Risk
3/12/2007
05:55 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How Will You Spend Your Patch Tuesday?

For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Savings Time issues to even notice?

For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Savings Time issues to even notice?The temporary Patch Tuesday armistice is something of a relief for Bob Burritt, IS network and technology manager for Kettering Medical Center Network, a group of 50 health-care facilities in and around Dayton, Ohio. But he's not reserving a tee time just yet. "We always have something else to do so it is not a hole in anyone's workload," he says.

At Brown University, it's Paul Asadoorian's job as lead IT security engineer to review the monthly set of patches and make recommendations to the groups in charge of the school's desktops and servers based on the amount of risk each Microsoft vulnerability poses. Managing Patch Tuesday has become just another routine for Asadoorian and the rest of Brown's IT staff. "People always say it's a big day, but it's the normal course of doing business," he says.

In fact, the lack of a Patch Tuesday makes Asadoorian more uncomfortable that he would normally be on the second Tuesday of the month. "For me, I think it's pretty scary," he says. "It gives people too much of a sense of security."

Asadoorian would actually like to see Microsoft deliver more patches spread throughout the month than wait for one particular day. "You can't lose sight of the fact that attackers don't wait until patches come out to attack your systems," he says. "I would like to see Microsoft release patches out of cycle, so that we don't have to do our own workarounds."

So does this Patch-less Tuesday come as a big relief? A surprise? Just another day? Long overdue? "All of the above," says Larry Whiteside, information security officer for Marsh Inc., a provider of risk and insurance services. The lack of a Patch Tuesday disrupts what had become a monthly ritual for Marsh that included time spent analyzing each Patch Tuesday release and scheduling meetings to discuss them. "Every IT person I know of has taken a sigh of relief," he says. "This is more than long over due, but my fear is this: what will happen next month?" Hopefully, it won't mean twice as many patches.

Windows has overnight (or over the course of a month) become a much more secure product? More likely, Microsoft recognized that the timing of March's Patch Tuesday couldn't be worse, as companies were until this past weekend more focused on the Daylight Savings Time issue than anything else (even Windows). "To add Black Tuesday to the mix this month with critical vulnerabilities would send people reeling," Whiteside adds.

There are probably as many opinions about Patch Tuesday as there are people charged with securing their company's IT systems. We'd like to hear yours. Let us know how you'll be spending tomorrow's Patch-less Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web