In my Security Absurdity article, I mentioned the window of exposure which occurs when new, unpatched computers connect to the internet for the first time before they have a chance to download required patches.
In 2003 I mentioned the idea of a Patch-Friendly Boot Mode in the Patch Management mailing list as a possible solution to address this window of exposure.
I wrote, “One possible solution is a Patch-Friendly Boot Mode. Similar to booting into Safe-Mode, there could be an option to boot into a Patch-Friendly Boot Mode. During this mode, the computer would boot into a minimalist mode – or even DOS mode with all non-essential services disabled. The hard drive could boot in read-only mode, except for a single writable directory [to store the patches].
During this boot mode, the computer would connect to windowsupdate or a local patch management server (to minimize the time required to be connected to the internet) and then retrieve all the necessary patches. The patches could then be installed upon next reboot when the hard drive is back into read-write mode and prior to establishing a connection to the internet.”
Has such a solution ever been proposed? What are the potential downsides of this solution? What other solutions/workarounds are there to address the patch window of exposure?