This section of the ISM provides guidance on system patching.

Patching approaches

Patches for security vulnerabilities are provided by vendors in many forms, such as:

  • fixes that can be applied to pre-existing application versions
  • fixes incorporated into new applications or drivers that require pre-existing versions to be replaced
  • fixes that require the overwriting of firmware on ICT equipment.

When patches are not available

When patches are not available for security vulnerabilities, there are a number of approaches that can be taken to reduce security risks. In priority order, these are: resolving the security vulnerability, preventing its exploitation, containing its exploitation, or detecting its exploitation.

Security vulnerabilities can be resolved by:

  • disabling the functionality associated with the security vulnerability
  • engaging a software developer to resolve the security vulnerability
  • changing to different software or ICT equipment with a more responsive vendor.

Exploitation of security vulnerabilities can be prevented by:

  • applying external input sanitisation (if an input triggers the exploit)
  • applying filtering or verification on output (if the exploit relates to an information disclosure)
  • applying additional access controls that prevent access to the security vulnerability
  • configuring firewall rules to limit access to the security vulnerability.

Exploitation of security vulnerabilities can be contained by:

  • applying firewall rules limiting outward traffic that is likely in the event of an exploitation
  • applying mandatory access control preventing the execution of exploitation code
  • setting file system permissions preventing exploitation code from being written to disk.

Exploitation of security vulnerabilities can be detected by:

  • deploying a Host-based Intrusion Prevention System
  • monitoring logging alerts
  • using other mechanisms for the detection of exploits using the known security vulnerability.

Patch management process and procedures

Applying patches or updates is critical to ensuring the security of applications, drivers, operating systems and firmware in workstations, servers, mobile devices, network devices and all other ICT equipment. To assist in this, information sources should be monitored for information about new patches or updates.

Security Control: 1143; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS
A patch management process, and supporting patch management procedures, is developed and implemented.

Security Control: 1493; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS
A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited.

When to patch security vulnerabilities

There are multiple information sources that organisations can use to assess the applicability and impact of security vulnerabilities in the context of their environment. This can include information published in vendor security bulletins or in severity ratings assigned to security vulnerabilities using standards such as the Common Vulnerability Scoring System.

Once a patch is released by a vendor, and the associated security vulnerability has been assessed for its applicability and importance, the patch should be deployed in a timeframe that is commensurate with the security risk. Doing so ensures that resources are spent in an effective and efficient manner by focusing effort on the most significant security risks first.

If a patch is released for high assurance ICT equipment, the ACSC will conduct an assessment of the patch and may revise the ICT equipment’s usage guidance. Where required, the Australian Signals Directorate will conduct an assessment of any cryptographic security vulnerability and the ACSC may revise usage guidance in the consumer guide or Australian Communications Security Instruction. If a patch for high assurance ICT equipment is approved for deployment, the ACSC will inform organisations of the timeframe in which the patch is to be deployed.

If no patches are immediately available for security vulnerabilities, temporary workarounds may provide the only effective protection until patches become available. These workarounds may be published in conjunction with, or soon after, security vulnerability announcements. Temporary workarounds may include disabling the vulnerable functionality within the operating system, application or device, or restricting or blocking access to the vulnerable service using firewalls or other access controls. The decision as to whether a temporary workaround is implemented should be risk-based, as with patching.

Security Control: 1144; Revision: 9; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Security Control: 0940; Revision: 8; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security Control: 1472; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security Control: 1494; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Security Control: 1495; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security Control: 1496; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Security Control: 0300; Revision: 6; Updated: Sep-18; Applicability: S, TS
High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC.
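The timeframes in controls 1144, 0940, 1472 and 1494 to 1496 are easy to state but awkward to track across a fleet without tooling. The following is an added example (not part of the ISM or any ACSC tool) of how a patch management process could check vulnerability records from a software register against those timeframes. The record layout, the sample hosts and the VULN-000x identifiers are constructed placeholders, and "one month" is approximated as 30 days, which is an assumption of this example rather than an ISM definition.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Timeframes from ISM controls 1144/0940/1472 (applications and drivers) and
# 1494/1495/1496 (operating systems and firmware). "One month" is approximated
# as 30 days here; that is an assumption of this example, not an ISM definition.
TIMEFRAMES = {
    "extreme": timedelta(hours=48),
    "high": timedelta(weeks=2),
    "moderate": timedelta(days=30),
    "low": timedelta(days=30),
}

# Fixed "current time" so the sample report is reproducible (constructed).
SAMPLE_NOW = datetime(2020, 3, 3, 12, 0)


@dataclass
class VulnRecord:
    """A vulnerability tracked against a software register entry (control 1493).
    The field layout is assumed for this example."""
    asset: str
    component: str                          # application, driver, OS or firmware
    vuln_id: str                            # tracking identifier (placeholder values)
    risk: str                               # extreme / high / moderate / low
    identified: datetime                    # when the vulnerability was identified
    remediated: Optional[datetime] = None   # when patched, updated or mitigated


def deadline(rec):
    """Latest time by which the record must be patched, updated or mitigated."""
    return rec.identified + TIMEFRAMES[rec.risk.lower()]


def classify(rec, now):
    """compliant: remediated within the timeframe; late: remediated after it;
    open: not yet remediated but still within the timeframe; overdue: past it."""
    due = deadline(rec)
    if rec.remediated is not None:
        return "compliant" if rec.remediated <= due else "late"
    return "open" if now <= due else "overdue"


def assess(records, now):
    """Summarise every record; overdue items also carry how long they are overdue."""
    report = {}
    for rec in records:
        status = classify(rec, now)
        entry = {"asset": rec.asset, "component": rec.component,
                 "risk": rec.risk, "due": deadline(rec), "status": status}
        if status == "overdue":
            entry["overdue_by"] = now - deadline(rec)
        report[rec.vuln_id] = entry
    return report


def sample_records():
    """Constructed sample data; identifiers are placeholders, not real advisories."""
    return [
        VulnRecord("ws-01", "acme-viewer", "VULN-0001", "extreme",
                   datetime(2020, 3, 1, 9, 0), remediated=datetime(2020, 3, 2, 16, 0)),
        VulnRecord("srv-01", "corp-os-kernel", "VULN-0002", "high",
                   datetime(2020, 2, 10, 12, 0)),
        VulnRecord("ws-02", "widget-driver", "VULN-0003", "moderate",
                   datetime(2020, 2, 20, 8, 0)),
        VulnRecord("fw-01", "edge-firmware", "VULN-0004", "extreme",
                   datetime(2020, 2, 28, 10, 0), remediated=datetime(2020, 3, 2, 9, 0)),
    ]


if __name__ == "__main__":
    for vuln_id, entry in assess(sample_records(), SAMPLE_NOW).items():
        print(vuln_id, entry["asset"], entry["risk"], entry["status"], entry["due"])
```

The clock starts at the time the vulnerability was identified, not when the patch was released, which is why the record keeps an `identified` timestamp separate from any remediation date. A "late" status (remediated, but after the deadline) is worth reporting separately from "overdue", as it is the input to the regular audit of the register called for by control 1493.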

How to patch security vulnerabilities

To ensure that patches are applied consistently across an organisation’s workstation and server fleet, it is essential that organisations use a centralised and managed approach. This will assist in ensuring the integrity and authenticity of patches being applied to workstations and servers.

Security Control: 0298; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS
A centralised and managed approach is used to patch or update applications and drivers.

Security Control: 0303; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.

Security Control: 1497; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.

Security Control: 1498; Revision: 1; Updated: Oct-19; Applicability: O, P, S, TS
A centralised and managed approach is used to patch or update operating systems and firmware.

Security Control: 1499; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used.

Security Control: 1500; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place.
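Controls 1497 and 1500 require confirming not just that a patch was installed but that it "remain[s] in place", which means comparing a fresh inventory against the previous confirmed state, not only against the expected versions. The following is an added example (not ISM or ACSC code) of that comparison and of the record it would produce. The component names, versions and hosts are constructed, and the dotted-numeric version scheme is an assumption; real package managers use richer schemes (epochs, suffixes) that would need their own comparison logic.

```python
from datetime import datetime, timezone

# Constructed: component -> minimum version that contains the deployed patch.
EXPECTED = {
    "acme-viewer": "3.4.2",
    "widget-driver": "1.10.0",
    "corp-os-kernel": "5.4.88",
}

# Fixed timestamp for the sample record (constructed).
SAMPLE_CHECK_TIME = datetime(2020, 3, 3, 12, 0, tzinfo=timezone.utc)


def parse_version(v):
    """Dotted numeric version -> tuple for comparison. Assumed scheme for this
    example only; '1.10.0' correctly sorts above '1.9.3'."""
    return tuple(int(p) for p in v.split("."))


def verify_host(expected, observed, previously_confirmed):
    """Compare one host's observed versions with the expected minimums.
    Returns {component: status} where status is one of:
      ok          - patched version present
      missing     - component not reported by the host at all
      not_applied - version below minimum and never confirmed before
      regressed   - version below minimum after an earlier confirmation,
                    i.e. the patch is no longer in place"""
    findings = {}
    for component, minimum in expected.items():
        current = observed.get(component)
        if current is None:
            findings[component] = "missing"
        elif parse_version(current) >= parse_version(minimum):
            findings[component] = "ok"
        elif component in previously_confirmed:
            findings[component] = "regressed"
        else:
            findings[component] = "not_applied"
    return findings


def verify_fleet(expected, inventory, previous_run):
    """inventory: {host: {component: version}} as collected by an agent.
    previous_run: {host: set(components confirmed 'ok' on the last run)}."""
    return {host: verify_host(expected, observed, previous_run.get(host, set()))
            for host, observed in inventory.items()}


def make_record(results, when):
    """Build the record an automated mechanism keeps: timestamped, listing
    confirmed components and exceptions per host."""
    return {
        "checked_at": when.isoformat(),
        "hosts": {
            host: {
                "confirmed": sorted(c for c, s in findings.items() if s == "ok"),
                "exceptions": {c: s for c, s in findings.items() if s != "ok"},
            }
            for host, findings in results.items()
        },
    }


def sample_inventory():
    """Constructed per-host observations from the current collection run."""
    return {
        "ws-01": {"acme-viewer": "3.4.2", "widget-driver": "1.10.0", "corp-os-kernel": "5.4.88"},
        "ws-02": {"acme-viewer": "3.4.1", "widget-driver": "1.10.0", "corp-os-kernel": "5.4.88"},
        "srv-01": {"acme-viewer": "3.4.2", "corp-os-kernel": "5.4.70"},
    }


def sample_previous_run():
    """Constructed: what the last run confirmed. srv-01's kernel was patched
    then, so its lower version now indicates a rollback or reimage."""
    return {
        "ws-01": {"acme-viewer", "widget-driver", "corp-os-kernel"},
        "ws-02": {"widget-driver", "corp-os-kernel"},
        "srv-01": {"acme-viewer", "corp-os-kernel"},
    }


if __name__ == "__main__":
    results = verify_fleet(EXPECTED, sample_inventory(), sample_previous_run())
    record = make_record(results, SAMPLE_CHECK_TIME)
    for host, summary in record["hosts"].items():
        print(host, "exceptions:", summary["exceptions"] or "none")
```

Distinguishing "regressed" from "not_applied" matters operationally: the first points at a rollback, restore from an old image or a re-installed unpatched component, and usually deserves investigation rather than simply re-queuing the patch.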

Cessation of support

When applications, operating systems and ICT equipment reach their cessation date for support, organisations will find it increasingly difficult to protect against security vulnerabilities as patches, or other forms of support, will not be made available by vendors. While the cessation date for support for operating systems is generally advised many years in advance by vendors, other applications and ICT equipment may cease to receive support immediately after a newer version is released by a vendor.

Security Control: 0304; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Security Control: 1501; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Further information

Further information on patching evaluated products can be found in the evaluated product usage section of the Guidelines for Evaluated Products.

Further information on what constitutes different levels of security risk for security vulnerabilities can be found in the ACSC’s Assessing Security Vulnerabilities and Applying Patches publication at https://www.cyber.gov.au/acsc/view-all-content/publications/assessing-security-vulnerabilities-and-applying-patches.