Microsoft Skips Patch Tuesday
maotx writes "According to their recently released security bulletin, Microsoft will skip this month's Patch Tuesday. Patch Tuesday, also known as Black Tuesday amongst Administrators, is the second Tuesday of every month, in which Microsoft releases a series of patches and critical updates for its various operating systems and applications."
In Firefox, the linked website is wider than the screen. Did anyone try it with IE?
As far as it goes, Black Tuesday is only a means for hackers to learn vulnerabilities in Windows by analyzing the dropped bits. It's very infrequent that an exploit is released before the updates are.
Windows is sure to have many problems, but if hackers are only willing to investigate changed bits and then attack not-yet updated systems, then not putting any updates out will keep those hackers at bay.
I don't think they should do this. Security through obscurity is very temporary. But I understand the reasoning behind not giving hackers hints. Maybe Microsoft's next update release will make things really good.
TFA article clearly says that they're issuing several updates right on schedule this coming Tuesday.
They are delaying a security update that was previously scheduled for Tuesday. They're delaying it because they found some problems during late testing. Good on 'em for that.
Aside from that, the rest of the updates will be issued as scheduled.
Just so it gets said, they set this schedule because large corporate customers demanded it, and they're happy with it. In case this is the first time you noticed, they've been doing this for almost 2 years I think. Oracle does something similar, on a quarterly basis. Having a regular schedule (with some warning in advance of which products are affected and how many updates there are) allows them to plan for patching in advance.
The fact that they have a schedule doesn't preclude them from issuing an "out of cycle" update, which they have done 2, maybe 3 times.
Vulnerabilities aren't discovered and exploits aren't written to respect the timing of Microsoft in this regard.
Correct and incorrect at the same time. Patches are reverse engineered and exploits are written based off of the changes in the patch. Which means once you release a patch, the clock is ticking for your customers to pick it up and deploy it before some script kiddie writes a worm that brings down your network.
What happens if a vulnerability is discovered and an exploit written for it a couple of days after Patch Tuesday? Microsoft's whole bug fixing scheme is then set to only handle it 28 days later.
Depends on the nature of the exploit. If it is serious, they'll release the patch out of cycle.
I think this is moron thinking. Each patch should be one small patch to fix that vulnerability and only that vulnerability. No other bug fixes with regard to non-security issues, no combining patches, no waiting for days to fix a patch.
What do you do when two patches apply to the same binary? Your "single patches" trash each other. Do you propose deploying untested patches? When is a bug a non-security issue?
What happens when a vulnerability is fixed that needs more testing for many people, but also comes attached to vulnerabilities that can be simply exploited? Do we wait for the former before applying the latter, or apply the latter and to hell with the consequences in the former?
A vulnerability is a vulnerability. Wanting to run a partially patched system is idiotic.
Then the monthly updates can be set client side however the client wishes to handle it. Daily or weekly or monthly. Whatever they wish to handle. At the time.
No, they can't. The changes in Microsoft's patches are reverse engineered. Exploits are written against a patch within 72 hours. Once the patch is released, you MUST deploy it or you are vulnerable to every bot author who wants to add your machine to their zombie army.