vishybear
Newcomer I

Thoughts on Patching for Zero Day

I'm just interested in feedback from people here. My background is sysadmin and I've had MANY people come screaming at me over the last couple of decades, when a zero day comes out, to cancel all my plans and suddenly patch the entire infrastructure.

I've had a few arguments with cybersecurity people who haven't worked sysadmin or similar who insist that the patches need to be installed STRAIGHT AWAY and scare the C-Suite about it.

However, I've seen enough times with Microsoft especially, but also VMware back in the day, where an entire infrastructure was taken down by a bad patch. And don't say "you should test it first": there are PLENTY of clients out there with no test environments, and some of these patches that went out didn't display a problem until after reboot or even a couple of days later.

I'm a BIG fan of letting someone else take the risk first. Definitely DON'T do it on a Friday night, and leave at least 48 hours before even thinking about patching a 0 day, as the patches are usually rushed, badly written & VERY likely to be faulty.

Thoughts? 

10 Replies
JoePete
Advocate I


@vishybear wrote:

However, I've seen enough times with Microsoft especially, but also VMware back in the day, where an entire infrastructure was taken down by a bad patch.


Here's a SUG (sweeping unsupported generalization): The patch tends to precede the exploit, often by months. This means that you don't have to be the first adopter of a patch, but you should be in that second wave or so (once the world hasn't collapsed).

SUG #2: the severity of some vulnerability or exposure often is only quantified after the exploit occurs. While we try our best, identifying the severity of a flaw is notoriously "not good." How often is the corporate line something like "it's highly unlikely" that a flaw could be exploited? Then, lo and behold, someone does it in a way that no one envisioned (often because it gets combined with just good old social engineering). By the same token, you also get the panicked headlines for vulnerabilities that likely will never be exploited. This is a long way of saying that triaging patching (e.g., rush the "critical" ones) isn't reliable.

That said, a lot of this comes down to starting with your footprint. Keeping things simple makes patching simple. That's on both a personal level and an enterprise one, which today is one and the same because everyone uses personal devices (and habits) to access enterprise resources. Keep your systems up to date, but also keep those systems as lean as you can.