How Microsoft's Patch Tuesday Affects Business Processes and Security
An entire industry has grown up around Microsoft Patch Tuesday: The five-year push for predictable, scheduled security fixes has spawned both Microsoft and third-party vendor tools specifically to deal with the complexity of installing Microsoft security patches.
While very small companies can handle the task themselves, even midsized companies find themselves with a very big problem—one that is often too difficult and time-consuming to handle internally. That problem has created a small industry of patch-management consultants and services. These companies, like BigFix and Lumension Security (formerly PatchLink and SecureWave)—as well as Microsoft itself, with Windows Server Update Services—provide software that assesses systems' vulnerabilities and allows corporations to properly categorize and prioritize patch installation.
But given the complexity of deciding which patches to install and in what order, sometimes automated solutions don't do the trick. To address this problem, yet another small industry of security experts has sprung up—experts who can do the analysis and testing necessary to quickly give businesses the answers they need.
At the same time that companies are beginning to grapple with the released patches, security vendors like Symantec and McAfee are rushing to document the vulnerabilities. At Symantec, for example, Patch Tuesday sets a flurry of activities in motion; one group documents the vulnerabilities, a second writes signatures that prevent exploitation attempts, and a third team works on file-based detection of any client-side vulnerabilities that may have been patched.
The teams work as quickly as possible to send content to customers as soon as possible—sometimes, within minutes, says Ben Greenbaum, a senior research manager at Symantec of Cupertino, Calif.
But as quickly as businesses and vendors get to work on interpreting and installing the patches, attackers intent on exploiting the vulnerabilities are hard at work trying to reverse-engineer the patches, which helps them create new attacks. Some people derisively call this "Exploit Wednesday."
Microsoft's attempts to keep security patches as narrow as possible and to change as little of the binary code as possible, in order to avoid creating compatibility and stability problems, actually help hackers, says Ryan Russell, a professional hacker who helps decode the world of hackers and is director of information security for BigFix, a security management software company in Emeryville, Calif.
"A typical Microsoft patch updates only a couple of DLL files, which is helpful to the bad guys because they can compare the two binary files and find the one difference between the two, which is the vulnerability," he explains.
What's more, the face of the hacker is changing, compounding the problem. While the previous breed of hacker was looking to disrupt things, get famous or just have fun finding loopholes, the new threat comes from companies, organizations or even countries that look for vulnerabilities in order to profit, targeting corporate assets like servers rather than personal devices like desktops and laptops. That makes the problem even more insidious, says Don Retallack, a lead analyst at Kirkland, Wash.-based Directions on Microsoft, a research firm focused on Microsoft.