Survey: Many Microsoft Patches Are Going Uninstalled
- By Jabulani Leffall
- 06/24/08
The results of an online
test conducted by U.K. anti-virus firm Sophos found that more often than
not, PC users don't install Microsoft's monthly patches.
The results, released Monday, were gathered from 40 days' worth of data
from a sample group of 580 PCs in corporate environments, 80 percent of which
failed one or more basic security tests.
Moreover, 63 percent were found lacking
at least one Microsoft patch on the OS level, the Office and application levels,
or the browser and media player component levels.
Bill Emerick, Sophos' vice president of product management, said in a prepared
statement, "Machines that fail such a test represent 'low-hanging fruit'
for cybercriminals and [are] a real danger to their corporate networks."
But according to Randy Abrams, director of technical education for IT consultancy
ESET, these reports can sometimes be like "two blind men, touching different
parts of an elephant. [They] may get the same results, but it doesn't cover
the whole body."
"I think we have to remember that the sample sets and control groups in
tests like these need to be taken into consideration," said Abrams, himself
a former Microsoft security pro. "That said, we don't need a survey to
tell us that people are lax about patching their systems. I think the evidence
of that is that there are far fewer zero-day or new patches than there are those
that are responding to a direct set of vulnerabilities."
There are several reasons for IT pros and even individual users to delay, or
altogether skip, patching their systems -- one being the fact that not every
patch may apply to them.
Many enterprises also hold off patching to evaluate the cost, or to avoid either
re-patching
or seeing their particularly tailored systems block
the patches.
There's also some lingering resistance
to Automatic Updates for Microsoft patches, Abrams explained. "In these
cases, the systems sometimes reboot...while you're away to automatically install
the patches," he said. "I think this was a case with a good intention
and bad implementation on Microsoft's part."
About the Author
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.