There’s been a trend lately with Microsoft’s "critical" patches. You may
have noticed that a significant portion of the time, patches the company rates
as Critical aren’t critical on Windows XP SP2 and Windows Server 2003 SP1. This is certainly no accident.
With these releases, in my opinion, Microsoft has achieved some actual payoff for
its security efforts.
The yellow shield is in the System Tray reminding me this is Patch Tuesday.
And before I began to write this article, I installed all 9. (Yes, there are 8 patches and
one malicious software removal tool.)
Normally, my second column of the month is my “clean up your patch details”
column. (The first column of the month deals with the problems that beset us from
Microsoft’s Patch Tuesday.)
Last Friday, I got the news that Microsoft would only have a new Malicious Software
Removal Tool and a high-priority, nonsecurity patch coming out on Patch Tuesday. So I
thought I’d be writing to you with my thoughts on Hurricane Katrina. Little did I know
that we’d end up with quite a bit of patching news after all.
About six weeks ago, Microsoft released Update Rollup 1 (UR1) for Windows 2000 SP4.
Many people missed the security advisory, whereas some of those who saw the
advisory and did install the
rollup experienced problems. Microsoft has announced plans to reissue the update,
due to a few glitches affecting some customers, but has not yet given an exact
date for that release.
The calendar says we’re in the dog days of August, and Patch Tuesday this
week was crawling along pretty slow, too.
The expected patches were released, all right. But reports were soon received from
sources on the PatchManagement.org list that the
direct-download patches for Internet Explorer had faulty digital signatures. As reported,
however, the patches for Windows Update,
Microsoft Update, SUS, and WSUS were unaffected by this. I cover the details of
the problems below.
I go to Windows Update or Microsoft Update and think nothing of downloading
bits and pieces of what’s there. But many folks would really like to know what is
happening to their machines.
Where has the year gone? We’re already to the first Patch Tuesday of July, which means we have half of our patches for the year under our belt
and the other half to come.
A number of years back, I owned a car with a seatbelt that automatically
ran along a track and over my shoulder as soon as I closed my car door. It was
one of the first of its kind and I thought it was very cool. The only problem
was that you still had to manually pull the lap belt over to be completely safe
(and not be decapitated in a crash).
Unfortunately, the automated shoulder strap gave such a false sense of security
that it was easy to neglect the lap belt.
The week after Patch Tuesday typically is when more subtle issues of patches
start coming to light. This post-Patch week was no exception.