Patch Severity Ratings & 3rd Party vendors


    This topic contains 3 replies, has 2 voices, and was last updated by Paul T 2 weeks, 2 days ago.

    #2011563

      alphakry
      AskWoody Lounger

      Hi everyone!  Long time reader, first time poster! 🙂  Please forgive the following wordy post, but I have some questions regarding managing patches based on severity.

      We use a few tools to help manage our environments and I’ve noticed some inconsistencies when it comes to how vendors rate the severity of patches. I’m interested in your input and overall opinion and have a few questions along the way.

      As I understood it, that rating is typically dictated from Microsoft directly, on a scale of Critical, Important, Moderate and Low. You can see these ratings within Windows Update and I presume WSUS displays this severity scale as well. (I have not yet used WSUS or SCCM, which will be the plan in the near future so I will know that answer soon enough…)

      I have also seen the Exploitability Assessment scale typically listed on CVE bulletins that range from 0-3.

      We use Qualys for the majority of scanning, Kenna Security for helping summarize those scan reports and ManageEngine’s software for additional deployment and reporting functions, especially for any 3rd party applications.

      It seems some patches that may be considered “Important” by one, are listed by another as “Critical” or have a higher score rating. So I’m wondering if there is any rating system that you trust over the other when it comes to classifying patch severity.

      This is important for my use as we write policies that dictate what patches we must schedule for and those we skip based on a lower severity vs a higher risk of patching our production environments.

      Additionally, I remember an old rule that after running a manual WU Check for Update scan, it would return any Critical patches needed with the checkbox automatically checked. However, in recent memory, I’ve seen this happen for “Important” updates in addition to Critical. Should that be the case? Are they now being treated with similar priority in terms of what’s recommended? (even though I know MS clarifies the differences well)

      What are your thoughts on the aforementioned vendors’ ratings and overall success in patch management?


      Thanks!!

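One way to make the rating discrepancies the post describes visible before a deploy/skip decision is to normalise every source onto the Microsoft scale and flag any patch the sources disagree on for review. This is an added example, not code from the original post or from any of the vendors named; the source names, the CVSS-to-Microsoft band mapping, the Exploitability Index promotion rule and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Microsoft bulletin scale, least to most severe (the scale the post refers to).
MS_SCALE = ["Low", "Moderate", "Important", "Critical"]


def cvss_to_ms(score: float) -> str:
    """Map a numeric CVSS-style score onto the Microsoft scale.
    The score bands are an assumption for this example, not a vendor's published table."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "Important"
    if score >= 4.0:
        return "Moderate"
    return "Low"


@dataclass
class Patch:
    kb: str
    ratings: Dict[str, Union[str, float]]  # source -> Microsoft label or numeric score
    exploitability: Optional[int] = None   # Microsoft Exploitability Index, 0 (exploited) to 3


def reconcile(patch: Patch) -> dict:
    """Normalise all ratings, compute the worst-case rating and flag disagreement."""
    normalised = {src: (cvss_to_ms(r) if isinstance(r, (int, float)) else r)
                  for src, r in patch.ratings.items()}
    levels = [MS_SCALE.index(r) for r in normalised.values()]
    return {"kb": patch.kb, "normalised": normalised,
            "worst_case": MS_SCALE[max(levels)], "disagree": max(levels) != min(levels)}


def decision(patch: Patch) -> str:
    """Policy from the thread: deploy Critical, skip the rest; disagreements and
    lower-rated patches with a low Exploitability Index go to a human review queue."""
    r = reconcile(patch)
    if r["worst_case"] == "Critical":
        return "review" if r["disagree"] else "deploy"
    if patch.exploitability is not None and patch.exploitability <= 1:
        return "review"  # not Critical, but exploitation detected or more likely
    return "skip"


# Constructed sample records (KB ids and scores are placeholders, not real bulletins).
SAMPLE = [
    Patch("KB-EXAMPLE-1", {"Microsoft": "Critical", "Scanner": 9.8, "PatchTool": "Critical"}),
    Patch("KB-EXAMPLE-2", {"Microsoft": "Important", "Scanner": 8.8, "PatchTool": "Critical"}, 2),
    Patch("KB-EXAMPLE-3", {"Microsoft": "Important", "Scanner": 7.5, "PatchTool": "Important"}, 1),
    Patch("KB-EXAMPLE-4", {"Microsoft": "Moderate", "Scanner": 5.3, "PatchTool": "Moderate"}, 3),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.kb, reconcile(p)["normalised"], "->", decision(p))
```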

    #2011761

      Paul T
      AskWoody MVP

      Are you asking about Windows patches only or other software?
      For Windows patches I never install “optional” patches, only “important” ones, no matter what the severity rating. For other software I update if the vendor recommends it for security reasons and I haven’t seen any adverse reports.

      cheers, Paul

    #2011844

      alphakry
      AskWoody Lounger

      Thanks for the reply Paul! I am focused primarily on Windows patches, especially since MS tends to do a good job rating their severity via the systems mentioned above.

      When you say you install “Important”, are these different from “critical” or do you install both? Am I correct in observing that when running Windows Update manually, you are also seeing it automatically check not only Critical updates but also “Important”? Do they distinguish between the two during WU scans?

      That said, we do also treat critical patches for 3rd party software the same: Critical patches get installed, all others do not. Chrome is a great example recently, going through a handful of critical updates in the last couple months…

      So I guess my overall question is what are you guys using for confirming critical ratings? And do you consider “Important” just as required?

      I use ManageEngine’s Patch Manager Plus for the bulk of our scanning and deployment. I have recognized a few instances in the last few months where they rated something as critical when it was in fact not. So that has put some confidence issues into the mix. (See Photo 1)

      Additionally, it appears that Kenna/Qualys are rating PM’s “Important” updates with higher ratings that would match those of a critical patch (See Photo 2)

      So I’m not sure what to trust. Since our policies dictate we only install critical patches and skip the rest, this becomes a bit difficult to manage with confidence.

      Thank you for your input!

      Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

    #2011899

        Paul T
        AskWoody MVP

        “Important” being as shown in Windows Update and therefore installed by default.

        When managing system wide updates I tend to stick with one source for ratings, but always run them on a test group first, then roll them out in waves.

        As long as you can show due diligence then you have covered the requirements for patching per your organisation’s rules.

        cheers, Paul
