Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: April 16, 2018
UBIT strongly recommends that system administrators and/or end users apply software patches as indicated by their category.
Most software vendors publish a monthly patch schedule. The schedule identifies when the vendor releases, or makes available, software updates. Releases are usually publicized in advance. This helps system administrators and users decide which patches they need to apply. UBIT recommends prioritizing and applying patches based on the importance of a patch, the patch category, and the potential risk and impact that may result if the patch is not applied.
Software vendors divide patches into four categories:
A Critical patch is security oriented and addresses a vulnerability for which exploitation is known to have occurred. Critical patches pertain to vulnerabilities that can be remotely exploited, for example, over the network or Internet. Therefore, there is a real danger of compromise to the software. Failing to apply a Critical patch may result in a hacked system and a loss of data or personal information. Microsoft recommends applying Critical patches immediately. UBIT recommends testing and applying Critical patches within 3 days of the vendor releasing them.
A patch rated High/Important is also a security-oriented patch. Like a Critical patch, a High/Important patch addresses a vulnerability that can be remotely exploited, for example, over the network or Internet. The difference between the two is that, for a High/Important patch, there is not yet evidence that the vulnerability has been exploited. Failure to apply a patch rated High/Important can result in a hacked system and a loss of data or personal information in the near future if an exploit occurs. Microsoft recommends applying High/Important patches at your earliest opportunity. UBIT recommends that High/Important patches be tested and applied within one week of release.
Moderate patches are generally also security-oriented patches. However, Moderate patches address vulnerabilities that can only be exploited locally. This means an attacker must have local access to the machine, or be sitting in front of the machine, in order to exploit the vulnerability. While vulnerabilities like this are significant, especially in an open environment such as a university, they are not as critical as millions of people on the Internet having access to a flaw in your system. Failure to patch a Moderate vulnerability can result in a compromised system and loss of data or personal information. However, the chances of a breach are much lower than those of a Critical or High/Important vulnerability. UBIT recommends that Moderate patches be applied within 1-2 months of release.
Low priority patches encompass all other types of patches. Low priority patches are not security-oriented, do not address any kind of vulnerability, and do not have a severity rating. A Low priority patch might add new functions or the latest features of the product. A system administrator or user can choose when and whether or not to apply the patch, depending on the need for the new functions and/or features.
This standard applies to:
Exploit: A piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability and causes unintended or unanticipated behavior to occur on computer software/hardware, or electronic equipment.
Patch/update: A piece or component of software designed to update, fix, or improve a computer program or its supporting data. Patches/updates may be included as part of an upgrade.
Upgrade: A new version of the software that offers a significant change or major improvement over the current version. It is usually more extensive than an update.
Information Security Officer