Patching Paranoia - How Fast Do You Patch?

← Back to Stories (view on slashdot.org)

Patching Paranoia - How Fast Do You Patch?

Posted by Cliff on Tuesday October 21, 2003 @03:33AM from the closing-the-holes dept.

selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our client's servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turn around time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."

30 of 681 comments (clear)

Min score:

Reason:

Sort:

As fast as ... by billstr78 · 2003-10-21 03:34 · Score: 3, Funny

... I am to post to a new Slashdot article
I wait until... by Bull999999 · 2003-10-21 03:35 · Score: 4, Funny

I wait until I get feedbacks from sites such as The Register to make sure that the patch doesn't break anything.

--
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
1. Re:I wait until... by Bull999999 · 2003-10-21 03:48 · Score: 4, Informative
  
  I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users. And while I had good luck with service packs, many others did not.
  
  BTW, you may want to change your sig because at first, I thought that it was part of the message. Most mods won't know the differents and will mod you flamebait.
  
  --
  1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
2. Re:I wait until... by croddy · 2003-10-21 03:50 · Score: 4, Funny
  
  I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users.
  well they should have POSTED about it! jeez!
3. Re:I wait until... by ninewands · 2003-10-21 03:54 · Score: 4, Interesting
  
  Quoth the poster:
  
  When was the last time a patch broke something?
  
  We have constant problems with patches where I work because Hpaq/Sun seem to think that the versions of certain software they ship with Solaris/Tru64 are sacrosanct.
  
  Every time we patch our primary DNS server (on an E-250) Sun's patch stomps on our custom build of BIND. Similarly, HPaqs patch kits won't install properly if they involve any patches for sendmail because we got tired of waiting for patches for 8.9.3 (even under 5.1A they stay with 8.9.3!) while we prefer to run our own build of 8.12.10. HPaq is also bad about making security patches depend on their version of the software unnecessarily. As a f'rinstance, I recently installed Aggregate Patch Kit 5 for Tru64 5.1A. It included about a half-dozen patches to fix weaknesses in the init scripts. The patches for the init scripts REFUSED to install until I downgraded sendmail to 8.9.3 configured as it was during the system installation! After the patches were installed, I had to re-upgrade sendmail to our preferred version. To the best of my ability to determine there was absolutely NO reason for those patches to depend on sendmail being at v 8.9.3.
  
  --
  utter rubbish
4. Re:I wait until... by hoggoth · 2003-10-21 04:18 · Score: 4, Funny
  
  > We used to have Groupwise, and pretty much every MS patch broke Groupwise
  
  I think "Breaking Groupwise" is an MS patch all by itself.
  "CRITICAL UPDATE: SOME SYSTEMS HAVE GROUPWISE INSTALLED ON THEM. THIS PATCH WILL BREAK GROUPWISE."
  
  --
  - For the complete works of Shakespeare: cat /dev/random (may take some time)
5. Re:I wait until... by merger · 2003-10-21 04:32 · Score: 4, Informative
  
  The recent problems with Apple's Mac OS X 10.2.8 update are a good example of a patch breaking things (ie. killing network connections). Now the problem I see with how updates are administered is that in many cases you can't select between a security update and a feature update. 10.2.8 addressed the OpenSSH, OpenSSL bugs that were recently reported on in addition to sendmail and a couple of others. At the same time, it installed new USB 2.0 drivers and NIC drivers for G4 desktops.
  
  One solution I believe is to make every patch and update available separately. In addition provide an update tool with presets that choose only the latest security fixes or feature updates or all updates, and allow administer's to customize their own presets. You are then faced with the issue of dependencies however these can be easily addressed by warnings letting you know what additional software is required and will be installed.
6. Re:I wait until... by __past__ · 2003-10-21 04:42 · Score: 3, Funny
  
  To be honest, that would definitly be one of their more useful patches.
  
  --
  Programming can be fun again. Film at 11.
Paraniod? by grasshoppa · 2003-10-21 03:35 · Score: 3, Interesting

Or common sense?

I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
1. Re:Paraniod? by sphealey · 2003-10-21 03:39 · Score: 4, Insightful
  
  I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.
  Serious question: what do you do when (a) the patch breaks {may or may not cause Windows to become unusable} (b) the patch breaks critical applications?
  How do you know? What do you do when a Critical Update does in fact break something (as a recent Critical Update broke Citrix)?
  sPh
2. Re:Paraniod? by smellystudent · 2003-10-21 03:48 · Score: 3, Informative
  
  SUS allows you to approve a patch before distributing it. In practice, this means applying it to your test lab (or test cupboard in my case) before approving it for everyone else.
  
  --
  Predictive text is shiv!
3. Re:Paraniod? by amembrane · 2003-10-21 04:02 · Score: 5, Informative
  
  I'm the network admin/windows/active directory guy for a healthcare company. We run multiple SUS servers, several for desktops, and one for servers. Our procedure is, when a patch is released, that day I.T. downloads and installs it on our desktops and test servers. If it's successful, it gets approved on our desktop SUS servers. If those work OK, the next day it gets approved for our severs. So far we've had no problems with that process.
  
  --
  They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
4. Re:Paraniod? by aldousd666 · 2003-10-21 04:14 · Score: 3, Interesting
  
  that only works if it's ok to reboot those machines at night. Some of our machines are processing 24/7, and we have to wait until they can afford to reboot. And if some patches are waiting in queue, then the new ones don't get deployed until after the existing (waiting) patches are applied. SUS isn't meant for machines that need to do real processing, or at least it doesn't work well for them. (Then again, neither does windows, but I'm only one man in a 1400 man company)
  
  --
  Speak for yourself.
MS by Anonymous Coward · 2003-10-21 03:36 · Score: 5, Informative

Constant re-booting seems to be an exclusive MS-phenomenon. Installing patches on Linux only requires a restart of the affected services unless a kernel upgrade is involed - and even this can be worked around in some cases.

You will reboot less when patching a Linux machine. Guaranteed.
1. Re:MS by Tony+Hoyle · 2003-10-21 04:06 · Score: 4, Interesting
  
  It's a side-effect of the DOS legacy that still hangs over Win2000/XP. Unix separates files and inodes, so you can delete a file and replace it with a new one whilst the existing services are still using it, then restart the services to pick up the update. Windows has no such split, which means if a file is 'in use' you can't delete/overwrite it - this is what requires a reboot.
  
  They could have fixed this in NTFS but chose not to, presumably to keep compatibility with DOS. TBH it's about time they sorted it out.
2. Re:MS by Kobold+Curry+Chef · 2003-10-21 04:12 · Score: 3, Insightful
  
  Most of the patches to Apple OS X also require a reboot. Even for patches to things like iCal, iTunes, and what not. It's one of the more disappointing things about OS X. You'd think that a BSD-based OS wouldn't require so many reboots. Maybe they just wanted to carry on the old Mac tradition of "you have just touched your computer; do you wish to reboot?"
  That being said, there are FAR fewer patches to install on OS X than on Windows.
3. Re:MS by cperciva · 2003-10-21 04:34 · Score: 3, Funny
  
  Ah. Now your inexperience in the *nix world shines through. There IS no guessing. Upgrade apache, restart the apache service (httpd .. maybe slightly confusing..). Upgrade mysql, restart mysqld.
  
  I just upgraded libc. What do I have to restart?
  
  --
  Tarsnap: Online backups for the truly paranoid
4. Re:MS by asdfghjklqwertyuiop · 2003-10-21 04:36 · Score: 3, Informative
  
  If you delete a file while it is in use, like the grandparent is talking about, the file still exists on disk. It is just not being referenced from that directory any more, so you won't see it anywhere in the filesystem. It will still exist on disk until the process closes it. At that point it is marked as available disk space. But the file will still be available on disk as long as it is opened or has links to it (ie, you see it in a directory).
  
  This is just like anonymous temporary files. You open a new temporary file for creation and then immidiately delete (unlink) it. But you can still read/write to it from the process that has it opened. But as soon as that process closes the file, it will be "deleted".
5. Re:MS by wfberg · 2003-10-21 05:26 · Score: 4, Informative
  
  It is as much a technical legacy as a mental legacy. For example, many setup programs tell you to shut down all other programs before installing, and tell you to reboot when the install is done. This isn't necessary, and savvy windows users know this. Also, with NT/2K/XP/2K3 it's often sufficient to restart a service rather than the system when installing stuff that actually *does* get into the internals. It works somewhat crummier than /etc/init.d scripts (though it does handle dependencies, yay), but even so.
  
  The "file in use" problem does exist however, and it is completely braindead. In fact, I've seen this error multiple times relating to files that were put there by *virusses* rather than the OS. Interestingly, it's usually sufficient to drop down to a CMD.EXE prompt to DEL files that are supposedly "in use". ATTRIB is also a useful command, even in NT/2K/XP. I believe this is down mostly to the crapfulness that is explorer.exe, rather than to the OS per se.
  
  Also, checkout pslist and pskill from http://www.sysinternals.com/ - these tools will kill processes that the "Task Manager" won't. Again, including virusses/trojans! (the cygwin ps and kill tools probably will work just as well).
  
  --
  SCO employee? Check out the bounty
Microsoft Software Update Services by deviator · 2003-10-21 03:36 · Score: 3, Interesting

Have you guys looked at MS SUS 1.0 to automatically deliver critical updates? It's kinda lame--not the greatest management capabilities--but it does work. I have a company similar to Thrive & use it to deliver patches to end-user desktops at several clients.
Patches by Chanc_Gorkon · 2003-10-21 03:38 · Score: 4, Informative

Depends on the patch....security patches get applied, ASAP. If it's a patch fixing something that is not used much or that we don't have an issue with, it gets applied when the next Maintenence Level (IBM speak for Service Pack) comes out. Luckily, AIX does not have very many security issues. That covers the OS. Our application we are way behind in patches and we only can pacth after hours. Since we're in the middle of conversions, there are processes constantly running on the server and we also cannot patch when we have reps from the vendor in working on the conversion because the expect thigns to be the same while they are there and patches can really mess them up. So, needless to say, we are WAY behind on app patches but we are reasonably caught up with OS level patches.

--
Gorkman
Better safe than sorry? by Soulfader · 2003-10-21 03:38 · Score: 4, Insightful

After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree.
To many people, however, that means that you wait to install a patch until it has been tested. It is going to depend on your environment and needs; there is no one correct answer on this one.
On a Windows network, by RgrRmjt · 2003-10-21 03:39 · Score: 3, Funny

Middle of the day reboots are normal, so we patch whenever we want.
Re:Answering a question with a question.... by sphealey · 2003-10-21 03:45 · Score: 4, Informative

NTBugTraq has been doing a survey on this question.
sPh
Re:Quick fix at the firewall by easyfrag · 2003-10-21 03:46 · Score: 5, Insightful

For a lot of these advisories, you can plug the hole at the firewall, or maybe the mail server.

There's one big gotcha here: notebooks. Your users are firewalled at work but once they get home they're probably wide open. Plug an infected notebook into your network of unpatched machines and a worm will bring you down in seconds.
It depends. by supabeast! · 2003-10-21 03:51 · Score: 3, Interesting

I tend to follow at least the following criteria when deploying patches:

1- If the patch is a Microsoft patch, I deploy it immediately, regardless of severity, because Microsoft has repeatedly lied about the severity of security flaws that were actually quite critical.
2- If the patch is for a very theoretical problem, such as many of the recent OpenSSL patches, I tend to let it wait for the next big update. Good examples are those problems where key-breaking time is reduced to only 50 years or so on a $10,000,000,000 budget.
3- Patches that fix vulnerabilites that are only a problem in stupid configurations (Such as recent OpenSSH problems.) get ignored until the updates have been tested.
4- Patches from Sun go out immediately, because they seem to take so long that the exploits for bugs have been integrated into script-kiddie toolkits.
Depends on the patch by Medievalist · 2003-10-21 03:52 · Score: 4, Insightful

We don't EVER install a patch on a production machine without testing it first on some less crucial machine.

Any machine that accepts connections from outside the firewall (SMTP, IMAPS, HTTPS, & SSH are all we take, and only to specific machines) gets any remotely exploitable bug patched ASAP. Typically I will run the patch on a non-production machine for 24 hours to make sure it's reasonably stable, then patch.

Once the patch has proved itself in production on the remotely accessible machines, say for a week or so, we load it everywhere else.

Stuff that's not remotely exploitable is dealt with on a more relaxed schedule, generally at least two weeks after the patch has begun testing on a non-production machine. Sometimes longer.

We also always test our backup strategies before loading MS or HP patches, since sometimes they completely trash the system.

HP-UX patches come out months or years after the exploit, Microsoft patches come out weeks or months late, DEC patches used to come out within days (Oh, how we miss ye DEC) and BSD and linux come out within hours, usually.
Lie about it. by EvilJohn · 2003-10-21 03:53 · Score: 4, Funny

If it's windows patch early, and patch often. If anyone asks why you rebooted a box, lie about it and say "It crashed." That's one everyone will believe.

--

Less Talk, More Beer.
Mac OS X 10.2.8 by EvilStein · 2003-10-21 04:28 · Score: 3, Informative

..broke all KINDS of things. On my home machine, I now get 5 USB power errors that I didn't get with 10.2.6, as well as unexplained freezes & crashes.
I reverted to 10.2.6 and all was well once again.

And this was 10.2.8 redeux - remember the first time that it came out, machines were breaking all over the place. (ethernet issues, IDE oddities..)
Re:Quick fix at the firewall by swb · 2003-10-21 04:46 · Score: 4, Interesting

I just wish we had 1/3 of the balls of that company and that fucking up with the company computer was seen as destructive and damaging as it actually is.

The countless whining we get over passwords ("My boss says I dont hafta have one.."), applying updates to desktops(!), removing shit like comet cursor, and the people that toss laptops around and then bitch that they don't have the right laptop after they've broken it.

I'd love to see 2 or 3 people in particular have to sit down in front of the CFO and be told:

1) The computer you broke won't be replaced until you pay for the old one.

2) If you can write a check today, we won't dock your paycheck, but if we do, we'll spread the payment over at least 4 paychecks.

3) Any work you don't get done due to no computer will be considered against you in your next performance review and may be considered grounds for dismissal.

There's lots of reasons not to do it that way, but geeze, if there were real consequences (financially especially) for being a fuckup with computers, I think the users would toe a much tighter line.