[ISN] 'Patch Tuesday' on hold, but no break for IT staff

From: InfoSec News (alerts@private)
Date: Sun Mar 11 2007 - 23:07:32 PST


http://www.twincities.com/mld/twincities/business/16872927.htm

BY LESLIE BROOKS SUZUKAMO
Pioneer Press
Mar. 10, 2007

Microsoft will skip its monthly release of security patches Tuesday for 
the first time in over a year, giving harried IT workers one less thing 
to fix after weeks of patching office computers to recognize the earlier 
than usual start of daylight-saving time this weekend.

Thousands of computers ranging from servers and desktops to laptops and 
BlackBerries needed software patches in order to automatically switch to 
daylight-saving time at 2 a.m. Sunday, three weeks earlier than they 
were programmed for.

The frenzied work comes the weekend before what has come to be known and 
dreaded in the IT world as "Patch Tuesday"  the second Tuesday of the 
month when Microsoft regularly releases software to plug vulnerabilities 
in Windows. The last time the company didn't issue a security patch was 
18 months ago, but that doesn't mean there are no potential security 
problems.

Computer security outfits like eEye Digital of California have 
identified five unpatched vulnerabilities in various Microsoft software 
that hackers might use.

Rick King, chief operating officer for legal publishing giant Thomson 
West in Eagan, said his technicians have toiled since January on the 
daylight-saving time problem to make sure things operate smoothly on 
Monday when his employees return to work.

Not having a security patch to install on top of that is nice but it 
doesn't save him any money, he said. Patch Tuesday, he said, is "a 
routine pain in the neck" already built into his budget.

Microsoft in a statement Friday said it occasionally has months when it 
does not release patches and all of its software updates must pass 
testing standards in order to be released.

"I don't think Microsoft is holding off on security; they know better 
than that," said Eric Schultze, chief security architect for 
Roseville-based Shavlik Technologies, which makes software that helps 
companies manage Microsoft patches.

Schultze, who used to work at Microsoft on security, said the software 
giant works on dozens of patches at a time, and some take months to 
write.

The patchless Tuesday is "a happy coincidence" that could give IT staff 
who have been working around the clock solving the daylight-saving time 
problem a breather, Schultze said.

Some Twin Cities IT managers are taking the absence of Microsoft 
security patches in stride.

"We got by yesterday without any patches and we can get by another day," 
said Shih-pau Yen, deputy CIO for the University of Minnesota.


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Sun Mar 11 2007 - 23:13:54 PST