
A holiday gift from Microsoft?

Dec 15, 2003

* Microsoft declares December a patch-free month

Last week, I reminded you that on Tuesday Dec. 9, according to Microsoft’s new security patch scheme, a new set of patches and security alerts should have been available on the Security bulletin Web site. A quick check, though, reveals that nothing new has been posted. “Microsoft has no security bulletins to release as part of the monthly release cycle for December,” is the phrasing used.

So in only the third month of the new, vaunted monthly cycle of alerts and patches, Microsoft had nothing to offer. Does this mean there were no new vulnerabilities to report?

A number of news stories are touting the skipping of the patch release as a “holiday gift” from Microsoft. Let’s examine the circumstances a bit closer, though.

According to an IDG News Service story (see “Microsoft’s holiday gift: No patches”), Microsoft’s security czar, Iain Mulholland, said: “We have made a commitment to release [the monthly patch package] when we’re ready, when we have quality patches. There is simply nothing that has passed the bar yet from a quality perspective for release in December.”

So it’s not that there’s nothing to report, just that there’s nothing ready to release. The wording used appears to allow for the possibility (even the probability) that there are vulnerabilities known to Microsoft and that patches are in the process of being written and/or tested, and they’re simply just not ready to be released.

The next cyclical release date is Jan. 13. Can we wait that long if there is a problem?

Microsoft has said that there can be releases between the cycle dates of the second Tuesday of the month. According to Mulholland, “We will break cycle if there is a real, immediate threat.”

But just suppose there is a patch that’s undergoing test right now. And just suppose it passes all tests sometime next week. If there’s a real threat, then Microsoft will release right away and you’ll be expected to get the fix, do your own lab tests then roll it out as quickly as possible. Won’t that be a lovely Christmas present. Release on Christmas Eve, test on Christmas Day, roll out on Boxing Day and over the weekend.

I’m not saying this is what will happen; more than likely the holiday will pass quietly (at least on the security patch front). But it is possible that the only twinkling lights you’ll see on Christmas are LEDs in the server room. Ho, ho, ho!

Breaking News – Just as I finished writing this, the IDG News Service reported a glitch in the patch system, which saw a patch delivered on Dec. 10 to fix a vulnerability reported in November (the patch was supposed to ship with the security bulletin in November, but it didn’t). There was no word on when a patch to fix the patch system would be delivered.