Risk
3/12/2007
05:55 PM

How Will You Spend Your Patch Tuesday?

For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Savings Time issues to even notice?

The temporary Patch Tuesday armistice is something of a relief for Bob Burritt, IS network and technology manager for Kettering Medical Center Network, a group of 50 health-care facilities in and around Dayton, Ohio. But he's not reserving a tee time just yet. "We always have something else to do so it is not a hole in anyone's workload," he says.

At Brown University, it's Paul Asadoorian's job as lead IT security engineer to review the monthly set of patches and make recommendations to the groups in charge of the school's desktops and servers based on the amount of risk each Microsoft vulnerability poses. Managing Patch Tuesday has become just another routine for Asadoorian and the rest of Brown's IT staff. "People always say it's a big day, but it's the normal course of doing business," he says.

In fact, the lack of a Patch Tuesday makes Asadoorian more uncomfortable than he would normally be on the second Tuesday of the month. "For me, I think it's pretty scary," he says. "It gives people too much of a sense of security."

Asadoorian would actually like to see Microsoft deliver more patches spread throughout the month rather than wait for one particular day. "You can't lose sight of the fact that attackers don't wait until patches come out to attack your systems," he says. "I would like to see Microsoft release patches out of cycle, so that we don't have to do our own workarounds."

So does this Patch-less Tuesday come as a big relief? A surprise? Just another day? Long overdue? "All of the above," says Larry Whiteside, information security officer for Marsh Inc., a provider of risk and insurance services. The lack of a Patch Tuesday disrupts what had become a monthly ritual for Marsh that included time spent analyzing each Patch Tuesday release and scheduling meetings to discuss them. "Every IT person I know of has taken a sigh of relief," he says. "This is more than long overdue, but my fear is this: what will happen next month?" Hopefully, it won't mean twice as many patches.

Has Windows overnight (or over the course of a month) become a much more secure product? More likely, Microsoft recognized that the timing of March's Patch Tuesday couldn't be worse, as companies were until this past weekend more focused on the Daylight Savings Time issue than anything else (even Windows). "To add Black Tuesday to the mix this month with critical vulnerabilities would send people reeling," Whiteside adds.

There are probably as many opinions about Patch Tuesday as there are people charged with securing their company's IT systems. We'd like to hear yours. Let us know how you'll be spending tomorrow's Patch-less Tuesday.
