After last summer's Blaster outbreak - which would have been much shorter-lived if users patched more Windows machines - there's been considerable debate about why users are slow to apply necessary security patches.
One reason is the time and effort required to determine which machines need patches, test those patches and roll them out across the network. Microsoft is developing new tools that might help automate these processes (see story), but there are also more elementary reasons why Johnny can't - or doesn't - patch.
One is that vendors aren't providing clear-cut information about when, why and how to adopt security updates. Both commercial and open source software vendors make it difficult to track what security updates apply to our machines.
When Microsoft announced numerous security updates in October, its announcement was unclear at best and downright confusing at worst. Microsoft's Web site, depending on what page you looked at, gave you different versions of what patches were available. Adding to the confusion were separate and irregularly cross-referenced notices. The Windows summary for last October covers MS03-041 through MS03-045. There is no mention of how to find announcements about other Microsoft products, and therefore it totally misses the Exchange announcements, which were labeled MS03-046 and MS03-047 (note these are labeled from the same naming system, adding further to the confusion).
There is no single, definitive place to look on the Microsoft Web site for patch information.
Not only does Microsoft make it hard to find the right information, but the information can change overnight. Just last week, when Redmond rolled out its security patches for the month of March, it announced three patches for various products on Tuesday and had to turn around and revise both the severity rating and the client update package less than 24 hours later.
This patch confusion issue is not unique to Microsoft or to commercial vendors in general for that matter.
Open source projects are not exempt from this charge; take the slew of OpenSSH updates issued last fall, for example. The OpenSSH team released three updates in two days (3.6.1p1, 3.7.1p1 and 3.7.1p2) before they finally got one of the known vulnerabilities corrected.
You can subscribe to vendor announcement services, monitor SANS Web sites and hang out on security mailing lists, but these are not reasonable ways to learn about security updates. Why should we have to rely on the kindness of strangers to learn what patches we need to apply?