
SANS ISC: Microsoft Patch Management - Internet Security | DShield SANS ISC InfoSec Forums


Microsoft Patch Management
For Microsoft, it is important to patch before the next patch is released. The new patches sometimes replace the old patches (in particular for the monthly IE rollup patch), and the old patch will no longer apply with WSUS once the new patch is released. But 30 days should be the upper limit.

Other than that, in my opinion 1 week is a good goal to aim for. But other than that, you need to make decisions for each patch individually:
- are there current exploits?
- what other controls do you have in place?
- what are the risks to availability?

For example, there may be a Java flaw that allows arbitrary code execution and sandbox escape. So a "pretty bad" Java bug. But if you run Java for JSP on an intranet accounting system server, then you may want to delay rolling out the patch. Losing the system will be a big deal, and the flaw isn't easily exploited against the system, plus you can limit access to the system to a few internal users.

On the other hand, an XSS vulnerability in a public facing website that holds confidential customer information may require special effort to be patched quickly, as it is easily exploited and it may be difficult to find other means to protect yourself from exploitation (maybe a web application firewall, but XSS can be tricky to protect against).
Johannes

2900 Posts
ISC Handler
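The per-patch decision described in the post above, turned into a small routine that assigns each patch a deployment window. This is an added example, not code from the ISC post or from Microsoft; the 1-week goal and 30-day upper limit are the post's numbers, while the 2-day and 14-day windows, the field names, the release date and the three sample patches are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Limits taken from the post: 1 week as the normal goal, 30 days as the hard upper bound.
GOAL_DAYS = 7
HARD_LIMIT_DAYS = 30

# Constructed release date shared by the sample patches below.
RELEASE = date(2013, 10, 8)


@dataclass
class PatchContext:
    """One patch plus the three per-patch questions from the post."""
    name: str
    released: date
    exploited: bool          # are there current exploits?
    internet_facing: bool    # exposure of the affected system
    other_controls: bool     # e.g. access limited to a few internal users, a WAF
    availability_risk: str   # "low", "medium" or "high": cost of losing the system


def deployment_window_days(p: PatchContext) -> int:
    """Days after release by which the patch should be deployed.

    Only GOAL_DAYS and HARD_LIMIT_DAYS come from the post; the 2-day and
    14-day windows are assumed thresholds for this example.
    """
    days = GOAL_DAYS
    if p.exploited and p.internet_facing and not p.other_controls:
        # Exploited, exposed and nothing else in front of it: expedite.
        days = 2
    elif not p.internet_facing and p.other_controls and p.availability_risk == "high":
        # Internal, already mitigated, costly to break: use the full window for testing.
        days = HARD_LIMIT_DAYS
    elif p.availability_risk == "high":
        # Fragile system without a strong mitigation: allow one test cycle, no more.
        days = 14
    # Never exceed the hard limit; the next cycle may supersede this package in WSUS.
    return min(days, HARD_LIMIT_DAYS)


def deploy_by(p: PatchContext) -> date:
    """Calendar deadline for the patch."""
    return p.released + timedelta(days=deployment_window_days(p))


def overdue(patches, today: date):
    """Names of patches past the hard limit as of `today`."""
    return [p.name for p in patches
            if today > p.released + timedelta(days=HARD_LIMIT_DAYS)]


def sample_patches():
    """Constructed cases mirroring the post: intranet Java/JSP, public XSS, routine."""
    return [
        PatchContext("java-intranet-rce", RELEASE, exploited=True,
                     internet_facing=False, other_controls=True, availability_risk="high"),
        PatchContext("public-web-xss", RELEASE, exploited=True,
                     internet_facing=True, other_controls=False, availability_risk="low"),
        PatchContext("routine-office", RELEASE, exploited=False,
                     internet_facing=False, other_controls=False, availability_risk="medium"),
    ]


if __name__ == "__main__":
    for p in sample_patches():
        print(f"{p.name:20s} deploy by {deploy_by(p)} ({deployment_window_days(p)} days)")
    print("overdue on 2013-11-08:", overdue(sample_patches(), date(2013, 11, 8)))
```

The routine deliberately keeps the three questions as explicit fields rather than a single severity score, so that the reasoning behind a delayed rollout (internal system, compensating controls, high availability risk) stays visible in the record and can be reviewed later.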
I second the 1 week limit, especially given the past 3 months where at least one update had to be pulled and reissued at a later date.
PW

60 Posts