This invention relates to computer security, and more particularly, to applying patches to fix security vulnerabilities.
Security vulnerabilities in deployed software are discovered with regularity. Both operating systems and application software are affected. As vulnerabilities are identified by the computer security community, they are often recorded in the Common Vulnerabilities and Exposures (CVE) list, which attempts to standardize the names of known vulnerabilities.
Computers in which vulnerabilities are not addressed become exposed to security risks. Often these risks are intolerable, so it becomes necessary to install security patches. Patches (also sometimes called “updates” or “bug fixes”) are used to fix the portion of the software that gave rise to the security vulnerability. When appropriate patches are in place, the security risk associated with the vulnerability is reduced or eliminated.
In modern computer system environments, patch management can be exceedingly complex. In a typical business enterprise, there are often hundreds or thousands of networked computers, each with a potentially different software configuration. As a result, it is practically impossible to test new patches exhaustively. System administrators are reluctant to install patches without testing, particularly on critical machines, so in practice many patches are not installed or are not installed in a timely fashion. This leaves many computer systems at risk of attack.
It is therefore an object of the present invention to provide improved techniques for applying security patches to computer systems.