On Friday, Microsoft gave notice of an out of cycle patch coming for the Windows shortcut flaw that has been exploited in the wild. Since August’s Windows Vulnerability Tuesday is just 8 days away, enterprises face a decision: push this out of cycle patch out now and then push more Windows patches next week, or just wait until next week for one patch push.
There are a number of factors that go into that decision:
- How automated is your patch pushing?
- Are your Windows machines well shielded?
- Are the active, effective attacks out?
- Is the patch likely to cause business disruption?
The answers to the first two questions are enterprise-specific. A definite “yes” to the third question.
The fourth question is generally the trickiest. First off, this patch does require a reset, so that always causes some level of business disruption and general user crankiness. However, for the past several years most Windows desktop patches have caused minimal, if any, impact to any applications. Beyond requiring a reset, the likelihood of “self inflicted wounds” is generally low – but exists.
It is sort of like AV signature/DAT file updates – most businesses just push them out as soon as they come in and do little or no QA testing. The vast majority of times that works out OK, but once every few years every AV vendor has a horror story about updates crashing customer machines. But that is generally less than .5% of the time, and Windows PC patches are running about the same.
I think in the future it will be more important to patch rapidly, using this out of cycle patch for a critical Windows flaw that has active attacks against it will be a good reason to establish a precedent and start updating your processes to be more able to do “continuous” patching in the future.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.