Microsoft Takes a 'Patch Tuesday' Break

Phill0 submitted a ZD story about Microsoft's week off which says "Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed. The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year."

  • by lostwars ( 964935 ) on Friday March 09, 2007 @10:03AM (#18288122)
    Linux has to be patched as well for DST.
  • Re:Zero Day (Score:5, Informative)

    by SilentChris ( 452960 ) on Friday March 09, 2007 @10:24AM (#18288320) Homepage
    You obviously don't work in an enterprise.

    These last 2 weeks have been crazy. Monstrous. Patches for Windows, patches for Exchange, patches for Outlook, patches for Java, patches for Oracle, patches for Act, patches for Blackberries, patches for Treos, patches for that weird-ass cell the COO uses and no one else does. Patches to replace patches. Patches to undo the damage other patches have made. I firmly place blame on the software companies for waiting this long to sort things out, but this says it all: http://support.microsoft.com/kb/914387 [microsoft.com] NINETEEN REVISIONS. That's the most for an MS KB article ever.

    Yes, there are zero-day vulnerabilities out there. However, considering the potential trainwreck that's going to happen Monday, no admin in their right mind would install new patches on Tuesday. No admin worth their salt would do so anyway: usually you wait a few days for the early adopters to fish out the bugs and MS to release any new versions. You let your security hardware and software (which has barely needed to be patched) deal with any potential problems. That's just smart business sense.

    For those of you admining a handful of servers, serving basic stuff like webpages, laughing at the work some people have to do for this, that's great. Enjoy yourselves. For the rest of us with a real workload: hundreds of servers and tens of thousands of desktops, all with software on top of software that may or may not be compatible with each other patchwise, these last few weeks have been a living hell. A couple people getting their Word documents hosed is nothing compared to payroll systems not working, trade systems coughing up blood, etc. I'll hand that responsibility off to Symantec and friends -- I've got more important stuff to worry about.
  • by Anonymous Coward on Friday March 09, 2007 @10:42AM (#18288494)
    http://support.microsoft.com/kb/914387 [microsoft.com]

    Doesn't look very hard coded to me...
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Friday March 09, 2007 @10:43AM (#18288500) Homepage
    For linux it's one file and that can be automated.

    For Windows it seems that half the software needs to be patched, plus the OS (reboot required of course).

    I mean... Exchange? Oracle? You'd think the authors of software like that would have a frikkin clue. Hardcoding DST routines into user applications? WTF??
  • Re:Zero Day (Score:3, Informative)

    by SilentChris ( 452960 ) on Friday March 09, 2007 @11:28AM (#18288964) Homepage
    If you haven't been following the mayhem, the original DST patch for Windows XP/2003 came out very late last year. That was coupled with a call to edit the timezone files manually in 2000. Fine.

    Then Microsoft released another update in January, replacing the existing. That had to be regression tested and rolled out. Then they released a cumulative update with that and a new fix for a specific timezone (think it was Nova Scotia - can't remember). Fine.

    Then, the Exchange team came out and said "Guess what, now you need to update your servers as well." But you also need to update Outlook, because if you tell Exchange to fix calendars it'll screw them up in other countries that *aren't* changing this Sunday.

    All the while, people are creating appointments that will become off by an hour when the time switches over. The Outlook update has gone through multiple revisions and just got a silent installer about a week ago. The earlier you did the system patch, the more likely appointments will be off.

    On top of this, Blackberry and Treos didn't get their patches until late, and you need to do those AFTER the Exchange/Outlook patches. So we had to wait for MS to sort this nonsense out.

    And I'm just talking messaging here. This doesn't even begin to go into the other software that's affected.
  • Re:Zero Day (Score:4, Informative)

    by wordsnyc ( 956034 ) on Friday March 09, 2007 @11:33AM (#18289034) Homepage
    http://www.word-detective.com/101800.html#factoid [word-detective.com]

    Blame it on CNN -- they started the whole ruckus by taking a perfectly good word and twisting it.

    "Factoid" is one of those rare words that were undeniably invented by an identifiable individual, in this case Norman Mailer, in his book "Marilyn," published in 1973. The Oxford Dictionary of New Words defines "factoid" thus: "A spurious or questionable fact; especially something that is supposed to be true because it has been reported (and often repeated) in the media, but is actually based on speculation or even fabrication." Norman Mailer himself defined "factoids" as "facts which have no existence before appearing in a magazine or newspaper, creations which are not so much lies as a product to manipulate emotion in the Silent Majority."

    Mailer invented the word by combining "fact" with "oid," a scientific suffix meaning "resembling or having the form of, but not identical to." Needless to say, "factoids" in Mailer's sense are the antithesis of serious reporting, and to accuse a journalist of trafficking in "factoids" was a grave insult, at least until CNN came along.
  • by mandelbr0t ( 1015855 ) on Friday March 09, 2007 @12:15PM (#18289722) Journal

    I don't get why we don't just push all the U.S. time zones forward an hour and leave them there, and get rid of this fall/spring switching.
    Because you share them with Canada, and we really need the spring-forward/fall-back. If we stuck with summer time, the sun would set at 3:30pm in mid-winter. If we stuck with winter time, the sun would rise at 4:30am in mid-summer. Either way, I'm glad the clock changes back and forth. That being said, I don't think there's anything to be gained by moving only 3 weeks, except to put some money in IT consultants' pockets.
  • by Anonymous Coward on Friday March 09, 2007 @12:26PM (#18289908)
    This still doesn't help out the problems with the TZ environment variable usage under countless apps written in MS Visual C, Visual C++, .NET Studio, etc, where timezone logic has been hard-coded into all those MSVCRT.DLL and MSVC*.DLL files. Microsoft's usage of the TZ environment variable, depending on who you ask, might or might not obey the POSIX standard syntax for modifying the start and stop dates for DST encoded into the TZ variable's string (e.g. TZ=EST6EDT,M3.2.0,M11.1.0). I cannot find any official MS documentation on their implementation of how they read and interpret the TZ string for any version of Windows older than Vista, which purportedly does support the full POSIX syntax for TZ. There seems to be a mostly complete absence of official documentation for older Windows versions' TZ variable supported syntax.

    To give an indication of how big of a problem this might become, a quick search on one of my servers shows no fewer than FIVE different versions of the Visual C runtime DLLs that could be affected, and some of my apps are written to use the TZ environment variable in lieu of obtaining the timezone info from elsewhere in the system. The vendors of those apps are clueless about the problem and are trying to feign ignorance about it too.

    Microsoft does have a knowledge base article listing some replacement DLLs for each version, but they were just announced very recently (less than two weeks ago) and the DLLs are not downloadable... you must have a paid support agreement with them to get these.

    The situation totally sucks.
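
The Mm.w.d rule syntax in the TZ string quoted in the comment above, worked through as an added example (not part of the thread, and not Microsoft's or any C runtime's code): it resolves the start and end rules to calendar dates and returns the date ranges in which a runtime still carrying the pre-2007 US rules disagrees with a patched one. The pre-2007 rule string and all function names are assumptions of this example; the zone-name field and any `/time` suffix are not interpreted.

```python
import datetime as dt
import re

# POSIX "Mm.w.d": month m (1-12), week w (1-5, 5 = last), weekday d (0 = Sunday).
RULE = re.compile(r"^M(\d{1,2})\.([1-5])\.([0-6])(?:/.*)?$")

def rule_date(rule: str, year: int) -> dt.date:
    """Return the calendar date an Mm.w.d rule selects in the given year."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"not an Mm.w.d rule: {rule!r}")
    month, week, dow = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range in {rule!r}")
    first = dt.date(year, month, 1)
    # Python counts Monday=0..Sunday=6; POSIX counts Sunday=0..Saturday=6.
    first_dow = (first.weekday() + 1) % 7
    day = 1 + (dow - first_dow) % 7 + 7 * (week - 1)
    # Week 5 means "last": step back a week if that overshoots the month.
    next_month = dt.date(year + (month == 12), month % 12 + 1, 1)
    days_in_month = (next_month - first).days
    while day > days_in_month:
        day -= 7
    return dt.date(year, month, day)

def dst_window(tz: str, year: int):
    """Resolve the ',start,end' rules of a TZ string for one year."""
    parts = tz.split(",")
    if len(parts) != 3:
        raise ValueError("TZ string carries no explicit start/end rules")
    return rule_date(parts[1], year), rule_date(parts[2], year)

def exposure(old_tz: str, new_tz: str, year: int):
    """Date ranges in which a runtime using old_tz is an hour off."""
    old_start, old_end = dst_window(old_tz, year)
    new_start, new_end = dst_window(new_tz, year)
    return (tuple(sorted((old_start, new_start))),
            tuple(sorted((old_end, new_end))))

NEW_TZ = "EST6EDT,M3.2.0,M11.1.0"  # string as quoted in the comment
OLD_TZ = "EST6EDT,M4.1.0,M10.5.0"  # constructed: pre-2007 US rules, same prefix

if __name__ == "__main__":
    print(exposure(OLD_TZ, NEW_TZ, 2007))
```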
