The second Tuesday of the month is when topics usually move from Chris
Mosby’s Over the Horizon column
to mine, because Patch Tuesday is when problems morph from unpatched to patched.
This week, that didn’t happen at all, and the big news is more about the patches that
weren’t released than the patches that were released.
The last batch of official patches for 2006 leaves us with a few unpatched
vulnerabilities, as Chris Mosexplains, above. But we’re rid of a few "zero day"
Microsoft’s December patch batch also includes a number of confusing, nonsecurity patches,
but I hope to make everything clear for you.
Steve Ballmer was at NASDAQ on Nov. 30 to announce that businesses
are now able to purchase Vista.
For the rest of us, it’ll be after the New Year before we start to
see the patching changes that will impact us the most —
but that doesn’t mean they’ll be small.
Windows Vista was released to manufacturing last week and is expected on
the MSDN download site this weekend. But it’s not yet on our Patch Watch radar
— our steadfast Windows 2000 and XP SP2 machines are.
We said goodbye last month to Microsoft support for XP SP1. Unless you have a patch support contract, you’ll no longer get any patches for that version.
While everyone was in a tizzy over IE7 hitting the streets, the rest of us
mortals were still tracking issues with the patches we got earlier this month.
There are times IT folks overreact to technology changes, such as IE 7 —
but I guess that’s what makes us human.
This month, we say a fond farewell to MS support for Windows XP SP1, pay tribute
to Ray Noorda, and get ready for IE 7.
We also find that the servers at Microsoft Update have taken a page out of Woody
Leonhard’s "you should wait to patch" handbook and decided
to make you do just that.
I’m flattered when folks say they don’t patch their systems until they read
my column, but this
month I’d rather you read Chris Mosby’s column first.
With all the unpatched issues that arise with IE,
it’s not enough to be “fully patched” with Microsoft’s latest fix (MS06-055), you also need
to install workarounds when you hear of them. Fixing recent Microsoft patches —
for example, the two-week-old MS06-049 — is also essential, as I describe below.
I thought all I needed to worry about this Patch Tuesday
was a Windows patch or two and an Office patch.
But it turns out to be essential that you redo August’s critical Internet Explorer and Server
Service patches on Windows 2003 and XP SP1.
I feel like telling everyone to print out today’s
Windows Secrets Newsletter and read it while you’re deploying this month’s patches.
Not only do we have a busy patch month, but the very first patch has many in the
industry thinking that we might see a full-scale, MSBLAST-like incident again.
There are products that need major patching this week, but they aren’t all from Microsoft.
We’re so used to Microsoft programs having security implications
if we don’t patch that we forget the many other software programs that can impact our systems.