
3/12/2007
05:55 PM
How Will You Spend Your Patch Tuesday?

For the first time since September 2005, 30 days will come and go without what has become a monthly ritual across the IT landscape. Patch Tuesday's reliable stream of bulletins and patches has been silenced for the time being. Is this the equivalent of a snow day for IT security pros? Or are they too burnt out from dealing with Daylight Saving Time issues to even notice?

The temporary Patch Tuesday armistice is something of a relief for Bob Burritt, IS network and technology manager for Kettering Medical Center Network, a group of 50 health-care facilities in and around Dayton, Ohio. But he's not reserving a tee time just yet. "We always have something else to do, so it is not a hole in anyone's workload," he says.

At Brown University, it's Paul Asadoorian's job as lead IT security engineer to review the monthly set of patches and make recommendations to the groups in charge of the school's desktops and servers based on the amount of risk each Microsoft vulnerability poses. Managing Patch Tuesday has become just another routine for Asadoorian and the rest of Brown's IT staff. "People always say it's a big day, but it's the normal course of doing business," he says.

In fact, the lack of a Patch Tuesday makes Asadoorian more uncomfortable than he would normally be on the second Tuesday of the month. "For me, I think it's pretty scary," he says. "It gives people too much of a sense of security."

Asadoorian would actually like to see Microsoft deliver patches spread throughout the month rather than hold them for one particular day. "You can't lose sight of the fact that attackers don't wait until patches come out to attack your systems," he says. "I would like to see Microsoft release patches out of cycle, so that we don't have to do our own workarounds."

So does this Patch-less Tuesday come as a big relief? A surprise? Just another day? Long overdue? "All of the above," says Larry Whiteside, information security officer for Marsh Inc., a provider of risk and insurance services. The lack of a Patch Tuesday disrupts what had become a monthly ritual for Marsh that included time spent analyzing each Patch Tuesday release and scheduling meetings to discuss it. "Every IT person I know of has taken a sigh of relief," he says. "This is more than long overdue, but my fear is this: what will happen next month?" Hopefully, it won't mean twice as many patches.

Has Windows overnight (or over the course of a month) become a much more secure product? More likely, Microsoft recognized that the timing of March's Patch Tuesday couldn't be worse, since until this past weekend companies were more focused on the Daylight Saving Time change than on anything else (even Windows). "To add Black Tuesday to the mix this month with critical vulnerabilities would send people reeling," Whiteside adds.

There are probably as many opinions about Patch Tuesday as there are people charged with securing their company's IT systems. We'd like to hear yours. Let us know how you'll be spending tomorrow's Patch-less Tuesday.
