News

Meet the Patch Man

• By Keith Ward
• 06/01/2005

Eric Schultze is to patching what J.K. Rowling is to fantasy fiction: the Big Kahuna. As chief security architect at Shavlik Technologies, Schultze helps develop patch solutions for the high- profile Roseville, Minn.-based security company. Before that, he was a program manager for the Microsoft Security Response Center and a senior technologist in the Trustworthy Computing team at Microsoft. He answered questions from Redmond Managing Editor Keith Ward on the state of patching today.

What are your chief duties with Shavlik?
I architect Shavlik solutions, build new features for products, architect spyware and other security products we'll be putting out this year, and research all Microsoft patches.

What do you think of Windows Server Update Services (WSUS)?
I think it will be a viable solution for a large number of customers. Certainly [there are] improvements over SUS (Software Update Services) 1.0 in that it can update more products, especially Office products.

Is Shavlik afraid that Microsoft's patching strategy will put it out of business?
It's certainly something we think about, but we don't see an issue. WSUS is limited in its abilities. It doesn't cover Windows NT. [The earliest version of Office it supports is] Office XP SP2. It doesn't cover Office 2000. It starts with Exchange 2003. We have yet to see it support SQL Server. We've added [support for] WinZip and Apache and will be adding Firefox, Adobe, Google and more.

Shavlik's Eric Schultze: "Hackers are getting lazier now. Pushing a button gets you to the first machine, but not to the machines behind the first machine." (Click image to view larger version.)

Microsoft field reps use our tools for their customers because they weren't getting the support from the Microsoft toolsets. The reporting in WSUS is still very, very weak. We just announced a report server offering, [that includes] rich reporting pieces, for companies that need compliance reporting; they won't get it from WSUS.

You participated in the famous Trustworthy Computing initiative. Why are so many holes still being found in Microsoft products?
The bug scrub, and [companion] training and knowledge, was really exciting. Developers weren't in the mindset of even looking for bugs. There were loads of bugs that were identified and fixed. Had that not occurred, that number [of typical fixes on patch days] would be much larger. Also, [there's still] legacy code from Windows 3.11 and NT.

What are the greatest security threats facing network admins today?
Simply not knowing what's out there. How do they know their machines are secure? How do they know there's not a hacker on their network? I'd be concerned about spyware since it's no longer benign—Trojans and keystroke loggers are now automated, where they used to be manual. There's also the constant problem with keeping up with the patches Microsoft is releasing. Nimda woke people up, SQL Slammer woke people up, but they were [just] patching their servers. With the Blaster worm, people said, "We'd better start patching our desktops."

What's happening in the hacker community these days?
Hackers are getting lazier now, because [so many attacks are] automated. I call it ‘push-button hacking.' Pushing a button gets you to the first machine, but not to the machines behind the first machine.

If you could make consumers do just one thing to make their computers safer, so that the Internet is safer for the rest of us, what would it be?
Turn on their personal firewall. Without a doubt, that's the No. 1 thing. Get that implemented, make that box effectively disappear from the network. The next thing is to turn on Windows Update.