Most top-ten mitigation lists include the need to keep systems patched. The articles and comments below indicate that patching is not always effective. Read one of the articles below and provide a unique and relevant comment supporting patching or describing its cons.
Microsoft Patch Tuesday (November 11 & 12, 2014)
On Tuesday, November 11, Microsoft released 14 bulletins to address 33 vulnerabilities in a variety of products. Two bulletins that were originally scheduled for release have been held back due to concerns that they did not adequately address certain security issues in Microsoft Exchange Server.
-https://technet.microsoft.com/library/security/ms14-nov
-http://www.zdnet.com/ms-exchange-updates-delayed-until-december-7000035755/
-http://www.scmagazine.com/microsoft-remediated-33-vulnerabilities/article/382691/
-http://www.computerworld.com/article/2846448/november-patch-tuesday-a-massive-update-with-a-few-misses.html
Among the vulnerabilities addressed is a critical flaw that affects all versions of Windows since Windows 95 and has existed for nearly 20 years. This particular flaw could be exploited to launch drive-by attacks and run code remotely. It also circumvents Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
-http://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-critical-19-year-old-schannel-bug-but-no-patch-for-xp/d/d-id/1317423?
-http://www.theregister.co.uk/2014/11/12/driveby_unicorn_0day_beats_emet_affects_all_windows_versions/
-http://www.bbc.com/news/technology-30019976
[Editor's Note (Ullrich): This was not only a large, but also a very "tricky" patch Tuesday. First of all, with MS14-066 (SCHANNEL), Microsoft dropped the first unauthenticated remote code execution vulnerability in years. This fall could become a huge problem, even though it looks that up to this point, exploitation will be a bit more difficult. To make things worse, Microsoft's bulletin and patch quality seems to be waning. Two of the bulletins announced for November have been moved to December without further announcement. The bulletin for MS14-066 is lacking significant details, for example the fact that this patch covers multiple flaws (a certificate evasion flaw plus at least two buffer overflows). MS14-064 is another incomplete attempt to fix the ongoing "sandworm" OLE issue, and apparently it is still not complete (the first attempt, MS14-060, fell short as well). Microsoft used to do better than that.
(Murray): Does the risk really go up simply because support ends on a mature product or is the risk, if any, in the continued use of an obsolete product? I am reminded that ShellShock was at least twenty-five years old. While it made systems in which it was used vulnerable, it seems to me that it operated the way that it was intended to operate. It was an embedded escape mechanism, one of many. The real vulnerability was in the use of a component that was not fully understood. "Software Engineering" is a contradiction in terms if it does not include the concept of "strength of materials." It may be an over-constrained problem, but if so, we should not call it engineering.]