More on MS SQL worm and responsibility

by Andy Oram

Last week I posted a provocative weblog saying I could understand why system administrators failed to install the Microsoft patch that would have halted the SQL Server worm. (Unlike many commentators, I was not bashing Microsoft.) This weblog has drawn more comments than any weblog or article I've posted before, I believe--and many comments are excellent; I recommend reading them.

Another C|NET article posted yesterday provides a very different perspective from the one I cited in my weblog--a perspective that I think supports what I said in my weblog. Here are some relevant paragraphs.

"This shows that the notion of patching doesn't work," said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security. "Publicly, they are saying it's not our fault, because you should have patched. But Microsoft's own actions show that you can't reasonably expect people to be able to keep up with patches."

For years, system administrators have complained about their inability to keep up with the steady stream of patches that have poured out of Microsoft and other software companies. In October, the software giant even raised the bar for what's considered a "critical" vulnerability, so that administrators wouldn't have to deal with so many patches that seemingly required immediate

"Seems like every time I install a system patch, something else goes wrong with my system," said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won't patch for many months, because they don't trust Microsoft to fix the problem without breaking some other function of the software.

And another article with a similar message (thanks to fellow editor Brian Jepson for pointing it out):

But not only are there too many patches to keep up with, people are reluctant to install them for fear they will interfere with their systems.