ISM-1751

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Topic: Mitigating known vulnerabilities
Applicable to: all

History

Jun 2024
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
References to ICT equipment were amended to IT equipment.
Dec 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
The existing control relating to applying patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices within two weeks of release was relaxed to within one month of release. Furthermore, this control was amended to note that this relates to situations where vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within two weeks of release.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within two weeks of release.
The existing controls relating to patching, updating or applying other vendor mitigations for vulnerabilities within two weeks of release, or 48 hours of release when working exploits exist, were all split into two separate controls to allow for separate assessment of standard patching practices (i.e. within two weeks) and quick response patching practices (i.e. within 48 hours). In addition, scenarios in which vulnerabilities are assessed as critical by vendors (e.g. they facilitate remote code exploitation without user interaction, or facilitate authentication bypasses that grant privileged access) have been included within the quick response patching window. Typically, vendors or the ACSC will release ‘critical alerts’ for situations that require a quick response. [ISM-1690, ISM-1694, ISM-1697, ISM-1751, ISM-1876, ISM-1877, ISM-1878, ISM-1789]
Jun 2023
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
The existing control relating to ‘applying patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment’ was amended to ‘applying patches, updates or vendor mitigations for security vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices’ to avoid confusion when the control is read in isolation.
Mar 2022
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment are applied within two weeks of release, or within 48 hours if an exploit exists.
While existing recommendations covered patching security vulnerabilities in workstations, servers and network devices, they did not cover patching security vulnerabilities in other ICT equipment.