With the patch issues that arose last week, and folks asking if Microsoft
tests patches before releasing them, it reminds us that Redmond still has a
long way to go in the trust department.
But Redmond wasn’t the only one with vulnerability and software issues this time
around. Apple has joined in the browser vulnerability battle with its Safari browser this
week. Sophos didn’t help much with its software giving off false positives.
It’s been more of a battle to clean up after our security tools than it was to
deal with patching issues this month.
The date on the calendar as Microsoft’s patches came out this week said St. Valentine’s
Day, the day for love and romance. But if you’re a patchaholic like me, a guy
who offered to patch my computers for me would be even more romantic than roses
Especially in a week like this, when he’d have to use some extra manual labor
to get my machines fully patched.
You are at risk. No, seriously. Every time you turn on any kind of
technology, you turn on risk.
The question for today is this: Exactly how do you know what risk you are taking when
you use that technology? Some argue that “old code” is secure code, under the
assumption that the older the code, the more “eyes” have
reviewed it. But is that true? Let’s revisit the Windows Metafile issue with
this in mind, shall we?
The ball dropped in New York, ushering in the New Year. But we network admins
were scrambling because of a zero-day
exploit for which no patch was available, other than hoping our antivirus
vendors would catch it.
Little did we know at that time that the ‘bug’ was perhaps a wakeup call for us
better procedures to handle a zero-day event in the future (as InfoWorld’s Roger
When you read that there’s a new security bulletin for IE, you probably tune me out
like you do with flight attendants: "Keep your browser
in its upright and patched position."
There’s a twist this week, though, as Microsoft closes a hole that’s already being
exploited but which hasn’t had a patch available for weeks.
I should have known it was going to be an unusual week when two wooden mouse
traps disappeared in my garage. I thought I had one kind of pest problem at
first — cute, furry little mice in my garage. It turns out, I probably had
a different critter: a rat.
The yellow shield is in the System Tray reminding me this is Patch Tuesday.
And before I began to write this article, I installed all 9. (Yes, there are 8 patches and
one malicous software removal tool.)
Normally, my second column of the month is my “clean up your patch details”
column. (The first column of the month deals with the problems that beset us from
Microsoft’s Patch Tuesday.)
Last Friday, I got the news that Microsoft would only have a new Malicious Software
Removal Tool and a high-priority, nonsecurity patch coming out on Patch Tuesday. So I
thought I’d be writing to you with my thoughts on Hurricane Katrina. Little did I know
that we’d end up with quite a bit of patching news after all.
The calendar says we’re in the dog days of August, and Patch Tuesday this
week was crawling along pretty slow, too.
The expected patches were released, all right. But reports were soon received from
sources on the PatchManagement.org list that the
direct-download patches for Internet Explorer had faulty digital signatures. As reported the
however, the patches for Windows Update,
Microsoft Update, SUS, and WSUS were unaffected this. I cover the details of
the problems below.