Microsoft Takes a 'Patch Tuesday' Break

Phill0 submitted a ZD story about Microsoft's week off which says "Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed. The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which at the behest of Congress, is happening three weeks earlier this year. "

"Patch Tuesday" Break?

[instantkamera]

So they were allowed an extension to their "Avoid Releasing Decent Software" Decade vacation?

A positive note!

[FredDC]

At least they can't break anything new this week!

DST

[Chicken04GTO]

Stupid congress and their DST. How much energy do they think we will save by moving up DST 3 weeks? How much economic loss will be caused by companies all over the place busting their ass trying to get all kinds of systems pathced and working right...?

Idiot congresspeople.

Re:DST

[Billosaur]

How much energy do they think we will save by moving up DST 3 weeks?

It has nothing to do with saving energy. It's about Congress and the Administration wanting to look like they're doing something about our dependence on foreign oil. There's very little energy savings to be had: these new weeks come in the heart of winter, where a few extra hours of daylight in the evening won't matter because who's going outside when it freezing, and more importantly, people will still have to be heating their homes and offices regardless. And since it will be darker in the morning, when people get up to go to work, any evening savings will be offset by morning usage.

They would have been better off writing a bill to increase tax credits for alternative energy sources and trying to encourage more fuel efficiency in cars and an increase in mass transit. Instead, we get window dressing.

Re:DST

[The_Wilschon]

In a significant and large portion of the country, March is the heart of spring. I saw people studying out under trees yesterday because the weather was beautiful. It is 64F right now. I turned on my air conditioning briefly because my apartment got uncomfortably hot yesterday.

If you don't live in Maine, this makes a heck of a lot more of a difference than you apparently realize. (Yes, restricting to only Maine is an exaggeration, too. Deal with it. You know what I mean by it anyway.)

Re:DST

[sconeu]

The economic loss is grossly exagerated like the w2k bug that NEVER hAPENNED

Which Windows 2000 bug was that?

Oh, you meant Y2K? Yeah, it "never happened" because thousands of dedicated professionals worked for years to fix and upgrade old systems.

What about when they realize it was stupid?

[PornMaster]

Are we going to have to re-patch everything in a year or two when they change it back?

On the good side, we found out what doesn't come back up automatically after a reboot on the Sun systems that needed the libc patch, too.

Re:What about when they realize it was stupid?

[Ctrl-Z]

If people were smart about it, they would have implemented the change to be adjustable so we wouldn't have to re-patch everything. How likely is that though?

Re:That's one of the reasons I use OpenSource

[lostwars]

Linux has to to be patched as well for DST.

maybe

[mastershake_phd]

Maybe nothing needs patching!? Ya, that must be it.

Re:Occam's Razor

[thetroll123]

Don't be absurd. The simple explanation is that it's another evil Microsoft conspiracy to take over the world. How can you not see that?

Re:Zero Day

[SilentChris]

You obviously don't work in an enterprise.

These last 2 weeks have been crazy. Monstrous. Patches for Windows, patches for Exchange, patches for Outlook, patches for Java, patches for Oracle, patches for Act, patches for Blackberries, patches for Treos, patches for that weird-ass cell the COO uses and no one else does. Patches to replace patches. Patches to undo the damage other patches have made. I firmly place blame on the software companies for waiting this long to sort things out, but this says it all: http://support.microsoft.com/kb/914387 NINETEEN REVISIONS. That's the most for an MS KB article ever.

Yes, there are zero-day vulnerabilities out there. However, considering the potential trainwreck that's going to happen Monday, no admin in their right mind would install new patches on Tuesday. No admin worth their salt would do so anyway: usually you wait a few days for the early adopters to fish out the bugs and MS to release any new versions. You let your security hardware and software (which has barely needed to be patched) deal with any potential problems. That's just smart business sense.

For those of you admining a handful of servers, serving basic stuff like webpages, laughing at the work some people have to do for this, that's great. Enjoy yourselves. For the rest of us with a real workload: hundreds of servers and tens of thousands of desktops, all with software on top of software that may or may not be compatible with each other patchwise, this last few weeks have been a living hell. A couple people getting their Word documents hosed is nothing compared to payroll systems not working, trade systems coughing up blood, etc. I'll hand that responsibility off to Symantec and friends -- I've got more important stuff to worry about.

Re:Zero Day

[operagost]

"Zero-day vulnerability" is totally meaningless. Even the proper "zero-day exploit" makes no sense after zero-day. Totally useless garbage speak, just the marketroids and talking heads who make up words like "factoid" because somehow the word "fact" is not descriptive enough.

DST fiasco

[Vexler]

They had since August 2005 to address this, but the software patch only came out in early February of 2007. Then, they had the gall to change the instructions no less than four times while I was preparing to upgrade (KB930879 was updated three times while I was reading it two Thursdays ago), along with a new version of the upgrade tool that were substantially different from what the instructions said. Even the consulting firm we hired only got it to work this past Sunday night.

Microsoft blew it, folks. This is not to say that OSS does it much better, although Red Hat and FreeBSD (two other OSs we use) nailed the patch months ago. But when you are a $50B company and could only produce the detritus that is the DST patch, there is no excuse for it.

Re:DST fiasco

[kiwimate]

No, really not, actually. I agree 100%, and I work with Microsoft products for a living and will often defend them against the more egregious slurs posted on Slashdot.

But in this case they've blown it. We called them a year ago to ask them about their plans for the change to DST and they asked "what change?". They only really started to come out with patches a couple of months ago.

CRM? Don't get me started...they kept on finding new components to be patched, server and client, said they'd release the patches in early March (!), finally promised to release on February 28th, and then two days before release date came out and said they'd found some problems and the release would be delayed for another few days. And by the way, if you have more CRM clients to be patched than can be easily handled manually and you don't run your users as local admins, then you're in trouble because it's nigh impossible to get CRM patches distributed over SMS.

The Exchange/Outlook tools are a nightmare. The rebasing tool causes all appointments set in the three week period between new DST time and old DST time to be sent out again so all our users came in to work one morning to find their inboxes filled with dozens of appointments which had been resent. And the whole dismal complicated procedure is so complex we've been told it'll achieve perhaps a 90% success rate and there will be problems that we have to fix manually.

No, ordinarily I'll at least be able to defend Microsoft against Linux zealots and fans, but this time they messed up. Big. That the people we talked to didn't even know this was coming a year ago until we alerted them is just wrong, and it has very plainly been downhill from there.

Re:That's one of the reasons I use OpenSource

[Tony+Hoyle]

For linux it's one file and that can be automated.

For Windows it seems that half the software needs to be patched, plus the OS (reboot required of course).

I mean... Exchange? Oracle? You'd think the authors of software like that would have a frikkin clue. Harcoding DST routines into user applications? WTF??

MS will be busy applying DST to their own servers

which is probably the real reason for no patches this Tuesday..........

Perhaps they need a good lawyer like the ones at http://www.bozolawyers.com/

Sorry buddy, it is a loss

[alexhmit01]

You're illustrating the broken window fallacy, which assumes that since money for repairs is spent somewhere, it isn't lost and is entirely stimulative.

The problem with that is that the opportunity cost of not having that money elsewhere. Of course money never vanishes, it recirculates. If the $1 spent on Y2K7 compliance isn't spent there, it is spent elsewere to earn a return, or as profits to be retained and reinvested or given to shareholders as dividends. All involved would no doubt prefer to spent the money A) increasing widget production, B) developing a new widget, or C) reinvesting it in a profitable opportunity elsewhere. None would choose to spend it D) on updating DST calculations.

Now, when an economy is in a depression or deep recession, sometimes their is a stimulative effect of bad spending (hence the Keynesian stimulation of deficit spending), because the economic loss of unemployed resources is such that the economy may get a lift from spending to bring it out of the depression... that's how WWII ended the great depression... in a non depressed economy, few would argue that the best use of scare resources is to blow up the cities of other countries and send a chunk of your workforce to go into combat half a world away, but in a depression, reducing unemployment through war spending and by removing conscripts from the potential labor force may be stimulative enough to get the economy growing.

However, right now, this isn't economically beneficial. That said, I can't wait for the extra hour of sunshine Monday night!

Alex

Re:Zero Day

[SilentChris]

If you haven't been following the mayhem, the original DST patch for Windows XP/2003 came out very late last year. That was coupled with a call to edit the timezone files manually in 2000. Fine.

Then Microsoft released another update in January, replacing the existing. That had to be regression tested and rolled out. Then they released a cumulative update with that and a new fix for a specific timezone (think it was Nova Scotia - can't remember). Fine.

Then, Exchange team came out and said "Guess what, now you need to update your servers as well." But you also need to update Outlook, because if you tell Exchange to fix calendars it'll screw them up in other countries that *aren't* changing this Sunday.

All the while, people are creating appointments that will become off by an hour when the time switches over. The Outlook update has gone through multiple revisions and just got a silent installer about a week ago. The earlier you did the system patch, the more likely appointments will be off.

On top of this, Blackberry and Treos didn't get their patches until late, and you need to do those AFTER the Exchange/Outlook patches. So we had to wait for MS to sort this nonsense out.

And I'm just talking messaging here. This doesn't even begin to go into the other software that's affected.

Re:Zero Day

[wordsnyc]

http://www.word-detective.com/101800.html#factoid

Blame it on CNN -- they started the whole ruckus by taking a perfectly good word and twisting it.

"Factoid" is one of those rare words that were undeniably invented by an identifiable individual, in this case Norman Mailer, in his book "Marilyn," published in 1973. The Oxford Dictionary of New Words defines "factoid" thus: "A spurious or questionable fact; especially something that is supposed to be true because it has been reported (and often repeated) in the media, but is actually based on speculation or even fabrication." Norman Mailer himself defined "factoids" as "facts which have no existence before appearing in a magazine or newspaper, creations which are not so much lies as a product to manipulate emotion in the Silent Majority."

Mailer invented the word by combining "fact" with "oid," a scientific suffix meaning "resembling or having the form of, but not identical to." Needless to say, "factoids" in Mailer's sense are the antithesis of serious reporting, and to accuse a journalist of trafficking in "factoids" was a grave insult, at least until CNN came along.

Re:DST (it's about the money)

[wasabikev]

It's not about energy, regrdless of the name of the bill it was in, it's about money- more specfically, commerce. Not as many people go shopping when it's dark out. That downtown just isn't as much fun to walk around when it's dark out. Conversely, when it's still light out (after work) people are more likely to go out and... that's right, spend money shopping. Bean counters figured out that the economy will generate [x] more dollars a year with an extra hour of daylight. That's tax revenue folks.... the retail sector wins, government coffers win, the only ones that gets hosed are those of us with toddlers trying to adjust thier bedtimes 1 hour. =P

Re:Why not just fudge the timezones permanently?

[mandelbr0t]

I don't get why we don't just push all the U.S. time zones forward an hour and leave them there, and get rid of this fall/spring switching. Because you share them with Canada, and we really need the spring-forward/fall-back. If we stuck with summer time, the sun would set at 3:30pm in mid-winter. If we stuck with winter time, the sun would rise at 4:30am in mid-summer. Either way, I'm glad the clock changes back and forth. That being said, I don't think there's anything to be gained by moving only 3 weeks, except to put some money in IT consultants' pockets.

Jedi Mind Trick

[RancidMilk]

Microsoft: "These are not the flaws you are looking for"
Customer: "These are not the flaws I was looking for"
Microsoft: "Go home and rethink your life"
Customer: "I will go home and rethink my operating system decision"
Microsoft: "What??? No! Your Life! Rethink your Life!"
Customer: "Rethink my li.... nux. I need Linux."

Doesn't do a damn thing for TZ env var usage.

This still doesn't help out the problems with the TZ environment variable usage under countless apps written in MS Visual C, Visual C++, .NET Studio, etc, where timezone logic has been hard-coded into all those MSVCRT.DLL and MSVC*.DLL files. Microsoft's usage of the TZ environment variable, depending on who you ask, might or might not obey the POSIX standard syntax for modifying the start and stop dates for DST encoded into the TZ variable's string (e.g. TZ=EST6EDT,M3.2.0,M11.1.0). I cannot find any official MS documentation on their implementation of how they read and interpret the TZ string for any version of Windows older than Vista, which purportedly does support the full POSIX syntax for TZ. There seems to be a mostly complete absence of official documentation for older Windows versions' TZ variable supported syntax.

To give an indication of how big of a problem this might become, a quick search on one of my servers shows no fewer than FIVE different versions of the Visual C runtime DLLs that could be affected, and some of my apps are written to use the TZ environment variable in lieu of obtaining the timezone info from elsewhere in the system. The vendors of those apps are clueless about the problem and are trying to feign ignorance about it too.

Microsoft does have a knowledge base article listing some replacement DLLs for each version, but they were just announced very recently (less than two weeks ago) and the DLLs are not downloadable... you must have a paid support agreement with them to get these.

The situation totally sucks.

I don't understand this

[lbschenkel]

I really don't understand this. All software should support arbitrary dates for DST start and end.

I am from Brazil and here we don't have fixed dates for DST. The stupid government change them every year. But at least every single piece of software produced here supports changing the DST period. You shouldn't have to patch anything but just change some configuration file (ok, changing the configuration file is still patching, but you got my point). How hard is this?

And probably most of those new patches *still* have hardcoded dates for the new DST period. So if it ever changes this whole mess happen again. Sigh... Won't they ever learn? Y2K, anyone?

Re:Useless and intentional waste.

[jb.hl.com]

The testing, of course, is required. It's the patch that's useless. It should be obvious by now that patching will never fix Windows security problems. The whole exercise is a waste of time and that may be intentional.

Patching will never fix *any* security problems in *any* system on desktop use. Most, if not all software, has vulnerabilities of some kind. You can't just dismiss Windows because it has holes in it, when there are holes in open source software as well.