Related link: http://news.com.com/2100-1001-982135.html

On Friday, the world reeled from a single bug exploited by a garden-variety virus. Hundreds of thousands of sites back-ended by Microsoft SQL Server were completely disabled by a bug now known as Sapphire, Slammer, or SQLExp. And blame is being assigned now by both the trade press and the general press, typified by the C|NET news article cited above. It’s those system administrators! Whether out of ignorance or plain laziness, they didn’t download a patch that Microsoft had made available as far back as July of last year.

But system administrators have good reason to refuse to install patches: many of them break systems. It’s often a case of one step forward and three back. Granted, a patch that’s out since July has probably been well-tested and the buzz among sysadmin circles could assure knowledgeable professionals that the patch is safe. But the process of keeping a system up to date is much more complicated than the idealists in the press and elsewhere make it seem. I’m not at all surprised that a system administrator might be conscientious and professional and yet not get around to installing all security fixes.

I used to install fixes religiously. Then a security fix came in on my Windows 2000 system that made it impossible to log in. I had to go slinking to one of my company’s system administrators, who spent over an hour undoing Microsoft’s patch. This is not an isolated incident; I hear of such things from other people too.

The usual community of Microsoft-bashers will say that the original sin was not to run an unpatched system but to run a system that used SQL Server in the first place. I do not give in to this easy jibe because I know SQL Server is in use right here at O’Reilly on at least one of our production systems. Anyway, other software has security fixes too.

Please don’t blame the system administrators, or make them think their first priority is to install everything they’re told to install. Instead, urge developers to do a better job of debugging, and set up better channels of communication so the administrators will know what they really need to install.

Is it ignorance, laziness, or something else?