
Security-related software patches are not applied.


Overview

Finding ID: V-3828
Version: 2.019
Rule ID: SV-25254r1_rule
IA Controls:
Severity: Medium
Description
Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized persons from exploiting identified vulnerabilities. The severity code may be elevated to a Category I if patches deemed Critical have not been applied.
STIG: Windows 7 Security Technical Implementation Guide
Date: 2018-02-12

Details

Check Text (C-35r1_chk)
Verify that the site is applying all security-related patches released by Microsoft. Determine the local site method for doing this (e.g., connection to a WSUS server, local procedure, etc.).

Severity Override: If any of the patches not installed are Microsoft ‘Critical’, then the category code should be elevated to ‘1’.

Note: If a penetration scan has been run on the network, it will report findings where security-related updates are not applied. In that case, this check may be marked as “Not Applicable”.

Some applications (such as DMS and GCSS) use a system release process to keep systems current. If this is the case, then these systems should be at the current release.
Fix Text (F-63r1_fix)
Apply all Microsoft security-related patches to the Windows system.