Slashdot Mirror


Patching Paranoia - How Fast Do You Patch?

selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our clients' servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turnaround time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."

2 of 681 comments

  1. Re:MS by gregmac · · Score: 0, Flamebait
    Note that uptime != availability, and it's only availability that counts.

    Good call. But downtime definitely == no availability.

    Perhaps you've only been 50% available in those 280 days due to all the time you've spent mucking about trying to work out which services need restarting.

    Ah. Now your inexperience in the *nix world shines through. There IS no guessing. Upgrade apache, restart the apache service (httpd .. maybe slightly confusing..). Upgrade mysql, restart mysqld. There's no guessing of what "svchost.exe" is running or why you're not allowed to restart certain services. (though maybe my windows inexperience shines through now?)

    --
    Speak before you think
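The comment above turns on knowing which services still need restarting after a library upgrade. As an added example (not from the original thread or any poster), here is the check a Linux admin can script for that: after a package replaces a shared object on disk, the kernel marks the old, unlinked file as "(deleted)" in /proc/PID/maps, so any process still mapping such a .so is running stale code and must be restarted. The function names are assumptions; the sample maps lines used in the usage note are constructed. This is the same heuristic tools like checkrestart and needrestart rely on.

```shell
#!/bin/sh
# Added example: find processes still mapping shared libraries that a package
# upgrade has replaced on disk. Not from the original thread; function names
# (stale_libs_in_maps, scan_live_system) are this example's own.

# Read /proc/PID/maps-format lines on stdin and print each distinct shared
# object path that is mapped but whose on-disk file has been replaced.
# maps fields: address perms offset dev inode pathname [(deleted)]
# Only .so files count; a deleted /tmp scratch file or memfd is not a reason
# to restart a service.
stale_libs_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ { print $(NF-1) }' | sort -u
}

# Walk every live process and report "pid comm stale-library", one per line.
# Reading other users' maps needs root. A process that exits mid-scan is
# skipped rather than aborting the run.
scan_live_system() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_libs_in_maps < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Usage: source this file, upgrade packages, then run scan_live_system.
# Any service listed (e.g. httpd, mysqld) still has the pre-patch library
# in memory and should be restarted; an empty result means no restart is
# needed for user-space updates. A kernel update is not visible here and
# still requires a reboot.
```

Run `scan_live_system` after `apt-get upgrade` or `yum update` and restart only the daemons it names, which is the "no guessing" the poster describes, made mechanical. Two caveats: a glibc update will list nearly every process, so at that point a reboot is usually simpler than restarting each one, and the check says nothing about a new kernel, which is the case where the thread's business-hours reboot problem cannot be avoided.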
  2. Re:Better safe than sorry? by AstroDrabb · · Score: 0, Flamebait
    What a load of bull. It is the piss-poor job MS does with testing those patches. The admins where I work applied patches as soon as they came out a few times. However, those patches hosed other applications and even MS ones. They now have a mini data center and ALL patches go through there, well, at least the MS ones. I guess you didn't read any of the posts above about all the MS patches breaking things or slowing down the network. Our Linux patches get applied as soon as they come out since we have never seen one patch hose the system or, more importantly, hose other non-related applications.
    was their network so precariously designed that a simple ~500kb patch that plugged a tiny DCOM hole would upset the entire balance?
    First, the DCOM hole was not tiny, no hole is tiny. Second, stop being an MS weenie and get a clue. The patch size does not matter. It is the CODE CHANGES. Hell, I can patch one of my own apps with a 1kb patch that will cause it to stop working. It has nothing to do with the network design and only to do with piss-poor MS testing. The MS marketing machine wants to be able to say how fast they get patches out, though they never mention how bad those patches really are.
    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison