Last month was rough for home patchers — and this month isn’t looking much
It seems like only a few days ago we were dealing with issues with Outlook
Express and Windows Shell. Here we are this month with another patch that so far
looks a bit tricky to get on our boxes, especially for home users without a patch-management adminstrator.
Here I was, looking for fallout from Microsoft’s Eolas/Internet Explorer patch
— but most of the issues came instead from other patches.
Just like everyone else, I was expecting most of the problems from Patch Tuesday
would be from 06-013. This is the cumulative Internet Explorer patch, which
changes the way Active X works. I wasn’t expecting to see issues in the Window
Shell patch, the Outlook Express patch, nor in OE’s Junk Mail Filter. These
issues, because they mostly affect consumers, have raised a concern about online
communities and self-help sites. I think they’re masking the real magnitude of
The Pacific Coast has been showered on
this week and now we’re being showered with security patches.
While the total number of security patches is not that large, it’s still a bit
of a downpour. This
month’s patch release includes not only a cumulative Internet Explorer patch,
but a change in browser behavior due to a patent dispute.
Normally before there’s a patch, we don’t get quite the advance notice that we did this time. An Internet Explorer
upgrade is coming that can impact your
Web-based applications. You need to know now how this may affect you, well before Microsoft
releases the patch on Apr. 11.
Why is this patch different? Because it’s not a security patch — it’s a
reaction to a patent lawsuit.
The bulletins came to my inbox. Two patches. One for Office, one for DACLs.
(What’s a DACL?) But that isn’t all. Microsoft Update has a few more patches it wants me to
In addition to the ever-present Windows Malicious Software Removal Tool for
and the monthly update for the Outlook 2003 Junk E-Mail
913161), we have a few other patches in Microsoft Update’s “high
priority patches” list. It reminds me that it’s not just security patches
that are up there in the top section.
With the patch issues that arose last week, and folks asking if Microsoft
tests patches before releasing them, it reminds us that Redmond still has a
long way to go in the trust department.
But Redmond wasn’t the only one with vulnerability and software issues this time
around. Apple has joined in the browser vulnerability battle with its Safari browser this
week. Sophos didn’t help much with its software giving off false positives.
It’s been more of a battle to clean up after our security tools than it was to
deal with patching issues this month.
The date on the calendar as Microsoft’s patches came out this week said St. Valentine’s
Day, the day for love and romance. But if you’re a patchaholic like me, a guy
who offered to patch my computers for me would be even more romantic than roses
Especially in a week like this, when he’d have to use some extra manual labor
to get my machines fully patched.
You are at risk. No, seriously. Every time you turn on any kind of
technology, you turn on risk.
The question for today is this: Exactly how do you know what risk you are taking when
you use that technology? Some argue that “old code” is secure code, under the
assumption that the older the code, the more “eyes” have
reviewed it. But is that true? Let’s revisit the Windows Metafile issue with
this in mind, shall we?
The ball dropped in New York, ushering in the New Year. But we network admins
were scrambling because of a zero-day
exploit for which no patch was available, other than hoping our antivirus
vendors would catch it.
Little did we know at that time that the ‘bug’ was perhaps a wakeup call for us
better procedures to handle a zero-day event in the future (as InfoWorld’s Roger
When you read that there’s a new security bulletin for IE, you probably tune me out
like you do with flight attendants: "Keep your browser
in its upright and patched position."
There’s a twist this week, though, as Microsoft closes a hole that’s already being
exploited but which hasn’t had a patch available for weeks.