Microsoft Takes a 'Patch Tuesday' Break
Phill0 submitted a ZD story about Microsoft's week off which says
"Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed.
The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year."
Yeah, we're all tired this month. Zero-day, shmero day.
So they were allowed an extension to their "Avoid Releasing Decent Software" Decade vacation?
At least they can't break anything new this week!
09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
Stupid congress and their DST. How much energy do they think we will save by moving up DST 3 weeks? How much economic loss will be caused by companies all over the place busting their ass trying to get all kinds of systems patched and working right...?
Idiot congresspeople.
I clicked on the no new security updates planned link and I got this, which doesn't actually say anything at all:
Microsoft Security Bulletin Advance Notification
Updated: February 13, 2007
Security Bulletin Advance Notification
The next security bulletin advance notification is scheduled for March 8, 2007, and will outline information for the March 13, 2007 security bulletin release.
Are we going to have to re-patch everything in a year or two when they change it back?
On the good side, we found out what doesn't come back up automatically after a reboot on the Sun systems that needed the libc patch, too.
500GB of disk, 5TB of transfer, $5.95/mo
Linux has to be patched as well for DST.
Maybe nothing needs patching!? Ya, that must be it.
Libertarian Leaning Political Discussion Forum.
Hey I can agree that Congress does a lot of messed up crap and I would also agree that it may not help much but you should really put blame where it is due: Microsoft. Why? Well mainly because they decided to HARDCODE it into Windows. That is about as silly as when the clock chip makers hardcoded the calendars into the chips for the Y2K incident. Anything that could POSSIBLY change should be treated like the variable it is and make some register for it to be changed in...even things in science we call constants get changed every once in a blue moon so simply making them variables would have made this switch so much easier for everyone. I know when I was in programming 101 my professor would mark my programs into oblivion when I didn't have my variable declarations for everything possible and then initialize them. Somehow or another though Microsoft didn't have such a structure for their coders and now we are left with this mess. I'm sure another instance will arise in the future as well. I hope the coding behind Vista is better. I know a lot of people enjoy blaming M$ for a lot of crap and usually it is unfounded but this time I think we can all razz them for screwing the pooch on this one.
Enable ntpd. I don't know if ms windows has a similar capability, but I bet there are at least utilities.
Ah, the sad life of a Windoze admin. So busy testing endless and useless security patches that they never have time to look at anything else. It's almost like M$ planned it that way.
Friends don't help friends install M$ junk.
"Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed. The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year."
Maybe it's because they don't have any patches to release?
That will only update your system clock. It will not fix any date calculations in software (now - 1500). The time will be wrong. That's what all the patches are about. Updating your system clock is easy; making sure the time calculations show the appropriate time is what everyone is worried about.
Check out my lame java blog at www.javachopshop.com
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
What Company A spends in costs to upgrade systems for DST, Company B receives. It isn't a loss, it is an economic stimulant.
As a contractor, I've been working extra hours upgrading telecom switching systems and while it is a pain-in-the-ass, I'm happy to have the extra work. Extra work is extra money.
So far, every upgrade I've done includes more than just DST patches. Like the whole Y2K bit, companies are using this as an opportunity to squeeze out more funding for upgrades.
Learning HOW to think is more important than learning WHAT to think.
You don't know how ntpd works. It uses differentials from UTC. How is it going to know to adjust your clock if your time zone is still standard time? FYI: Windows has had integrated NTP since Windows 2000.
Gamingmuseum.com: Give your 3D accelerator a rest.
Looks strange, because they have many known flaws that need to be fixed. I can't understand why the f* they don't release patches but, well, that is the problem with closed source software vendors.
They had since August 2005 to address this, but the software patch only came out in early February of 2007. Then, they had the gall to change the instructions no less than four times while I was preparing to upgrade (KB930879 was updated three times while I was reading it two Thursdays ago), along with a new version of the upgrade tool that was substantially different from what the instructions said. Even the consulting firm we hired only got it to work this past Sunday night.
Microsoft blew it, folks. This is not to say that OSS does it much better, although Red Hat and FreeBSD (two other OSs we use) nailed the patch months ago. But when you are a $50B company and could only produce the detritus that is the DST patch, there is no excuse for it.
Daylight Savings time is there so that those of us who don't fly can still experience the joy of jetlag twice a year!
(weird captcha today, is there supposed to be a space between "frag" and "rant"?)
For linux it's one file and that can be automated.
For Windows it seems that half the software needs to be patched, plus the OS (reboot required of course).
I mean... Exchange? Oracle? You'd think the authors of software like that would have a frikkin clue. Hardcoding DST routines into user applications? WTF??
Most Linux Computers are already fixed for DST thru Apt-get/urpmi etc etc
http://chimpbox.us
which is probably the real reason for no patches this Tuesday..........
Perhaps they need a good lawyer like the ones at http://www.bozolawyers.com/
You're illustrating the broken window fallacy, which assumes that since money for repairs is spent somewhere, it isn't lost and is entirely stimulative.
The problem with that is the opportunity cost of not having that money elsewhere. Of course money never vanishes, it recirculates. If the $1 spent on Y2K7 compliance isn't spent there, it is spent elsewhere to earn a return, or as profits to be retained and reinvested or given to shareholders as dividends. All involved would no doubt prefer to spend the money A) increasing widget production, B) developing a new widget, or C) reinvesting it in a profitable opportunity elsewhere. None would choose to spend it D) on updating DST calculations.
Now, when an economy is in a depression or deep recession, sometimes there is a stimulative effect of bad spending (hence the Keynesian stimulation of deficit spending), because the economic loss of unemployed resources is such that the economy may get a lift from spending to bring it out of the depression... that's how WWII ended the great depression... in a non depressed economy, few would argue that the best use of scarce resources is to blow up the cities of other countries and send a chunk of your workforce to go into combat half a world away, but in a depression, reducing unemployment through war spending and by removing conscripts from the potential labor force may be stimulative enough to get the economy growing.
However, right now, this isn't economically beneficial. That said, I can't wait for the extra hour of sunshine Monday night!
Alex
A good admin doesn't need to do any of that because the patches worked without a hitch.
Tell me what a good admin can do to make sure M$ does not break someone else's program. Even if M$ were not malicious, they can't know what other non free companies have done on any given computer and will break things with changes.
A good admin will also keep up with the ever changing tools M$ and others throw out, and this causes even more wasted time. I've seen ambitious young admins spending months of weekends reading four inch thick books on things like Visual Studio, knowing .NET is just around the two year away corner.
Friends don't help friends install M$ junk.
How can they be zero day if they are publicly known? Oh, I know, zero day sounds so much more 'dangerous'.
What with the High Def photography standards and all...
Definitions aside, you'd think the HD Photo site could at least show some examples, blowups of a given resolution with different codecs and graphs of the files size implications so we could be interested in using the standard.
Instead, one dry page. And seamonkey at that: it starts out by saying it's new, ends by saying it's really just the new name for wmphoto and in between claims "more than twice the quality of jpeg". Huh? Are they using smaller pixels? Will my quality slider in Photoshop now go to 24?
With implementation and marketing like this, you can see why the Zune will soon be the AMC Pacer of gadgets.
They need to stick to incremental moves for the products that already have users by the neck.
There. All better.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
I'll apologize in advance if this is a redundant post, but it is just too good to not read. This is full of the usual Microsoft doublespeak and PR. http://www.eweek.com/article2/0,1895,2102366,00.asp
It was not so hard to update my Red Hat systems.
Maybe they just need a little more time to start The Wow. I'm still waiting, and I'm using Vista.
Always someone has power over you. The thing to consider is this: Is the power good, or bad?
Thank you for your time.
I've never really understood why they didn't just make DST permanent. In other words, get rid of the whole spring-forward/fall-back business, and just move the time zones in the U.S. up an hour, if that would give us more daylight in the evenings, when apparently we want it.
It's all just a psychological game, anyway; the actual amount of daylight obviously never changes, it's just that people really hate having to get up before their clock says they should, and thus it's necessary to fudge the clocks so that people get up earlier, and don't waste daylight and end up having it dark in their (clock-proscribed) "evening."
If we want it to show something different on the clock when the big warm ball starts to rise in the morning, which is apparently what we want, I don't get why we don't just push all the U.S. time zones forward an hour and leave them there, and get rid of this fall/spring switching.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It's not about energy, regardless of the name of the bill it was in, it's about money, more specifically, commerce. Not as many people go shopping when it's dark out. That downtown just isn't as much fun to walk around when it's dark out. Conversely, when it's still light out (after work) people are more likely to go out and... that's right, spend money shopping. Bean counters figured out that the economy will generate [x] more dollars a year with an extra hour of daylight. That's tax revenue folks.... the retail sector wins, government coffers win, the only ones that get hosed are those of us with toddlers trying to adjust their bedtimes 1 hour. =P
So, "zero-day vulnerabilities" means what? Unpatched vulnerabilities? Who could patch unknown vulnerabilities? Why are people referring to unpatched vulnerabilities as "zero-day"??
..attacks simultaneous to or before a vulnerability is publicly announced.
The term zero-day used to refer to attacks.
The term zero-day attack means something. Zero-day vulnerability is mindless, sensational jargon!!! A publicly announced vulnerability that is unpatched is an unpatched vulnerability!!! Public unpatched vulnerabilities can typically be mitigated against.
Know what you are talking about!!! Let's not dilute the term to the point it is totally meaningless. At this rate, we will be referring to frozen hot-pockets as "zero-day lunch".
UUGGGGG!!!!
Microsoft: "These are not the flaws you are looking for"
Customer: "These are not the flaws I was looking for"
Microsoft: "Go home and rethink your life"
Customer: "I will go home and rethink my operating system decision"
Microsoft: "What??? No! Your Life! Rethink your Life!"
Customer: "Rethink my li.... nux. I need Linux."
yeah, that's it, they all switched to vista and their computers won't access the MS codebase any more.
thank you, glad to have cleared that up.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This still doesn't help out the problems with the TZ environment variable usage under countless apps written in MS Visual C, Visual C++, .NET Studio, etc, where timezone logic has been hard-coded into all those MSVCRT.DLL and MSVC*.DLL files. Microsoft's usage of the TZ environment variable, depending on who you ask, might or might not obey the POSIX standard syntax for modifying the start and stop dates for DST encoded into the TZ variable's string (e.g. TZ=EST6EDT,M3.2.0,M11.1.0). I cannot find any official MS documentation on their implementation of how they read and interpret the TZ string for any version of Windows older than Vista, which purportedly does support the full POSIX syntax for TZ. There seems to be a mostly complete absence of official documentation for older Windows versions' TZ variable supported syntax.
To give an indication of how big of a problem this might become, a quick search on one of my servers shows no fewer than FIVE different versions of the Visual C runtime DLLs that could be affected, and some of my apps are written to use the TZ environment variable in lieu of obtaining the timezone info from elsewhere in the system. The vendors of those apps are clueless about the problem and are trying to feign ignorance about it too.
Microsoft does have a knowledge base article listing some replacement DLLs for each version, but they were just announced very recently (less than two weeks ago) and the DLLs are not downloadable... you must have a paid support agreement with them to get these.
The situation totally sucks.
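As an added example (not part of the comment above and not any vendor's code): a small Python parser for the POSIX `Mm.w.d` rule fields quoted in the TZ string above, used to compute the dates on which a runtime with the old DST rules baked in disagrees with the new ones, which is when local-time log timestamps from such software are an hour off. The old-rule string `M4.1.0,M10.5.0` (the pre-2007 US schedule) and all function names are assumptions of this example.

```python
from datetime import date, timedelta

# Rule pair quoted in the comment above (2007 US schedule).
NEW_RULES = "M3.2.0,M11.1.0"
# Assumption of this example: the pre-2007 US schedule
# (first Sunday of April to last Sunday of October).
OLD_RULES = "M4.1.0,M10.5.0"


def parse_m_rule(rule):
    """Parse 'Mm.w.d': month 1-12, week 1-5 (5 = last), day 0-6 (0 = Sunday)."""
    if not rule.startswith("M"):
        raise ValueError(f"only Mm.w.d rules are handled here: {rule!r}")
    # An optional '/time' suffix may follow the date part; drop it.
    parts = rule[1:].split("/")[0].split(".")
    if len(parts) != 3:
        raise ValueError(f"malformed rule: {rule!r}")
    month, week, day = (int(p) for p in parts)
    if not (1 <= month <= 12 and 1 <= week <= 5 and 0 <= day <= 6):
        raise ValueError(f"field out of range in rule: {rule!r}")
    return month, week, day


def rule_date(year, rule):
    """Calendar date that an Mm.w.d rule selects in the given year."""
    month, week, day = parse_m_rule(rule)
    first = date(year, month, 1)
    # Python counts Monday=0..Sunday=6; POSIX counts Sunday=0..Saturday=6.
    first_posix_wd = (first.weekday() + 1) % 7
    d = first + timedelta(days=(day - first_posix_wd) % 7 + 7 * (week - 1))
    # Week 5 means "last occurrence": step back if we ran into the next month.
    while d.month != month:
        d -= timedelta(days=7)
    return d


def dst_span(year, rules):
    """(start, end) dates for a 'start,end' rule pair."""
    fields = rules.split(",")
    if len(fields) != 2:
        raise ValueError(f"expected 'start,end', got {rules!r}")
    return rule_date(year, fields[0]), rule_date(year, fields[1])


def mismatch_windows(year, old_rules=OLD_RULES, new_rules=NEW_RULES):
    """Date ranges where code using old_rules disagrees with new_rules."""
    old_start, old_end = dst_span(year, old_rules)
    new_start, new_end = dst_span(year, new_rules)
    return [tuple(sorted((old_start, new_start))),
            tuple(sorted((old_end, new_end)))]


if __name__ == "__main__":
    for lo, hi in mismatch_windows(2007):
        print(f"unpatched local time is off from {lo} until {hi}")
```

Timestamps written in local time by unpatched software inside those windows need a one-hour correction before they are correlated with other sources; logging in UTC avoids the issue.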
I'm leading the charge on DST for my company and well.... let's just say that I manage over 350 servers with over 4000 users. It's going to be ugly though, if I do my job properly it should mean some good kudos afterwards :)
The price is always right if someone else is paying.
Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year.
As a European, what mostly occupies me is deleting all those "field notices" that Cisco mails me about the DST issue. It looks like they send a separate mail for every product they sell and have ever sold, telling me that it needs to be patched. Not all on a single day or all in a single mail, but spread over a month's time.
And the profiles that you can define for the kind of notices you want to receive by mail do not allow the selection of an affected region, or the removal of field notices about some specific subject.
Well, you have to have something to complain about...
I don't understand why this is such a problem, just as I never had trouble in 2000. I ran Win95 throughout and it never cost me 5 minutes. If nothing else, I can adjust my time zone 1 hour, but I know large businesses and those with servers won't be satisfied with that. This is mainly an issue for them; why some home users are getting all bent out of shape is beyond me.
Only SNTP I'm afraid, which is much less accurate. According to Wikipedia, Windows 2003 SP1 finally implements NTP, eleven years after the NTPv3 RFC was published.
I really don't understand this. All software should support arbitrary dates for DST start and end.
I am from Brazil and here we don't have fixed dates for DST. The stupid government changes them every year. But at least every single piece of software produced here supports changing the DST period. You shouldn't have to patch anything but just change some configuration file (ok, changing the configuration file is still patching, but you got my point). How hard is this?
And probably most of those new patches *still* have hardcoded dates for the new DST period. So if it ever changes this whole mess happens again. Sigh... Won't they ever learn? Y2K, anyone?
One of my biggest fans misses the point again:
It really shows you've never done any systems administration or anything, considering you seem to think testing is "useless". Do you seriously think F/OSS is completely perfect and magically heals itself if things go wrong?
The testing, of course, is required. It's the patch that's useless. It should be obvious by now that patching will never fix Windows security problems. The whole exercise is a waste of time and that may be intentional.
There's no magic to free software working right. When people co-operate and share code, they are less likely to break each other's work. They can also be tested by the distributor before they are released, so that users can install with much greater confidence.
Friends don't help friends install M$ junk.
"0 Day" comes from the Warez scene, it was for warez that were released as warez before they were officially released.
In this context, "0 Day" refers to vulnerabilities that are known but not patched. In other words, anyone who knows how to exploit them right now can 0wn your computer, and there's not a damn thing you can do about it.
This is to distinguish it from vulnerabilities for which there is a patch. That's NOT a trivial distinction. After all, there might be 3rd party patches out there before the official Microsoft ones.
Please don't claim that things are meaningless when you don't actually understand them.
Windows admins can't install patches next tuesday, because they're too busy installing patches which have to be done by this Saturday to be of any use.
What, are they going to go on a 4-day bender after the DST upgrades?
This space for rent. Call 1-800-STEAK4U
Since when did Congress control DST?
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
To be fair, Windows doesn't require a reboot. The Exchange patch doesn't require a reboot either (unless something's in use at the time) but it does require the services to restart. However, I agree that there should be absolutely no patches required for the applications. Unfortunately, it may be more of a function of the programming language and the way the application is linked than a problem with the OS. For example, there is an update for glibc for the locales. Any application that statically linked the locale information would need a patch. Dynamically linked applications would only need the locale update for glibc. However, for something like Exchange where it only runs on a single OS, you'd think that they'd use the time zone info built into the OS. I suppose that there may be other reasons why an application might require its own update.
doesn't matter rite.. patch or no patch.. break or no break.. it just the same.. still lots of vulnerability..
~live a life without regret~