It seems like several times a month some software vendor releases patches for its products. One week it's Microsoft, the next it's Oracle, the next it's Adobe, then it's Thunderbird and Firefox. How can you keep up?

It's not your imagination. Most software vendors have a published patch schedule (often monthly) on which they release updates to their software. These releases are usually announced in advance so that system administrators and users can decide which patches they need to apply and can prepare for them.

But once you have the list of patches, how do you decide which ones you really need to apply? An easy way to prioritize patches is to use the following list. It gives you an idea of how important a given patch is and what the impact of not applying it might be.

Patches fall into 4 categories:

  • Critical
  • High
  • Medium
  • Low

A Critical patch is a security-oriented patch rated Critical by the vendor of the software (Microsoft, Adobe, Oracle, etc.). The vulnerability that the patch addresses can be exploited remotely, meaning over the network or the Internet, without the attacker first having any access to the machine. Exploits for the vulnerability have been observed in active use, so there is a real and present danger of compromise. Failure to apply a patch like this can result in a hacked system and a loss of data or personal information within the foreseeable future. You should apply the patch immediately.

A patch with a rating of High is also a security-oriented patch. All the conditions that make a patch Critical also make it High EXCEPT that there is no evidence of exploits existing for the vulnerability. Failure to apply a High importance patch can result in a hacked system and a loss of data or personal information in the near future if an exploit is released. You should apply the patch as soon as possible.

Medium patches are also security-oriented patches, however these patches address vulnerabilities that can only be exploited locally, meaning an attacker must already have some access to the machine: an account on it, or a way to run code on it (for example, by getting a user to open a malicious file), rather than reaching it directly over the network. While vulnerabilities like this are important in an open environment such as the University, they are not as dangerous as having the millions of people on the Internet with access to a flaw in your system. Failure to patch a vulnerability of this type could result in a compromised system and a loss of information, however the chances are much lower than those of a High or Critical vulnerability. You should apply this patch when convenient.

Finally, patches of Low priority encompass all other types of patches. The software vendor has stated that the patch is NOT a security-oriented patch (it might add new functions to a program, for example): it does not address any kind of vulnerability and it carries no severity rating. Failure to apply Low priority patches can mean you miss out on the coolest new program feature or smiley. You can choose whether or not to apply the patch depending on your need for the new features.
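The four rules above are easy to turn into a small triage script once a month's advisories are in hand. The following Python is an added example written for this page; it is not a tool from the University Information Security office or from any vendor. The three yes/no facts it needs per patch (security fix or not, remotely exploitable or not, exploitation observed or not) are the ones the rules use; the field names, the sample advisories, and the extra "needs review" flag are assumptions made for the example.

```python
"""Patch triage helper using the four priorities described above.

Added example, not the University's own tool. Field names, sample patches
and the needs_review() check are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Sort order and recommended action, straight from the four categories.
PRIORITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ACTION = {
    "Critical": "apply immediately",
    "High": "apply as soon as possible",
    "Medium": "apply when convenient",
    "Low": "optional; apply if you want the new features",
}


@dataclass
class Patch:
    vendor: str
    name: str
    security: bool            # vendor says the patch fixes a vulnerability
    remote: bool = False      # exploitable over the network with no prior access
    exploited: bool = False   # exploitation has been observed in the wild
    vendor_rating: str = ""   # vendor's own severity word, kept for the report


def classify(p: Patch) -> str:
    """Map one patch onto Critical / High / Medium / Low per the rules above."""
    if not p.security:
        return "Low"            # feature or bug-fix update, no vulnerability
    if not p.remote:
        return "Medium"         # attacker needs existing access to the machine
    return "Critical" if p.exploited else "High"


def needs_review(p: Patch) -> bool:
    """Added check (assumption, not one of the page's rules): a locally
    exploitable bug that is already being exploited still lands in Medium
    under the rules above, so flag it for a human to look at."""
    return p.security and not p.remote and p.exploited


def triage(patches):
    """Return the patches sorted most urgent first, then by vendor and name."""
    return sorted(patches, key=lambda p: (PRIORITY_ORDER[classify(p)], p.vendor, p.name))


def report(patches):
    """One line per patch, in triage order, with the recommended action."""
    lines = []
    for p in triage(patches):
        pri = classify(p)
        flag = "  [REVIEW: local bug under active exploitation]" if needs_review(p) else ""
        rating = f"(vendor: {p.vendor_rating})" if p.vendor_rating else ""
        lines.append(f"{pri:<8} {p.vendor:<10} {p.name:<32} {rating:<22} -> {ACTION[pri]}{flag}")
    return lines


# Constructed sample advisories for the example; not real patch identifiers.
SAMPLE = [
    Patch("Microsoft", "Example remote code execution fix", security=True,
          remote=True, exploited=True, vendor_rating="Critical"),
    Patch("Adobe", "Reader update", security=True,
          remote=True, exploited=False, vendor_rating="Critical"),
    Patch("Oracle", "Java local privilege fix", security=True,
          remote=False, exploited=True, vendor_rating="Important"),
    Patch("Mozilla", "Firefox new tab features", security=False),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run as-is to see the four sample patches ordered Critical, High, Medium, Low; the Oracle entry comes out Medium under the rules but is tagged for review because it is both local and actively exploited. To use it for a real month's releases, fill in the three flags per patch from the vendor advisories and any exploitation reports you trust.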

The University Information Security office is happy to assist you in applying these priorities to patches for your systems.