Depends on the risk profile of the vulnerability and its exposure to being compromised, but usually sooner rather than later.
Depends on exposure of the attack surface, availability of an exploit, and compensating controls. And patching need not be the only answer to mitigate vulnerabilities, e.g. it could be a WAF, a configuration change, ACL tightening, or as simple as disabling a module or service.
All depends on the exposure we have and the criticality of the system.
According to MSFT this is especially nefarious: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 as it can allow an attacker to then install programs; view, change, or delete data; or create new accounts with full user rights. I would not only install the correct patches immediately, as it could lead to non-compliance with HIPAA and GDPR, as well as California's CCPA rules regarding privacy of consumers, but if medical records are involved it's even more serious. I would additionally look to access control lists for the terminals as an extra precaution by installing solutions like the following: https://colortokens.com/wp-content/uploads/Healthcare-Industry-solution-brief.pdf
Agree with others, the action::response to the event and the action::remediation certainly depend on several variables in addition to the exposure and overall criticality of the system.
Depends on exposure and level of vulnerability. Still runs through the same process either way. Timetables may vary.
First, patching any vulnerability is the tactical aspect that needs to be driven by an overall security strategy that continuously maps exposure and risk to known vulnerabilities. You need to have proper context in order to make the decision about when to tactically patch. Otherwise your team will *always* be in reactive mode and will rapidly burn out from "alert and vulnerability fatigue".
Critical security patches should be applied to your most critical systems first (like immediately) and then rolled out to the least critical systems. Normally within 24 hours, usually that same night. Of course you should have a change control process in place that is being followed. You don't want to apply patches that will break your system and stop production, so the change control process is very important.
Depends on the patch. If it is critical and applies to us, same day; if not, then sometime in the future when we perform regular maintenance. E.g. the mentioned patch doesn't even apply to our environments, so it is totally ignored, nothing to patch.
Depends on the severity, but in most cases I would install the patch ASAP.
Agree with others here. We set policies based on severity and CVSS score. Critical is immediate if it applies. Lower than critical severities are prioritized within 30 days or less depending on patch cycles.
I would say that if you have a strong emergency change management process, it should be applied immediately.