Chapter 30 · Helper 2

Concept Map

OS vulnerability categories, the patch management process, and the patching race.

OS Vulnerability Categories

May 2023 Patch Tuesday
CategoryWhat It AllowsSeverityMay 2023 Count
Remote Code ExecutionAttacker runs arbitrary code on target remotelyCritical12
Elevation of PrivilegeAttacker gains higher access than permittedHigh8
Information DisclosureSensitive data exposed to unauthorized partiesMedium–High8
Denial of ServiceSystem/service made unavailableMedium5
Security Feature BypassBuilt-in security controls circumventedMedium–High4
SpoofingAttacker impersonates legitimate user or systemMedium1
Total~50

Patch Management Process

6 Steps
1

Patch Released

Vendor publishes security update (e.g., Patch Tuesday). Vulnerability details become public. Clock starts: attackers begin reverse engineering.

2

Assess

Security team reviews patch details: which systems are affected, severity ratings, whether exploits are known in the wild. Critical patches may skip the normal schedule.

3

Test

Deploy patches to isolated test environment. Run application compatibility tests. Check that business-critical software still functions. Typical window: 3–7 days.

4

Pilot

Roll out to a small representative group (5–10% of endpoints). Monitor for issues 24–48 hours before proceeding.

5

Deploy

Full production rollout. Schedule maintenance windows for systems requiring reboots. Track restart-pending status separately from installation status.

6

Verify + Backup

Confirm all systems show patched AND restarted. Maintain pre-patch system images as rollback capability. Document any patches excluded due to conflicts.

The Patching Race — Timeline

Defender vs. Attacker
Time After Patch ReleaseDefender ActivityAttacker Activity
Day 0 (Patch Tuesday)Patch published, assessment beginsPatch downloaded, reverse engineering begins
Day 1–2Test environment deploymentVulnerability analysis completed
Day 3–5Compatibility testing, pilot rolloutProof-of-concept exploit code being developed
Day 5–7Full production deployment beginsExploit code may be publicly available
Day 7+Stragglers and exceptions handledAutomated scanning for unpatched systems begins

The window between patch release and working exploit code is shrinking. For some vulnerabilities it is measured in hours. Organizations that have not patched within this window are increasingly likely to be targeted.