Types of Patches

Types of Patches

Microsoft releases patches to provide updates to the Windows OS and Microsoft applications. These patches fix known problems, or bugs, in an OS or application and are shipped in three formats:

• Hotfixes

  These updates address a single problem or bug encountered by a customer. They are developed in a short period of time and are released with less testing than other update types. Some hotfixes are referred to as security fixes. Security fixes differ from hotfixes in that the issues related to hotfixes are identified by the Microsoft Security Response Center (MSRC), rather than identified by Microsoft Product Support Services (PSS). Hotfixes are sometimes referred to as Quick Fix Engineering (QFE) fixes.

• Roll-ups

  As the name suggest, a roll-up fix combines the updates of several hotfixes into a single update file. Roll-up fixes are run through more testing than single hotfixes but are released more frequently than service packs (discussed next).

• Service packs

  At fairly regular intervals, Microsoft produces a collection of all hotfixes released since the OS s or application s release, including hotfixes released in previous service pack versions. These collections include fixes not previously released and occasionally introduce new functionality. Service packs undergo extensive testing before their release to ensure no deployment issues exist. Microsoft might issue several beta releases of a service pack before it is ready for the public.

Microsoft strives to not release new functionality in service packs. Instead, a new class of update to the OS or application, known as a feature pack, now exists. A feature pack extends the functionality of the OS or application by adding new features, options, or functionality.

When a security fix is released, MSRC issues a security bulletin that identifies the addressed vulnerability. In addition, a severity rating is applied to the security bulletin. If a security fix is a roll-up fix, the highest security rating of the individual hotfixes in the roll-up is applied.

This is the ratings system implemented by the MSRC in November 2002:

• Critical

  A vulnerability that might allow the propagation of an Internet worm without user action. You should always apply critical rating updates after testing.

• Important

  A vulnerability that might compromise the confidentiality, integrity, or availability of user data, as well as the integrity or availability of processing resources. You should always apply important rating updates after testing.

• Moderate

  A vulnerability that might be mitigated by good security measures, such as implementing a security baseline configuration or performing regular network auditing. This rating can also be applied to vulnerabilities that are difficult to exploit. You should evaluate a moderate update to determine whether the vulnerability addressed is relevant to your company before testing and deployment.

• Low

  A vulnerability that is extremely difficult to exploit or whose impact is minimal. You should determine whether a low rating update is necessary before testing and deployment.

  Many exploits that affect networks are based on previously known vulnerabilities. For example, the Code Red and Nimda worm virus attacks of early 2002 took advantage of known application vulnerabilities. However, if you had already applied the previously released updates to your OS and applications, your computers were not vulnerable to these attacks.