Randy's Patch Analysis Criteria
You have many systems, many patches and little time. You need to know which patches
affect which systems, which patches are urgent and which can wait. You need to know
which vulnerabilities have workarounds so that you can avoid risking the stability
of your environment with a potentially dangerous patch.
Described below are the main critera that factor into these needs which are also
featured in the Fast Facts chart in each Patch Tuesday analysis.
Principle type of system affected
Most patches are limited to a given type or role of system. For instance in
2008 most patches have been for vulnerabilities encountered by end-users on workstations
and terminal servers.
Such "workstation-centric" vulnerabilities
are those whose pre-requisites require you to be engaging in an interactive, end-user
activity such as opening a document, browsing the web, reading email.
end-user activities are extremely important to avoid while logged on to a server
either interactively or via Remote Desktop. If administrators follow this
important best practice of abstaining from such end-user activities on their servers,
such servers essentially immune to these "workstation-centric" vulnerabilities.
On the other hand of course some vulnerabilities are specific to servers and sometimes
to domain controllers specifically. This information helps you quickly determine
which systems are affected by the bulletin.
Exploit details public?
Thanks to the widely supported concept of responsible disclosure most security researchers
report newly discovered vulnerabilities first the software vendor and give the vendor
a reasonable amount of time to develop a patch going public with the "how-to"
details for exploiting the vulnerability.
Sometimes however that doesn't
happen and the how-to details are all over the Internet days or weeks before a patch
is available. When that happens, the urgency to patch your systems increases
and you may need to compress or reduce the amount of stability testing of the patch
in your environment. Even more so if the security hole is being actively exploited
in attacks - see next point.
Exploit being used in attacks?
If there are reports of this, it becomes even more urgent to get that patch out
there. In fact fast deployment of the patch may override the normal stability
testing you peform on the patch in your environment.
Comprehensive, practical workaround available?
Most administrators are understandably reticent about installing new code and risking
the stability of their environment. Workarounds are usually some kind of configuration
change that allow you to mitigate the risk without installing new code and are a
nice option to have.
However the workaround should be comprehensive and practical.
To be comprehensive, the workaround(s) should address all the vulnerabilities and
likely vectors. To be practical, you should be able to push the configuration
change out in an automated way such as through group policy.
Receive Randy's same-day, independent analysis each Patch Tuesday
We will not share your address. Unsubscribe anytime.
"Thank you. I am very glad I subscribed to this newsletter.
Relevant content clearly and concisely. Finally!!!"
- John K.
"I really like the Fast Facts on this Month's Microsoft
Security Bulletins. Do you keep old copies? If yes, please let me know how I can
"Thanks, Randy. Your regular updates have streamlined my
monthly patching. Much appreciated,"
- Steve T.
"Really appreciate your patch observor. In the corporate
IT world, anything we can get our hands on that speeds the process of analyzing
threats and how they may or may not apply to our environments is a God-send.
Thanks so much for your efforts."
- Tess G.
"Many thanks for this Randy"
- Roger G.
"The chart is a REAAALLY good idea :)"
- Phil J.
"I like the table. Your insight is very valuable. "
"I liked your high level overview of patches in the
table. There are so many sources of patch information which can be very specific
or surrounded by other stuff that it’s refreshing to get everything summarised
like this. The “Randy’s Recommendation” comment is useful starting point too.
Please keep up the good work."
- David A.
"Your Patch Tuesday Observer is a very good tool in
making the decision whether to patch or not to patch. And also to patch asap or
to wait a while before patching. Also I do think the use of the table is realy
improving the readability of the provided information."
- Gerard T.