Yesterday's "Patch Tuesday"--that day of the month when Microsoft discloses the problems in its products that could cause you big headaches if you don't apply the patches--was one helluva patchfest. According to Microsoft-watchers--who make a good living cleaning up after Microsoft--the Redmond giant is breaking its own records for patches.
3Com's TippingPoint division claimed that yesterday marked "the most vulnerabilities fixed by Microsoft at one time." Qualys only went so far as to say Microsoft had tied its previous record set back in February 2005.
"Microsoft issued twelve new patch bulletins containing 21 new vulnerabilities with the potential for remote code execution," noted Amol Sarwate, manager of the vulnerability research lab at Qualys. "This is the largest number we have seen since February of 2005."
According to Sarwate, "The significance of this large number of patches lies in the fact that 19 of them are remote code executions. And they affect so many applications--Microsoft Word, Internet Explorer, Microsoft PowerPoint, etc--all of which are so frequently used and sent as attachments in the course of business that without patching these vulnerabilities, you would have to in effect tell your employees to just stop working."
There's an idea! Let's have a new holiday, "Patch Day," which everyone except the systems administrators gets off. For them, we'll create another special holiday, "Patch Wednesday," where they can collapse with exhaustion after applying these patches to office computers without having to use up a sick day.
Some say Microsoft's "Dirty Dozen" patch bulletins are "Mission Impossible" for sys admins anyway because there's no way they could roll out all these patches in one day.
"The sheer number makes it nearly impossible to roll out," said Eric Schultze, chief security architect at Shavlik Technologies, which makes patch-management products. "It will take three hours just to read all the bulletins."
For three weeks, there's been an exploit out for the Word vulnerability, said Schultze. He added, "Word and Office patches are notoriously difficult to deploy as are Exchange patches."
For Microsoft, "It sucks that this coincides with TechEd," Schultze pointed out, referring to Microsoft's big technical conference going on this week in Boston where Microsoft tells attendees about product plans.
"It's bad timing but that's the way it's happening. Frantic admins are going to be going back to their hotel rooms to see how the patching is going back at their organizations," Schultze predicts.
According to McAfee, Microsoft has the dubious distinction of having to patch 70% more critical vulnerabilities in the first half of 2006 compared with the same period last year. McAfee advised sys admins to pay special attention to MS06-025 and MS06-029 since these are candidates for exploitation by mass-mailer worms.