In 1984, a fantasy movie involving a young boy, a rock-eater, a weird dog-dragon hybrid, an entity known as The Nothing, and an assortment of other strange characters was released. This movie, titled The NeverEnding Story, is remembered by many people not only because of the story itself but because of the main title track which lingers long after the credits have rolled. After watching the movie, one could be caught belting out "NeverEnding Stooooooryyyyyyyy! Ah, ah, ah!" for anyone nearby to listen. While this song is easily adapted for a number of tasks in everyday life (never ending laundry, dishes, or bills), for those in IT roles it has become "NeverEnding Paaaaaattccheeeeees!"
Although it is true that patches will probably never stop for a product unless the product or the company is no longer around, the constant stream of updates can be controlled. For this to occur, however, several things need to happen. First, it must be decided what patches will be installed and what time frame is considered acceptable. Second, the patches need to be applied as instructed by the software provider. Finally, verification should be performed to ensure the patches were applied as planned.
Deciding what patches should be applied seems like a simple matter at first glance. For Microsoft products, be they Windows operating systems or Office products, the standard process seems to be to only install critical updates. This has become even more common with the patch roll-up process Microsoft shifted to with Windows 10. However, a quick look at Microsoft's Windows Update categories as well as WSUS settings reveals that critical updates have nothing to do with security[1]. Instead, a critical update is an "update which fixes specific, non-security related, critical bug. That bug can cause for example serious performance degradation, interoperability malfunction or disturb application compatibility." Microsoft and WSUS have different definitions and settings for security updates, ranging from critical to unspecified. A critical update addresses a "vulnerability whose exploitation could allow the propagation of an internet worm without user action, and possibly without user interaction" and should be installed as soon as possible. However, the next security update level is defined as important, which addresses "a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources…include common use scenarios where client is compromised with warnings or prompts" and should be installed at the earliest opportunity. Linux and Unix operating systems must also be updated to address vulnerabilities and this process will vary depending on distribution used.
For third-party products, such as Java, Adobe, and VMware, the patching process is more complicated as one must rely on third-party patching software, user interaction, notifications of updates, or a combination of all three. Regardless of the patch process used, the patch window must also be defined. When dealing with Java or Adobe, it is typically recommended to install as soon as available if at all possible due to the vulnerabilities addressed in each update. For Windows or Office products, a window of 30 days or so is normal. However, issues can arise regardless of patch provider and a cautious admin would test major updates before rolling out to all production systems.
Application of updates is another item for careful consideration. For many patches, a simple process of installation and maybe a reboot will suffice. For others, especially some Microsoft patches, an additional step needs to occur before the installed patch is effective. For example, the initial patch to address the SPECTRE/MELTDOWN vulnerabilities required a registry setting change for KB4056898.[2] This requirement was later addressed in another KB a few months later, but in the meantime, any systems that did not have the correct registry setting could not be fully patched and therefore the vulnerability remained. In short, it is important to review the associated documentation for any major patch to ensure they will be properly applied.
Finally, regardless of provider, patch process, or patch window, any and all updates should be verified as having been successfully applied. There is an often spoken rule of "trust but verify" and that especially applies for patch management. Verification can be performed in a number of ways, ranging from spot checks to internal vulnerability scanning using a number of available tools such as Nessus or GFI LanGuard. Before deciding on a tool, however, some tests should be performed to ensure the information that is obtained is accurate and applicable to the issues at hand.
In summary, while it cannot be guaranteed that one will not be singing "NeverEnding Paaaaaattccheeeeees!" while performing security updates on a myriad of systems, perhaps the steps outlined above can lead to not only a more secure network but a more manageable one as well.
[1] https://blogs.technet.microsoft.com/dubaisec/2016/01/28/windows-update-categories/
[2] https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898