Will You Patch This Tuesday?

The Microsoft security sleigh will be laden with patches this coming Tuesday, a bag full of 17 bulletins patching 40 different vulnerabilities in Windows and Office products. With this being a hectic time of the year for many companies, it can bring up some tough choices. What is your company's policy for applying these patches in December?

Dave Methvin, Contributor

December 12, 2010


There are some pretty serious issues fixed by this batch of patches. Putting off this December batch for a month may not be such a good idea, certainly on desktop PCs. Many companies have a skeleton crew in place over the holidays, so this might be the perfect time for bad guys to stage an outbreak based on one of the patched exploits. And, whether company policy allows it or not, employees may be browsing to recreational and non-business sites while so many of their co-workers have taken time off. Those are the kind of sites that may mean trouble.

On the other hand, if your company has significant holiday-driven traffic, for example e-commerce on web servers, security risks need to be weighed against the risks of downtime or other problems when updating those servers. It's often easier to control server environments or mitigate the risks of these exploits via firewalls and other security measures.

A few years back, I worked with a company that put their public-facing web servers into lockdown starting in mid-November. Their concern was that any configuration changes past that date might endanger their post-Thanksgiving traffic and holiday sales, which made up almost half of their annual sales. Nobody wanted to apply a patch that brought down any of their servers for any amount of time.

Given all the variables and risks, I'm wondering what policy your company has for managing these upcoming patches -- and whether you think it's reasonable.
