3 Reasons Against Patch Tuesday

by Michael A. Davis on July 28, 2009

Patch Tuesday is kind of like a monthly holiday for many businesses I work with.  It gives employees a chance to kick back while their computers and systems do all the work of updating (Yes, I am joking).  But is Patch Tuesday really a good idea?  Many have raised the concern that a predictable patching schedule tells attackers exactly when their targets update.

Here are the three main disadvantages to the system of Patch Tuesday:

1. Patch Tuesday, by its very nature, makes the vulnerabilities public.  So while Patch Tuesday may make things easier for those who take the time to patch, it leaves those who do not worse off.  Not only are the vulnerabilities announced, but attackers can analyze the patch itself to work out exactly how to exploit unpatched systems.  For this reason, the existence of Patch Tuesday actually makes the need to patch promptly that much greater.

2. By having so many patches downloaded at the same time by so many systems, there is a definite toll on bandwidth.  This can tie up the bandwidth on your corporate network.  But it is a much greater problem for a vendor’s servers, which must contend with downloads from everyone who uses their products.

3. If you wait until a set time before patching, then you allow your software to remain vulnerable until then.  It’s not a big problem when the vulnerability is not widely known, but there have been cases where vulnerabilities were publicly known for months before patches were available.  Either way, attackers have a fair amount of time to exploit the vulnerability before it is corrected by the patch.

Ultimately, whether you participate in Patch Tuesday or not depends on the nature of your particular enterprise.  Some organizations cannot afford the risk of waiting to patch and require more vigilant updating to protect their systems.  Other organizations may value operational continuity over security and prefer a monthly scheduled time for patching.

RickSheikh September 1, 2009 at 9:13 am

It has not ceased to amaze me how much confusion there seems to be within an internal security team at a firm regarding finding the right “patch cycle”. I have heard suggestions from “patch every 3 days” to “quarterly patching”, and with the latter the vulnerability threshold exceeds up to 3 Patch Tuesdays, which, with a reasonable guess based on the trend, amounts to being 25 critical patches behind on your business-critical systems.

Regarding point #2 raised in your post: I usually take care of that by using a patch management solution that pre-stages the patches internally (such as WSUS) on Patch Tuesday, so the down-level streaming to the clients happens internally, thus consuming no external bandwidth.

-Rick