Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:30 PM
Connect Directly

Daylight Saving Switch Won't Help Hackers

Daylight Saving Time changes won't have a big impact on security, but some things could fall through the cracks

Microsoft's not worried about the impact of the extended Daylight Saving Time (DST), which moves up by three weeks this year to March 11 and extends by one week, to November 4.

Should you be?

M3 Sweatt, chief of staff for Microsoft's customer and partner satisfaction group, says he's been working closely with customers to prepare for the time change, and the majority of Microsoft's patches for the new DST are already out. And most security tools use the atomic clock-based Coordinated Universal Time, also known as UTC, to keep time, he says, so there won't be any major security implications of an extended DST.

"I don't think a lot will be impacted by this on a security basis," he says.

Experts agree DST won't be the frenzied non-event that Y2K was, nor will it cause major security breaches. But DST could still cause some headaches and open some potential security holes. Gartner has warned that DST changes could wreak havoc on arrival and departure times for the travel sector, as well as cause potential financial transaction errors leading to late payments.

Michael Rothman, president of Security Incite, says the risk of any major security fallout due to DST is minimal. The most likely problems would stem from calendars not synchronized with the new DST. "If you have a triage meeting to discuss what to fix today, and half the team shows up an hour later, that could problematic."

Sweatt says Microsoft isn't issuing any DST patches for its Antigen or Forefront security tools because they use the UTC for time. Windows Vista and Office 2007 don't need patching because they were built with the new DST changes in mind. Networking products for the most part won't be affected by the DST changes, either, he says. "Unless they do things that render time from a DST-displayed clock."

"We have heard examples of businesses who have coded their read-time directly from a system clock... They may have to retool their applications," Sweatt says.

"It's the old [software] you worry about -- you'll get time and date discrepancies which could cause systems to crash or result in corrupted data," notes Rob Enderle, principal analyst at the Enderle Group. "Manual fixes could leave systems exposed as people have to go into a lot of systems that aren't touched very often and probably aren't that secure." Many such older systems use administrator privileges that could open up potential windows for attack, he says.

Microsoft is advising customers to watch their electronic calendars closely during those first three weeks of DST. "We're telling them 'you know your calendar best,'" Sweatt says. "For those three weeks, make note and make sure they are correct," including the start and end times, body, and subject.

Overall, security experts say they don't expect any major security fallout from the DST change, just some isolated problems. "There's too much UTC and NTP [Network Time Protocol] daemons" out there, says Ralph Logan, partner with The Logan Group. "There's always the theoretical problem with time/date shifts... But the window of opportunity [for an attacker] is so small and the technological 'advantage' is so small."

"I don't really expect the DST thing to register much past 1.0 on the Richter scale," Security Incite's Rothman says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Security Incite
  • Enderle Group Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-06
    The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
    PUBLISHED: 2021-05-06
    Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
    PUBLISHED: 2021-05-06
    Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and ex...
    PUBLISHED: 2021-05-06
    Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the ava...
    PUBLISHED: 2021-05-06
    Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid I...