The problem of enterprise patching

A colleague was talking to me yesterday about his recent experience in implementing Microsoft System Center Configuration Manager (SCCM) for a customer. He is using the System Center Updates Publisher (SCUP) to deliver Dell firmware and software to clients. This got me thinking again about the best tools to use for keeping your non-Microsoft software up to date.

Keeping something like Adobe Flash Player up to date, for example, is a small problem that encapsulates a much larger one: how to ensure that the clients in an enterprise that have access to corporate data are adequately secure? Adobe Flash Player is ubiquitous. Updates come out frequently, and some of them are for critical security vulnerabilities like this. One way or another you will need to make sure that clients in the enterprise either don’t use Flash Player, or are reasonably up to date.

It is not easy to do.

  • Updates come out frequently, so you need to know that an update is required
  • There are Flash Players for Windows, Mac, Linux and Solaris
  • There are different trains. Train 10 is current, but train 9 is required on older operating systems.
  • Even when you know an update is required, you need the mechanism to perform the update on computers that require it.

Flash Player is probably one of the simplest products to update. Something like Adobe Reader is much more complicated. You can’t just run the latest patch. Version 9.2 will update 9.0 and 9.1, but version 9.3 will only update 9.2. That’s even before we get onto security patches like 9.3.3.

Windows Server Update Services (WSUS) takes care of patching for Microsoft products. The WSUS server component is free. It uses an online catalogue to determine what patches are available, and the built-in Windows Updates client to determine what is required on a given machine. But what about third party products, or different operating systems?

Any desktop systems management tool will perform an update that is given to it, but what is missing is:

  • alerting that the update is available
  • producing a dynamic collection or definition of computers that need it
  • specifying the command line to use when installing it.

BigFix Patch Management is a product that aims to do all this. What’s different about BigFix is that it provides the patching tasks for you to run. You just need to approve them for the update to be distributed to computers that need it. BigFix is highly suited to a heterogeneous environment because it works across different applications and operating systems. The company came onto the Gartner Magic Quadrant in late 2009 and was acquired by IBM in July 2010.

If you have a more uniform client base (say, mainly Windows clients) and you are already using WSUS for Microsoft patching, then you may not want to add another client management agent.

EminentWare is an interesting product that supports third party application patching on Windows clients using WSUS. EminentWare currently supports a fairly small range of products, but they account for probably the largest number of patches that need to be distributed. With EminentWare you can also create your own patches to distribute through WSUS. This is very handy for something like a Lotus Notes Fix Pack.

Secunia Corporate Software Inspector (CSI) also uses WSUS to push out security updates. Secunia’s main focus is on advisories, through their Vulnerability Intelligence services. Since earlier in 2010 they have added a capability to push out patches through WSUS, although I don’t have a list of which products can be updated this way.

The advantage of both the EminentWare and Secunia CSI approach is that you don’t need to run another client agent. The client for both detection and remediation is the built-in Windows Updates mechanism.

If you already use SCCM to manage clients, then the free SCUP extension enables you to add catalogues from other publishers to obtain and publish updates. This relies on the software vendors publishing a catalogue for SCUP. Unfortunately Adobe does not. Currently Citrix is the only software vendor that does. But at least it is a standard mechanism, and there is an opportunity for third parties to add to it.

If you already use Altiris to manage clients, then:

  • Patch Management Solution is available for Windows, Mac and Linux
  • Altiris maintains the catalogue for Microsoft and Adobe products, but not others
  • The Altiris client identifies where the patch is required and installs it.

Ideally what we want is a combination of these things:

  1. a public catalogue of patches from different vendors, independent of the distribution tool
  2. a generic query filter to identify machines where the patch is required
  3. integration with existing distribution and reporting tools.

That shouldn’t be hard, but it doesn’t exist.
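As an added illustration of points 1 and 2 (not code from the original post or from any of the products mentioned), here is a minimal vendor-independent catalogue with applicability rules, using the Adobe Reader chaining rules given above, and the query that turns it into a collection of machines needing patches. The inventory is constructed sample data, and the assumption that 9.3.3 requires 9.3 is mine, since the post does not state its prerequisite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    product: str
    version: str        # version the machine is at after this patch
    applies_to: tuple   # installed versions this patch can be run on

def _vkey(v):
    return tuple(int(x) for x in v.split("."))   # '9.3.3' sorts after '9.3'

# Rules stated in the post: 9.2 updates 9.0 and 9.1, 9.3 only updates 9.2.
# That the 9.3.3 security patch requires 9.3 is an assumption of this example.
CATALOGUE = [
    Patch("Adobe Reader", "9.2", ("9.0", "9.1")),
    Patch("Adobe Reader", "9.3", ("9.2",)),
    Patch("Adobe Reader", "9.3.3", ("9.3",)),
]

# Constructed sample inventory: hostname -> installed Adobe Reader version.
INVENTORY = {"pc01": "9.0", "pc02": "9.3", "pc03": "9.3.3", "pc04": "8.1"}

def patch_chain(product, installed, catalogue=CATALOGUE):
    """Ordered patch versions taking `installed` to the newest catalogue
    version; [] if already current; LookupError if no path exists."""
    latest = max((p.version for p in catalogue if p.product == product), key=_vkey)
    chain, current, seen = [], installed, {installed}
    while current != latest:
        step = next((p for p in catalogue
                     if p.product == product and current in p.applies_to), None)
        if step is None or step.version in seen:   # dead end or cyclic catalogue
            raise LookupError(f"no upgrade path from {installed} to {latest}")
        chain.append(step.version)
        seen.add(step.version)
        current = step.version
    return chain

def machines_needing_patches(inventory, product, catalogue=CATALOGUE):
    """The 'dynamic collection': hostname -> required chain for machines that
    are behind, plus the hosts for which the catalogue offers no path."""
    needs, unsupported = {}, []
    for host, installed in inventory.items():
        try:
            chain = patch_chain(product, installed, catalogue)
        except LookupError:
            unsupported.append(host)
            continue
        if chain:                      # current machines are simply left out
            needs[host] = chain
    return needs, unsupported
```

The `unsupported` list is the part a real tool must not silently drop: a machine on a version the catalogue cannot reach is still an unpatched machine.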
