Saturday, February 26, 2011

Patching and updating for home and corporate

We all are well aware of the Microsoft patches and windows update.  Same goes for those of us who use itunes and iOS devices, we know Apple Software Update.  Some of us may even patch our Adobe products, which we should since they have been the largest attack vector (http://goo.gl/bOQ3D) for the past 2 years hands down.  This is just at home.... How do you expect the security experts to keep on top of all of these patches in a corporate environment.  The number of patches for Oracle alone is daunting to understand and analyze.

There are ways to do this, you can use some clever software which I will outline below, or you can read ~25 RSS feeds and analyze vendor security bulletins.  I do enjoy doing some of this, but I don't have time to keep on top of all the releases.  Here is some software for home and corporate use to help manage this.

Corporate Patch Management:

  • Microsoft WSUS and SCCM - This is free and a no brainer for patching your desktops in a corporate environment.  If you need tighter control you can implement System Center Configuration Manager (SCCM, formerly SMS) which does a good job.  Microsoft has invested heavily in these products and brought them a lot way from the old SMS days.
  • Shavlik HFnetchk pro - Great product, but the price hasn't fallen as the competition has heated up.  This product does a good job with other products outside of Microsoft, but doesn't support Linux or other *NIX variants.
  • GFI Languard - Cheap tool and does a good job with patching servers or desktops.  Normally I recommend this for servers since it does a good job with general auditing too.  Works well on Linux as well.
  • Lumension Patch Management (formerly Patchlink) - Used this previously, its a mixture of online services and software in house.  Its a good product, and can handle multiple operating systems.  Cost is medium in range.  I haven't used the other components of the suite, but I would be willing to test them out.  When I was using the product it did a great job on Solaris, Linux, and Windows.
  • Manageengine Security Manager Plus - This product was missing some key features in managing the patch lists, but overall it worked well and it was inexpensive.  I love some of the other tools by these guys who also bring us the zoho products.  The product does support Linux as well as Windows.


Wish list : I wish spiceworks would get into this space!

Home Patch Management:

  • Windows Update - Turn it on, and use it at home.  It also manages updates for other Microsoft products if you follow these directions to enable this feature : http://technet.microsoft.com/en-us/magazine/ff642466.aspx
  • Secunia PSI - If you are a moderately advanced user this product does a great job managing updates to all of your other system software.  Highly recommend using this product.  I haven't tested the commercial versions of the products, I would be willing to test them if someone from Secunia contacts me.
  • Mozilla Firefox/Thunderbird - These products and plugins do a good job with updating themselves, but when there is a new release, they don't auto update.  This is something that Secunia would handle, for example moving from Firefox 3.5 to 3.6... or soon from 3.6 to 4.0.  The extensions update themselves well on any of the products from Mozilla.
  • Chrome - This product has the smartest best update system of any.  Since the application resides not in program files, but within the users home directory it doesn't have restrictions on what it can do to its own files.  This is both a blessing and curse in the security realm.  The downside is that if there is a security issue it could compromise the browser binary itself, versus something which is installed in a "secured" location such as program files.  The product will notify you, via a small icon that it has downloaded a new version.  When you close the browser and start it again its switched to it.  

2 comments:

Ryan said...

Check out CNET's Tech Tracker. Works on both Mac and Windows and checks all of your software for updates.

jkowall said...

Thanks Ryan, I read this comparison.

http://www.howfixcomputer.com/2010/06/02/updaters-revisited-cnet-techtracker-vs-secunia-psi/

I prefered PSI since they are a security company and they focus on security issues with outdated apps.