Patching Paranoia - How Fast Do You Patch?

selfassembled asks: "I work for an IT group in the Boston area called Thrive Networks. After the most recent exploit was revealed, my company scrambled to get our client's servers patched within 48 hours. This is extremely difficult because no customer wants to be interrupted by a reboot during business hours. Our staff worked after hours to get this patch installed ASAP. How fast do you (or your IT group) install patches for major exploits like this? What do you consider to be an acceptable turn around time for a vulnerability patch that may not even have an exploit yet? After Blaster and Welchia we decided it's better to be safe than sorry, and our customers seem to agree."

As fast as ...

[billstr78]

... I am to post to a new Slashdot article

Re:As fast as ...

[DeputySpade]

I have l33t z3r0 day patches! I patch before the bugs are even discovered. :)

Seriously. Yeah. Let's have a bunch of people describe for us exactly where they work and what their window of vulnerability is. That would rock. I've got paper and pencil handy.

I bet the boss of the guy who submitted this is thrilled to see this information broadcast to the whole /. crowd.

I wait until...

[Bull999999]

I wait until I get feedbacks from sites such as The Register to make sure that the patch doesn't break anything.

Re:I wait until...

[compwizrd]

RAS was broken with a recent NT 4.0 server update, took a few weeks for MS to fix it.

Re:I wait until...

[maddskillz]

We used to have Groupwise, and pretty much every MS patch broke Groupwise

Re:I wait until...

[hoggoth]

> We used to have Groupwise, and pretty much every MS patch broke Groupwise

I think "Breaking Groupwise" is an MS patch all by itself.
"CRITICAL UPDATE: SOME SYSTEMS HAVE GROUPWISE INSTALLED ON THEM. THIS PATCH WILL BREAK GROUPWISE."

Re:I wait until...

[__past__]

To be honest, that would definitly be one of their more useful patches.

Re:I wait until...

[maddskillz]

Every patch for MS Office broke groupwise. It was actually the address book that it broke.

Re:I wait until...

[Bull999999]

I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users. And while I had good luck with service packs, many others did not.

BTW, you may want to change your sig because at first, I thought that it was part of the message. Most mods won't know the differents and will mod you flamebait.

Re:I wait until...

[croddy]

I guess you didn't hear about the patch for XP that disabled Internet access for hundreds of thousands of users.

well they should have POSTED about it! jeez!

Re:I wait until...

[Bull999999]

But they did. That story even made it to CNN.com. I did not apply that patch until MS released a fixed patch.

Re:I wait until...

[crawling_chaos]

You're lucky. Windows 2000 Service Pack 3 mis-detected the RAID controller in my primary server and left the OS unbootable. It was tricky getting it back, too. I guess that's what I get for buying hardware from a tiny company in Armonk, NY. SP3 also played hob with MS-SQL Server, as I recall.

Let's just say that I approached Service Pack 4 with a great deal of apprehension. I've had good luck with workstation upgrades, but my server experience is decidely mixed.

Re:I wait until...

[delus10n0]

If your ATA/IDE controller is no longer properly recognized by Windows and you can no longer boot because of that, you can usually put the drive right onto the motherboard's built-in IDE adapter and boot successfully, so you can install the drivers for your controller and reboot with them switched back again. Of course this will only work if you're just using an ATA controller or have a RAID1 setup. There's other ways (using the recovery console) to install/load drivers, but I agree, it's pretty tricky.

I d

Re:I wait until...

[GSloop]

Goodness - perhaps you don't realize.

He's got an IBM server - probably a big production machine. It's almost certainly a SCSI Raid setup.

It's not possible to plug the array into the regular controller.

In any case, doesn't matter if this would fix it or not. It shouldn't happen EVER.

I'm not sure which is worse, I take the box down to patch, and get heart palpatations when it goes down catestrophically, or someone roots my box.

Either case, I'd be pissed.

Cheers,
Greg

Re:I wait until...

[crawling_chaos]

SCSI RAID arrays don't plug into ATA controllers. Microsoft's installer thought my IBM controller was a generic Adaptec and installed the wrong drivers. As soon as 2k got rid of the BIOS and moved to its internal routines it went blotto. Then the recovery console refused to load the old drivers or the latest one downloaded from IBM. I ended up doing a bare metal recovery of the system disk. I think there might have been another way, but I'm real confident in my backups, so it was the path of least resistanc

Re:I wait until...

[EastCoastSurfer]

As pointed out by others the guy is refering to a IBM server, most like with SCSI. Outside of that point, a service pack should *NEVER* overwrite 3rd party drivers without at least warning you. 3rd party drivers were installed for a reason...*hint* b/c the drivers that are in windows were either not available or not working.

Re:I wait until...

[Nightlight3]

Let's just say that I approached Service Pack 4 with a great deal of apprehension.

SP4 broke, among others, the Terminal Services (for win2k TS servers) -- the logins now take over 30 seconds (from 5 sec earlier). During TS sessions the TS freezes few times an hour for around 20-30 seconds at a time, making it unusable for some tasks and wasteful (of time and nerves) for the remaining ones.

Other patches and "upgrades", especially those for IE, have been degrading win98se performance and stability (such a

Re:I wait until...

[Crockerboy]

My USB Ports mysteriously stopped working immediately following a patch I applied to Windows XP about a month ago. Then I installed Steam, which basically destroyed my Windows installation (choppy sound, extended periods of no system response, etc..) so I reformatted the partition and reinstalled XP with all the patches..this time my USB ports kept working with the patches.

Just goes to show how touch-n-go a windows patch can be..sometimes it borks your system, sometimes it doesn't. There's really no log

Re:I wait until...

[Aliencow]

Service Pack 3 broke a workstation we have that runs EDI and is uh well, pretty critical.

Re:I wait until...

[ninewands]

Quoth the poster:

When was the last time a patch broke something?

We have constant problems with patches where I work because Hpaq/Sun seem to think that the versions of certain software they ship with Solaris/Tru64 are sacrosanct.

Every time we patch our primary DNS server (on an E-250) Sun's patch stomps on our custom build of BIND. Similarly, HPaqs patch kits won't install properly if they involve any patches for sendmail because we got tired of waiting for patches for 8.9.3 (even under 5.1A they stay with 8.9.3!) while we prefer to run our own build of 8.12.10. HPaq is also bad about making security patches depend on their version of the software unnecessarily. As a f'rinstance, I recently installed Aggregate Patch Kit 5 for Tru64 5.1A. It included about a half-dozen patches to fix weaknesses in the init scripts. The patches for the init scripts REFUSED to install until I downgraded sendmail to 8.9.3 configured as it was during the system installation! After the patches were installed, I had to re-upgrade sendmail to our preferred version. To the best of my ability to determine there was absolutely NO reason for those patches to depend on sendmail being at v 8.9.3.

Re:I wait until...

[Anonymous Custard]

When was the last time a patch broke something?

There was a "slow-down-your-system" windows patch [updatexp.com] in April 2003. Took them a while to release a working version of it, too.

Re:I wait until...

[Tony Hoyle]

There was one patch about 6 months ago that broke the login prompt on about a dozen machines here... they just wouldn't log in - had to reinstall them from scratch & lost 2 days work over it.

Now we have a junk machine that gets the patches first and if it breaks anything we don't roll it out - no matter what it claims to fix (a lot of recent patches haven't actually fixed the bugs they claim to fix... MS don't seem to test them before releasing them).

Mac OS X 10.2.8

[EvilStein]

..broke all KINDS of things. On my home machine, I now get 5 USB power errors that I didn't get with 10.2.6, as well as unexplained freezes & crashes.
I reverted to 10.2.6 and all was well once again.

And this was 10.2.8 redeux - remember the first time that it came out, machines were breaking all over the place. (ethernet issues, IDE oddities..)

Re:I wait until...

[merger]

The recent problems with Apple's Mac OS X 10.2.8 update are a good example of a patch breaking things (ie. killing network connections). Now the problem I see with how updates are administered is that in many cases you can't select between a security update and a feature update. 10.2.8 addressed the OpenSSH, OpenSSL bugs that were recently reported on in addition to sendmail and a couple of others. At the same time, it installed new USB 2.0 drivers and NIC drivers for G4 desktops.

One solution I believe is to make every patch and update available separately. In addition provide an update tool with presets that choose only the latest security fixes or feature updates or all updates, and allow administer's to customize their own presets. You are then faced with the issue of dependencies however these can be easily addressed by warnings letting you know what additional software is required and will be installed.

Re:I don't apply these kinds of patches

[__past__]

Well, you apply other kinds of patches then, hopefully. Which also can break things and should be tested (even if both massively exploited holes and broken patches tend to be rarer).

I certainly didn't like patching OpenSSH on a machine I can only reach via SSH.

Paraniod?

[grasshoppa]

Or common sense?

I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.

Re:Paraniod?

[sphealey]

I run a SUS server for my organization, and it checks for patches nightly. The next day, my servers and workstations are patched.

Serious question: what do you do when (a) the patch breaks {may or may not cause Windows to become unusable} (b) the patch breaks critical applications?

How do you know? What do you do when a Critical Update does in fact break something (as a recent Critical Update broke Citrix)?

sPh

Re:Paraniod?

[smellystudent]

SUS allows you to approve a patch before distributing it. In practice, this means applying it to your test lab (or test cupboard in my case) before approving it for everyone else.

Re:Paraniod?

[Anonymous Coward]

I also run an SUS server at my organization.

SUS allows you to choose which patches you want installed on your client. We have the patch server check patches nightly, and install those on a testbed IT machine we have set apart (it's actually the machine I use).

If I notice any problems I try to figure out which update did it and I just don't approve that update, if I can't figure it out in time I don't aprove any updates until I find out what happened.

Turn around time ends up being 48-72 hours on non criti

Re:Paraniod?

[amembrane]

I'm the network admin/windows/active directory guy for a healthcare company. We run multiple SUS servers, several for desktops, and one for servers. Our procedure is, when a patch is released, that day I.T. downloads and installs it on our desktops and test servers. If it's successful, it gets approved on our desktop SUS servers. If those work OK, the next day it gets approved for our severs. So far we've had no problems with that process.

Re:Paraniod?

[sphealey]

I fix it. Now, granted, we only have ~10 apps ( all critical tho ), and when this has happened, it's been due to other factors that the patch simply brought to light. Usually, a wipe and reload will do the trick, and while this is not pleasant in an organization of this size, it's the cost of bussiness I am afraid

The problem is that very few small- and mid-sized organizations have that level of expertise. And the vendors of the vertical apps such orgs tend to use are not very responsive when it comes to

Re:Paraniod?

[Bull999999]

I use a SUS server for my organization as well. I set my domain policy to have the workstations and servers check the SUS server once a week so it will give me some time to test out and get feedbacks on patches. If there is a chance of imminent attack, I can alway patch them manually.

Re:Paraniod?

[Overly Critical Guy]

Exactly. My networks have never been hit by anything because we're patched the night the patch comes out.

I didn't even know about Blaster until Slashdot reported it (and reported it and reported it).

Re:Paraniod?

[aldousd666]

that only works if it's ok to reboot those machines at night. Some of our machines are processing 24/7, and we have to wait until they can afford to reboot. And if some patches are waiting in queue, then the new ones don't get deployed until after the existing (waiting) patches are applied. SUS isn't meant for machines that need to do real processing, or at least it doesn't work well for them. (Then again, neither does windows, but I'm only one man in a 1400 man company)

MS

[Anonymous Coward]

Constant re-booting seems to be an exclusive MS-phenomenon. Installing patches on Linux only requires a restart of the affected services unless a kernel upgrade is involed - and even this can be worked around in some cases.

You will reboot less when patching a Linux machine. Guaranteed.

I reboot anyway. I like to reboot.

[Medievalist]

I like to know that I haven't screwed up the machine's ability to boot properly.

And since I'm not the only person with superuser privs, I like to make sure my cohorts haven't screwed up the machine's boot process, either.

You don't know unless you test. Patching's a good excuse to do a test boot - you're logged on anyway, and you can justify any interuption of services by pointing to the need for the patch.

Re:MS

[Tony Hoyle]

It's a side-effect of the DOS legacy that still hangs over Win2000/XP. Unix separates files and inodes, so you can delete a file and replace it with a new one whilst the existing services are still using it, then restart the services to pick up the update. Windows has no such split, which means if a file is 'in use' you can't delete/overwrite it - this is what requires a reboot.

They could have fixed this in NTFS but chose not to, presumably to keep compatibility with DOS. TBH it's about time they sorted it out.

Re:MS

[wfberg]

It is as much a technical legacy as a mental legacy. For example, many setup programs tell you to shut down all other programs before installing, and tell you to reboot when the install is done. This isn't necessary, and savvy windows users know this. Also, with NT/2K/XP/2K3 it's often sufficient to restart a service rather than the system when installing stuff that actually *does* get into the internals. It works somewhat crummier than /etc/init.d scripts (though it does handle dependencies, yay), but even so.

The "file in use" problem does exist however, and it is completely braindead. In fact, I've seen this error multiple times relating to files that were put there by *virusses* rather than the OS. Interestingly, it's usually sufficient to drop down to a CMD.EXE prompt to DEL files that are supposedly "in use". ATTRIB is also a useful command, even in NT/2K/XP. I believe this is down mostly to the crapfulness that is explorer.exe, rather than to the OS per se.

Also, checkout pslist and pskill from http://www.sysinternals.com/ [sysinternals.com] - these tools will kill processes that the "Task Manager" won't. Again, including virusses/trojans! (the cygwin ps and kill tools probably will work just as well).

Re:MS

[asdfghjklqwertyuiop]

If you delete a file while it is in use, like the grandparent is talking about, the file still exists on disk. It is just not being referenced from that directory any more, so you won't see it anywhere in the filesystem. It will still exist on disk until the process closes it. At that point it is marked as available disk space. But the file will still be available on disk as long as it is opened or has links to it (ie, you see it in a directory).

This is just like anonymous temporary files. You open a new t

Re:MS

[Kobold Curry Chef]

Most of the patches to Apple OS X also require a reboot. Even for patches to things like iCal, iTunes, and what not. It's one of the more disappointing things about OS X. You'd think that a BSD-based OS wouldn't require so many reboots. Maybe they just wanted to carry on the old Mac tradition of "you have just touched your computer; do you wish to reboot?"

That being said, there are FAR fewer patches to install on OS X than on Windows.

Re:MS

[cperciva]

Ah. Now your inexperience in the *nix world shines through. There IS no guessing. Upgrade apache, restart the apache service (httpd .. maybe slightly confusing..). Upgrade mysql, restart mysqld.

I just upgraded libc. What do I have to restart?

Microsoft Software Update Services

[deviator]

Have you guys looked at MS SUS 1.0 to automatically deliver critical updates? It's kinda lame--not the greatest management capabilities--but it does work. I have a company similar to Thrive & use it to deliver patches to end-user desktops at several clients.

Re:Microsoft Software Update Services

[Infernon]

SUS is great in theory, but its drawbacks are its system requirements and cost. They require a pretty heavy box to run it, and Microsoft recommends that you do not run it on a machine that shares another function (DNS, ISA server, etc.) so they're basically bilching another server license fee out of you. They're not charging you for SUS, I know, but c'mon man...

Re:Microsoft Software Update Services

[deviator]

SUS works fine on a DC - it really doesn't have heavy requirements. I haven't had any problems with it in that respect.

Re:Microsoft Software Update Services

[TheMidget]

Have you guys looked at MS SUS 1.0 to automatically deliver critical updates? It's kinda lame--not the greatest management capabilities--but it does work.

Yeah, it's great. Until it applies that infamous update that breaks the corporate database server.

But I guess even that is a blessing in disguise: after explaining to the boss that these 3 days downtime could have been easily avoided with a more stable operating system, he was no longer as opposed to Linux as he used to be.

Why the 'Microsoft' icon for this story?

[goldspider]

Surely the Slashdot editors haven't become so blind in their zealotry to suggest that bugs and security flaws are exclusive to Microsoft products! The use of the Borg-Gates icon is inappropriate for this story, and demonstrates (IMHO) poor judgement and journalistic integrity.

And no, I'm not new here!

Patches

[Chanc_Gorkon]

Depends on the patch....security patches get applied, ASAP. If it's a patch fixing something that is not used much or that we don't have an issue with, it gets applied when the next Maintenence Level (IBM speak for Service Pack) comes out. Luckily, AIX does not have very many security issues. That covers the OS. Our application we are way behind in patches and we only can pacth after hours. Since we're in the middle of conversions, there are processes constantly running on the server and we also cannot patch when we have reps from the vendor in working on the conversion because the expect thigns to be the same while they are there and patches can really mess them up. So, needless to say, we are WAY behind on app patches but we are reasonably caught up with OS level patches.

Better safe than sorry?

[Soulfader]

After Blaster and Welchia we decided it's

better to be safe than sorry, and our customers seem to agree.

To many people, however, that means that you wait to install a patch until it has been tested. It is going to depend on your environment and needs; there is no one correct answer on this one.

Re:Better safe than sorry?

[TheMidget]

To many people, however, that means that you wait to install a patch until it has been tested.

To others yet, it means that you ditch that bug ridden OS alltogehter, and upgrade to something it to something that is a little bit more appropriate for an enterprise environment, such as Solaris, or even Linux.

Re:Better safe than sorry?

[Chazmyrr]

It has nothing to do with network environment. It has to do with the fact that the operating system and software are rarely kept in a default install configuration. Some of these patches can go south in bizarre ways when the configuration isn't what the patch expected. You simply have no idea what is going to happen when you install the patch. That may be fine in a mom and pop operation. It is clearly not acceptable for an enterprise.

In my company, a bad patch can mean 10,000 reps sitting around with nothi

my case

[Dreadlord]

I have 6 machines at home to administrate, all are connected to the same LAN, 4 are RedHat Linux, and the rest are Windows 2K/XP, I have no problem for the RedHat boxes, as up2date automatically detects new updates and notifies me, so I download and patch, and as you know, no need for reboots, one of the reasons I love Linux.
As for the 2 Windows machines, I try to apply critical updates as soon as possible, I download them off MS Download Center [microsoft.com] so I reinstall them in case of a format.

On a Windows network,

[RgrRmjt]

Middle of the day reboots are normal, so we patch whenever we want.

Quick fix at the firewall

[GGardner]

For a lot of these advisories, you can plug the hole at the firewall, or maybe the mail server. Do you really need to allow MS messenger service to be running outside your LAN? Sure, it is a good idea to quickly patch the systems, but it may take days to get them all patched. Fixing the problem outside the Windows boxes can be done within minutes of reading the advisory, depending on where the problem is.

Re:Quick fix at the firewall

[easyfrag]

For a lot of these advisories, you can plug the hole at the firewall, or maybe the mail server.

There's one big gotcha here: notebooks. Your users are firewalled at work but once they get home they're probably wide open. Plug an infected notebook into your network of unpatched machines and a worm will bring you down in seconds.

Re:Quick fix at the firewall

[i.r.id10t]

Yup. Thats how we got Blaster and variants - repeatedly.

Re:Quick fix at the firewall

[sehryan]

So don't let laptops back onto the network until they have been scanned.

I honestly have no idea if this is possible, but it would seem that a network could track when machines leave the network, and when they are reconnected. Can you have a program that forces a scan of the machine before it allows that machine full access back to the network? Or couldn't it be installed directly on the machine, so that when it goes to login, if it sees that it is back on its home network, it limits itself until it can r

Re:Quick fix at the firewall

[Albanach]

So you use something like symantec's corporate firewall so you can send firewall policies to the individual machines that work whether they're in the office or not.

They're your machines, whether they're in the office or not, it's your job to keep them secure. If you need a firewall to protect them in the office you equally need a firewall to protect them when they're on a broadband connection in someone's home - hell you probably need it even more then.

Re:Quick fix at the firewall

[swb]

I just wish we had 1/3 of the balls of that company and that fucking up with the company computer was seen as destructive and damaging as it actually is.

The countless whining we get over passwords ("My boss says I dont hafta have one.."), applying updates to desktops(!), removing shit like comet cursor, and the people that toss laptops around and then bitch that they don't have the right laptop after they've broken it.

I'd love to see 2 or 3 people in particular have to sit down in front of the CFO and be told:

1) The computer you broke won't be replaced until you pay for the old one.

2) If you can write a check today, we won't dock your paycheck, but if we do, we'll spread the payment over at least 4 paychecks.

3) Any work you don't get done due to no computer will be considered against you in your next performance review and may be considered grounds for dismissal.

There's lots of reasons not to do it that way, but geeze, if there were real consequences (financially especially) for being a fuckup with computers, I think the users would toe a much tighter line.

Pretty much immediately.

[Godeke]

I first patch my local systems and try them for a few hours as I run similar configurations to my clients for development. If I survive the patch, I patch the development systems at my client sites. If those remain stable for a period of time, I patch production clients, and then finally production servers.

If at any point a glitch appears, I stop at that point, minimizing damage. Usually that means I have a glitch locally and my clients would never know that there was a glitchy patch unless I tell them. Pretty much a similar approach that a big company would take (patch the test LAN) except I am the test LAN.

My solution

[El Cubano]

...This is extremely difficult because no customer wants to be interrupted by a reboot during business hours.

I run Debian Woody servers, so I apt-get update && apt-get upgrade every morning. Since I never have to reboot, that is not an issue.

Re:My solution

[Speare]

I run Debian Woody servers, so I apt-get update && apt-get upgrade every morning. Since I never have to reboot, that is not an issue.

Blind trust and ultimate faith is an admiral trait for a priest, but the accountant likes accountability, the engineer likes to minimize design dependencies, and the scientist likes empirical evidence and repeatable results.

I prefer to know what the patch contains, and who signed the bundle, even if I don't hand-compile it myself. I prefer to see if others choke

Re:My solution

[El Cubano]

I prefer to know what the patch contains, and who signed the bundle, even if I don't hand-compile it myself.

That is great. I'm glad to hear that you don't run any non-opensource software. Neither do I. I also check the patches, when I can. But sometimes I just have faith that the Debian Developers know what they are doing.

Answering a question with a question....

[bmooney28]

I suppose this would be better suited for an "ask slashdot" question, but *how* do you roll out the patches? There are several solutions out there, involving central local server dedicated to the job and using Norton Ghost among others.... How do you do it?

Re:Answering a question with a question....

[sphealey]

NTBugTraq has been doing a survey [ntbugtraq.com] on this question.

sPh

You have to reboot?

[GreyWolf3000]

I didn't know patching apps in Windows required a reboot. I know a lot of cl00less developers got in the habit of asking for a reboot to make them feel like their app is important enough to warrant one, but I remember back in my Windows days choosing not to reboot after ie upgrades and whatnot and not experiencing problems.

But it has been a while, so I may be wrong.

Re:You have to reboot?

[Waffle Iron]

I don't know for sure, but I get the impression that some patches aren't immediate; they register with the OS to shuffle stuff around on the next boot. That would cause those strange little dialogs and messages that sometimes pop up briefly during the next Windows startup.

If I'm right, it probably means that some patches aren't actually activated until after a boot, even if the system still seems to work fine.

Reboot?

[Apreche]

Reboot? Who the hell needs to reboot? Oh yeah, Windows. And seriously, even if you need to reboot, if your computers are fast, it takes what, 30 seconds? less? If that amount of time is going to interrupt you that much you have a problem. And if your computers take longer to reboot than that, you have another problem. Using network installers that will patch and reboot all the systems from a central location it should take you this long to patch

1) download patch depends on connection, 1 minutes for

If you ran openBSD servers then

[cdn-programmer]

If you ran openBSD servers then

1) you would save your clients money
2) you would not likely have to reboot
3) you would probably not have the exploit in the first place

Windows is a big make work project.

Re:If you ran openBSD servers then

[digitalsushi]

I'd run openBSD if they would release a version of Gator for it.

My exp.

[MoeMoe]

I have to manage a server farm and lord knows how many workstations (about 130+)... I make life easy on myself and use remote patching on all our systems. Right before lunch time (a solid half hour) I use the intercom to let everyone know that they will have to reboot their machines. Only real pain in the butt for us was Blaster and Nachi... A different tech from another division said he already patched the system.... the problem was he was only referring to his one freakin machine!

We test first

[MarkusQ]

We test first. In general, we respond to a vulnerability by first checking to see if it effects us (for example, ssh has had some recent problems that did not effect us because we did not use the features that were compromised). If it is some thing that we need to worry about, we make do some testing to make sure it doesn't break anything. Then we determine the best way to patch the effected systems on a case by case (or class by class) basis; in general, we try for minimal disruption (only patch what n

At least where *I* work ...

[dbarclay10]

At least where I work, the general turnaround time is about six months. And even then, they only do the servers, and they only patch the most critical of vulnerabilities.

We're looking at 2,500 servers here, but still - six months? Absurd.

(No, I'm not directly involved in the process, though I *did* write many of the docs about it that they use. They take forever to do the simplest of tasks.)

Depends on several factors

[Qzukk]

Critical patches for important services get applied ASAP. If I can't turn it off or firewall it off, then we notify clients of impending emergency downtime and go at it.

That said, if I can firewall it off or turn it off, the patch can wait until its well tested.

My schedule

[Bendebecker]

I hardly ever install patches. I run Windows ME and it makes more sense for me to just let the thing sit and wait till it gets so screwed over that I need to completely reinstall. Then I do so and repatch and repeat the process. I just keep a firewall andnorton around to make sure I don't get any already know viruses, etc but beyond that patching isn;t going to really help taht much, especially since WinME crashes even quicker with patches than it does if I just leave it alone.

mypc

[Anonymous Custard]

I don't manage any servers, but on my personal Windows XP pc, I patch asap. There's nothing critical on there that would be impacted by a lousy patch, and I know enough that I can always unpatch it if need be.

The only patches I hold off on are motherboard bios patches, cause those are such a bitch to debug if something goes wrong :-)

I wish there weren't so many WIndows XP patches, but you have the admit they've got an amazing patch delivery service. It must help for them to have so much practice deliver

Subjective Weighing

[4of12]

Between

• how much disruption and lost time will be caused by a potential exploit of the vulnerability and
• how much disruption and lost time will be caused by patches that break your mix of applications.

The only thing you can do is to start testing patches in a micro-environment as soon as they're released.

That, and check your firewall rules to insure potential exploits can't enter via the easy routes.

Why reboot after patching?

[GillBates0]

What part of the Windows design requires you to reboot after patching the OS? Let's say a patch fixes a DLL, parts of which are in memory. Why can't the administrator reload the fixed functions into memory on the fly?

Linux, on the other hand doesn't require reboots after installing the patches. I think this is due to the fact that the required modules can be installed on demand without bringing the system down (feel free to correct me if I'm wrong here).

What prevents Windows from doing the same?

Re:Why reboot after patching?

[thebatlab]

Not a whole hell of a lot from what I've seen. I apply a lot of patches without restarting and the patch takes effect. It seems like putting in the ol' "Your computer must be restarted for the changes to take effect" thing is just to cover their bases to ensure that the patch has taken effect. One thing to note, sometimes if you don't restart and you go back to Windows Updated, it'll list some of the patches you've already applied. I'm not too sure why. I thought it was just registry entries that indica

We don't have to patch...that often

[ducomputergeek]

Our shop is 90% Mac, 5% OpenBSD, and 5% FreeBSD. We run Apple update once a week. Its not a problem after we got them employees in the mind set that all they have to do is log out and leave the machine running 24/7. Then on friday nights before I leave, I go around to all the machines and click apple update and let them go, reset, and leave.

We usually let our people go about 3PM on Fridays if there isn't a major project do, so I usually am gone by 4:30.

Now on the FreeBSD machines, we haven't patched

reboot?

[harlows_monkeys]

Maybe you should get your clients to run servers that don't require a reboot for most application patches.

Impact on downtime statistics

[G4from128k]

It would seem that patching is becoming the biggest source of downtime for MS-based systems. How can any hosting place claim a bazzilion-9s uptime when they need to patch'n'reboot for the security flaw of the week? I suppose all OS types have this issue. Anyone have comparitive data on patches-per-year for different OS species and the associated downtime to install and reboot for each patch?

On the other hand, I suppose a hosting company could maintain seemlingly high uptime by never patching -- a grea

Re:Impact on downtime statistics

[Bull999999]

It is kinda sad, acutally. I find that Windows 2000 Server is pretty stable when used with good hardware, but it is indeed hard to test the endurance of the Windows 2000 servers because most critical patches do require a reboot. MS did reduce the amount of reboots with 2003 Server but did not eliminate them.

Only time that you'll need to reboot on GNU/Linux OS for the kernel updates, and I'm pretty sure it's the same way for UNIXes, and *BSDs.

In Stages

[EkiM in De]

I never patch the live servers immediately but follow this regime
1. My local development machine. ( This is done as soon as I get the reports that the patch is out.)
2. Our development servers
3. Our staging server
4. Live web servers
5. Database server

The time from top to bottom is usually about 2 - 3 days, unless a problem was found ( which there was with KB824141)

My University

[jeffkjo1]

My university patches things only when something goes wrong. When the whole campus went down because of blaster, they then decided it would be a good idea to patch all of the lab computers with windows update. They're still running lots of old Apache incarnations as well... from 2.0.40 to 1.3.6. I'm consistantly amazed by their seeming retardation.

It depends.

[supabeast!]

I tend to follow at least the following criteria when deploying patches:

1- If the patch is a Microsoft patch, I deploy it immediately, regardless of severity, because Microsoft has repeatedly lied about the severity of security flaws that were actually quite critical.
2- If the patch is for a very theoretical problem, such as many of the recent OpenSSL patches, I tend to let it wait for the next big update. Good examples are those problems where key-breaking time is reduced to only 50 years or so on a $10,000,000,000 budget.
3- Patches that fix vulnerabilites that are only a problem in stupid configurations (Such as recent OpenSSH problems.) get ignored until the updates have been tested.
4- Patches from Sun go out immediately, because they seem to take so long that the exploits for bugs have been integrated into script-kiddie toolkits.

Re:WTF?

[supabeast!]

http://www.securityfocus.com/archive/1/272695/2002 -05-13/2002-05-19/0

Depends on the patch

[Medievalist]

We don't EVER install a patch on a production machine without testing it first on some less crucial machine.

Any machine that accepts connections from outside the firewall (SMTP, IMAPS, HTTPS, & SSH are all we take, and only to specific machines) gets any remotely exploitable bug patched ASAP. Typically I will run the patch on a non-production machine for 24 hours to make sure it's reasonably stable, then patch.

Once the patch has proved itself in production on the remotely accessible machines, say for a week or so, we load it everywhere else.

Stuff that's not remotely exploitable is dealt with on a more relaxed schedule, generally at least two weeks after the patch has begun testing on a non-production machine. Sometimes longer.

We also always test our backup strategies before loading MS or HP patches, since sometimes they completely trash the system.

HP-UX patches come out months or years after the exploit, Microsoft patches come out weeks or months late, DEC patches used to come out within days (Oh, how we miss ye DEC) and BSD and linux come out within hours, usually.

Lie about it.

[EvilJohn]

If it's windows patch early, and patch often. If anyone asks why you rebooted a box, lie about it and say "It crashed." That's one everyone will believe.

patch?

[dakkon1024]

This is one of those grand broad questions with no answer. If you have an entire redundant system to test with, you can patch that instant, test it, and roll it out. But then again the new patch might fail in some way you never expected. If you are talking a 100+ servers, then you might need to test a group, before you patch your core group. Then there are the questions you need to ask. Is someone likely to break in? Did it work for someone else? Is it a MS product? What do your clients want? When will

Asking for trouble

[L-s-L69]

This guy posts the URL to slashdot then informs everyone how great he is because his company patch. I guess he need either a new webserver or wants to see how long it takes someone to break in.

Working late into the night?

[Awptimus Prime]

Why not run the patch, then have someone reboot the systems after hours?

Just have a spare engineer, or two, on standby in the event a system doesn't come back.

I forgot, that's too easy and wouldn't have resulted in a /. article.. :)

subscription

[I8TheWorm]

I subscribe to ntbugtraq.com and read what others are saying about the patches. Inevitibly, there are some that patch immediately, and a few of them are kind enough to report their findings.

Why Windows has a Higher Cost of Ownership

[darkonc]

Not only do you have cheaper acquisition costs, but things like this don't get in your way. You can patch 'live' and rarely need to reboot.

I've got roommates who've moved to the Linux desktop. I usually do the upgrades from my desktop. The only reason why I tell them that I'm doing upgrades is that it's annoying if they shut down the system in the middle of an RPM Install. (one dual boots to Windows so he's more likely to reboot, the other runs solely on Linux he really only powers off if he's heading out. I think I've installed one or two kernel upgrades in the last year (which require reboots to enable), but since my roommates reboot so often, I can just wait for their next reboot.

There's also much less need to do testing with Linux patches... You generally know EXACTLY what subsystems are being affected by a patch, so if it's not a critical component, you can often install blindly. Even if it is a critical component, the patches are often well defined and if you have any questions you can read the source code.

The problems with Windows is that it's the large-scale version of spaghetti code. The relationship between various pieces are ill-defined and numerous. Patches spider into various areas and it seems like nobody (even at Microsoft) knows precisely what a patch fixes (or what it breaks).

This doesn't just apply to desktops. I'm in the middle of putting together scripts to enable controlled push of patches to a large number of varied servers. In truth, the hardes part is going to be figuring out which patches go to which boxes -- not figuring out if the patch is going to break things.

Yep. I'm spoiled. Linux makes life both easy and cheap.

Let Your Customer Decide

[reallocate]

Once upon a time, I worked at a large content organization with the usual large IT infrastructure, supported by a single large firm. Per the requirements of the support contract, these guys were compelled to down the system and install patches as soon as they got their hands on the code. No-notice outages eere the rule. Managers, customers and employees pitched fits until someone finally woke up and explained that the support vendor would be in violation of contract if he didn't move that fast.

So, we changed the contract. Unscheduled downtime projected to last more than 30 minutes required getting permission from several designated management types. Any one of those managers could postpone the maintenance.

This worked because the support contractor always made sure that those designated managers understood the implications of delaying the maintenance.

Real examples of why its sometimes good to wait

[hellfire]

My company writes enterprise software, albeit badly. The QA process I feel could be much better, but at least it gives a support rep like me a job.

Twice a month, we release patches which fix any number of bugs we may have found since the original release of the software. About 1/3 of the patches we release introduce NEW bugs that weren't there before the patch! These new bugs can easily and often cripple important parts of the software.

I knew a 4 month stretch where this happened on every release for those 4 months, 8 patches in a row!

Most of our customers update every few months, and they keep an eye on our website, and the public customer email lists constantly throw out emails which the bleeding edge leaders complain of problems introduced on new builds (which they have every right to complain about).

Now I can't speak for any other company, including Microsoft, but sometimes upgrading right away when you aren't really currently experiencing an active problem is worse than not upgrading at all.

What is this rebooting of which you speak?

[Boatman]

• no customer wants to be interrupted by a reboot during business hours

Hm, rebooting. Rebooting. Oh yeah, I remember now. I had to do that to my GNU/Linux system once when I upgraded my motherboard.

1 day

[Unregistered]

I have emerge rsync && emerge -U world in cron.daily you insensitive clod.

Patches?

[Quixadhal]

Whare are these "patches" of which you speak?

Just run a VAX/VMS system as your firewall... it's so old and obscure that no hacker will have any hope of remembering how to hack it. :)

Re:Throw caution to the wind

[harmgsn]

I work for a rather large webhosting company and on the M$ side of things, we normally update all of the shared M$ boxes within 12 hours of learning of the patches (be it windows patches or software specific patches), but only if it's a security-sensitive update. Major version updates can take up to a month (ie: PHP 4.2.x - PHP 4.3.x). On the other client machines, it can be anywhere from 24 hours to a week. It all depends on how severe the patch is. The Blaster patch was applied within 36 hours on all

Re:So?

[tmasssey]

You're kidding, right?

I too am a consultant. I do *not* get the right to tell them, "You are going to do this. You are going to do it now. And you are going to pay me for it." It's their money, it's their company. My job is to present them with options (and one option is *always* to do nothing), and make them aware of the consequences.

I make that point as strongly as I can, but in the end, I do not have the right to spend their money for them.

As much as I'd like to, when the client who *just* had