UC Davis Cyber-Safety Program: Software Patch Updates
If you are a computer user within an academic or administrative department on campus, you may have a Technology Support Coordinator (TSC) who is working to secure your system. Before taking any of the security steps listed below, please check with your TSC.
From the UC Davis Cyber-Safety Program Policy:
"Computers connected to the campus network must use an operating system and application software for which the publisher maintains a program to release critical security updates. Campus units must apply all currently available critical security updates within seven calendar days of update release or be able to mitigate the related security vulnerability.
Exceptions may be appropriate for specialized and/or research
operating systems, patches that compromise the usability of an operating
system or application or for patches for which the installation is prohibited
by regulation."
Learn about Patches | Back to Cyber-Safety Main
To meet this standard...
Update your OS:
- Windows (Windows Update): We recommend turning on Automatic Updates, so critical updates are automatically downloaded and applied without user intervention. For more information, see "How to update or patch Microsoft Windows."
- Microsoft Office Update
- Macintosh: Updates can also be installed by running the "Software Update" utility from within OS X.
- RedHat/Fedora: Use up2date, RedHat's package management utility. Requires a subscription to the Red Hat Network. Apt-Get and Yum are two free alternatives.
- YaST Online Update (YOU): is a tool bundled with SUSE that can be run to upgrade and patch a SUSE system.
- Solaris : Use the Sun Patch Manager tool to analyze your system and determine which patches are needed. Alternatively, individual patches or entire patch sets can be downloaded from the Patches and Updates section.
- OpenBSD: release errata and patch list.
Update other software on your system:
- The Microsoft Baseline Security Analyzer will scan your computer and inform you of available patches for applications such as Microsoft Office, Exchange, and Media Player.
- Visit the Web sites of the distributors for your software programs to download newer versions and security patches.
- Read the Microsoft Support Lifecycle Policy and view lifecycle dates for products running in your department.
Campus sysadmins recommend...
- Cyber-safety Auditing Tools: Use this active Nessus scan to assess the presence of known vulnerabilities andidentify potential signs of compromise on systems on your network. Access restricted. To request access, contact itsecurity@ucdavis.edu.
- Apt: Apt is a tool that automatically determines interdependencies between various programs/packages, and automatically downloads and installs them for you. You can either have APT download and compile the source, or you can just have it install the pre-built binary packages.
- TARA: Tiger Analytical Research Assistant (TARA) is an upgrade to the TAMU 'tiger' program. Tiger is a set of scripts that scan a Unix system looking for security problems, in the same fashion as Dan Farmer's COPS.
- GFI Languard: Automatically detects security vulnerabilities on your network. It also provides in-depth information about all machines/devices, patch management, etc.
Special Considerations...
Some instruments and diagnostic equipment use operating systems that cannot be patched without regulatory approval. In such cases, the product vendor should be consulted on a regular basis to identify vendor recommendations for OS and/or product updates.
With respect to computing application updates, it is acknowledged that:
- Some computing applications do not release product updates but rather require the acquisition of a new product version.
- Some computing applications do not have a mechanism to inform application users of the availability of new versions or security patches.
- Greater security risks may be related to the more ubiquitous computing applications and/or computing applications that use network services.
In such situations, an organization may need to balance its tolerance for security risk with its security program. It may be acceptable for organizations to define an update timeframe in excess of seven days if the security risks are minimal or threat mitigation measures are in place.