Product Reviews

Conquering Patch Madness

UpdateEXPERT eases the task of keeping servers patched.

• By Douglas Mechaber
• 10/01/2001

UpdateEXPERT, formerly SPQuery, manages updates and patches to servers, including Windows 2000 and NT Servers, Terminal Server, IIS, SQL Server and Exchange; workstations (NT, 2000, and XP only), and some specific programs (Internet Explorer, Media Player, NetMeeting, NetShow, Office and Outlook). UE does this by comparing the machines on your network with a secure database of patches. Most hotfixes can be scheduled for installation from the UE interface. One particularly attractive feature is that potential patches and hotfixes are grouped by OS and category, along with a brief description of the vulnerability, with the bottom pane showing the Knowledge Base article describing the fix. You have the option of adding any patches or hotfixes to a required list, so you can compare your patching policy to the software installed on a particular server. The missing patches for that system are listed when the computer name is highlighted.

UE worked as designed, but there are some quirks. If you manually enter a computer name but misspell it, or otherwise want to delete an entry that doesn't exist, your only recourse is to reset the entire list of machines. Some interfaces could be improved: for example, under View|Manage Required Updates, the panels can't be resized, and your only option is to scroll horizontally to read the entire patch description. The default view shows required updates only. No manual is included; most information is in Help. And, since the sequence matters when setting up UE, a quick "up and running" guide would make sense. There is, however, a short, important readme file on the CD that covers some of these issues.

UpdateEXPERT lets you easily browse all the updates available for software on your computer. (Click image to view larger version.)

Among the unique features of UE are the ability to schedule and push patches out to various systems, after downloading the patch once to the computer running UE; the ability to quickly find descriptions for newly released patches; and the ability to generate reports both before and after, validating the installation of selected patches.

[Version 5.1, out after this writing, adds Smart Boot Elimination, which combines multiple patches for the same computer to minimize reboots. —Ed.]

What's missing? I found myself wanting some features from the similar Config Reader program for NetWare servers. UE doesn't analyze any error logs for potential causes of system crashes; it doesn't allow direct comparison of patches on two servers side by side; and you can't sort patches or program components by date, indicating where a newer component may be available.

There are an average of two to three releases per week of the patch database, and St. Bernard runs a respectable one to two days behind the Microsoft release of the patch, for testing. Normally, the database download frequency is set from the console, with a default of once an hour. You have the ability to create your own set of patches to install, and create a report detailing which servers need which updates.

This product will be of most use to security consultants, or in larger environments where there are multiple and diverse Microsoft servers or workstations to manage. UE provides a solid way to manage the increasing number and urgency of software patches from Microsoft.