Mark Nicolett, research leader for security at Gartner, said users should start quality assurance (QA) testing as soon as a critical security patch is released. "Once an attack is in process, organisations are confronted with poor choices if QA testing has not been completed," he said.
Nicolett said user problems with last month's MS04-011 patch followed a typical pattern. Most users QA-tested the original release, but when Microsoft issued a revised version of the patch, that revised build often went into production without being tested.
The problems some users faced when the revised patch broke their Windows configurations were an "unfortunate consequence" of the need for speed, said Nicolett. The outages associated with rapid patching are now part of the "carrying cost" of the Windows environment, he added.
Nicolett said best practice for patching was to adopt a wait-and-see approach, but this was not possible for critical alerts. "[Generally, users should] wait for a period before production installation to allow time for the discovery of secondary effects by others and the documentation and generation of fixes for secondary effects," he said.
Jan Sundgren, an analyst at Forrester Research, said users should narrow down the pool of patches to a small set of those that the organisation needs to apply quickly.
"Interim measures will also be necessary," he said. "Sometimes blocking a certain [firewall] port on enterprise and personal firewalls might be best even if it disrupts some services for a period of time."
Sundgren said policy enforcement technology that denies network access to computers that have not been updated or properly configured could also help.
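As an added example (not code from the article, Gartner or Forrester), the Python below models three of the practices described above as decision functions: QA approval keyed on the hash of the exact patch build rather than the bulletin ID, so a re-released build such as the revised MS04-011 comes back as untested; a wait-and-see soak period that is skipped for critical patches; and a policy-enforcement check that quarantines a host missing a critical patch from the organisation's short "apply quickly" list. The bulletin ID MS04-011 is the one named in the article; the installer payloads, dates, the `EXAMPLE-001` bulletin, and the `soak_days` and `grace_days` values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class Patch:
    """One vendor patch build. payload stands in for the installer bytes."""
    bulletin: str    # vendor bulletin ID, as in "MS04-011"
    severity: str    # "critical" or "important"
    released: date   # date this particular build was published
    payload: bytes   # installer bytes (constructed placeholders below)

    def digest(self) -> str:
        # QA approval is keyed on this hash, not on the bulletin ID
        return hashlib.sha256(self.payload).hexdigest()


@dataclass(frozen=True)
class QaRecord:
    """Outcome of testing one exact build in the organisation's QA environment."""
    bulletin: str
    digest: str
    passed: bool


def qa_status(patch: Patch, records) -> str:
    """Return 'passed', 'failed' or 'untested' for this exact build.

    A re-released build keeps its bulletin ID but changes its digest, so it
    comes back as 'untested' and must go through QA again. That is the gap
    the article describes for the revised MS04-011 patch.
    """
    for rec in records:
        if rec.bulletin == patch.bulletin and rec.digest == patch.digest():
            return "passed" if rec.passed else "failed"
    return "untested"


def deploy_decision(patch: Patch, records, today: date, soak_days: int = 14) -> str:
    """Decide whether a build goes to production today.

    Critical patches deploy as soon as QA has passed. Everything else also waits
    soak_days after release (the wait-and-see period) so that secondary effects
    found by others can surface first. soak_days=14 is an assumed value.
    """
    status = qa_status(patch, records)
    if status != "passed":
        return "hold: " + status
    if patch.severity != "critical" and today < patch.released + timedelta(days=soak_days):
        return "hold: soaking"
    return "deploy"


def network_access(installed, required, today: date, grace_days: int = 3):
    """Policy-enforcement decision for one host: ('allow'|'quarantine', missing).

    installed: set of (bulletin, digest) pairs the host reports as present.
    required:  the short list of builds the organisation must apply quickly.
    A host missing a critical required build is quarantined once grace_days
    have passed since that build's release; other gaps are reported but the
    host is still allowed on. grace_days=3 is an assumed value.
    """
    missing = [p for p in required if (p.bulletin, p.digest()) not in installed]
    overdue = [
        p for p in missing
        if p.severity == "critical" and today >= p.released + timedelta(days=grace_days)
    ]
    decision = "quarantine" if overdue else "allow"
    return decision, sorted(p.bulletin for p in missing)


# Constructed data: payloads, dates and EXAMPLE-001 are placeholders.
LSASS_V1 = Patch("MS04-011", "critical", date(2004, 4, 13), b"lsass-fix-build-1")
LSASS_V2 = Patch("MS04-011", "critical", date(2004, 4, 28), b"lsass-fix-build-2")  # re-release
MINOR = Patch("EXAMPLE-001", "important", date(2004, 4, 13), b"minor-fix-build-1")
QA_RECORDS = [
    QaRecord("MS04-011", LSASS_V1.digest(), True),   # only the first build was tested
    QaRecord("EXAMPLE-001", MINOR.digest(), True),
]

if __name__ == "__main__":
    print("build 2 QA status:", qa_status(LSASS_V2, QA_RECORDS))
    print("build 2 deploy:", deploy_decision(LSASS_V2, QA_RECORDS, date(2004, 4, 30)))
    host = {("MS04-011", LSASS_V1.digest())}   # host still on the first build
    print("host access:", network_access(host, [LSASS_V2, MINOR], date(2004, 5, 3)))
```

The design point is that every approval and every compliance check carries the build hash: a vendor re-release silently invalidates prior QA, which is exactly the failure Nicolett describes, and a host that reports the old build is treated as missing the new one rather than as patched.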