How quickly do you patch severe security vulnerabilities, such as the most recent CVE-2019-0708?

921 views · 553 responses · 9 upvotes

Poll results (553 responses):
Day it's announced: 21%
2-5 days: 38%
6-14 days: 15%
Longer than 2 weeks: 5%
During the regular patch cycle: 9%
Other (see my answer below): 12%
Anonymous Author
Depends on the risk profile of the vulnerability and its exposure to be compromised but usually sooner than later
3 upvotes
Anonymous Author
Depends on exposure of attack surface, availability of exploit, compensating controls. And patching need not be the only answer to mitigate vulnerabilities, e.g. it could be a WAF, a configuration change, ACL tightening or as simple as disabling a module or service.
3 upvotes
Anonymous Author
All depends on the exposure we have and the criticality of the system.
2 upvotes
Anonymous Author
According to MSFT this is especially nefarious: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 as it can allow an attacker to then install programs; view, change, or delete data; or create new accounts with full user rights. I would not only install the correct patches immediately, as it could lead to non-compliance with HIPAA and GDPR, as well as California's CCPA rules regarding privacy of consumers, but if medical records are involved it's even more serious. I would additionally look to access control lists to the terminals as an extra precaution by installing solutions like the following: https://colortokens.com/wp-content/uploads/Healthcare-Industry-solution-brief.pdf
2 upvotes
Anonymous Author
Agree with others, the action::response to the event, action::remediation certainly depends on several variables in addition to the exposure and overall criticality of the system.
2 upvotes
Anonymous Author
Depends on the patch. If it is critical and applies to us, same day; if not, then sometime in the future when we perform regular maintenance. E.g. the mentioned patch doesn't even apply to our environments, so totally ignored, nothing to patch.
2 upvotes
Anonymous Author
It depends on the critical nature based on the business and service impact. There are patches that we do on the same day as well.
2 upvotes
Anonymous Author
First, patching any vulnerability is the tactical aspect that needs to be driven by an overall security strategy that continuously maps exposure and risk to known vulnerabilities. You need to have proper context in order to make the decision about when to tactically patch. Otherwise your team will *always* be in reactive mode and will rapidly burn out from "alert and vulnerability fatigue".
1 upvote
Anonymous Author
Critical security patches should be applied to your most critical systems first (like immediately) and then rolled out to the least critical systems. Normally within 24 hours, usually that same night. Of course you should have a change control process in place that is being followed. You don't want to apply patches that will break your system and stop production, so the change control process is very important.
1 upvote
Anonymous Author
Agree with others here. We set policies based on severity and CVSS score. Critical is immediate if it applies. Lower than critical severities are prioritized within 30 days or less depending on patch cycles.
1 upvote
Anonymous Author
I would say if you have a strong emergency change management process, it should be applied immediately.
1 upvote
Anonymous Author
Depends on exposure and level of vulnerability. Still runs through same process either way. Time tables may vary.
0 upvotes
Anonymous Author
Depending on the severity, but in most cases I would install the patch ASAP.
0 upvotes
Anonymous Author
Depending on the environment, it depends on the patch and the urgency of the patch. PCI specifically has requirements for patching that must be adhered to. I am always a big fan of the 30/60/90 rule for patching. That said, I have gone into PCI environments that complete an SAQ-D, that claim to patch monthly but have servers that have not been patched in over 3 years. Patching, especially for larger organizations, can be a bear to control.
0 upvotes
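Several commenters describe the same shape of policy: a deadline set by severity (critical is immediate, lower severities on a 30/60/90 schedule), adjusted for exposure and exploit availability, and skipped entirely where the patch does not apply. The script below is an added example, not code from the poll or from any commenter, that turns such a policy into due dates and an overdue list. The CVSS bands follow the standard v3.x qualitative scale; the day counts per tier, the one-tier escalation for exposed hosts, the hostnames, the placeholder CVE id and the CVSS score assigned to CVE-2019-0708 are all assumptions made for this example.

```python
"""Patch-SLA triage: turn a severity policy into due dates and an overdue list."""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed after disclosure per tier. Critical = same day, then 30/60/90.
# This mapping is an assumption for the example, not any commenter's actual policy.
SLA_DAYS = {"critical": 0, "high": 30, "medium": 60, "low": 90}
TIERS = ["low", "medium", "high", "critical"]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score onto the standard qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    published: date          # advisory / patch release date
    internet_facing: bool    # exposure of the attack surface
    exploit_public: bool     # availability of an exploit
    applicable: bool = True  # False when the patch does not apply to this host at all
    patched: bool = False


def effective_severity(f: Finding) -> str:
    """CVSS band, bumped one tier when the host is exposed or an exploit is public (assumed rule)."""
    idx = TIERS.index(severity_from_cvss(f.cvss))
    if f.internet_facing or f.exploit_public:
        idx = min(idx + 1, len(TIERS) - 1)
    return TIERS[idx]


def due_date(f: Finding) -> date:
    return f.published + timedelta(days=SLA_DAYS[effective_severity(f)])


def triage(findings, today: date):
    """Open, applicable findings with their deadline, most overdue first."""
    rows = []
    for f in findings:
        if not f.applicable or f.patched:
            continue  # nothing to patch, or already done
        due = due_date(f)
        rows.append({
            "host": f.host,
            "cve": f.cve,
            "severity": effective_severity(f),
            "due": due,
            "days_overdue": (today - due).days,  # negative means still within SLA
        })
    rows.sort(key=lambda r: r["days_overdue"], reverse=True)
    return rows


def overdue(findings, today: date):
    """Only the findings whose SLA has already lapsed."""
    return [r for r in triage(findings, today) if r["days_overdue"] > 0]


# Constructed sample inventory: hostnames are made up, the second CVE id is a placeholder,
# and the 9.8 score for CVE-2019-0708 is assumed for this example.
SAMPLE = [
    Finding("dmz-rdp-01", "CVE-2019-0708", 9.8, date(2019, 5, 14), True, False),
    Finding("hr-app-02", "CVE-XXXX-PLACEHOLDER", 6.5, date(2019, 4, 1), False, False),
    Finding("kiosk-07", "CVE-XXXX-PLACEHOLDER", 3.0, date(2019, 3, 1), False, True),
    Finding("lab-box", "CVE-2019-0708", 9.8, date(2019, 5, 14), True, False, applicable=False),
    Finding("web-01", "CVE-2019-0708", 9.8, date(2019, 5, 14), True, False, patched=True),
]
TODAY = date(2019, 5, 21)  # assumed "current" date for the sample run

if __name__ == "__main__":
    for r in triage(SAMPLE, TODAY):
        print(f"{r['host']:<12} {r['cve']:<22} {r['severity']:<9} "
              f"due {r['due']} ({r['days_overdue']:+d} d)")
```

Running it lists the low-scored kiosk first: its public exploit escalates it to medium and its 60-day window has lapsed, while the unpatched DMZ host is a week past its same-day deadline and the internal HR host is still inside its window. The two skipped rows show the other point made in the thread: a host where the patch does not apply, or is already installed, should never appear in the backlog.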