Microsoft Takes a 'Patch Tuesday' Break 151
Phill0 submitted a ZD story about
Microsoft's week off which says
"Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed.
The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year. "
Re:That's one of the reasons I use OpenSource (Score:3, Informative)
Re:Zero Day (Score:5, Informative)
These last 2 weeks have been crazy. Monstrous. Patches for Windows, patches for Exchange, patches for Outlook, patches for Java, patches for Oracle, patches for Act, patches for Blackberries, patches for Treos, patches for that weird-ass cell the COO uses and no one else does. Patches to replace patches. Patches to undo the damage other patches have made. I firmly place blame on the software companies for waiting this long to sort things out, but this says it all: http://support.microsoft.com/kb/914387 [microsoft.com] NINETEEN REVISIONS. That's the most for an MS KB article ever.
Yes, there are zero-day vulnerabilities out there. However, considering the potential trainwreck that's going to happen Monday, no admin in their right mind would install new patches on Tuesday. No admin worth their salt would do so anyway: usually you wait a few days for the early adopters to fish out the bugs and MS to release any new versions. You let your security hardware and software (which has barely needed to be patched) deal with any potential problems. That's just smart business sense.
For those of you admining a handful of servers, serving basic stuff like webpages, laughing at the work some people have to do for this, that's great. Enjoy yourselves. For the rest of us with a real workload: hundreds of servers and tens of thousands of desktops, all with software on top of software that may or may not be compatible with each other patchwise, this last few weeks have been a living hell. A couple people getting their Word documents hosed is nothing compared to payroll systems not working, trade systems coughing up blood, etc. I'll hand that responsibility off to Symantec and friends -- I've got more important stuff to worry about.
Re:Don't bust Congress' chops... (Score:1, Informative)
Doesn't look very hard coded to me...
Re:That's one of the reasons I use OpenSource (Score:3, Informative)
For Windows it seems that half the software needs to be patched, plus the OS (reboot required of course).
I mean... Exchange? Oracle? You'd think the authors of software like that would have a frikkin clue. Harcoding DST routines into user applications? WTF??
Re:Zero Day (Score:3, Informative)
Then Microsoft released another update in January, replacing the existing. That had to be regression tested and rolled out. Then they released a cumulative update with that and a new fix for a specific timezone (think it was Nova Scotia - can't remember). Fine.
Then, Exchange team came out and said "Guess what, now you need to update your servers as well." But you also need to update Outlook, because if you tell Exchange to fix calendars it'll screw them up in other countries that *aren't* changing this Sunday.
All the while, people are creating appointments that will become off by an hour when the time switches over. The Outlook update has gone through multiple revisions and just got a silent installer about a week ago. The earlier you did the system patch, the more likely appointments will be off.
On top of this, Blackberry and Treos didn't get their patches until late, and you need to do those AFTER the Exchange/Outlook patches. So we had to wait for MS to sort this nonsense out.
And I'm just talking messaging here. This doesn't even begin to go into the other software that's affected.
Re:Zero Day (Score:4, Informative)
Blame it on CNN -- they started the whole ruckus by taking a perfectly good word and twisting it.
"Factoid" is one of those rare words that were undeniably invented by an identifiable individual, in this case Norman Mailer, in his book "Marilyn," published in 1973. The Oxford Dictionary of New Words defines "factoid" thus: "A spurious or questionable fact; especially something that is supposed to be true because it has been reported (and often repeated) in the media, but is actually based on speculation or even fabrication." Norman Mailer himself defined "factoids" as "facts which have no existence before appearing in a magazine or newspaper, creations which are not so much lies as a product to manipulate emotion in the Silent Majority."
Mailer invented the word by combining "fact" with "oid," a scientific suffix meaning "resembling or having the form of, but not identical to." Needless to say, "factoids" in Mailer's sense are the antithesis of serious reporting, and to accuse a journalist of trafficking in "factoids" was a grave insult, at least until CNN came along.
Re:Why not just fudge the timezones permanently? (Score:5, Informative)
Doesn't do a damn thing for TZ env var usage. (Score:2, Informative)
To give an indication of how big of a problem this might become, a quick search on one of my servers shows no fewer than FIVE different versions of the Visual C runtime DLLs that could be affected, and some of my apps are written to use the TZ environment variable in lieu of obtaining the timezone info from elsewhere in the system. The vendors of those apps are clueless about the problem and are trying to feign ignorance about it too.
Microsoft does have a knowledge base article listing some replacement DLLs for each version, but they were just announced very recently (less than two weeks ago) and the DLLs are not downloadable... you must have a paid support agreement with them to get these.
The situation totally sucks.