Patch Management Reality

Posted on 2014-04-15
Last Modified: 2014-05-07
I’m after a bit of information on what happens in the real world when it comes to patch management in larger companies.

I have no experience of other companies other than the one I currently work for.  I've been looking into our patch management processes and have found that only Windows operating systems (generally Win 7 and Server 2008) are patched (on Patch Tuesday), meaning even MS Office is not patched.  I understand it can be hard to keep track of all the different types of software on employees' PCs, but I was really expecting more to be patched.

So in companies that don't necessarily have a huge IT section, what is patched and what is left?  My concern is that software like Adobe and QuickTime, which have in the past had serious vulnerabilities, is not being patched and could potentially cause a security incident of some sort in the future.  I would like to go to management and say that we are not doing enough to protect our network, but wasn't sure if this is just the norm or just how much effort is required in patching operating systems, third-party applications and other software.
Question by:jdc1944
Accepted Solution

Rich Rumble earned 500 total points
3rd party software, everywhere I've ever audited, is the worst. Getting better though; Java, for instance, a big security nightmare if it's not patched, now has an auto-updater by default. Adobe, even with the auto-updater, somehow isn't patched... The OS, Microsoft in particular, is much better these days, but still missing patches all the time from company to company, my own included. There are always reasons/excuses, and some are legit, but most 3rd party software like Adobe, Java, Flash, Office doesn't need the excuses for the most part.
The worst part about companies is who they let be the local administrators of their machines, even though Windows 7 by default doesn't place users there like before, and extra care has been taken to make sure that users can do more things safely without the need for admin. Don't allow your users to be admins of their machines; it never ends well.
QuickTime... I haven't had to install that in a long time. If you do, then you probably have Macs, and we have virtually no Macs, and for those we do have I don't know if our users even need QT.
I would say, by and large, what you see is the norm. While we might not have every patch applied as soon as they come out, we do get them applied soon thereafter, but that isn't the case with most others.
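A way to find out which of the third-party products named above are actually present and out of date on a Windows host, as an added example that is not part of this thread. It reads the two Uninstall registry hives and compares each match against a minimum-version baseline; the product patterns and baseline versions are placeholders to be replaced from the vendors' own release notes, not real advisory data.

```powershell
# Added example: inventory third-party software and flag installs below a baseline.
# Baseline versions below are PLACEHOLDERS (assumption), not vendor-published values.
$Baseline = @(
    @{ Name = 'Java';         Pattern = '^Java(\(TM\))? \d';   MinVersion = [version]'7.0.550'   }
    @{ Name = 'Adobe Reader'; Pattern = '^Adobe Reader';       MinVersion = [version]'11.0.6'    }
    @{ Name = 'Adobe Flash';  Pattern = '^Adobe Flash Player'; MinVersion = [version]'13.0.0'    }
    @{ Name = 'QuickTime';    Pattern = '^QuickTime';          MinVersion = [version]'7.75.0'    }
    @{ Name = 'Office';       Pattern = '^Microsoft Office';   MinVersion = [version]'14.0.7015' }
)

# Installed products live in both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function ConvertTo-Version {
    param([string]$Text)
    # Keep only the leading dotted digits so strings like "13.0.0.182 (x64)" still parse;
    # [version] needs at least two components, so a bare "7" is reported as unparsed.
    if ($Text -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Test-PatchBaseline {
    param([object[]]$Installed, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $hits = $Installed | Where-Object { $_.DisplayName -match $rule.Pattern }
        foreach ($app in $hits) {
            $v = ConvertTo-Version $app.DisplayVersion
            if ($null -eq $v)                 { $status = 'UNPARSED' }
            elseif ($v -lt $rule.MinVersion)  { $status = 'BELOW BASELINE' }
            else                              { $status = 'OK' }
            [pscustomobject]@{ Product = $rule.Name; Installed = $app.DisplayName
                               Version = $app.DisplayVersion; Status = $status }
        }
    }
}

# Run locally (or via Invoke-Command across the estate) and review anything not 'OK'.
Test-PatchBaseline -Installed (Get-InstalledSoftware) -Rules $Baseline |
    Sort-Object Status, Product | Format-Table -AutoSize
```

Products that the baseline lists but that produce no row are simply not installed, which is itself useful input for deciding whether QuickTime or Flash need to remain on the estate at all.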

Author Comment

Thanks for that, it's useful to know.

In your experience how is testing conducted?  I would have liked to have seen testing conducted outside of the production environment but was told we don't have any type of testing network.  Instead, patches are applied to test or development servers and all users in the IT department.  If no conflicts arise after a few weeks then it is rolled out to all live servers and the rest of the estate.  This seems to be a fair way of doing it in the absence of any test network.

Also, you mention Java auto-updating.  I know a few other pieces of software that also do this, but does this not introduce a risk in itself by allowing updates to be applied without testing?  Or is it the case that it is better to allow auto updates to be applied and then roll them back if issues do occur, rather than leaving them unpatched with known vulnerabilities?  I have often tried to update software myself, but it would appear that this has been blocked as they always fail.
Expert Comment

by:Rich Rumble
That sounds like a lot of organizations as well: no dedicated QA/testing environments, or no full ones for anything other than Prod. User patches often get rolled out without testing, but production typically sees a delay so that someone can attempt to test the patches. I think things used to break a lot more before 2010 when new patches came out of the OS and some 3rd parties, but their QA and testing seems to be getting better in most cases.
Java, if you depend on it for your applications, should undergo testing and scrutiny, but if your users only need it when surfing, auto-updating should be fine in most cases.
It's up to the individual orgs to weigh the security risks. For instance, a lot of folks, like Experts Exchange itself, were not running the latest OpenSSL at the time, and were not vulnerable to the Heartbleed exploit that has been making the past few weeks hell for IT all over. So in that case, for some, not being fully up to date, or 2 years out of date actually, was a security "win" for them. Those cases are few and far between however.
