Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security Microsoft

Microsoft Skips Patch Tuesday 164

maotx writes "According to their recently released security bulletin, Microsoft will skip this month's Patch Tuesday. Patch Tuesday, also known as Black Tuesday amongst Administrators, is the second Tuesday of every month, in which Microsoft releases a series of patches and critical updates for its various operating systems and applications."
This discussion has been archived. No new comments can be posted.

Microsoft Skips Patch Tuesday

Comments Filter:
  • by guildsolutions ( 707603 ) on Saturday September 10, 2005 @11:21AM (#13526170)
    That security on there software is too expensive, and that they can lower the TCO and become cheaper tha linux by forgoing security completely.
    • Hey, you know what? The average user still doesn't give a damn. And that's why windows is so insecure -- it's not because it has market share, it's because the average user doesn't feel the need to update.
      • Very true. Microsoft could help the cause by making updates simpler, and requiring less restarts. Have you seen a mac when it needs its OS updated? Its much simpler.
        • The thing about Darwin (OS X) is that it runs on a micro kernel. You can unload parts of the kernel, make changes and reload them. That's really cool. There is a micro kernel project for linux also, but I've never looked at that. I'm happy to restart my desktop when I recompile the kernel. That's acceptable for me.
          • Would putting a microkernel in Linux even leave you with Linux? Linus Torvald's opinions on microkernels is well known.
            • Well this is getting offtopic now, but it does not stop a side project from deploying this as a patch, like many features in the past, eventually enough people want it and then it becomes main stream.

              I think it's just something that Linus will think 'hey i could have done this if it was a micro kernel' and his views may change. Who knows, it's forever being changed.
              • Considering the kind of re-engineering that has to go in the process, 'patch' is just not the appropriate word to use here. Try 'fork'. Btw, L4Linux, MkLinux are existing codebases that do what you want.

            • I think the grandparent is talking about this [tu-dresden.de], which doesn't really do much.

              Microkernels are an inevitable future. They have so many advantages for developers and users, and their only real downside is speed. Linux is great and all, but there's so many really cool things that can be done with operating systems that just aren't possible with a monolithic kernel. Maybe some kind of Linux compatibility layer (like FreeBSD has) could be used to ease the transition.

              • Hi,

                > Microkernels are an inevitable future. They have
                > so many advantages for developers and users, and
                > their only real downside is speed.

                I've seen this line of reasoning outlined for the last 15 years or so.

                The fact is speed still matters and will likely continue to matter, and microkernels still aren't the majority. Purists even dispute that OS/X runs a microkernel...
        • That said, windows has part of the GUI in the kernel to 'speed' things up aparantly. Is not the goal of efficent programing to only include the basics of what you need in the kernel and build up from there? IE, why do you need to reboot to change the windows domain you belong to, or the workgroup for that matter? That said, I belive it is one of the biggest security risks associated with windows, is when you boot the machine, everythings built into the huge kernel and everything is turned on and started. If
          • The goal of efficient programming is to create efficient code.

            In this case, the Windows GUI is very responsive on even the slowest of computers. On the other hand, OS X requires a reasonable video card, and Linux GUI is just always slow.
        • I just had to restart my Mac to install iTunes 5 and always have to for an OS update. Some security updates don't require a restart, but many of them do as well.
          • Yes but to fix a bug in Apache you dont have to restart. A lot of the security updates that deal with libraries and stuff you do need to restart. Why iTunes requires a restart I am not exactly sure, that has always baffled me.

            But wouldnt you agree that keeping your mac up to date is much simpler than keeping your windows PC up to date?
            • I don't know... Open IE which I have homepaged to http://update.microsoft.com/ [microsoft.com] since I use Firefox for everything else.

              Click the Custom Button

              Select the updates I want, normally all of them, click the download/install button.

              Do other things as the updates download and install.

              Normally a reboot after the process is complete

              What is so hard about that? Or if you're a confused home user just leave the automatic updates turned on. It will automatically download the updates and install them for you. It wi

          • It's still much simpler. OS X's Software Update is an actual application, not a webpage, and it lists available updates and nothing more. You fire up the app from the Apple menu, check the boxes, and start the download process.

            Windows starts up Internet Explorer and opens the Windows Update site, which is loaded with hyperlinks and buttons, has an "Express" and a "Custom" update process, and generally requires more clicking and waiting to get it done.
            • you apparently don't know what you're talking about. windows update does NOT open a browser with "express" and "custom" buttons. by default in xp sp2, it is set to automatically download & install updates. updates are done in the background. when the update process is completed, the user is prompted to reboot. gee - that sounds easier than the "fire up the app from the Apple menu" process you described. going forward, you should get a clue before spouting utter bullshit. but it was a nice try, asshole.
              • You apparently forgot your medication this morning. Windows Update, the web site that is in your Programs menu by default, displays an 'Express' and a 'Custom' button for choosing your updates. With SP2, there are also more Automatic Updates features included, but that web site is still there and still useful for application upgrades.

                The same thing goes for Mac OS X. You can either select Software Update from the Apple menu to manually grab new updates, or Software Update will spawn as often as you choose
          • If you install iTunes, and at the point where the dialog box with the restart button appears press command-option-escape, and kill the installer, you don't have to restart the computer and iTunes works fine. At least that's what I did with iTunes 5.

      • Microsoft software is insecure because that is a way of "maximizing shareholder value", in my opinion.

        When people have problems with their computer, they often buy a new computer [nytimes.com]. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks.

        That also seems to be why Microsoft software is so... unfinished. If they ever finished the job, no one would need to buy another copy. So maximizing shareholder value means minimizing quality as much as possible, considering what c
      • by l0ungeb0y ( 442022 ) on Saturday September 10, 2005 @02:26PM (#13526947) Homepage Journal
        That's complete BS. The average user does give a damn.
        The problem is that the average user is scared as hell to update their Windows OS because when they have in the past it broke things and caused all sorts of problems.

        There's an old saying: "Once bitten, twice shy".
        You do the "right" thing only to get bitten in the ass because of it, you learn quickly not to do that again.

        The average user isn't a geek and while so many geeks can't understand this fact and rant how most people are clueless.
        This works both ways. How would you like it if every trip to the auto-mechanic you were chided for having certain tires, not using a particular brand/weight of motor oil, not being timely enough in getting a tune up, why didn't you change your own oil, your tire pressures too low? Or if you went to a lawyer, you were spoken down to and treated like a schmuck because of your ignorance of legalese?

        So when these people run Windows auto-update in their attempt to "be good" and then need to call in some geek to fix it, only to get an ear-full of crap about IE this and Outlook that and VB-de blah de blah, you think they really want to suffer that indignity again?

        It's a two fold problem really -- Running MS Auto-update is like playing Russian Roulette and if you lose, you've got to fork over cash for a lecture from some holier than thou sociopathic computer geek that's lost all perspective of life outside /.

        So for many, the best option is to ignore the patches to avoid the headaches they've learned by experience to associate with negative experiences.

        And it's people like you that help reinforce that associative perception. Good job.
        • Except that in the auto industry, like any other industry, if thousands upon thousands of mechanics told *everyone* that a using a particular brand of oil would fuck up their engine (making a comparison with IE/Outlook Exp. here), then if after some time you were using that brand of oil, it's your damn fault if the engine acts up and yes, you should be chided for it (first-time infractions can walk away free).

          Beware that you have a good point there, still, it doesn't apply to some of the stuff "us geeks" ha
        • How would you like it if every trip to the auto-mechanic you were chided for having certain tires, not using a particular brand/weight of motor oil, not being timely enough in getting a tune up, why didn't you change your own oil, your tire pressures too low?

          Ok here's a scenario, I go to the mechanic and tell him "My engine has no power and heats up really quickly now." and he checks a few things, comes back and says "You have no oil." He'll put in some oil, tell me to check it every so often stuff like
        • How would you like it if every trip to the auto-mechanic you were chided for having certain tires, not using a particular brand/weight of motor oil

          To be fair, if you drove around with the automobile-safety equivalent of internet explorer, the police would pull you over and tell you to stop driving until it was fixed...

    • It doesn't cost anything to 0wn a windows box and I've got a 10k strong botnet to prove it!
  • Yes! (Score:5, Funny)

    by MyLongNickName ( 822545 ) on Saturday September 10, 2005 @11:22AM (#13526175) Journal
    Finally, all of the Microsoft vulnerabilities have been fixed. No more work to do.

    In your face, LINUX!
  • by freetipe ( 913682 ) on Saturday September 10, 2005 @11:23AM (#13526181)

    "Patch Tuesday" has cancelled.
    "Hawaiian Shirt Friday" will continue as normal.
    "Executive Chair Throwing Saturday" is uncertain, but quite likely.

  • by Gopal.V ( 532678 ) on Saturday September 10, 2005 @11:25AM (#13526188) Homepage Journal
    A patch every month ?. Do they hold onto the patches if it happened to be one that slipped a schedule and became available on the thursday after the first release. Do they wait an entire month before shipping in the next ?.

    I've often heard tuesday mid-morning was the best time to release a new package - mostly hearsay. Any bit of truth in it ?

    Tuesday's are considered unlucky in Indian lore - to undertake new things. Wednesdays are the day of beginnings - but it's already Wed here by the time it's released worldwide.
    • by Saven Marek ( 739395 ) on Saturday September 10, 2005 @11:42AM (#13526244)
      The whole idea of releasing patches only once a month and on a set date is ridiculous.

      Vulnerabilities aren't discovered and exploits aren't written to respect the timing of Microsoft in this regard.

      What happens if a vulnerability is discovered and an exploit written for it a couple of days after patch tuesday? Microsoft's whole bug fixing scheme is then set to only handle it 28 days later.

      And we all know what happens in 28 days later.

      What happens when a vulnerability is fixed that needs more testing for many people, but also comes attached to vulnerabilities that can be simply exploited? do we wait for the former before applying the latter, or apply the latter and to hell with the consequences in the former?

      I think this is moron thinking. Each patch should be one small patch to fix that vulnerability and only that vulnerability. no other bug fixes with regards to non security issues, no combining patches, no waiting for days to fix a patch.

      Then the monthly updates can be set client side however the client wishes to handle it. daily or weekly or monthly. whatever they wish to handle. at the time.

      • MOD PARENT UP!! Good thinking.

        Lameness filter encountered. Post aborted! Reason: Don't use so many caps. It's like YELLING.

        We have a lame lameness filter.

        --
        If your gov't chooses killing as policy (CIA trained Arabs in 1980), expect others to choose the same.
      • I'd even advocate MS writing patch worms that force exposed and flawed computers to close a hole that would cause a destructive worm to tear across the net, such as Zotob and Blaster did. But I know that Microsoft is famous for breaking its own products with its own patches, so I can't really support that method.

        I installed SP4's Rollup 1 on W2K the other week, and it broke Office XP's ability to save to the Floppy drive!
      • by lseltzer ( 311306 ) on Saturday September 10, 2005 @01:39PM (#13526666)
        Just so it gets said, they set this schedule because large corporate customers demanded it, and they're happy with it. In case this is the first time you noticed, they've been doing this for almost 2 years I think. Oracle does something similar, on a quarterly basis. Having a regular schedule (with some warning in advance of which products are affected and how many updates there are) allows them to plan for patching in advance.

        The fact that they have a schedule doesn't preclude them from issuing an "out of cycle" update, which they have done 2, maybe 3 times.
        • large corporate customers demanded it

          I assume you mean the spam-bot operators. They're the ones who benefit the most from this schedule because if they time their exploits right, every new crack can be used for a full month.

          Any other "large corporate customer" would demand the publishing of workarounds AS SOON AS ANY WORKAROUND IS IDENTIFIED for a security issue - even if that workaround is "disable the XYZ service".

        • They also do this because it allows those large corporate customers (and others but that's not so much the issue) to update their systems with the new patches the day the patches are released.

          Contrary to popular Slashdot thinking, very few windows vulnerabilities have been exploited before the patches were issued (ignoring the person who discovered and verified the exploit.) Most of the big-name viruses that have spread based on Windows security flaws spread after the patches were available.

          A previous poste
      • I believe the original intention was for large corporations who have to patch several thousand machines. Going to each machine every day to do a single patch would be absurd. But instead, you could patch them all the same starting on that Tuesday and working your way through the month. However, you are still patching machines like crazy. And setting it client side only works in non-domain situations, like home computers, or peer to peer networks. If you are a domain user, chances are, you are not allowed to
        • Not only that, I think it is also the matter of making sure the patches don't conflict with the plethora of existing software that the corporations use, rather than just blindly updating every computer. I had one computer which would use 100% of CPU power while doing nothing if a certain patch was applied, for reasons I didn't understand. I think it would be a very bad thing to have if this happened on nearly every one of an organization's fleet of nearly identical computers.
      • Vulnerabilities aren't discovered and exploits aren't written to respect the timing of Microsoft in this regard.

        Correct and incorrect at the same time. Patches are reverse engineered and exploits are written based off of the changes in the patch. Which means once you release a patch, the clock is ticking for your customers to pick it up and deploy it before some script kiddie writes a worm that brings down your network.

        What happens if a vulnerability is discovered and an exploit written for it a couple of
        • No, they can't. The changes in Microsoft's patches are reverse engineered. Exploits are written against a patch within 72 hours. Once the patch is released, you MUST deploy it or your are vulnerable to every bot author who wants to add your machine to their zombie army.


          This is SO true. Zotob was reverse engineered and released only two or three days after the patch was released.

    • If M$ were running a hospital, ambulances would come once in a month to your house, asking if someone is serious, and the day when it comes to your house would always be a tuesday. Unfortunately due to unforseen reasons, this month, M$ is unable to send ambulance to your house. M$ feels there are not enough emergencies this week, or that the hospital is already overwhelmed.
      ----
      This space intentionally filled up.
    • > I've often heard tuesday mid-morning was the best time to release a new package

      Back when weekly trade papers mattered, Tuesday was early enough to make next week's papers. Monday was too early; the journalists might not yet be recovered from the weekend.
    • I expect they try to keep on schedule, but they've known about these bugs for weeks or months already so what's another month if the vulnerability hasn't been disclosed?

      Does releasing patches on a regular schedule increase security by increasing the uptake of patches, or decrease it by increasing the time from discovery to patch? Does anybody have any numbers on the uptake of Windows patches since they started the monthly schedule?

    • " A patch every month ?. Do they hold onto the patches if it happened to be one that slipped a schedule and became available on the thursday after the first release. Do they wait an entire month before shipping in the next ?"

      Yes, that is exactly what they do. It was a business decision - they were getting hammered in the press because of the frequency at which people had to update their computers. So they decided to move things to a monthly schedule, because psychologically it would lend an air of normalcy
  • In Firefox, the linked website is wider than the screen. Did anyone try it with IE?

    As far as it goes, Black Tuesday is only a means for hackers to learn vulnerabilities in Windows by analyzing the dropped bits. It's very infrequent that an exploit is released before the updates are.

    Windows is sure to have many problems, but if hackers are only willing to investigate changed bits and then attack not-yet updated systems, then not putting any updates out will keep those hackers at bay.

    I don't think they shou
  • Patches? (Score:1, Funny)

    by slideroll ( 901934 )
    We don't need no steenking patches!
  • by Zocalo ( 252965 ) on Saturday September 10, 2005 @11:30AM (#13526202) Homepage
    It's not so much that there isn't a patch this month, as that Microsoft has decided to hold off on releasing a patch due to stability concerns, which is laudable. So, while we have no patches this month, we also have a known unpatched, remotely exploitable hole in Internet Explorer until the eventual release. The big question is, will Microsoft release an out of cycle patch to fix the issue, or will be have a full month of PCs getting owned just because they visited the wrong URL using IE6?
    • by maskedbishounen ( 772174 ) on Saturday September 10, 2005 @11:39AM (#13526232)
      (...) or will be have a full month of PCs getting owned just because they visited the wrong URL using IE6?

      And how is that different from any other month?

      *ducks*
    • I tend to believe the latter; which is a shame cause I want some time off...sigh/
    • The big question is, will Microsoft release an out of cycle patch to fix the issue, or will be have a full month of PCs getting owned just because they visited the wrong URL using IE6?

      They have to make sure they don't break the five or six of ten [slashdot.org] PCs that can actually fill out FEMA registration forms do they? That would nail one the only real advantage that platform has right now. They can break them in a week or two, so the patch that improves your net half life from 12 to 15 minutes will come. While M

    • It's not so much that there isn't a patch this month, as that Microsoft has decided to hold off on releasing a patch due to stability concerns, which is laudable.

      It's laudable if the stability concerns truly do outweigh the security concerns.

      But, then, Microsoft is weighing the evidence and making the decision for everyone, all at once; not individual sysadmins, who might weight the balance differently, depending on the stability of their particular application mix. You're not making the decision. They ar

    • What ever hole exists has probably existed for a long time. When Microsoft discovers a hole themselves (or when a third party who knows how to keep their mouth shut discovers it and tells Microsoft) there is not that much additional risk created by leaving the hole there until they have the right fix and even more importantly until they have prepared customers (by having set release dates for fixes) to make the update very quickly.
  • by Henry V .009 ( 518000 ) on Saturday September 10, 2005 @11:32AM (#13526212) Journal
    "Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released. Microsoft is committed to only releasing high quality updates that fix the issue(s) in question, and therefore we feel it is in the best interest of our customers to not release this update until it undergoes further testing."
    That is one positive thing about Microsoft. When they release a patch, you can be sure that it has been tested through the roof. It's a rare open source project that can match Microsoft on that.
  • The Inquirer has a story [theinquirer.net] saying that there was a critical update and the software tool coming out September 13.

    WTF?

  • by bearl ( 589272 ) on Saturday September 10, 2005 @11:39AM (#13526229)
    TFA article clearly says that they're issuing several updates right on schedule this coming Tuesday.

    They are delaying a security update that was previoiusly scheduled for Tuesday. They're delaying it because they found some problems during late testing. Good on 'em for that.

    Aside from that, the rest of the updates will be issued as scheduled.
    • by Anonymous Coward
      I have always wondered what it would be like if magically, all of M$'s non-techie customers (private and commercial) suddenly had the ability to fully understand the way their "Magic boxes" work, and could objectively evaluate what Microsoft tells them.

      What a wonderful day it would be if average users started asking hard questions and DEMANDING answers (as in: Why does there need to be a patch Tuesday in the first place?)

      I'm not a Linux fanboy by any means( I use both windows and linux boxes, and both OS's
    • An inaccurate headline and summary on Slashdot? You, sir, are threatening the hegemony.
  • Notice how the wording says that no SECURITY patches are coming out this month due to their "strict focus on quality"? Notice that there's still a high=priority non-security patch coming out.

    I looked for examples of what this covered on my WSUS server, and found that this generally means, "Some patch or service pack or program isn't going to install/run unless you install this 'non-security patch'."

    KB885523: "This update resolves a compatibility issue with a non-Microsoft software application installed on
  • by marktwen0 ( 650117 ) on Saturday September 10, 2005 @11:48AM (#13526265)
    Microsoft announced they had omitted the patch

    Funny--my girlfriend also said something about not needing to use the patch this week...and something else about a missed month...

    Oh, wow! Cigars, anyone?

  • It's good to know no more patches are needed for Windows, and that it is now finally secure.

    Next month, on the day formerly known as patch Tuesday, Microsoft will buy everyone a pony. Henceforth it shall be known as Microsoft Pony Tuesday. We shall be celebrating with the pixies and faeries!
  • When the title says "Microsoft skips patch tuesday", it means that Microsoft will skip a patch's deployment on tuesday, not that they are going to cancel the "patch tuesday".

    Sigh.
  • by Mad Man ( 166674 ) on Saturday September 10, 2005 @11:55AM (#13526288)

    Patch Tuesday, also known as Black Tuesday amongst Administrators, is the second Tuesday of every month in which Microsoft releases a series of patches and critical updates for its various operating systems and applications.


    I always refer to it as "That time of the month for P.M.S.: Patching Microsoft Servers."

    ("Patching Microsoft Systems" also works).
  • If your present vehicle is working, what incentive do you have to buy a new one?
    It's only after it becomes unreliable (or really ugly from rust etc) that you think about replacing it.

    Software (despite what M$ would have us believe) doesn't wear out.

    The only way to sell new stuff is have it break down. They only fix a few vulnerabilities at a time to make us believe they're trying to keep it safe, but they really built the "rust" at the factory.

    Add a few new "features" (read code bloat) and the replacem

  • Why would a business invest in software that has a set patch schedule. Would they buy a fleet of cars that need to be brought in to fix a safty recall monthly?
    Sure, a safety fix deals with life and death, but look how much money some of the corporations stand to loose to this bullshit. Look at Caterpillar.
    • If that company doesn't replace its cars' tires or brakes as part of a regular maintenance routine, those said cars will eventually careen off the road and kill someone.

      In fact, usually car manufacturers recommend that tires and brakes be checked at every oil change, or 3 months. Hmm.

"You know, we've won awards for this crap." -- David Letterman

Working...