Instead, Tippett says, improve your security policy—lock down ports such as 1434 that really had no reason to be open—and pay third parties to figure out which patches are necessary and which ones you can ignore. "More than half of Microsoft’s 72 major vulnerabilities last year will never affect anyone ever," says Tippett. "With patching, we’re picking the worst possible risk-reduction model there is."

Tippett is at once professorial and constantly selling his own company’s ability to provide the services that make patching less viable. But many thoughtful security leaders think Tippett’s approach is as flawed and dangerous as automated patch management.

"He’s using old-school risk analysis," says Burns. "How can you come up with an accurate probability matrix on blended threat viruses using 12 years of data when they’ve only been around for two years?"

An additional problem with the Patch Less school is the feeling of insecurity it engenders. Not patching is sort of like forgetting to put on your watch and feeling naked all day. Several information executives described an illogical pull to patch, even if the risk equation determined that less patching is equally or even more effective.

There’s also an emerging hybrid approach—which combines the patch management software with expertise and policy management. It also combines the costs of paying smart people to know your risks while also investing in new software.

Hernan says, "I can understand the frustration that can lead to the attitude of, ’Forget it, I can’t patch everything,’ but that person’s taking a big chance. On the other hand, he’s also taking a big chance applying a patch."

"I don’t have much faith in automated patching schemes," says Rambus. "But I could be convinced."

Wynn is ambivalent too. "If you think patch management is a cure, you’re mistaken. Think of it as an incremental improvement. I have to take a theory of the middle range," he says vaguely.

It’s Alive! The Persistence of Slammer

On Monday after Slammer hit, Microsoft rereleased MS02-061 to cover up the memory leak and update ssnetlib.dll, and it was much easier to install. Of course, by then, Slammer was already pandemic. Microsoft itself was infected badly, prompting a moment of schadenfreude for many. ISP networks had collapsed; several root DNS servers were overwhelmed; airlines had canceled flights; ATM machines refused to hand out money. In Canada, a national election was delayed.

The patches had, at best, a miniscule effect. What ended up preventing Slammer from worming its way into the workweek and causing even more damage, it turns out, was a rare and unusual gesture by ISPs. That same Monday, they agreed to block Internet traffic on UDP port 1434, the one Slammer used to propagate itself. "That’s what allowed us to survive," says Cooper.