Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Topic
When to patch vulnerabilities
Applicable to
all
History
Dec 2023
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
The existing control relating to applying patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware within 48 hours where vulnerabilities are assessed as critical by vendors or when working exploits exist was split into two separate controls. [ISM-1879, ISM-1903]
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
The existing controls relating to patching, updating or applying other vendor mitigations for vulnerabilities within two weeks of release, or 48 hours of release when working exploits exist, were all split into two separate controls to allow for separate assessment of standard patching practices (i.e. within two weeks) and quick response patching practices (i.e. within 48 hours). In addition, scenarios in which vulnerabilities are assessed as critical by vendors (e.g. they facilitate remote code exploitation without user interaction, or facilitate authentication bypasses that grant privileged access) have been included within the quick response patching window. Typically, vendors or the ACSC will release ‘critical alerts’ for situations that require a quick response. [ISM-1690, ISM-1694, ISM-1697, ISM-1751, ISM-1876, ISM-1877, ISM-1878, ISM-1789]