Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patching Paranoia - How Fast Do You Patch?

Posted by Cliff on from the closing-the-holes dept.

selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our client's servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turn around time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."

18 of 681 comments (clear)

  1. I wait until... by Bull999999 · · Score: 4, Funny

    I wait until I get feedbacks from sites such as The Register to make sure that the patch doesn't break anything.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    1. Re:I wait until... by Bull999999 · · Score: 4, Informative

      I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users. And while I had good luck with service packs, many others did not.

      BTW, you may want to change your sig because at first, I thought that it was part of the message. Most mods won't know the differents and will mod you flamebait.

      --
      1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    2. Re:I wait until... by croddy · · Score: 4, Funny
      I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users.

      well they should have POSTED about it! jeez!

    3. Re:I wait until... by ninewands · · Score: 4, Interesting
      Quoth the poster:
      When was the last time a patch broke something?


      We have constant problems with patches where I work because Hpaq/Sun seem to think that the versions of certain software they ship with Solaris/Tru64 are sacrosanct.

      Every time we patch our primary DNS server (on an E-250) Sun's patch stomps on our custom build of BIND. Similarly, HPaqs patch kits won't install properly if they involve any patches for sendmail because we got tired of waiting for patches for 8.9.3 (even under 5.1A they stay with 8.9.3!) while we prefer to run our own build of 8.12.10. HPaq is also bad about making security patches depend on their version of the software unnecessarily. As a f'rinstance, I recently installed Aggregate Patch Kit 5 for Tru64 5.1A. It included about a half-dozen patches to fix weaknesses in the init scripts. The patches for the init scripts REFUSED to install until I downgraded sendmail to 8.9.3 configured as it was during the system installation! After the patches were installed, I had to re-upgrade sendmail to our preferred version. To the best of my ability to determine there was absolutely NO reason for those patches to depend on sendmail being at v 8.9.3.
      --
      utter rubbish
    4. Re:I wait until... by hoggoth · · Score: 4, Funny

      > We used to have Groupwise, and pretty much every MS patch broke Groupwise

      I think "Breaking Groupwise" is an MS patch all by itself.
      "CRITICAL UPDATE: SOME SYSTEMS HAVE GROUPWISE INSTALLED ON THEM. THIS PATCH WILL BREAK GROUPWISE."

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    5. Re:I wait until... by merger · · Score: 4, Informative

      The recent problems with Apple's Mac OS X 10.2.8 update are a good example of a patch breaking things (ie. killing network connections). Now the problem I see with how updates are administered is that in many cases you can't select between a security update and a feature update. 10.2.8 addressed the OpenSSH, OpenSSL bugs that were recently reported on in addition to sendmail and a couple of others. At the same time, it installed new USB 2.0 drivers and NIC drivers for G4 desktops.

      One solution I believe is to make every patch and update available separately. In addition provide an update tool with presets that choose only the latest security fixes or feature updates or all updates, and allow administer's to customize their own presets. You are then faced with the issue of dependencies however these can be easily addressed by warnings letting you know what additional software is required and will be installed.

  2. MS by Anonymous Coward · · Score: 5, Informative

    Constant re-booting seems to be an exclusive MS-phenomenon. Installing patches on Linux only requires a restart of the affected services unless a kernel upgrade is involed - and even this can be worked around in some cases.

    You will reboot less when patching a Linux machine. Guaranteed.

    1. Re:MS by Tony+Hoyle · · Score: 4, Interesting

      It's a side-effect of the DOS legacy that still hangs over Win2000/XP. Unix separates files and inodes, so you can delete a file and replace it with a new one whilst the existing services are still using it, then restart the services to pick up the update. Windows has no such split, which means if a file is 'in use' you can't delete/overwrite it - this is what requires a reboot.

      They could have fixed this in NTFS but chose not to, presumably to keep compatibility with DOS. TBH it's about time they sorted it out.

    2. Re:MS by wfberg · · Score: 4, Informative

      It is as much a technical legacy as a mental legacy. For example, many setup programs tell you to shut down all other programs before installing, and tell you to reboot when the install is done. This isn't necessary, and savvy windows users know this. Also, with NT/2K/XP/2K3 it's often sufficient to restart a service rather than the system when installing stuff that actually *does* get into the internals. It works somewhat crummier than /etc/init.d scripts (though it does handle dependencies, yay), but even so.

      The "file in use" problem does exist however, and it is completely braindead. In fact, I've seen this error multiple times relating to files that were put there by *virusses* rather than the OS. Interestingly, it's usually sufficient to drop down to a CMD.EXE prompt to DEL files that are supposedly "in use". ATTRIB is also a useful command, even in NT/2K/XP. I believe this is down mostly to the crapfulness that is explorer.exe, rather than to the OS per se.

      Also, checkout pslist and pskill from http://www.sysinternals.com/ - these tools will kill processes that the "Task Manager" won't. Again, including virusses/trojans! (the cygwin ps and kill tools probably will work just as well).

      --
      SCO employee? Check out the bounty
  3. Patches by Chanc_Gorkon · · Score: 4, Informative

    Depends on the patch....security patches get applied, ASAP. If it's a patch fixing something that is not used much or that we don't have an issue with, it gets applied when the next Maintenence Level (IBM speak for Service Pack) comes out. Luckily, AIX does not have very many security issues. That covers the OS. Our application we are way behind in patches and we only can pacth after hours. Since we're in the middle of conversions, there are processes constantly running on the server and we also cannot patch when we have reps from the vendor in working on the conversion because the expect thigns to be the same while they are there and patches can really mess them up. So, needless to say, we are WAY behind on app patches but we are reasonably caught up with OS level patches.

    --

    Gorkman

  4. Better safe than sorry? by Soulfader · · Score: 4, Insightful
    After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree.
    To many people, however, that means that you wait to install a patch until it has been tested. It is going to depend on your environment and needs; there is no one correct answer on this one.
  5. Re:Paraniod? by sphealey · · Score: 4, Insightful
    I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.
    Serious question: what do you do when (a) the patch breaks {may or may not cause Windows to become unusable} (b) the patch breaks critical applications?

    How do you know? What do you do when a Critical Update does in fact break something (as a recent Critical Update broke Citrix)?

    sPh

  6. Re:Answering a question with a question.... by sphealey · · Score: 4, Informative
    NTBugTraq has been doing a survey on this question.

    sPh

  7. Re:Quick fix at the firewall by easyfrag · · Score: 5, Insightful
    For a lot of these advisories, you can plug the hole at the firewall, or maybe the mail server.



    There's one big gotcha here: notebooks. Your users are firewalled at work but once they get home they're probably wide open. Plug an infected notebook into your network of unpatched machines and a worm will bring you down in seconds.

  8. Depends on the patch by Medievalist · · Score: 4, Insightful

    We don't EVER install a patch on a production machine without testing it first on some less crucial machine.

    Any machine that accepts connections from outside the firewall (SMTP, IMAPS, HTTPS, & SSH are all we take, and only to specific machines) gets any remotely exploitable bug patched ASAP. Typically I will run the patch on a non-production machine for 24 hours to make sure it's reasonably stable, then patch.

    Once the patch has proved itself in production on the remotely accessible machines, say for a week or so, we load it everywhere else.

    Stuff that's not remotely exploitable is dealt with on a more relaxed schedule, generally at least two weeks after the patch has begun testing on a non-production machine. Sometimes longer.

    We also always test our backup strategies before loading MS or HP patches, since sometimes they completely trash the system.

    HP-UX patches come out months or years after the exploit, Microsoft patches come out weeks or months late, DEC patches used to come out within days (Oh, how we miss ye DEC) and BSD and linux come out within hours, usually.

  9. Lie about it. by EvilJohn · · Score: 4, Funny

    If it's windows patch early, and patch often. If anyone asks why you rebooted a box, lie about it and say "It crashed." That's one everyone will believe.

    --

    Less Talk, More Beer.
  10. Re:Paraniod? by amembrane · · Score: 5, Informative

    I'm the network admin/windows/active directory guy for a healthcare company. We run multiple SUS servers, several for desktops, and one for servers. Our procedure is, when a patch is released, that day I.T. downloads and installs it on our desktops and test servers. If it's successful, it gets approved on our desktop SUS servers. If those work OK, the next day it gets approved for our severs. So far we've had no problems with that process.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
  11. Re:Quick fix at the firewall by swb · · Score: 4, Interesting

    I just wish we had 1/3 of the balls of that company and that fucking up with the company computer was seen as destructive and damaging as it actually is.

    The countless whining we get over passwords ("My boss says I dont hafta have one.."), applying updates to desktops(!), removing shit like comet cursor, and the people that toss laptops around and then bitch that they don't have the right laptop after they've broken it.

    I'd love to see 2 or 3 people in particular have to sit down in front of the CFO and be told:

    1) The computer you broke won't be replaced until you pay for the old one.

    2) If you can write a check today, we won't dock your paycheck, but if we do, we'll spread the payment over at least 4 paychecks.

    3) Any work you don't get done due to no computer will be considered against you in your next performance review and may be considered grounds for dismissal.

    There's lots of reasons not to do it that way, but geeze, if there were real consequences (financially especially) for being a fuckup with computers, I think the users would toe a much tighter line.