Slashdot Mirror


Microsoft Skips Patch Tuesday

maotx writes "According to their recently released security bulletin, Microsoft will skip this month's Patch Tuesday. Patch Tuesday, also known as Black Tuesday amongst Administrators, is the second Tuesday of every month, in which Microsoft releases a series of patches and critical updates for its various operating systems and applications."

34 of 164 comments

  1. They have decided by guildsolutions · · Score: 4, Funny

    That security on their software is too expensive, and that they can lower the TCO and become cheaper than linux by forgoing security completely.

    1. Re:They have decided by PunkOfLinux · · Score: 2, Insightful

      Hey, you know what? The average user still doesn't give a damn. And that's why windows is so insecure -- it's not because it has market share, it's because the average user doesn't feel the need to update.

    2. Re:They have decided by guildsolutions · · Score: 2, Interesting

      Very true. Microsoft could help the cause by making updates simpler, and requiring fewer restarts. Have you seen a mac when it needs its OS updated? It's much simpler.

    3. Re:They have decided by needacoolnickname · · Score: 2, Insightful

      I just had to restart my Mac to install iTunes 5 and always have to for an OS update. Some security updates don't require a restart, but many of them do as well.

    4. Re:They have decided by MightyMartian · · Score: 2, Insightful

      Would putting a microkernel in Linux even leave you with Linux? Linus Torvalds's opinions on microkernels are well known.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:They have decided by l0ungeb0y · · Score: 4, Insightful

      That's complete BS. The average user does give a damn.
      The problem is that the average user is scared as hell to update their Windows OS because when they have in the past it broke things and caused all sorts of problems.

      There's an old saying: "Once bitten, twice shy".
      You do the "right" thing only to get bitten in the ass because of it, you learn quickly not to do that again.

      The average user isn't a geek and while so many geeks can't understand this fact and rant how most people are clueless.
      This works both ways. How would you like it if every trip to the auto-mechanic you were chided for having certain tires, not using a particular brand/weight of motor oil, not being timely enough in getting a tune up, why didn't you change your own oil, your tire pressure's too low? Or if you went to a lawyer, you were spoken down to and treated like a schmuck because of your ignorance of legalese?

      So when these people run Windows auto-update in their attempt to "be good" and then need to call in some geek to fix it, only to get an ear-full of crap about IE this and Outlook that and VB-de blah de blah, you think they really want to suffer that indignity again?

      It's a two fold problem really -- Running MS Auto-update is like playing Russian Roulette and if you lose, you've got to fork over cash for a lecture from some holier than thou sociopathic computer geek that's lost all perspective of life outside /.

      So for many, the best option is to ignore the patches to avoid the headaches they've learned by experience to associate with negative experiences.

      And it's people like you that help reinforce that associative perception. Good job.

  2. Yes! by MyLongNickName · · Score: 5, Funny

    Finally, all of the Microsoft vulnerabilities have been fixed. No more work to do.

    In your face, LINUX!

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Memo to all employees: by freetipe · · Score: 5, Funny

    "Patch Tuesday" has been cancelled.
    "Hawaiian Shirt Friday" will continue as normal.
    "Executive Chair Throwing Saturday" is uncertain, but quite likely.

    --
    $10/month: 120GB bw, SSH, CVS, Rails and 10 years' experience!
  4. What happens for patch-quick operations ?. by Gopal.V · · Score: 4, Interesting

    A patch every month? Do they hold onto the patches if it happened to be one that slipped a schedule and became available on the Thursday after the first release? Do they wait an entire month before shipping in the next?

    I've often heard Tuesday mid-morning was the best time to release a new package - mostly hearsay. Any bit of truth in it?

    Tuesdays are considered unlucky in Indian lore - to undertake new things. Wednesdays are the day of beginnings - but it's already Wed here by the time it's released worldwide.

    1. Re:What happens for patch-quick operations ?. by Saven+Marek · · Score: 4, Insightful

      The whole idea of releasing patches only once a month and on a set date is ridiculous.

      Vulnerabilities aren't discovered and exploits aren't written to respect the timing of Microsoft in this regard.

      What happens if a vulnerability is discovered and an exploit written for it a couple of days after patch tuesday? Microsoft's whole bug fixing scheme is then set to only handle it 28 days later.

      And we all know what happens in 28 days later.

      What happens when a vulnerability is fixed that needs more testing for many people, but also comes attached to vulnerabilities that can be simply exploited? do we wait for the former before applying the latter, or apply the latter and to hell with the consequences in the former?

      I think this is moron thinking. Each patch should be one small patch to fix that vulnerability and only that vulnerability. no other bug fixes with regards to non security issues, no combining patches, no waiting for days to fix a patch.

      Then the monthly updates can be set client side however the client wishes to handle it. daily or weekly or monthly. whatever they wish to handle. at the time.

    2. Re:What happens for patch-quick operations ?. by lseltzer · · Score: 3, Informative

      Just so it gets said, they set this schedule because large corporate customers demanded it, and they're happy with it. In case this is the first time you noticed, they've been doing this for almost 2 years I think. Oracle does something similar, on a quarterly basis. Having a regular schedule (with some warning in advance of which products are affected and how many updates there are) allows them to plan for patching in advance.

      The fact that they have a schedule doesn't preclude them from issuing an "out of cycle" update, which they have done 2, maybe 3 times.

    3. Re:What happens for patch-quick operations ?. by Keeper · · Score: 2, Informative

      Vulnerabilities aren't discovered and exploits aren't written to respect the timing of Microsoft in this regard.

      Correct and incorrect at the same time. Patches are reverse engineered and exploits are written based off of the changes in the patch. Which means once you release a patch, the clock is ticking for your customers to pick it up and deploy it before some script kiddie writes a worm that brings down your network.

      What happens if a vulnerability is discovered and an exploit written for it a couple of days after patch tuesday? Microsoft's whole bug fixing scheme is then set to only handle it 28 days later.

      Depends on the nature of the exploit. If it is serious, they'll release the patch out of cycle.

      I think this is moron thinking. Each patch should be one small patch to fix that vulnerability and only that vulnerability. no other bug fixes with regards to non security issues, no combining patches, no waiting for days to fix a patch.

      What do you do when two patches apply to the same binary? Your "single patches" trash each other. Do you propose deploying untested patches? When is a bug a non-security issue?

      What happens when a vulnerability is fixed that needs more testing for many people, but also comes attached to vulnerabilities that can be simply exploited? do we wait for the former before applying the latter, or apply the latter and to hell with the consequences in the former?

      A vulnerability is a vulnerability. Wanting to run a partially patched system is idiotic.

      Then the monthly updates can be set client side however the client wishes to handle it. daily or weekly or monthly. whatever they wish to handle. at the time.

      No, they can't. The changes in Microsoft's patches are reverse engineered. Exploits are written against a patch within 72 hours. Once the patch is released, you MUST deploy it or you are vulnerable to every bot author who wants to add your machine to their zombie army.

  5. The screen is so wide by ReformedExCon · · Score: 2, Informative

    In Firefox, the linked website is wider than the screen. Did anyone try it with IE?

    As far as it goes, Black Tuesday is only a means for hackers to learn vulnerabilities in Windows by analyzing the dropped bits. It's very infrequent that an exploit is released before the updates are.

    Windows is sure to have many problems, but if hackers are only willing to investigate changed bits and then attack not-yet updated systems, then not putting any updates out will keep those hackers at bay.

    I don't think they should do this. Security through obscurity is very temporary. But I understand the reasoning behind not giving hackers hints. Maybe Microsoft's next update release will make things really good.

    --
    Jesus saved me from my past. He can save you as well.
  6. Re:T... F... A! by MyLongNickName · · Score: 5, Funny

    I am glad to know that if Microsoft gets Slashdotted, we have this cut and paste to refer to. We all know Saturday morning in the U.S. is the heaviest traffic time, and that Microsoft runs its servers off of 486's with 32 megs of ram.

    We have no idea how you beat out all the subscribers, and got around the 404's. But somehow, undoubtedly through minutes of perseverance, you were able to get the job done. And in your rush to provide this service, you were STILL able to make sure it was formatted nicely. Well done.

    If it weren't for you, there is absolutely no way I could have read this fine article. I thank you and your country thanks you.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  7. Jeez, miss the key point why don't you... by Zocalo · · Score: 5, Interesting

    It's not so much that there isn't a patch this month, as that Microsoft has decided to hold off on releasing a patch due to stability concerns, which is laudable. So, while we have no patches this month, we also have a known unpatched, remotely exploitable hole in Internet Explorer until the eventual release. The big question is, will Microsoft release an out of cycle patch to fix the issue, or will we have a full month of PCs getting owned just because they visited the wrong URL using IE6?

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Jeez, miss the key point why don't you... by maskedbishounen · · Score: 5, Funny

      (...) or will we have a full month of PCs getting owned just because they visited the wrong URL using IE6?

      And how is that different from any other month?

      *ducks*

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
  8. Sometimes Microsoft does beat Open Source by Henry+V+.009 · · Score: 5, Funny
    "Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released. Microsoft is committed to only releasing high quality updates that fix the issue(s) in question, and therefore we feel it is in the best interest of our customers to not release this update until it undergoes further testing."
    That is one positive thing about Microsoft. When they release a patch, you can be sure that it has been tested through the roof. It's a rare open source project that can match Microsoft on that.
    1. Re:Sometimes Microsoft does beat Open Source by JamesTRexx · · Score: 3, Insightful

      It's a rare open source project that can match Microsoft on that.

      It's a rare open source product that's being used on ~95% of the desktops.

      --
      home
    2. Re:Sometimes Microsoft does beat Open Source by Anonymous Coward · · Score: 2, Insightful
      It's a rare open source project that can match Microsoft on that.

      It's a rare open source product that's being used on ~95% of the desktops.


      Uh, your TCP/IP stack?
    3. Re:Sometimes Microsoft does beat Open Source by Pink_Weasel · · Score: 2, Funny

      "Microsoft is committed to only releasing high quality updates..." as opposed to releasing high quality products

    4. Re:Sometimes Microsoft does beat Open Source by kalidasa · · Score: 2, Insightful

      Yeah, the fact that I had to back out a patch the other day because it broke security auditing is a great example of Microsoft testing patches "through the roof." That's just me: another satisfied MS enterprise customer . . .

  9. What about the critical vulnerability out Sep 9? by farbles · · Score: 2, Interesting
    The Inquirer has a story saying that there was a critical update and the software tool coming out September 13.

    WTF?

  10. No, from TFA, they're NOT skipping Patch Tuesday by bearl · · Score: 5, Informative

    TFA article clearly says that they're issuing several updates right on schedule this coming Tuesday.

    They are delaying a security update that was previously scheduled for Tuesday. They're delaying it because they found some problems during late testing. Good on 'em for that.

    Aside from that, the rest of the updates will be issued as scheduled.

  11. No Patch? Skipped a month? by marktwen0 · · Score: 5, Funny
    Microsoft announced they had omitted the patch

    Funny--my girlfriend also said something about not needing to use the patch this week...and something else about a missed month...

    Oh, wow! Cigars, anyone?

    1. Re:No Patch? Skipped a month? by Anonymous Coward · · Score: 4, Funny

      I guess that'd be funny if you actually had a girlfriend.

    2. Re:No Patch? Skipped a month? by maelstrom · · Score: 3, Funny

      I always suspected people were getting fucked by Microsoft, but this isn't quite what I had in mind.

      --
      The more you know, the less you understand.
  12. That Time of the Month by Mad+Man · · Score: 3, Funny

    Patch Tuesday, also known as Black Tuesday amongst Administrators, is the second Tuesday of every month in which Microsoft releases a series of patches and critical updates for its various operating systems and applications.


    I always refer to it as "That time of the month for P.M.S.: Patching Microsoft Servers."

    ("Patching Microsoft Systems" also works).
  13. Vulnerability Wednesday by soloport · · Score: 4, Interesting

    "CERT and other vulnerability watchdogs have noticed a continuous increase in new exploits which are released, almost synchronously, on the second Wednesday of each month." -- Phrak News

  14. Vulnerability "maximizes shareholder value". by Futurepower(R) · · Score: 2, Interesting


    Microsoft software is insecure because that is a way of "maximizing shareholder value", in my opinion.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks.

    That also seems to be why Microsoft software is so... unfinished. If they ever finished the job, no one would need to buy another copy. So maximizing shareholder value means minimizing quality as much as possible, considering what customers will accept, and trying to introduce new hassles that can be fixed by even later versions.

  15. If there were any bugs, why would we replace it. by barfomar · · Score: 2, Insightful
    If your present vehicle is working, what incentive do you have to buy a new one?
    It's only after it becomes unreliable (or really ugly from rust etc) that you think about replacing it.

    Software (despite what M$ would have us believe) doesn't wear out.

    The only way to sell new stuff is have it break down. They only fix a few vulnerabilities at a time to make us believe they're trying to keep it safe, but they really built the "rust" at the factory.

    Add a few new "features" (read code bloat) and the replacement cycle starts all over again.

    They're probably secretly supporting a few exploits to keep the demand up.

  16. Re:What about the critical vulnerability out Sep 9 by Karma_fucker_sucker · · Score: 2, Funny
    "The Inquirer"

    You know, I have never heard of that site before and I thought you were making a joke. I had to go there thinking I would see something like, "Bill Gates has alien's child!" or "Bill Gates gives all of his money to Linus Torvalds!"

    --
    Evil people don't think they're evil. - George Lucas, Making of Ep III
  17. Is Microsoft SERIOUS about security? You judge. by Futurepower(R) · · Score: 2, Interesting


    Microsoft: We're so great that there is nothing to do this month! Oh, don't worry about those High Severity Remote Code Execution vulnerabilities.

    Macromedia and Real Networks have been competing with Microsoft, but Microsoft is considerably ahead in being insecure.

  18. Re:T... F... A! by MyLongNickName · · Score: 2, Funny

    High School? I'm in my thirties! I've been out of high school for three years now.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  19. Bumper sticker by leonbrooks · · Score: 2, Funny

    "My other computer is your MS-Windows box"

    --
    Got time? Spend some of it coding or testing