Slashdot Mirror
Microsoft Takes a 'Patch Tuesday' Break
Phill0 submitted a ZD story about
Microsoft's week off which says
"Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed.
The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year. "
So they were allowed an extension to their "Avoid Releasing Decent Software" Decade vacation?
At least they can't break anything new this week!
09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
Yeah, I mean, screw it. Who cares about security vulnerabilities, viruses and spyware? If we did, none of us would be using Windows, that's for sure... ;)
My blog
Stupid congress and their DST. How much energy do they think we will save by moving up DST 3 weeks? How much economic loss will be caused by companies all over the place busting their ass trying to get all kinds of systems pathced and working right...?
Idiot congresspeople.
Ya... who needs to patch holes in Windows when people might run their own code on a 360! Oh the humanity!
I clicked on the no new security updates planned link and I got this, which doesn't actually say anything at all:
Microsoft Security Bulletin Advance Notification
Updated: February 13, 2007
Security Bulletin Advance Notification
The next security bulletin advance notification is scheduled for March 8, 2007, and will outline information for the March 13, 2007 security bulletin release.
Are we going to have to re-patch everything in a year or two when they change it back?
On the good side, we found out what doesn't come back up automatically after a reboot on the Sun systems that needed the libc patch, too.
500GB of disk, 5TB of transfer, $5.95/mo
Linux has to to be patched as well for DST.
Maybe nothing needs patching!? Ya, that must be it.
Libertarian Leaning Political Discussion Forum.
"Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed. The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year. "
Maybe it's because they don't have any patches to release?
Actually that caught my eye too: "at least five zero-day vulnerabilities are waiting to be fixed." It's the number of unpatched vulnerabilities that matters, not the number that were discovered by black hats before white hats. In any case, I'm not even sure it makes sense to say "this is a 0-day exploit" if it's something that was discovered a month ago (regardless of who discovered it first).
You obviously don't work in an enterprise.
These last 2 weeks have been crazy. Monstrous. Patches for Windows, patches for Exchange, patches for Outlook, patches for Java, patches for Oracle, patches for Act, patches for Blackberries, patches for Treos, patches for that weird-ass cell the COO uses and no one else does. Patches to replace patches. Patches to undo the damage other patches have made. I firmly place blame on the software companies for waiting this long to sort things out, but this says it all: http://support.microsoft.com/kb/914387 NINETEEN REVISIONS. That's the most for an MS KB article ever.
Yes, there are zero-day vulnerabilities out there. However, considering the potential trainwreck that's going to happen Monday, no admin in their right mind would install new patches on Tuesday. No admin worth their salt would do so anyway: usually you wait a few days for the early adopters to fish out the bugs and MS to release any new versions. You let your security hardware and software (which has barely needed to be patched) deal with any potential problems. That's just smart business sense.
For those of you admining a handful of servers, serving basic stuff like webpages, laughing at the work some people have to do for this, that's great. Enjoy yourselves. For the rest of us with a real workload: hundreds of servers and tens of thousands of desktops, all with software on top of software that may or may not be compatible with each other patchwise, this last few weeks have been a living hell. A couple people getting their Word documents hosed is nothing compared to payroll systems not working, trade systems coughing up blood, etc. I'll hand that responsibility off to Symantec and friends -- I've got more important stuff to worry about.
"Zero-day vulnerability" is totally meaningless. Even the proper "zero-day exploit" makes no sense after zero-day. Totally useless garbage speak, just the marketroids and talking heads who make up words like "factoid" because somehow the word "fact" is not descriptive enough.
Gamingmuseum.com: Give your 3D accelerator a rest.
That will only updated your system clock. It will not fix any date calculations in software (now - 1500). The time will be wrong. That's what all the patches are about. Updating your system clock is easy, it's making sure the time calculations show the appropriate time is what everyone is worried about.
Check out my lame java blog at www.javachopshop.com
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
What Company A spends in costs to upgrade systems for DST, Company B receives. It isn't a loss, it is an economic stimulant.
As a contractor, I've been working extra hours upgrading telecom switching systems and while it is a pain-in-the-ass, I'm happy to have the extra work. Extra work is extra money.
So far, every upgrade I've done includes more than just DST patches. Like the whole Y2K bit, companies are using this as an opportunity to squeeze out more funding for upgrades.
Learning HOW to think is more important than learning WHAT to think.
You don't know how ntpd works. It uses differentials from UTC. How is it going to know to adjust your clock if your time zone is still standard time? FYI: Windows has had integrated NTP since Windows 2000.
Gamingmuseum.com: Give your 3D accelerator a rest.
That's the life of a very bad admin. A good admin doesn't need to do any of that because the patches worked without a hitch.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
They had since August 2005 to address this, but the software patch only came out in early February of 2007. Then, they had the gall to change the instructions no less than four times while I was preparing to upgrade (KB930879 was updated three times while I was reading it two Thursdays ago), along with a new version of the upgrade tool that were substantially different from what the instructions said. Even the consulting firm we hired only got it to work this past Sunday night.
Microsoft blew it, folks. This is not to say that OSS does it much better, although Red Hat and FreeBSD (two other OSs we use) nailed the patch months ago. But when you are a $50B company and could only produce the detritus that is the DST patch, there is no excuse for it.
http://support.microsoft.com/kb/914387
Doesn't look very hard coded to me...
For linux it's one file and that can be automated.
For Windows it seems that half the software needs to be patched, plus the OS (reboot required of course).
I mean... Exchange? Oracle? You'd think the authors of software like that would have a frikkin clue. Harcoding DST routines into user applications? WTF??
Most Linux Computers are already fixed for DST thru Apt-get/urpmi etc etc
http://chimpbox.us
This is opposed to the heart-stoppingly exciting life of posting anti-MS FUD on a Linux news site?
I think I'd rather take the 'endless' patching.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Testing, testing, testing, testing and more testing.
How many people can read hex if only you and dead people can read hex?
which is probably the real reason for no patches this Tuesday..........
Perhaps they need a good lawyer like the ones at http://www.bozolawyers.com/
(wierd capcha today, is there supposed to be a space between "frag" and "rant"?)
No, there isn't.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
You're illustrating the broken window fallacy, which assumes that since money for repairs is spent somewhere, it isn't lost and is entirely stimulative.
The problem with that is that the opportunity cost of not having that money elsewhere. Of course money never vanishes, it recirculates. If the $1 spent on Y2K7 compliance isn't spent there, it is spent elsewere to earn a return, or as profits to be retained and reinvested or given to shareholders as dividends. All involved would no doubt prefer to spent the money A) increasing widget production, B) developing a new widget, or C) reinvesting it in a profitable opportunity elsewhere. None would choose to spend it D) on updating DST calculations.
Now, when an economy is in a depression or deep recession, sometimes their is a stimulative effect of bad spending (hence the Keynesian stimulation of deficit spending), because the economic loss of unemployed resources is such that the economy may get a lift from spending to bring it out of the depression... that's how WWII ended the great depression... in a non depressed economy, few would argue that the best use of scare resources is to blow up the cities of other countries and send a chunk of your workforce to go into combat half a world away, but in a depression, reducing unemployment through war spending and by removing conscripts from the potential labor force may be stimulative enough to get the economy growing.
However, right now, this isn't economically beneficial. That said, I can't wait for the extra hour of sunshine Monday night!
Alex
A good admin doesn't need to do any of that because the patches worked without a hitch.
Tell me what a good admin can do to make sure M$ does not break someone else's program. Even if M$ were not malicious, they can't know what other non free companies have done on any given computer and will break things with changes.
A good admin will also keep up with the ever changing tools M$ and others throw out, and this causes even more wasted time. I've seen ambitious young admins spending months of weekends reading four inch thick books on things like Visual Studio, knowing .NET is just around the two year away corner.
Friends don't help friends install M$ junk.
How can they be zero day if they are publicly known? Oh, I know, zero day sounds so much more 'dangerous'.
2 weeks?
Granted, I'm not a microsoft admin, but some of our 3rd party apps still run on server 2003. I understand that some companies may not have had patches out until recently, but we started back in January with our Oracle and Java patches. Our approach was to bite of small junks as early and often as possible.
We also pushed back on any 3rd party applications that we pay support to, to get DST patches as quickly as possible.
We've had most patches (all mission critical ones) in place on test systems since early February, giving our users ample time to test.
The past 2 weeks have been relaxing AFAIC compared to the previous 4-6.
I'll apologize in advance if this is a redundant post, but it is just too good to not read. This is full of the usual Microsoft doublespeak and PR. http://www.eweek.com/article2/0,1895,2102366,00.as p
It was not so hard to update my Red Hat systems.
Maybe they just need a little more time to start The Wow. I'm still waiting, and I'm using Vista.
Always someone has power over you. The thing to consider is this: Is the power good, or bad?
Factoid is to fact as truthiness is to truth.
I've never really understood why they didn't just make DST permanent. In other words, get rid of the whole spring-forward/fall-back business, and just move the time zones in the U.S. up an hour, if that would give us more daylight in the evenings, when apparently we want it.
It's all just a psychological game, anyway; the actual amount of daylight obviously never changes, it's just that people really hate having to get up before their clock says they should, and thus it's necessary to fudge the clocks so that people get up earlier, and don't waste daylight and end up having it dark in their (clock-proscribed) "evening."
If we want it to show something different on the lock when the big warm ball starts to rise in the morning, which is apparently what we want, I don't get why we don't just push all the U.S. time zones forward an hour and leave them there, and get rid of this fall/spring switching.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
If you're so damn busy, how do you have time to write a book to post on /.? Cry me a river r-tard
If you haven't been following the mayhem, the original DST patch for Windows XP/2003 came out very late last year. That was coupled with a call to edit the timezone files manually in 2000. Fine.
Then Microsoft released another update in January, replacing the existing. That had to be regression tested and rolled out. Then they released a cumulative update with that and a new fix for a specific timezone (think it was Nova Scotia - can't remember). Fine.
Then, Exchange team came out and said "Guess what, now you need to update your servers as well." But you also need to update Outlook, because if you tell Exchange to fix calendars it'll screw them up in other countries that *aren't* changing this Sunday.
All the while, people are creating appointments that will become off by an hour when the time switches over. The Outlook update has gone through multiple revisions and just got a silent installer about a week ago. The earlier you did the system patch, the more likely appointments will be off.
On top of this, Blackberry and Treos didn't get their patches until late, and you need to do those AFTER the Exchange/Outlook patches. So we had to wait for MS to sort this nonsense out.
And I'm just talking messaging here. This doesn't even begin to go into the other software that's affected.
http://www.word-detective.com/101800.html#factoid
Blame it on CNN -- they started the whole ruckus by taking a perfectly good word and twisting it.
"Factoid" is one of those rare words that were undeniably invented by an identifiable individual, in this case Norman Mailer, in his book "Marilyn," published in 1973. The Oxford Dictionary of New Words defines "factoid" thus: "A spurious or questionable fact; especially something that is supposed to be true because it has been reported (and often repeated) in the media, but is actually based on speculation or even fabrication." Norman Mailer himself defined "factoids" as "facts which have no existence before appearing in a magazine or newspaper, creations which are not so much lies as a product to manipulate emotion in the Silent Majority."
Mailer invented the word by combining "fact" with "oid," a scientific suffix meaning "resembling or having the form of, but not identical to." Needless to say, "factoids" in Mailer's sense are the antithesis of serious reporting, and to accuse a journalist of trafficking in "factoids" was a grave insult, at least until CNN came along.
Sent from the iPad I found in your car.
The Anonymous Coward had me until the name calling.
It's not about energy, regrdless of the name of the bill it was in, it's about money- more specfically, commerce. Not as many people go shopping when it's dark out. That downtown just isn't as much fun to walk around when it's dark out. Conversely, when it's still light out (after work) people are more likely to go out and... that's right, spend money shopping. Bean counters figured out that the economy will generate [x] more dollars a year with an extra hour of daylight. That's tax revenue folks.... the retail sector wins, government coffers win, the only ones that gets hosed are those of us with toddlers trying to adjust thier bedtimes 1 hour. =P
Microsoft: "These are not the flaws you are looking for"
Customer: "These are not the flaws I was looking for"
Microsoft: "Go home and rethink your life"
Customer: "I will go home and rethink my operating system decision"
Microsoft: "What??? No! Your Life! Rethink your Life!"
Customer: "Rethink my li.... nux. I need Linux."
yeah, that's it, they all switched to vista and their computers won't access the MS codebase any more.
thank you, glad to have cleared that up.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This still doesn't help out the problems with the TZ environment variable usage under countless apps written in MS Visual C, Visual C++, .NET Studio, etc, where timezone logic has been hard-coded into all those MSVCRT.DLL and MSVC*.DLL files. Microsoft's usage of the TZ environment variable, depending on who you ask, might or might not obey the POSIX standard syntax for modifying the start and stop dates for DST encoded into the TZ variable's string (e.g. TZ=EST6EDT,M3.2.0,M11.1.0). I cannot find any official MS documentation on their implementation of how they read and interpret the TZ string for any version of Windows older than Vista, which purportedly does support the full POSIX syntax for TZ. There seems to be a mostly complete absence of official documentation for older Windows versions' TZ variable supported syntax.
To give an indication of how big of a problem this might become, a quick search on one of my servers shows no fewer than FIVE different versions of the Visual C runtime DLLs that could be affected, and some of my apps are written to use the TZ environment variable in lieu of obtaining the timezone info from elsewhere in the system. The vendors of those apps are clueless about the problem and are trying to feign ignorance about it too.
Microsoft does have a knowledge base article listing some replacement DLLs for each version, but they were just announced very recently (less than two weeks ago) and the DLLs are not downloadable... you must have a paid support agreement with them to get these.
The situation totally sucks.
I'm leading the charge on DST for my company and well.... let's just say that I manage over 350 servers with over 4000 users. It's going to be ugly though, if I do my job properly it should mean some good kudos afterwards :)
The price is always right if someone else is paying.
Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year.
As a European, what mostly occupies me is deleting all those "field notices" that Cisco mails me about the DST issue. It looks like they send a separate mail for every product they sell and have ever sold, telling me that it needs to be patched. Not all on a single day or all in a single mail, but spread over a month time.
And the profiles that you can define for the kind of notices you want to receive by mail does not allow the selection of an affected region, or to remove field notices about some specific subject.
Well, you have to have something to complain about...
Only SNTP I'm afraid, which is much less accurate. Accoring to wikipedia, Windows 2003 SP1 finally implements NTP, eleven years after the NTPv3 RFC was published.
On top of this, Blackberry and Treos didn't get their patches until late, and you need to do those AFTER the Exchange/Outlook patches.
If you could get the Blackberry patch to work at all, that is.
For whatever reason, RIM thought it would be clever to distribute a "helper" rather than an actual patch. You can push it out from the BES, but all it does is install a little utility on the handhelds which then MUST use internet access to download the real version of the patch that's applicable to that handheld and firmware version.
Once I'd gotten the internet access part working on the backend (which required a huge kludge because of RIM's braindead "everything is done via a single service account instead of using the user's own credentials" model) I discovered that the only handhelds which would correctly install the patch were the Pearls, which allegedly don't need to be patched anyway.
Even if you *do* get the patch to install, it does not correct existing appointments. So you either have to delete and recreate all of them, or wipe and reactivate the handheld. Neither one is practical. What we'd end up with is Blackberry users who had a mix of appointments that were off by an hour or not, with no way of telling which is which. So we're delaying the patch until *after* DST would have switched anyway, so that when it flips in the fall there will have been plenty of time for appointments scheduled in advance to have been created after the patch was applied.
The US government are a bunch of morons for allowing this DST change, but the tech companies providing patches have handled the situation at least as poorly.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
No shit. I've put in about 70 hours this week. The Exchange DST tool is the most hacked together piece of shit software I've seen in a long time. I fear what other software is out there that I missed. What little things will break because timestamps are different on the endpoints-- like DNS's rndc and VPN traffic. Too many things to think about.
Congress can kiss my ass after this worthless piece of legislation, which further reinforces my impression that having people who write laws full time and get paid for it is a bad idea. Did they even think about how many devices keep time? We're talking millions, at least! We should be moving away from regional differences in time, not toward it. Pass a fucking law that says you can come into work an hour later. That I'm OK with. I wish we would just all switch to UTC and be done with this piece of make-work. Time is complicated enough without some brainless fool in Washington making things worse.
Fortunately, I have a vacation planned starting Monday. See ya, suckers! If the company is still standing when I come back, super.
Windows-Securityoid?
Ah, the sad life of a Windoze admin. So busy testing endless and useless security patches
Frankly if any large corporation (or "big dumb company" in twitterspeak) didn't test patches before rolling them out onto production machines, patches to anything on any system, then they would be utterly moronic.
Helpful reminder: Linux software has patches and security updates too. Those patches and security updates need to be tested to make sure they don't break anything like any other. It really shows you've never done any systems administration or anything, considering you seem to think testing is "useless". Do you seriously think F/OSS is completely perfect and magically heals itself if things go wrong?
By summer it was all gone...now shesmovedon. --
Someone should have told Norman about these words: rumor and lie.
Gamingmuseum.com: Give your 3D accelerator a rest.
I really don't understand this. All software should support arbitrary dates for DST start and end.
I am from Brazil and here we don't have fixed dates for DST. The stupid government change them every year. But at least every single piece of software produced here supports changing the DST period. You shouldn't have to patch anything but just change some configuration file (ok, changing the configuration file is still patching, but you got my point). How hard is this?
And probably most of those new patches *still* have hardcoded dates for the new DST period. So if it ever changes this whole mess happen again. Sigh... Won't they ever learn? Y2K, anyone?
One of my biggest fans misses the point again:
It really shows you've never done any systems administration or anything, considering you seem to think testing is "useless". Do you seriously think F/OSS is completely perfect and magically heals itself if things go wrong?
The testing, of course, is required. It's the patch that's useless. It should be obvious by now that patching will never fix Windows security problems. The whole exercise is a waste of time and that may be intentional.
There's no magic to free software working right. When people co-operate and share code, they are less likely to break each other's work. They can also be tested by the distributor before they are released, so that users can install with much greater confidence.
Friends don't help friends install M$ junk.
Because this is the calm between storms. We've done all we can from a patch standpoint. Sunday is the change, Monday is the test. Considering MS's official recommendation in calls with them was "Have your users write down their appointment times in the subject line", no matter what we do things will be a crapshoot. We've thrown the shit. Now we need to see what sticks to the fan.
Windows admins can't install patches next tuesday, because they're too busy installing patches which have to be done by this Saturday to be of any use.
What, are they going to go on a 4-day bender after the DST upgrades?
This space for rent. Call 1-800-STEAK4U
Norman Mailer was not exactly unskilled in the use of language; a "factoid" might be either a rumor or a lie, but is distinguished from either in the perception of authority and the mechanism by which that perceived authority is attained. The terms overlap, but are usefully distinct.
Since when did Congress control DST?
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Gee, I wonder if this will screw up all those Microsoft shills who like to quote "studies" (from guys like Rob Enderle) that "prove" Microsoft is "faster" than OSS in fixing security holes...
Nah. They'll just fall back on the idea that OSS has MORE security holes - because a Linux distro comes with 2,000 packages instead of nothing like Windows.
You notice they never add in the Symantec security holes to the Windows total when they're discussing how security holes are to be counted. But they'll add in the SSH holes.
Maybe they should add in their ASSholes...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I wonder what the number of packages ms has? No really, if one counts the windows kernal (if one call it that) as the os and everything else is a 'package'. I didn't say packages that we want or even use, just what teh number of packages.
So calculator + notepad + paint + all the other crap = ???? number of 'packages'
actually not trolling I was just wondering how many things are installed. Maybe should say a fresh, clean install. Cause there are like 50-60 more things when people buy a prebuilt computer from dell, hp, or gateway.
To be fair, Windows doesn't require a reboot. The Exchange patch doesn't require a reboot either (unless something's in use at the time) but it does require the services to restart. However, I agree that there should be absolutely no patches required for the applications. Unfortunately, it may be more of a function of the programming language and the way the application is linked than a problem with the OS. For example, there is an update for glibc for the locales. Any application that statically linked the locale information would need a patch. Dynamically linked applications would only need the locale update for glibc. However, for something like Exchange where it only runs on a single OS, you'd think that they'd use the time zone info built into the OS. I suppose that there may be other reasons why an application might require its own update.
doesn't matter rite.. patch or no patch.. break or no break.. it just the same.. still lots of vulnerabilty..
~live a life without regret~