Patching Paranoia - How Fast Do You Patch?
selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our client's servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turn around time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."
Constant rebooting seems to be an exclusive MS phenomenon. Installing patches on Linux only requires a restart of the affected services unless a kernel upgrade is involved - and even this can be worked around in some cases.
You will reboot less when patching a Linux machine. Guaranteed.
Depends on the patch... security patches get applied ASAP. If it's a patch fixing something that is not used much or that we don't have an issue with, it gets applied when the next Maintenance Level (IBM speak for Service Pack) comes out. Luckily, AIX does not have very many security issues. That covers the OS. For our application we are way behind in patches, and we can only patch after hours. Since we're in the middle of conversions, there are processes constantly running on the server, and we also cannot patch when we have reps from the vendor in working on the conversion because they expect things to be the same while they are there and patches can really mess them up. So, needless to say, we are WAY behind on app patches, but we are reasonably caught up with OS level patches.
Gorkman
sPh
I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users. And while I had good luck with service packs, many others did not.
BTW, you may want to change your sig because at first I thought that it was part of the message. Most mods won't know the difference and will mod you flamebait.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
I'm the network admin/Windows/Active Directory guy for a healthcare company. We run multiple SUS servers, several for desktops and one for servers. Our procedure is, when a patch is released, that day I.T. downloads and installs it on our desktops and test servers. If it's successful, it gets approved on our desktop SUS servers. If those work OK, the next day it gets approved for our servers. So far we've had no problems with that process.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
The recent problems with Apple's Mac OS X 10.2.8 update are a good example of a patch breaking things (i.e. killing network connections). Now the problem I see with how updates are administered is that in many cases you can't select between a security update and a feature update. 10.2.8 addressed the OpenSSH and OpenSSL bugs that were recently reported on, in addition to sendmail and a couple of others. At the same time, it installed new USB 2.0 drivers and NIC drivers for G4 desktops.
One solution, I believe, is to make every patch and update available separately. In addition, provide an update tool with presets that choose only the latest security fixes, or feature updates, or all updates, and allow administrators to customize their own presets. You are then faced with the issue of dependencies; however, these can be easily addressed by warnings letting you know what additional software is required and will be installed.