Automated Patch Management
by Rick Greenwood - CTO of Shavlik Technologies - Friday, 28 April 2006.
But even a short 20 days can seem long when compared to today’s zero-day exploits. The disclosure of the Windows Metafile (WMF) flaws in December 2005 immediately led to the discovery of over 80 active exploits. By the time Microsoft released a patch ten days later, enterprises were already at high risk of infection and there was no time to spare in getting the necessary patches in place.

What’s a company to do?

Companies need to take an enterprise-wide approach to security assessment: evaluate internal patch management processes, understand the potential risk to network systems and data, and ultimately adopt a proactive approach to patch management. New tools are available to help companies of all sizes eliminate many of the manual aspects of security patch management. They let IT professionals automate the time-consuming parts of the job, while also providing features designed to help staff understand, test, deploy and validate the right patches in the time available.

The most effective patch management software should provide a straightforward approach to patch scanning and remediation, ensuring accurate, secure processes that can protect every computer within the enterprise. Important features to look for include: automatic or scheduled installation of missing patches; the ability to roll back or uninstall patches; information about each patch, including the vulnerability severity and links to third-party information about the issue; and summary reports for executive reporting.

A good patch management software package should also include a shared back-end database to facilitate collaboration and patch management tracking to compare progress against existing enterprise-security initiatives. Such features are important because the first step in the patch process often requires wading through ad-hoc releases, service packs and temporary fixes, to determine what patches are applicable to the enterprise.

After needed patches are identified, a relatively easy set of steps helps ensure that the patch process benefits the enterprise, and doesn’t cause more harm than good:

1. Patch Testing – Once a patch is identified, it must be tested to evaluate its potential impact on the particular computing environment. One option is to install the patch on a control group of machines and subject them to normal use before wider deployment.

2. Scan and Assess – Because computing environments are complex and dynamic, simply knowing that a patch is probably needed somewhere in the enterprise says little about exactly where holes remain. To find them, systems must be scanned and assessed, identifying every system that requires the patch while also recognizing systems that should be left alone.
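As an added illustration of the scan-and-assess step (this is not code from the article or from Shavlik), the following Python script compares a constructed host inventory against a constructed patch catalogue. It treats a patch as present when it or any patch that supersedes it is installed, skips hosts flagged as exempt (the systems that "need to be left alone"), orders each host's gaps by severity, and rolls the result up into the kind of summary an executive report would carry. All KB identifiers, host names and URLs are made-up sample values, not real Microsoft bulletins.

```python
"""Scan-and-assess over a constructed host inventory (illustrative, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}


@dataclass(frozen=True)
class Patch:
    kb: str                      # constructed identifier, not a real KB number
    severity: str                # vendor-style severity rating
    applies_to: FrozenSet[str]   # OS families the patch applies to
    supersedes: FrozenSet[str] = frozenset()  # older KBs this one replaces
    advisory_url: str = "https://example.invalid/advisory"  # placeholder third-party link


@dataclass
class Host:
    name: str
    os: str
    installed: Set[str]          # KBs reported by the scan agent
    exempt: bool = False         # "leave this system alone"
    exempt_reason: str = ""


# Constructed patch catalogue: KB-EX-1003 is a cumulative rollup replacing KB-EX-1001.
CATALOG: List[Patch] = [
    Patch("KB-EX-1001", "critical", frozenset({"winxp", "win2003"})),
    Patch("KB-EX-1002", "important", frozenset({"win2003"})),
    Patch("KB-EX-1003", "critical", frozenset({"winxp", "win2003"}), frozenset({"KB-EX-1001"})),
    Patch("KB-EX-1004", "moderate", frozenset({"win2000"})),
]

# Constructed scan results for five hosts.
INVENTORY: List[Host] = [
    Host("ws-01", "winxp", {"KB-EX-1003"}),
    Host("srv-01", "win2003", {"KB-EX-1001"}),
    Host("srv-02", "win2003", set(), exempt=True,
         exempt_reason="change freeze: production ERP, vendor has not certified the patch"),
    Host("lab-01", "win2000", set()),
    Host("ws-02", "winxp", {"KB-EX-9999"}),   # reports an unknown KB; ignored safely
]


def covered_by(installed: Set[str], catalog_by_kb: Dict[str, Patch]) -> Set[str]:
    """Installed KBs plus everything they transitively supersede."""
    covered: Set[str] = set()
    stack = list(installed)
    while stack:
        kb = stack.pop()
        if kb in covered:
            continue
        covered.add(kb)
        patch = catalog_by_kb.get(kb)  # unknown KBs simply cover nothing else
        if patch:
            stack.extend(patch.supersedes)
    return covered


def assess(inventory: List[Host], catalog: List[Patch]) -> Tuple[Dict[str, List[Patch]], Dict[str, str]]:
    """Return (missing patches per scanned host, reason per skipped host)."""
    catalog_by_kb = {p.kb: p for p in catalog}
    missing: Dict[str, List[Patch]] = {}
    skipped: Dict[str, str] = {}
    for host in inventory:
        if host.exempt:
            skipped[host.name] = host.exempt_reason or "exempt"
            continue
        covered = covered_by(host.installed, catalog_by_kb)
        gaps = [p for p in catalog if host.os in p.applies_to and p.kb not in covered]
        gaps.sort(key=lambda p: -SEVERITY_RANK[p.severity])  # worst first, catalogue order otherwise
        missing[host.name] = gaps
    return missing, skipped


def summary(missing: Dict[str, List[Patch]], skipped: Dict[str, str]) -> Dict[str, object]:
    """Executive-level roll-up: how many hosts have gaps and how severe they are."""
    by_sev: Dict[str, int] = {}
    for gaps in missing.values():
        for p in gaps:
            by_sev[p.severity] = by_sev.get(p.severity, 0) + 1
    return {
        "hosts_scanned": len(missing),
        "hosts_with_gaps": sum(1 for g in missing.values() if g),
        "hosts_skipped": len(skipped),
        "missing_by_severity": by_sev,
    }


if __name__ == "__main__":
    missing, skipped = assess(INVENTORY, CATALOG)
    for host, gaps in missing.items():
        print(host, "needs:", ", ".join(f"{p.kb} ({p.severity})" for p in gaps) or "nothing")
    for host, reason in skipped.items():
        print(host, "skipped:", reason)
    print(summary(missing, skipped))
```

The supersedence closure matters in practice: a scanner that only looks for the exact KB on a host that already carries the cumulative rollup would report a false gap and push an unnecessary, possibly disruptive, install. Exempt hosts are reported separately rather than silently dropped, so the report still shows that they exist and why they were skipped.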
