Scrutinizing Security Patches

Before you go grab and install a security patch, you may want to get to know a few basic facts about it — where to get it, what it does, whether it’ll cost you, that sort of thing. Most software makers have this process figured out, more or less, even if they don’t collectively take what I’d call a consistent approach to the matter.

Some software programs periodically “call home” to see whether patches are available for them. They’ll even download and install their own updates if you let them. Other software makers are kind enough to send you e-mail if they release a new security patch. Some offer mailing lists that inform members automatically about new developments (including security patches) via e-mail. Other software makers make you find — and periodically visit — the company Web site to check for any new patches.

And then you have the clueless software makers who don’t seem to know what patches are. Fortunately, they’re the minority. If you’re using software made by the rest (those who understand the need for patches and act accordingly), here’s a general rundown on security patches from some of the major software companies.

A few companies don’t publicize their patches at all, but wait until you call with a specific problem addressed by their (ahem) secret patch. Fortunately, few companies do that anymore. It’s better for business to just fess up to one’s mistakes and show customers where to find the fixes.

The Microsoft Security page

When it comes to notifying users about critical security patches, Microsoft is very well organized (they get lots of practice), and you have a number of options available to you. They have a nice Web page dedicated to the latest security information about their products — and a mailing list you can join that lets you know the minute any new security patches are available. You have two ways to get the goods:

  • To see the Microsoft Security Web site, go to www.microsoft.com/security. There you’ll find a great number of features and information.
  • To get on Microsoft’s mailing list for critical patches, go to their Security Web page and click the “Get e-mail about new security updates” link. You’ll be taken to a sign-up screen where you put in your e-mail address. From that point forward, you’re notified via e-mail whenever any critical situation is going on.

Non-Microsoft programs

Companies other than Microsoft use a variety of methods to inform their customers about available security patches (such as mailing lists and Web sites). Some companies have figured out that viruses are bad for all Internet business, and go beyond simply offering patches for their own products. Most of the antivirus companies offer downloadable fixes for specific viruses — to everybody, even the folks who aren’t using their software. (Are they altruistic? Are they nuts? Nope, just smart.)

Other sources of security information

A couple of other high-quality sources of security information are well worth a look — and I recommend you consider viewing them on a regular basis (or, easier yet, getting on their mailing lists). Some of the better ones include these:

  • US-CERT. The United States Computer Emergency Readiness Team manages the National Cyber Alert System. You can subscribe to security alerts written for non-computer experts (which includes most people on the planet). Go to www.us-cert.gov to view cyber-security tips and sign up for the bulletins.
  • AusCERT. This is the Australian Computer Emergency Response Team. Yes, they get viruses down under too. You can view alerts and subscribe to their mailing list. Go to www.auscert.org for more information.