Barney's Blog


UPDATE: Microsoft Security Fixes -- Superstition vs. Best Practices

Patch Tuesday comes tomorrow, and it's looking like a lucky 13 batch. Two patches are expected to be "critical" to apply. All are expected to require a restart.

IT pros, as opposed to home Windows users it seems, are supposed to test each security bulletin first before pushing it out on the network. And then do that 13 times, possibly while wearing wreaths of garlic, or something like that. Well, no. Here's what Microsoft's best practices publication says:

"One of the common misconceptions about Microsoft updates is that they are mandatory and/or urgent. All updates, regardless of their type (whether they are service packs, hotfixes or security patches), are to be applied on an 'as-needed' basis. They need to be evaluated individually and treated as important optional updates."

Well, that sounds nice, but most security bulletins seem to be about basic flaws in Windows or Internet Explorer. So, in practice, wouldn't IT pros be obligated to apply them all each month? Update: a reader pointed out that the Microsoft advice quoted above comes from an old, archived Microsoft TechNet library article. For Microsoft's more current best-practices guidance, see this article.

What's your approach to the monthly Microsoft patch routine? Do you bother testing them? Do you apply all of them or just some? Share your best practices with Doug and readers at dbarney@redmondmag.com.
-By Kurt Mackie

Posted by Kurt Mackie on 08/08/2011 at 1:18 PM



Reader Comments:

Sat, Sep 10, 2011 Gerry Cuperino

We all "hate" microsoft because we're computer professionals who have seen the carnage caused by their third-rate engineering, by their nefarious business practices, and by their continual stifling of innovation and quality. And no, we'd actually rather be doing useful work than cleaning up after the results of their con game.

Face it: uSoft is going down. Their days are numbered. BTW you are the only person in the world that went *from* osx *to* vista.

Fri, Sep 2, 2011

Why is there so much hate towards Microsoft? I moved my stuff from OS X to Vista and loved it; 7 was even better.

Sat, Aug 20, 2011 Gerry Cupertino, CA

Best practice is to start moving from Microsoft towards something more reliable and secure. You have choices. Seriously, year after year, all we get from Redmond is BS and excuses. Do we think that they are suddenly going to get something right? Their fundamental design is flawed and their engineering is third rate, and everyone knows it. And yet, I keep hearing how we "just can't get off Microsoft". Can't or don't have the brains or balls?

Thu, Aug 11, 2011 Chuck

What a timely post. I was researching best practices for applying patches and stumbled upon the same article from Microsoft. I believe that critical security patches should be tested on a pilot group first and then deployed to the environment. This process should be started as soon as the patches are released. Of course, in an SCCM world synchronization and evaluation can take a day or two depending on your setup. As for other patches and service packs, I agree that they should first be evaluated and then tested. I believe the quote in the article is still true: "The risk of implementing the service pack, hotfix and security patch should ALWAYS be LESS than the risk of not implementing it."

Wed, Aug 10, 2011 Dan Iowa

In our case we have servers that are used for test and dev. These get the patches a couple of days before production servers. In addition, we don't deploy all security patches on Patch Tuesday, but deploy during the week after. The net effect is that Microsoft typically has bad patches reported to them and may pull them or issue advisories before we deploy. If that doesn't detect a bad patch, we may break something on test or dev computers before we deploy to production, so we hope any issues will be discovered then. (Testing doesn't have to be complicated.)

Tue, Aug 9, 2011

It's the Microsoft guy who told me to apply every patch and pray. If anything goes wrong? Call them right away.

Mon, Aug 8, 2011 Dan Iowa

Microsoft is much better about articulating which security patches are... well... important, critical, or other. It is still up to you to decide whether you need a patch before the Service Pack comes out. Security patches are hopefully dictated by security policy. Other patches are determined by other needs. Nobody applies all patches, but at least by default Windows update will no longer default to no security patches at all, if you haven't thought about security policy.

Mon, Aug 8, 2011

In all my years of patching I have had only one or two go bad. And I am not convinced testing them beforehand would have picked up the issue. So no, I never test them. If I did, I would be doing nothing else. Dream on, Microsoft. Sounds like the usual disclaimer language.

Mon, Aug 8, 2011 canuck geoff

Barney: That was another era. Note that the link you post is "archived". I've not heard a single MS person articulate that idea in 5 yrs. We distinguish between "critical updates" and security patches (the latter being the important ones), but MS is putting so much into critical updates and so little effort into service packs that dependencies are constantly coming up. I really think MS wants you to apply everything they throw at you. Test, check and test again, but ultimately you are going to find some functionality failing if you don't eventually get most of their patches (including critical) on your systems. Caveat emptor.

Mon, Aug 8, 2011 Matthew Borcherding San Jose, CA

Unless you're some huge corporation, and you have test servers, test computers, and a staff to do the testing, you pretty much have to just approve everything from Microsoft (or Mac or Ubuntu or whomever) and pray a bit. (OK, best to hold off on service packs and other major revisions for a few months.) You *will* get burned every once in a while with an update that's bad, has unanticipated consequences, breaks compatibility, etc. But the risk is generally much less than not applying updates. Stinks, but the idea is reducing your risk as much as possible given your resources (time, manpower, budget, etc.).

Mon, Aug 8, 2011 Matthew Borcherding San Jose, CA

So trust but verify on your cloud provider. If you can check versions and such, see if they're up-to-date or still running some unsecured version from 2007. And if so, give them heck.

Mon, Aug 8, 2011 Matthew Borcherding San Jose, CA

The cloud doesn't save you. It just transfers the main duty of keeping servers and software properly up-to-date and secured to your cloud operators. Who may be dutiful at this. Or maybe not. And this cuts across back-ends -- Windows, Linux, BSD, Solaris, MacOS, whatever. Everything, including OpenBSD (probably the most secure OS out there), has had security vulnerabilities in the past and almost certainly will in the future.

Mon, Aug 8, 2011 Ronald Woan

Another myth is that Windows patches are tested against all of their software. I think most enterprises will apply them all to a test server and sanity check that their applications still run properly. Only if there is a problem might they leave off an offending patch. At least that has always been my approach.

Mon, Aug 8, 2011

Test each one?? Is Microsoft out of their collective minds? They must have tooooo much time on their hands.

Mon, Aug 8, 2011

I apply them all. No time to eval each one; I'm a one-man IT shop. If I find there's an issue I'd back them off (assuming it's not one of the service packs that can't be removed). I've only run into one issue with a patch, 6 years ago.

Mon, Aug 8, 2011 Fred James

Man, I just have everything in the cloud so we don't patch anything. We are impervious to any malicious activity because we are in ... well ... you know, the cloud.
