Patch Lady – Does Woody tell you to not patch?
So over on Twitter Dave Kunkle is taking Woody (and me for that matter, as I use the same wait-to-patch philosophy) to task for telling people to not patch. With all due respect to Dave, Woody doesn’t tell people to not patch ever… he just says (as I do) to hold back and wait for the dust to settle. There is a balancing act one has to do with patching. When the risk of attacks from attackers rises to a level higher than the risk of side effects of updates, that’s the perfect time to patch. Right now attackers tend to use either zero-day (for which we have no patch) browser exploits, Office exploits, or they go after tried and true entry points like email and phishing attacks. Targeted attackers will do recon on a network, target the system for unpatched entry points, and often use older operating systems to wiggle in.
One of the problems I see in helping people is that they see someone getting hit with side effects of a patch and consider that it’s widespread for all. It honestly is not. Just because person X using computer Y and having printer Z and whatever else installed gets an issue doesn’t mean you will. Also, many times the act of rebooting will expose an issue that was hiding all along. Patching wasn’t the root cause; rebooting the machine finally exposed the issue. But time and again I see people skipping over KB whatever because at one point in time it was noted in the news as causing issues for someone.
Patching your systems should be an exercise in making sure you are ready for recovery of your system. If you can’t restore from a backup, not only can’t you deal with an update side effect, you can’t deal with the bigger problem of ransomware.
Woody does not tell people to NEVER patch ever. He tells people to wait. He and I realize the reality of the follow-up process. Security patches are released on the second Tuesday of the month. By the time people install them and realize there are issues, it’s the end of the week. Enterprises opening up support cases with Microsoft take time to get to the root problem. So it’s typically the following week that issues are identified and noted on the Windows release health dashboard. If there is a major problem with a release, whereby the problem is in Microsoft’s code and there’s a major bug, Microsoft always will pull the update and re-release it. But here’s the thing. That honestly and truly rarely happens.
The reality is that we beat up our Windows machines pretty badly. We install multiple antivirus programs (please don’t do that), we install third-party software that mangles our registries (I am not a fan of CCleaner because of this), and every time we uninstall and reinstall software, it often doesn’t clean up after itself well at all.
Furthermore, if you look at the articles that have been posted, none of us are recommending browsing from a Windows 7 computer if you don’t get updates for it. Woody, myself, Amy and Ted have gone out of our way to ensure that small businesses could make sure that IF they wanted to continue to get updates after January, they could. This offer is still open and you can still purchase Windows 7 extended support patches by filling out this form. Even small businesses who need only 1 license can purchase one. We’re over 200 small businesses (and counting) that will be protected come February’s Patch Tuesday. We do not want you to use Windows 7 for online banking, tax preparation or ANY sensitive info. I’ve even urged folks to change the DNS settings, take it off the web and isolate it.
So Dave? Read those Woody posts again. He never says to NOT patch ever. He’s just letting those of us without Technical Account Managers, support contracts and extra IT support arms not be the beta testers for everyone else. Just hold back a little bit, and truly and honestly those of us that are not nation states, governmental targets or Jeff Bezos will be (and historically have been) just fine waiting until the dust settles. And if you have an old, old update that you’ve not installed and it’s still in your hold list, by all means list the KB number here and I’ll give you my historical perspective on it. Unless it’s an optional update like a later .NET release, if it’s security related I’ll urge you to install it. Because by now it’s fine and we’ve figured out any issues with the update and dealt with them.