Many programs today have self-updating technology built right into the program: an add-on component periodically contacts an update server to check whether the application needs updating. Examples of programs with these mechanisms are the Adobe (Reader, Flash) and Apple (iTunes, QuickTime) client programs.
These programs do help home users keep their products patched. But on a corporate network, self-updating programs are not a substitute for patch management: they are left to the mercy of the end user and the client system.
- Users can simply decline the update, or may not know the importance of patching and ignore the update-needed message
Not all users on a corporate network are security savvy, especially about patching. Users are bombarded with messages on their computers every day: a reminder pops up for a business meeting, UAC in Windows Vista asks for permission to run a program. If a pop-up appears asking to install a patch, how can you be sure whether the user actually accepted the update?
- The update program can fail at any time
An update program can simply fail to execute at any time. These failures are more common than you think. I have a test machine that has Adobe Reader installed on it. The installation method I chose installed the self-updating application. One problem: for three straight months, the program has failed to work. The machine does not tell me that I am missing patches (3 versions, to be specific), and only presents this error message each time it checks for updates.
Note: This program initially worked, and I have done nothing on my machine to tamper with this update program.
- There are no reporting measures
As an administrator, how do you know the machine is patched? Did the user accept the update? Is the updater program actually working as intended? Leaving programs in self-patching mode allows no roll-up reporting at all. Managing patches on a single system is easy: you check that system's patch state by hand. But from small businesses up to large corporations, a patch management system with reporting is key to ensuring compliance.
In my example above, we have a case of an update program failing for no apparent reason on a target machine. If this were a computer somewhere on my network, a vulnerable version of a highly targeted program would be sitting on it. A true patch management solution could have identified this months ago.
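The roll-up report the post is asking for, as an added example that is not part of the original post: a central inventory is compared against a required baseline, and hosts whose self-updater has not reported success for too long are flagged separately, which is exactly the failure described above. The inventory rows, host names and version numbers are constructed placeholders, not real Adobe Reader release numbers.

```python
"""Roll-up patch compliance report over a constructed inventory.

Assumptions (constructed for this example): version strings are
dot-separated integers, and each inventory row carries the date on which
the product's self-updater last reported a successful check, or None.
"""
from datetime import date

# Constructed inventory: one row per (host, product).
INVENTORY = [
    {"host": "ws01", "product": "Adobe Reader", "installed": "9.1.0",
     "last_update_ok": date(2009, 3, 1)},   # updater silent for 3 months
    {"host": "ws02", "product": "Adobe Reader", "installed": "9.3.0",
     "last_update_ok": date(2009, 5, 28)},  # healthy
    {"host": "ws03", "product": "Adobe Reader", "installed": "9.2.0",
     "last_update_ok": None},               # updater never succeeded
    {"host": "ws04", "product": "iTunes", "installed": "8.0.0",
     "last_update_ok": date(2009, 5, 30)},  # no baseline defined below
]

# Placeholder baseline: minimum version the organisation requires.
REQUIRED = {"Adobe Reader": "9.3.0"}


def parse_version(v):
    """Numeric tuple so that 9.10.0 compares above 9.3.0 (not lexically)."""
    return tuple(int(part) for part in v.split("."))


def is_compliant(installed, required):
    return parse_version(installed) >= parse_version(required)


def updater_stale(last_ok, today, max_days=30):
    """A self-updater that has not reported success within max_days is
    treated as broken, regardless of what version is installed."""
    return last_ok is None or (today - last_ok).days > max_days


def rollup(inventory, required, today, max_days=30):
    """Group hosts into compliant / out_of_date, plus a stale-updater list."""
    report = {"compliant": [], "out_of_date": [], "updater_stale": []}
    for row in inventory:
        baseline = required.get(row["product"])
        if baseline is None:          # product not in scope of this report
            continue
        bucket = "compliant" if is_compliant(row["installed"], baseline) else "out_of_date"
        report[bucket].append(row["host"])
        if updater_stale(row["last_update_ok"], today, max_days):
            report["updater_stale"].append(row["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in rollup(INVENTORY, REQUIRED, date(2009, 6, 1)).items():
        print(f"{bucket:14s} {', '.join(hosts) or '-'}")
```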
Plain and simple: Don’t put blind trust in self updating software.
– Jason Miller