28 June 2017
I don't have time for a long blog post, but let me toss out one thought: even though I noted that patching is hard, sometimes you have to take the risk and do it without the normal testing. This is one of those times.
The calculus is simple: per my last post, applying a patch carries some risks; you have to weigh that risk against the risk of the vulnerability being used against you. In a situation where the vulnerability is already in active use by bad guys—and that's the case right now with EternalBlue—the answer is simple: if you don't patch, you will get hit. You have to patch, and patch immediately, or take other remediative measures. If you can't, e.g., because you know your own software will fail, it's time to start writing your technical last will and testament. It's just that simple.