 21st, 2000.
What can happen?

"The vulnerability involves what's known as an "unchecked buffer" in the Remote Data Services (RDS) component of MDAC. The faulty code is in a function called the RDS Data Stub, which is used to pull information from incoming HTTP requests and create RDS commands, according to Microsoft. An attacker could exploit the security weakness by sending an improperly formatted HTTP request to the Data Stub that contained extra data. The surplus would cause the buffer to overflow, and in the process would place and run the attacker's data on the victim's PC."
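The "unchecked buffer" pattern described in the quote, as an added illustration for the course (not code from Microsoft, Yahoo! or this page): a constructed stand-in for a request stub that copies the body of an HTTP request into a fixed buffer, but compares the body length against the buffer size first and rejects oversize requests instead of overflowing. The buffer size, function names and request lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, not the real RDS Data Stub: a fixed buffer that a
 * request handler fills with the body of an incoming HTTP request. */
#define STUB_BUF_SIZE 16
static char g_stub_buf[STUB_BUF_SIZE];

/* Copy 'len' body bytes into dst only if they fit with a terminator.
 * An "unchecked buffer" skips this comparison and copies whatever length
 * the request supplies, so surplus data runs past the end of dst.
 * Returns 0 if copied, -1 if the data is too large for the buffer. */
int copy_checked(char *dst, size_t dst_size, const char *src, size_t len) {
    if (len >= dst_size)
        return -1;                 /* refuse rather than overflow */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Find the body of a raw HTTP request (after the blank line) and pass it
 * to the checked copy. Returns an HTTP-style status: 200 accepted,
 * 400 malformed (no header/body separator), 413 body too large. */
int handle_request(const char *request, char *out, size_t out_size) {
    const char *body = strstr(request, "\r\n\r\n");
    if (body == NULL)
        return 400;
    body += 4;                     /* skip the CRLF CRLF separator */
    if (copy_checked(out, out_size, body, strlen(body)) != 0)
        return 413;
    return 200;
}

/* Convenience wrappers around the shared stub buffer. */
int status_for(const char *request) {
    return handle_request(request, g_stub_buf, sizeof g_stub_buf);
}
const char *stub_buffer(void) { return g_stub_buf; }

int main(void) {
    /* Constructed requests: one that fits, one carrying surplus data. */
    const char *small = "POST /stub HTTP/1.0\r\n\r\nhello";
    const char *large = "POST /stub HTTP/1.0\r\n\r\nthis body is longer than the buffer";
    printf("small: %d (%s)\n", status_for(small), stub_buffer());
    printf("large: %d (buffer left as \"%s\")\n", status_for(large), stub_buffer());
    return 0;
}
```

The oversize request is turned away with a 413 and the buffer keeps its previous contents; the same request against an unchecked copy is the overflow the article describes, which is what the patch closed.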

Permission to quote from Yahoo!, use the Yahoo! logo, and use screen captures was given in an email by Debbie Macleod, Yahoo! Marketing Manager, Jan 21st, 2005. A copy of the email is kept in the permissions binder.

"Patches"
- they aren't keeping pace with the threat
Jennie, Mark and Josh in MRK 410TT March 2004, found a page regarding the fact that patches are not keeping pace with the discovered vulnerabilities.
Original article by Jay Lyman, NewsFactor Network, August 16, 2002
www.newsfactor.com/perl/story/19023.html
"software patching  continues to lag far behind discovered vulnerabilities" says Lyman

"Analysts typically blame the lag on the sheer number of patches, which are issued with increasing frequency. Indeed, patching remains a dreaded chore in most IT departments, where a lack of resources means many companies have fallen behind."

Lyman explains: "Quite simply, patching isn't all that sexy a task to do," Forrester analyst Laura Koetzle told NewsFactor. "There's no real incentive for IT folks to focus on patches. It's sort of an ad hoc effort."

Lyman, quoting Koetzle: "Koetzle stressed that companies are too shorthanded in IT to keep up, but she also blamed software vendors for failing to flag software patches and communicate the need to install them. "Software vendors -- and Microsoft is a big culprit here -- give you a lot of patches, and they issue them frequently," Koetzle said. "It's for you to figure out which ones you need, which ones are important. You also have to test them." Giga Information Group research director Mike Rasmussen agreed that the sheer quantity of patches is perhaps the biggest challenge to keeping software holes closed."

KEY POINTS
There is a problem with software not being "done right" in the beginning, so a patch is needed, and this problem is compounded by the scenario that there are too many patches and it is too time consuming to install them all.

The problem is simply a consequence of the competitive environment: this is a competition thing, not a technical thing. If the software vendors were not in such intense competition with each other, they could take more time before a product is released to check it for bugs, so that a patch would not be necessary.

witiger.com
  Prof. W. Tim G. Richardson © www.witiger.com