NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > InfoSec News> 2007-q1

[ISN] 'Patch Tuesday' on hold, but no break for IT staff

From: InfoSec News (alertsinfosecnews.org)
Date: Mon Mar 12 2007 - 02:07:32 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.twincities.com/mld/twincities/business/16872927.htm

BY LESLIE BROOKS SUZUKAMO
Pioneer Press
Mar. 10, 2007

Microsoft will skip its monthly release of security patches Tuesday for
the first time in over a year, giving harried IT workers one less thing
to fix after weeks of patching office computers to recognize the earlier
than usual start of daylight-saving time this weekend.

Thousands of computers ranging from servers and desktops to laptops and
BlackBerries needed software patches in order to automatically switch to
daylight-saving time at 2 a.m. Sunday, three weeks earlier than they
were programmed for.

The frenzied work comes the weekend before what has come to be known and
dreaded in the IT world as "Patch Tuesday" the second Tuesday of the
month when Microsoft regularly releases software to plug vulnerabilities
in Windows. The last time the company didn't issue a security patch was
18 months ago, but that doesn't mean there are no potential security
problems.

Computer security outfits like eEye Digital of California have
identified five unpatched vulnerabilities in various Microsoft software
that hackers might use.

Rick King, chief operating officer for legal publishing giant Thomson
West in Eagan, said his technicians have toiled since January on the
daylight-saving time problem to make sure things operate smoothly on
Monday when his employees return to work.

Not having a security patch to install on top of that is nice but it
doesn't save him any money, he said. Patch Tuesday, he said, is "a
routine pain in the neck" already built into his budget.

Microsoft in a statement Friday said it occasionally has months when it
does not release patches and all of its software updates must pass
testing standards in order to be released.

"I don't think Microsoft is holding off on security; they know better
than that," said Eric Schultze, chief security architect for
Roseville-based Shavlik Technologies, which makes software that helps
companies manage Microsoft patches.

Schultze, who used to work at Microsoft on security, said the software
giant works on dozens of patches at a time, and some take months to
write.

The patchless Tuesday is "a happy coincidence" that could give IT staff
who have been working around the clock solving the daylight-saving time
problem a breather, Schultze said.

Some Twin Cities IT managers are taking the absence of Microsoft
security patches in stride.

"We got by yesterday without any patches and we can get by another day,"
said Shih-pau Yen, deputy CIO for the University of Minnesota.

_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]