[ISN] No Christmas patches from Microsoft

From: InfoSec News (isn@private)
Date: Thu Dec 11 2003 - 01:12:08 PST

  • Next message: InfoSec News: "Re: [ISN] Voting-Machine Makers To Fight Security Criticism"

    http://www.computerworld.com/securitytopics/security/story/0,10801,88045,00.html
    
    Story by Joris Evers
    DECEMBER 10, 2003 
    COMPUTERWORLD 
    
    Microsoft Corp. has an early holiday gift for systems administrators:
    no monthly security patch release this month.
    
    "It is a happy coincidence, but it is not related to Christmas," said
    Iain Mulholland, security program manager at Microsoft. "We have made
    a commitment to release [the monthly patch package] when we're ready,
    when we have quality patches. There is simply nothing that has passed
    the bar yet from a quality perspective for release in December."
    
    In October, Microsoft moved to a monthly cycle for security patches,
    replacing a system of weekly updates that the company said had become
    too burdensome and complex for customers. The monthly updates also
    allow Microsoft to reduce the number of patches by folding multiple
    vulnerabilities affecting a single platform into one patch.
    
    Systems administrators can expect a security update from Microsoft on
    Jan. 13, Mulholland said. However, that doesn't mean patch managers
    can sign off and hit the shopping mall or relax at home. If there's an
    immediate risk to customers, Microsoft will break its monthly cycle
    and issue an emergency patch.
    
    Skipping a month doesn't mean all systems are secure. There are
    security vulnerabilities that Microsoft is working to patch, which
    means systems are at risk. For example, Microsoft is still
    investigating several flaws in Internet Explorer that were detailed
    last month by security company Secunia Ltd.
    
    However, hackers don't seem to be exploiting any of those
    vulnerabilities right now, said Russ Cooper, surgeon general at
    TruSecure Corp. and moderator of the NTBugtraq security mailing list.
    
    "Christmas or not, we all monitor constantly and keep our ears to the
    ground. Should we see some activity over the next few weeks targeting
    a specific vulnerability and that needs to shake Microsoft up a bit, I
    am sure they would be responsive," he said.
    
    Jupiter Research senior analyst Joe Wilcox agreed that systems
    administrators need to remain on guard.
    
    "For many security managers, no new patches to test and deploy will be
    like getting an early Christmas present. Ho, ho, ho, Santa's here,"  
    Wilcox said. "But that's no guarantee they won't later find coal in
    their stockings. Microsoft still has to get through December without
    some unexpected vulnerability necessitating an unscheduled patch."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Dec 11 2003 - 03:46:51 PST