Patching Paranoia - How Fast Do You Patch?
selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our clients' servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turnaround time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."
What sort of testing is required just to plug a security hole? What, your network environment was based around that hole?
This is the same argument the people who got hit by Blaster made. I just had to wonder, was their network so precariously designed that a simple ~500kb patch that plugged a tiny DCOM hole would upset the entire balance? I think a lot of sysadmins use the "testing" thing as an excuse to put off installing patches. "Well, everything works right now so I don't really want to mess with it."
"Sufferin' succotash."
I certainly didn't like patching OpenSSH on a machine I can only reach via SSH.
Programming can be fun again. Film at 11.