Microsoft has announced (http://www.microsoft.com/technet/security/bulletin/advance.mspx) that there will be no Black Tuesday (no security patches) this month. Have we finally turned the tide? I think not.
SANS Internet Storm Center keeps a list of known security vulnerabilities that are not patched, "The missing Microsoft patches" (http://isc.sans.org/diary.html?storyid=1940&dshield=5dcab42dbdd98865096b12b60165295c). So if it was a light month, why not catch up on unpatched vulnerabilities before another one becomes critical?
In my opinion Microsoft is giving battered IT workers a break due to their Daylight Savings Time (DST) patch requirements. The new US DST starts this weekend (three weeks earlier than previously).
The real problem is the herculean tasks required to upgrade all but the latest Microsoft products (Windows XP, 2003 Server and Exchange 2007). As an example, Windows 2000 requires manual registry settings, but that is not as bad as Exchange.
For any version prior to Exchange 2007 (and how many ran out and updated to that yet?), Microsoft supplies utilities that must be run against every Exchange user's mailbox. These utilities are resource intensive and have been causing total outages on Exchange while the utility runs at worst, and apparently intermittent outages on some servers.
While I don't claim to have insider information on all the companies running Exchange, what I have seen and heard all points to companies scrambling this week to be prepared for the time change.
You might think shame on the companies for waiting until the last minute, but on the other hand think about:
- Lean and mean IT departments
- Microsoft must be coming out with a less painful method...