John Dvorak has a rant on patching and the state of IE that has a statement that is somewhat misleading in my opinion. In speaking of the announcement this week of 10 security updates for Windows and IE, Dvorak said:
It would be nice if there were more options than patching software, but unless you are willing to get a Macintosh or run a Linux computer you are just going to have to patch your machine over and over, probably weekly. And these patches are almost always necessary.
I sincerely hope that Dvorak isn’t suggesting that Mac and Linux users don’t need to patch their machines. In fact, perusing the archives of the SANS.org @Risk security newsletter makes it clear that there are plenty of vulnerabilities being found in Linux, Mac OS X, and other *nix operating systems.
I can certainly sympathize with Dvorak’s point about the pain of keeping up with patches, but I don’t think it helps anyone to suggest that this is a Windows-only problem. There’s no such thing as an operating system that doesn’t require patches. What’s important is trying to make it easier for users to keep their machines up-to-date. Windows XP Service Pack 2 is an important step in the right direction on that front. It’s true that there have been some compatibility issues with SP2, and hopefully we’ll be able to resolve those. But it also includes a number of changes that can help preemptively prevent vulnerabilities from being exploited. It also strongly recommends that users enable automatic updates, which can greatly simplify the process of keeping a computer updated for end users.
Dvorak is right to keep the heat on Microsoft on security…not because I think the company I work for is doing a bad job…but because the more pressure that’s applied, the better when it comes to security. Where I disagree with Dvorak is his presenting a misleading picture of other operating systems as not requiring regular patching. It’s not true, and he does a disservice to his readers by leaving that impression. I’m all for pushing hard on security…I’d just like it to be fair and accurate.