Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Patch Day: The Next Generation

    By
    Larry Seltzer
    -
    September 13, 2004
    Share
    Facebook
    Twitter
    Linkedin

      Its not really the first patch day of the Windows XP Service Pack 2 era. Last months, Aug. 10, was a few days after the initial release of the massive security-focused update.

      But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now were over a month since Microsoft finalized the “gold” SP2 code, and we may be about to see how they will handle patches in the post-SP2 era.

      The biggest issue is how Microsoft prioritizes patches for vulnerabilities that affect only pre-SP2 versions. I agree with a lot of what my colleague Steven J. Vaughan-Nichols has to say on this matter, but I dont share his pessimistic sense. At the very worst, SP2 is now just another version of Windows they have to deal with.

      I expect that for some time Microsoft will have to keep Windows XP SP1 and SP2 tracks for security vulnerabilities. In a very important sense, the SP1 track is more similar to the Windows 2000 track than SP2, because Internet Explorer is so different in Windows XP SP2.

      The other thing Im looking out for is whether they move any faster on SP2 vulnerabilities than they have in the past on SP1 and other earlier versions. We have had one important SP2 vulnerability since it was released, the (in)famous drag-and-drop vulnerability. Its not a real killer, but its a bad one, and it demonstrates an oversight in Microsofts lockdown of Internet Explorer in Service Pack 2.

      One can only imagine that when Microsoft works on the patch for this vulnerability they will discover underlying problems broader than this particular hole. The report accompanying the patch will expose other problems.

      /zimages/5/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      But once again Im optimistic because another thing SP2 does is really, really urge you to turn on Automatic Updates. Some experts are uncomfortable with Automatic Updates. Fine, experts can turn them off, but novices should be running them. Enterprises and other expert-run networks can set up their own Windows Software Update Services servers and test patches while still allowing automatic updates to proceed as soon as they think it prudent.

      But in either case I think we can expect that more users of SP2 will be getting updates more quickly. SP2 vulnerabilities will have a harder time getting exploited widely unless they appear as day 0 network worms. The drag-and-drop vulnerability, in spite of Secunias typically hysterical claims about outside exploits, dont have the potential to spread widely, and require user interaction and a Web site to host them, both of which are brakes on the spread of the attack.

      I cant make up my mind about the severity of the drag-and-drop vulnerability. If its really serious, then I wouldnt expect it this patch day because Microsoft will fix it out of cycle when then can fix it. But if its not that important, then they may wait until next month to fix it, because it hasnt been that long since it was revealed.

      In fact, if I had to wager, Id bet on more SP1 patches this month and for a while. There are still a bunch of SP1 vulnerabilities out there unpatched, and now that SP2 is done I would hope they would get some more attention.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      /zimages/5/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
      Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      More from Larry Seltzer

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×