Internet Fixes

When the Cure Is Worse Than the Disease

The trouble with software patches is that they are themselves software. As a result, like the programs that they're intended to fix, the patches sometimes have glitches or security holes of their own.

Case in point: Office XP Service Pack 2. Shortly after Microsoft released this update in August 2002, people who installed it found that Outlook crashed after downloading certain e-mail messages. Microsoft didn't release a patch until December, so some people had to deal with an unstable e-mail client for a few months.

Security-conscious users, then, are caught on the horns of a dilemma: install patches as soon as they come out (and before any bugs are discovered), or wait and leave your system open to a known vulnerability?

Even the security experts punt on this question. Richard M. Smith, an independent Internet security and privacy consultant in Cambridge, Massachusetts, says that he regularly updates his Windows system--but tries to avoid using Windows XP's Automatic Updates. "There's a risk here that an update may get rushed out and not be fully debugged," Smith explains. "[The update] might actually make things worse rather than better."

System administrators don't have much use for Automatic Updates--or, for that matter, the Windows Update site. "Windows Update does not lend itself nicely to the corporate world," says Don Mungovan, vice president of IT for QST Industries, a textile supplier in Chicago. "An administrator still needs to be logged on to [each] machine, and I do not have the luxury to have someone touch every machine in a timely fashion." Instead, Mungovan relies on Ecora Patch Manager to partially automate software patching.

What's a Windows user to do? It depends on how much you trust Microsoft--and how much footwork you're willing to do on your own. For the easiest updates, Windows XP Home Edition users should put Automatic Updates to work (see " Operating Systems" for details). When configuring the feature, limit your selection to "critical updates," which will ensure that you're fixing the most serious holes.

If you don't trust Automatic Updates--or can't use it because you have an older version of Windows--consider using the semiautomated Windows Update site instead; Smith says he follows that strategy.

Anyone who worries about potential problems with a new patch or service pack shouldn't install patches as soon as they come out. Wait a week or two. Check Microsoft's site to find out about any emerging caveats. For problems with non-Microsoft patches, you'll need to monitor the vendors' sites for updates. Remember to read our monthly Bugs and Fixes column for advice about dealing with troublesome patches from Microsoft and others. You can also search discussions on Google.

If a patch causes problems, you may or may not be able to remove it. "The reality is that sometimes patches simply are not uninstallable," says Iain Mulholland, security program manager in Microsoft's Security Response Center. So check the download notes (if any) for details about whether you can back out.

--Dylan Tweney