"Something has to happen," says Rambus. "There’s going to be a backlash if it doesn’t improve. I’d suggest that this patching problem is the responsibility of the vendors, and the costs are being taken on by the customers."

There’s good news and bad news for Rambus. The good news is that vendors are motivated to try and fix the patch process. And they’re earnest—one might say even religious—about their competing approaches. And the fervent search for a cure has intensified markedly since Slammer.

The bad news is that none of what’s happening changes the economics of patching. Customers still pay.

Patch More or Patch Less: A Hobson’s Choice

There are two emerging and opposite patching philosophies: Patch more, or patch less.

Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spinoff, "virtual patch management"), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn’t the problem, but manual patching is. Perfunctory checks for updates and automated deployment, checks for conflicts, roll back capabilities (in case there is a conflict) will, under the Patch More school of thought, fix patching. PM software can keep machines as up-to-date as possible without the possibility of human error.

The CISO at a major convenience store chain says it’s already working. "Patching was spiraling out of control until recently," he says. "Before, we knew we had a problem because of the sheer volume of patches. We knew we were exposed in a handful of places. The update services coming now from Microsoft, though, have made the situation an order of magnitude better."

Duke University’s Rice tested patch management software on 550 machines. When the application told him he needed 10,000 patches, he wasn’t sure if that was a good thing. "Obviously, it’s powerful, but automation leaves you open to automatically putting in buggy patches." Rice might be thinking of the patch that crashed his storage array on a Compaq server. "I need automation to deploy patches," he says. "I do not want automatic patch distribution."

The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Based on 12 years of actuarial data, he says that only about 2 percent of vulnerabilities result in attacks. Therefore, most patches aren’t worth applying. In risk management terms, they’re at best superfluous and, at worst, a significant additional risk.