Patching Paranoia - How Fast Do You Patch?

selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our client's servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turn around time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."

Better safe than sorry?

[Soulfader]

After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree.

To many people, however, that means that you wait to install a patch until it has been tested. It is going to depend on your environment and needs; there is no one correct answer on this one.

Re:Paraniod?

[sphealey]

I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.

Serious question: what do you do when (a) the patch breaks {may or may not cause Windows to become unusable} (b) the patch breaks critical applications?

How do you know? What do you do when a Critical Update does in fact break something (as a recent Critical Update broke Citrix)?

sPh

Re:Quick fix at the firewall

[easyfrag]

For a lot of these advisories, you can plug the hole at the firewall, or maybe the mail server.

There's one big gotcha here: notebooks. Your users are firewalled at work but once they get home they're probably wide open. Plug an infected notebook into your network of unpatched machines and a worm will bring you down in seconds.

Depends on the patch

[Medievalist]

We don't EVER install a patch on a production machine without testing it first on some less crucial machine.

Any machine that accepts connections from outside the firewall (SMTP, IMAPS, HTTPS, & SSH are all we take, and only to specific machines) gets any remotely exploitable bug patched ASAP. Typically I will run the patch on a non-production machine for 24 hours to make sure it's reasonably stable, then patch.

Once the patch has proved itself in production on the remotely accessible machines, say for a week or so, we load it everywhere else.

Stuff that's not remotely exploitable is dealt with on a more relaxed schedule, generally at least two weeks after the patch has begun testing on a non-production machine. Sometimes longer.

We also always test our backup strategies before loading MS or HP patches, since sometimes they completely trash the system.

HP-UX patches come out months or years after the exploit, Microsoft patches come out weeks or months late, DEC patches used to come out within days (Oh, how we miss ye DEC) and BSD and linux come out within hours, usually.

Re:MS

[Kobold+Curry+Chef]

Most of the patches to Apple OS X also require a reboot. Even for patches to things like iCal, iTunes, and what not. It's one of the more disappointing things about OS X. You'd think that a BSD-based OS wouldn't require so many reboots. Maybe they just wanted to carry on the old Mac tradition of "you have just touched your computer; do you wish to reboot?"

That being said, there are FAR fewer patches to install on OS X than on Windows.