Install Critical Software Security Updates (CM0067)
Details
- ID: CM0067
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Refresh
- Status: Active
Intended Outcome
Installing critical software security updates restricts adversary execution, persistence, credential access, lateral movement, collection, privilege escalation, and initial access techniques that exploit unpatched and vulnerable software.
Introduction
A security update is a patch or modification to software or systems released by developers to correct vulnerabilities. A critical security update is often announced by a vendor to correct a zero-day/0-day vulnerability. Organizations that experience an incident involving exploitation of one or more vulnerabilities by an adversary should ensure that security updates are applied as soon as possible.
Preparation
- Acquire and review documentation and guidance provided by the manufacturer and follow recommended steps when applying and configuring a security update.
- Ensure periodic backups are taken and restore points are available. It may be necessary to create a new backup or create a restore point before installing the update.
- Identify the software, operating system, or appliance that critical security updates will be applied to. An existing inventory of software and assets may be needed to ensure emergency software updates are installed to all relevant systems and software appliances.
- Understand how the security update may affect the functionality of the organization's environment. This may involve testing the update before rolling it out to a production environment, or using canary assets to confirm that the patch is not corrupted and does not break the software.
- Verify the authenticity and integrity of the security update, ensuring it came directly from the manufacturer.
- Prioritize the installation of critical software security updates based on risk, likelihood, and severity if multiple updates are needed.
Risks
- Installing a critical security update may affect the functionality of the product or service.
- Patching a vulnerability by applying an update alone is insufficient to fully remediate an incident, as a threat actor may have already established persistence in the environment or gained access to sensitive information or credentials that may be used to facilitate follow-on actions.
- Emergency software updates may inadvertently align with the adversary's goals if the software's supply chain is compromised. If this is the case, organizations should be prepared to roll back the patch to a secure baseline.
- Some codebases (for example, Java applications) cannot be updated because of backward compatibility issues.
Guidance
Software, systems, and appliances may have different steps to correct vulnerabilities. The exact process of implementing a critical software security update will depend on the instructions advised by the manufacturer, the characteristics of the environment the software resides in, and the circumstances (e.g. urgency, environment scale) responders are operating in. Further detailed guidance concerning enterprise patch management may be found within the most recent revision of the National Institute of Standards and Technology (NIST) Special Publication 800-40.
Apply Critical Security Update
Organizations should apply the emergency update as soon as possible. In some cases where a security update will disrupt operations, it may be necessary to schedule the update, notifying the affected parties in advance if appropriate. Prioritize installing security updates when adversaries are known to have exploited current software versions. Verify that the software patch has been installed successfully.
Monitor Software and Environment
After applying the update, monitor the software environment to identify unintended side effects, as well as instances where the update was "rolled back" by the adversary, whether unintentionally or intentionally.
Document Patching
Document the patch process and track progress. Validate through vulnerability scanning.
Implement Compensating Controls
If a security update is not yet available or the software has reached end-of-life, organizations should implement compensating controls until a fix is made available or a replacement solution can be acquired. This may include taking the affected software or appliance offline.
Enable Automatic Updates
Enable automatic updates, if not already configured.
References
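Three of the checks in this guidance (verifying the update's integrity before installing it, confirming the fixed version is actually present afterwards, and watching for a rollback during monitoring) as an added Python example; it is not part of the playbook, and the package bytes, vendor hash, version strings and snapshot timestamps are constructed sample data.

```python
import hashlib
import re
from typing import List, Sequence, Tuple

# Constructed sample: the update package as bytes and the digest a vendor
# would publish beside it. A real check reads the downloaded file and the
# hash from the manufacturer's advisory, not from the download mirror.
UPDATE_PACKAGE = b"example-appliance-firmware-2.4.7"
VENDOR_SHA256 = hashlib.sha256(UPDATE_PACKAGE).hexdigest()


def update_is_authentic(package: bytes, published_sha256: str) -> bool:
    """Preparation step: install only a package whose digest matches the
    value the manufacturer published."""
    return hashlib.sha256(package).hexdigest() == published_sha256.lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.1' into (10, 2, 1). Comparing version strings as text
    ranks '10.2.0' below '9.10.3' and would report a patched host as
    still vulnerable; numeric tuples compare correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_patched(installed: str, fixed_in: str) -> bool:
    """Post-install verification: installed version is at or above the
    version the vendor states as fixed. Shorter versions are padded with
    zeros so '9.10' is treated as '9.10.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def detect_rollbacks(snapshots: Sequence[Tuple[str, str]], fixed_in: str) -> List[str]:
    """Monitoring step: given (timestamp, installed_version) observations in
    time order, flag every point where a host that already reported the
    fixed version later reports an older one (an accidental or adversary
    rollback). A host that was never patched is not a rollback."""
    alerts: List[str] = []
    seen_fixed = False
    for when, version in snapshots:
        if is_patched(version, fixed_in):
            seen_fixed = True
        elif seen_fixed:
            alerts.append(f"{when}: version {version} below fixed {fixed_in} after patching")
    return alerts


if __name__ == "__main__":
    print(update_is_authentic(UPDATE_PACKAGE, VENDOR_SHA256))          # True
    print(update_is_authentic(UPDATE_PACKAGE + b"x", VENDOR_SHA256))   # False
    print(is_patched("10.2.0", "9.10.3"), "10.2.0" >= "9.10.3")        # True False
    observed = [("day1", "9.8.0"), ("day2", "9.10.3"), ("day3", "9.8.0")]
    print(detect_rollbacks(observed, "9.10.3"))
```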
- NIST SP 800-40 Rev. 4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology | https://csrc.nist.gov/pubs/sp/800/40/r4/final
- Quest: Developing a zero-day patching strategy | https://csrc.nist.gov/pubs/sp/800/40/r4/final
- CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems | https://csrc.nist.gov/pubs/sp/800/40/r4/final