Software Patch Scheduling

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: April 16, 2018

Summary

UBIT strongly recommends that system administrators and end users apply software patches within the time frame indicated by each patch's category.

Background

Many software vendors publish a regular patch schedule (Microsoft's monthly release, commonly called "Patch Tuesday", is the best-known example). The schedule identifies when the vendor releases, or makes available, software updates. Releases are usually publicized in advance, which helps system administrators and users decide which patches they need to apply and when. UBIT recommends prioritizing and applying patches based on the importance of the patch, the patch category, and the potential risk and impact that may result if the patch is not applied.

Patch Categories & Application

Following the severity rating system used by Microsoft and most other vendors, this standard divides patches into four categories:

  1. Critical
  2. High/Important
  3. Moderate
  4. Low

1. Critical Patch

A Critical patch is security-oriented and addresses a vulnerability for which exploitation is already known to have occurred. Critical patches address vulnerabilities that can be exploited remotely, for example over the network or the Internet, so there is an immediate danger that the system will be compromised. Failing to apply a Critical patch may result in a compromised system and the loss of data or personal information. Microsoft recommends applying Critical patches immediately. UBIT recommends testing and applying Critical patches within 3 days of the vendor releasing them. Note that Microsoft's own rating system assigns Critical to any vulnerability whose exploitation could allow code execution without user interaction, so a vendor's Critical rating does not by itself mean that an exploit has been observed.

2. High/Important Patch

A patch rated High/Important is also a security-oriented patch. Like a Critical patch, a High/Important patch addresses a vulnerability that can be exploited remotely, for example over the network or the Internet. The difference between a Critical and a High/Important patch is that, for a High/Important patch, there is not yet evidence that the vulnerability has been exploited. Failure to apply a patch rated High/Important can result in a compromised system and the loss of data or personal information as soon as a working exploit appears. Microsoft recommends applying High/Important patches at the earliest opportunity. UBIT recommends that High/Important patches be tested and applied within one week of release.

3. Moderate Patch

Moderate patches are generally also security-oriented. However, they address vulnerabilities that can only be exploited locally: an attacker must already have access to the machine, whether through an existing account or by sitting in front of it, in order to exploit the vulnerability. Vulnerabilities like this are significant, especially in an open environment such as a university where many people hold accounts on shared systems, but they are not as critical as a flaw reachable by anyone on the Internet. Failure to patch a Moderate vulnerability can still result in a compromised system and the loss of data or personal information, although the chance of a breach is much lower than for a Critical or High vulnerability. Keep in mind that a local vulnerability (for example, a privilege escalation flaw) becomes far more useful to an attacker who has already gained a foothold through phishing or a remotely exploitable vulnerability, so Moderate patches should not be deferred indefinitely. UBIT recommends that Moderate patches be applied within 1-2 months of release.

4. Low Patch

Low priority patches encompass all other patches. Under this standard, Low priority patches are not security-oriented, do not address any kind of vulnerability, and do not carry a severity rating. A Low priority patch might add new functions or the latest features of the product. A system administrator or user can choose when, and whether, to apply the patch, depending on the need for the new functions and/or features. (Microsoft also uses "Low" as a security severity rating for vulnerabilities that are extremely difficult to exploit or whose impact is minimal; check the vendor's bulletin rather than assuming a Low-rated update has no security content.)
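The time frames above are easiest to enforce when they are checked mechanically against a patch inventory. The following script is an added example and is not part of the UBIT standard or any UBIT tooling; it encodes the category deadlines defined above (Critical: 3 days, High/Important: 7 days, Moderate: 60 days as the upper end of the 1-2 month window, Low: no deadline) and reports which unapplied patches are past their deadline as of a given date. The inventory records, patch IDs and dates are constructed for illustration.

```python
from datetime import date, timedelta
from typing import Optional

# Maximum time from vendor release to applied patch, per category, as set out in
# this standard. None means "at the administrator's discretion" (Low / non-security).
# Keys are lower-case; "important" is Microsoft's name for the High category.
PATCH_SLA = {
    "critical": timedelta(days=3),
    "high": timedelta(days=7),
    "important": timedelta(days=7),
    "moderate": timedelta(days=60),   # upper bound of the 1-2 month window
    "low": None,
}


def deadline_for(category: str, released_iso: str) -> Optional[date]:
    """Return the date by which a patch of this category must be applied.

    released_iso is the vendor release date as YYYY-MM-DD. Returns None for
    categories with no deadline. Unknown categories raise ValueError so that
    a typo in the inventory cannot silently exempt a patch from the schedule.
    """
    key = category.strip().lower()
    if key not in PATCH_SLA:
        raise ValueError(f"unknown patch category: {category!r}")
    sla = PATCH_SLA[key]
    if sla is None:
        return None
    return date.fromisoformat(released_iso) + sla


def overdue_patches(inventory, today: date):
    """Return (patch_id, category, days_late) for every unapplied patch past its deadline.

    inventory is a list of dicts with keys: id, category, released (ISO date), applied (bool).
    """
    late = []
    for patch in inventory:
        if patch["applied"]:
            continue
        due = deadline_for(patch["category"], patch["released"])
        if due is not None and today > due:
            late.append((patch["id"], patch["category"], (today - due).days))
    return late


# Constructed sample inventory (hypothetical IDs and dates, not real patches).
SAMPLE_INVENTORY = [
    {"id": "P1", "category": "Critical",  "released": "2018-04-10", "applied": False},
    {"id": "P2", "category": "Important", "released": "2018-04-10", "applied": True},
    {"id": "P3", "category": "High",      "released": "2018-04-27", "applied": False},
    {"id": "P4", "category": "Moderate",  "released": "2018-02-15", "applied": False},
    {"id": "P5", "category": "Low",       "released": "2018-01-01", "applied": False},
]


def demo():
    """Run the overdue check on the sample inventory as of a fixed (constructed) date."""
    return overdue_patches(SAMPLE_INVENTORY, date(2018, 5, 1))


if __name__ == "__main__":
    for patch_id, category, days_late in demo():
        print(f"{patch_id}: {category} patch is {days_late} day(s) past its deadline")
```

As of the constructed date 2018-05-01, the Critical patch P1 (due 2018-04-13) and the Moderate patch P4 (due 2018-04-16) are reported as overdue, while the High patch P3 is still inside its one-week window and the Low patch P5 has no deadline. In a real deployment the inventory would come from the patch management or vulnerability scanning system rather than a literal list.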

Applicability

This standard applies to:

  • System administrators of the University at Buffalo’s electronic information resources.
  • University at Buffalo computer users: All employees, faculty, staff and third parties including vendors, contractors, visitors and all others who utilize the electronic information resources of the University at Buffalo.
  • University at Buffalo computing resources: All desktops, laptops, notebooks, and mobile devices, and software owned by University at Buffalo.

Definitions

Exploit: A piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability and causes unintended or unanticipated behavior to occur on computer software/hardware, or electronic equipment.

Patch/update: A piece or component of software designed to update, fix, or improve a computer program or its supporting data. Patches/updates may be included as part of an upgrade.

Upgrade: A new version of the software that offers a significant change or major improvement over the current version. It is usually more extensive than an update.

Responsibility

Information Security Officer

  • Oversee availability of security patches.

System Administrators/End-user

  • Apply security patches within the time frame set for their category.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Information Security Office
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Website: http://security.buffalo.edu  
