That's the day when Microsoft releases its monthly package of patches. And October's Patch Tuesday -- Black Tuesday for many in IT -- was a doozy: 10 patches for 22 newly discovered vulnerabilities. Administrators now face a mountain of work to prioritize, test and deploy them. And that mountain must seem like Mount St. Helens -- guess wrong about which patches to focus on first and you run the risk of a security eruption that will...
bury your organization under a heap of worms.
Security and patch management experts warn that Internet-facing systems are most vulnerable, so patches that apply to them are probably a good place to start. There are, however, plenty of curveballs thrown in that will challenge admins searching for their organization's soft underbelly. Good examples are the flaws in NetDDE and NNTP, features that are normally off by default in Windows, but can be enabled without anyone realizing it.
Folks that are running older versions of Windows such as NT are going to find this most recent patch cycle particularly stressful, according to patch watchers like BindView's Mark Loveless. "If … you're all on NT and you've got 10,000 machines, then it's going to take you a long time to roll those out."
It's a cruel coincidence that the busiest cycle in Microsoft's Patch Tuesday program also fell during the same month as the original Black Tuesday (the stock market crash of Oct. 29, 1929).
Elsewhere in the news
This week, Microsoft fired up a firewall partnership with a Massachusetts-based appliance maker. Under the deal, Microsoft's Internet Security & Acceleration Server 2004 software firewall will run on Network Engines Inc.'s NS Series of firewalls. While it has been saying publicly that a software firewall by itself provides enough protection for an enterprise, Redmond appears to be acknowledging that customers may not be comfortable protecting the network edge with a software-based firewall alone. … Despite being rebuffed recently over its proposed Sender ID protocol, Microsoft is still active in the standards process. Recently, it joined forces with Sun Microsystems and others on a specification that describes how Web services can be used in data centers as a remote management access protocol. WS-Management is the fourth collaboration between Microsoft and Sun in recent months. … Purveyors of spyware have brass, moxie or whatever your favorite expression might be. The U.S. Federal Trade Commission prefers "chutzpah." An agency official used that word to describe the actions of those peddling antispyware called Spy Wiper and Spy Deleter, products that are being used to download spyware on users' computers rather than remove it. … Microsoft has a new job opening in the Europe. This week, Stuart Okin, the head of the software maker's security efforts in the United Kingdom, announced that he's leaving for a new position at Accenture. Nothing against Microsoft, he said, he's just off to "pastures new." … Following up on a pledge in July, Microsoft has launched a beta of its technology-buying site on the idea of CNET, and it's not just to hawk Microsoft hardware and software. The company said the wares of competitors will also be available on the Windows Marketplace portal, which will direct shoppers to the Web sites of the company's retail partners. … Microsoft Watch has reported that server versions of Excel and Visio will be included in the next revamp of Office, which is expected sometime in the Longhorn timeframe.