Microsoft Overloads the Patch ProcessBy Larry Seltzer | Posted 2005-02-08 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Opinion: It's going to take you a long time to deal with everything that happened today. Perhaps it would have been better for Microsoft to have two patch days this month.I'm done patching my own systems.
I threw caution somewhat to the winds this time. I did do some testing; I have a test desktop and a test server I install these things on and run a few tests involving common tasks of mine, but this time was different from most others.
This time Microsoft had put out so much information and so many patches that I really didn't have time to understand it all before I applied them.
Microsoft and others have attempted to set priorities in terms of the most serious problems, but only you know what issues are the important for your systems.
The problem of overload is even worse than the 12 security bulletins would indicate. Microsoft also chose today to release at least one Office patch unrelated to the vulnerabilities disclosed in the bulletins. There may be more, it's still too hard to tell given the sheer volume of information. Microsoft also chose today to release an update for Exchange Server 2000 related to a bulletin from last year.
But wait, there's more. Perhaps hoping to slip in under the radar, other vendors reported problems today. For instance, Symantec revealed a bug in the UPX (Ultimate Packer for eXecutables) engine in a large number of their products that could allow an attacker to inject code and take control from the engine. I'll have more on this later.
So while you're getting ready to update all your Windows systems, don't forget to update your Symantec products. And a non-trivial vulnerability showed up in Apple's MacOS X AppleFileServer.
Earlier I toyed with the idea of seeing if today's flood of patches cleaned the slate of unpatched vulnerabilities on Windows, but it appears this isn't the case, at least depending on who you talk to.
Last fall Finjan announced that they had found 10 new vulnerabilities in Windows XP SP2. Microsoft still disputes the severity of the problems, and in any event confirmed today that "none of the bulletins released today addressed any of the alleged vulnerabilities on Finjan's list..." So fear not, there are more bulletins to come.
The point of having a regularly-scheduled patch day, and later on of giving limited advance information, was to help administrators plan for updates and to schedule time in which to test and apply them. There's no way that anyone's regularly-scheduled interval will be adequate to handle everything that happened today.
It might actually have been better for Microsoft to have announcd last Thursdayinstead of saying that there would be 13 advisories (in the end there were only 12, as Microsoft held one back for further testing)that the advisories would come in two phases.
They could declare a special off-schedule patch day next Tuesday or whatever an appropriate period would be. They could divide the two days based on priority or on products.
Since Microsoft didn't split up the problems for us, we'll have to prioritize on our own. But we'll have to do it with the issues and the patches in public, which means that the exploits will be coming out quicker than they would otherwise. We can only hope that overload days like this are rare, but maybe Microsoft will even the workflow out when they happen in the future.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.