PATCH WATCH By Susan Bradley The vast majority of 2020 and 2021 attacks were not from zero days, but rather were old vulnerabilities for which patches
[See the full post at: Why don’t we patch?]
Susan Bradley Patch Lady/Prudent patcher
Sorry for being a stickler for detail, but the document link gives me an HTTP error 404. If it works for other users, please delete my post.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
document link
If you mean the link in the opening post of this thread, it does work for me and appears correct. If you mean from someplace else, let us know.
Broken for me too, both onsite and in the mailed Newsletter.
The reason I first came to this site is because of the Patch Lady.
Thinking initially of non-technical users (and not most of the people who hang out at AskWoody):
For both of these, end users frequently don’t care that much about security, or even administration of their own machines. It’s too easy to expect the computer to be just another appliance, where nothing more is required than with a toaster: insert slices of bread, press button, and in a minute you have toast.
For some, there is the “if it ain’t broke, don’t fix it”, as well as “even if it is broke, don’t fix it”. For the former, there may be perception that fixing isn’t going to make any noticeable changes, and for the latter, not wanting to apply something that forces changes (which are regarded as negative).
For those of us here, there is the common suspicion of changes that just as easily create problems as solve problems, and staying away as a way of trying to prevent big problems by ignoring small problems, but that doesn’t always work, and it’s not always desirable. Unfortunately, the complexity of it all makes it difficult to evaluate which updates are necessary and desirable, which ones are not, and how to prioritize, when it’s nearly impossible to do realistic threat and risk assessments.
The implied criticism here is with Microsoft and how they handle patching with Windows, but this applies to really any product and any vendor/developer. With Windows (and current Microsoft offerings, including servers and applications), Microsoft has the stance of “trust us, we know what we’re doing, and what’s best for you” (and equating the two).
Of course, that isn’t true, especially with Microsoft having dumped the bulk of its QA testing operations in favor of AI-driven crowd-sourced testing (and driven by all of the telemetry data generated by individual machines). In concept, there’s a place for the crowd-sourced testing, as a better way of finding obscure problems that they can’t possibly try to test in the lab. The problem with that is that they’re using that as primary testing, rather than complementing extensive testing that they do before that. And the Insider track doesn’t turn up nearly enough. As an aside, I think that might be part of Microsoft’s reason for the big raise in minimum hardware requirements for Windows 11, as a way of lowering the number of support problems caused by older hardware.
But the real problem is that there is no real way of prioritizing updates, and the mistaken idea that a fully patched machine is “safe” (at least until the next round of patches comes out). Microsoft’s hierarchy of Critical, Recommended and Optional doesn’t really work well, especially if your particular situation requires something (who knows what, and how to identify it) that may be critical to you, but where it’s otherwise classified lower.
This is especially true for things like bug fixes and sometimes driver updates. I know that some try to avoid all except security patches, but there are times when bug fixes aren’t inconsequential, and applying an update that is bug fixes only (without security fixes) can make a real difference.
With Microsoft, the problem is compounded by the marketing people who can push stuff into the update channel. I would say that this is less so with the monthly Patch Tuesday updates, but we also get optional C Week updates that eventually make it into Patch Tuesday updates. And then there’s the semi-annual updates. Fortunately, over the last year or so, they’re mostly limited to roll-ups of Patch Tuesday, but Microsoft always finds a way of slipping in a few small changes, even if it’s as insignificant (at least to them) of changing user prefs back to Microsoft-preferred defaults.
The feature changes are usually presented as “for your benefit”, but too often they’re presented by Marketing, and ultimately, where changes are there to facilitate Microsoft’s needs (especially when familiar things are broken or deprecated) rather than user needs.
For the majority of people who hang out here, there’s a credible apprehension (if not outright fear) of updates imposing new problems that have to get fixed immediately. That’s one thing if it’s just your own machine, but something else if you have to support machines in quantity (whether a handful, or dozens, especially if some or all of them require remote support).
To me, something that would help is clear designation of updates — which are security fixes, which are bug fixes, what are feature set changes, along with clear documentation of what problems each is intended to fix, and the ability to choose which ones I want, and exclude which ones I don’t want. And where the documentation is written for a middle user — i.e., somebody who is technically adept, but not fluent as a developer or Microsoft insider, but at the same time, where it’s not written patronizingly, for a non-technical user.
One possibility why patches are not applied is Microsoft’s questionable quality control. Why else would this site’s MS-DEFCON setting and master patch list be as popular as they seem to be?
In the dim past I used to apply Windows updates as soon as they were available.
But now the application of Windows updates is deferred through various methods and we watch the landscape for signs of trouble, wait for MS-DEFCON to reach an acceptable setting, take image backups and then hold our breath while updates are installed. Updating Windows has become a risk to be managed. It’s a shame.
In other words: let other unaware users go through all possible problems, so we can be happier later. Nothing personal against you, it’s not an attack.
The attitude you described is widely accepted, mainly in corporations and larger companies.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
This attitude as you call it, was the main reason for the AskWoody DEFCON traffic-light patch rating system. Woody always advocated not being what he called a “pioneer”, and made a remark no longer considered politically correct about how you can tell who the pioneers are. I too prefer to let others take the risks — and the arrows — of early adoption, including immediate patching.
This advice does not apply to business or enterprise computing systems. They are playing a different game on a different field, with much higher stakes. And the malware writers know this.
-- rc primak
In other words: let other unaware users go through all possible problems, so we can be happier later. Nothing personal against you, it’s not an attack.
Really? No insult intended?
Using the public as cannon fodder for testing Windows Updates is Microsoft’s philosophy, not mine.
Using the public as cannon fodder for testing Windows Updates is Microsoft’s philosophy, not mine.
I understand that, that’s why I wrote that it’s not how it may sound to you. I’m not a native English speaker, so sometimes my posts may have “side effects”.
I described what DEFCON on this site is for. IT admins usually wait patiently until patches are tested by public users, then they deploy those patches a few weeks/months later.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
Doriel, no disrespect intended, but I think Susan says it’s the other way around. IT pros in business and enterprise are often under great pressure to get their systems patched as soon as vulnerabilities are reported.
Susan certainly says in this article that she is recommending that IT pros patch or at least test-patch before she recommends that we consumers patch. We can afford to wait a couple of extra weeks — bigger targets like businesses cannot afford to wait so long.
That said, many recent ransomware attacks highlighted the fact that a lot of IT pros are not patching their servers (especially those running Linux) on anywhere near a regular basis. That’s how Big Malware finds and attacks its targets.
Very little Big Malware is aimed at mere consumers and our stand-alone or home networked PCs. So we can afford to wait (but not forever). Enterprise cannot afford such long waits.
-- rc primak
Hello Susan, hello all,
In order to make patching easier (at least the detection of missing patches) for a vast list of third-party software, you can test SUMo (Software Update Monitor).
Mentioned a couple of times in AskWoody’s newsletter in the past.
(I’m the developer)
Link: https://www.kcsoftwares.com/?sumo
Any feedback is welcome!