
Windows IT Pro UPDATE--Security Patches R Us: Would You Like a Heads-Up with That?--November 9, 2004

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Pro UPDATE.

Free Download! Award-winning GROUP POLICY management tool

HP ProLiant ML330 server


1. Commentary
- Security Patches R Us: Would You Like a Heads-Up with That?

2. Hot Off the Press
- Microsoft and Novell Settle Antitrust Case for $536 Million

3. Resources
- Featured Thread: Check Out the VirtualServer Migration Toolkit
- Tip: How can I repair Windows 2000 Server's default Group Policy Objects (GPOs)?

4. New and Improved
- Compress Data
- Stop Junk Email at the Server

==== Sponsor: Free Download! Award-winning GROUP POLICY management tool ====

Are auditors and compliance officers driving regulatory compliance down your throat? Did you know that Group Policy in Active Directory can help you meet those compliance requirements? Try NetIQ's award-winning Group Policy Administrator for 30 days, and you'll see how you can more easily manage Group Policy to meet those compliance requirements.


==== 1. Commentary: Security Patches R Us: Would You Like a Heads-Up with That? ====
by Paul Thurrott, News Editor, [email protected]

Since Microsoft began its monthly security-patch-release schedule last year, the company has come under fire from what I call the "can't-win-no-matter-what-you-do" crowd. Microsoft used to issue security patches whenever the patches were ready, and as any battle-weary systems administrator can tell you, the effects were painful. Because of the number of Microsoft security patches over the past few years, some administrators did little more than evaluate and deploy patches, while spending their few remaining minutes of free time wondering when the next patch was coming. Moving to a monthly patch-release schedule, however, didn't mollify all users. Some security experts, for example, warned that the monthly release schedule meant that some critical bugs might go weeks without being fixed, simply so that Microsoft could adhere to an artificial release schedule.

So the software giant added a provision to its plan, whereby under certain circumstances the company will release critical patches out of band with the regularly planned schedule, which releases security patches on the second Tuesday of each month. Since announcing this plan, Microsoft has indeed released a few out-of-band security patches, most notably for Microsoft Internet Explorer (IE), which remains, quite possibly, the buggiest piece of software the company has ever written.

Although one might debate the soundness of this plan, Microsoft has to balance the needs of its customers with a desire to treat its volume buyers a bit better than the rest of us. In keeping with this policy, late last year the company instituted a plan whereby certain customers would receive advance warning about the regularly scheduled monthly security patches, giving them time to prepare for what's become known as Black Tuesday in certain IT circles. The idea is that, with a little heads-up, administrators can plan downtime accordingly and deploy patches as needed without interrupting business.

Microsoft eventually opened up the early access program to any company that was willing to sign a nondisclosure agreement (NDA). The reasons for this requirement are many, but my feeling is that Microsoft feared that malicious hackers might use the early-access information to create malicious software (malware) that exploits bugs before the patches are widely available. Those fears were partially realized when several customers who had signed NDAs earlier this year leaked information about upcoming security patches. Although I know of no examples of malicious hackers using this information to successfully exploit the flaws, the cat was out of the bag. By late summer, bad press and complaining companies had forced Microsoft to, once again, re-evaluate its stance on patch information access.

The problem here is obvious. Users were asking why Microsoft was hiding security patch information from most customers. As with airbags in cars, shouldn't all customers benefit from this information? Responding to the criticism, Microsoft has indeed opened up the early-access patch information program--now called Microsoft Security Bulletin Advanced Notification--to all users. However, the program now provides less information: The advance notification will include only the number of patches the company will issue, the expected severity ratings of each flaw, and a list of affected products.

The Microsoft Security Bulletin Advanced Notification program starts this month, and currently takes the form of a Web page on the Microsoft Web site (URL below). Starting in December, the program will also include an email notification to which you can subscribe. Microsoft says that it will give "3 business days" of advance notice about the patches, so you'll have the basic information by the Friday before the second Tuesday of each month or 3 business days before any out-of-band security patch.

Frankly, I think Microsoft should be commended for making this information available to customers, even though the company had to be dragged, kicking and screaming, to the party (similar, again, to the way the automobile industry reacted to various security-oriented requirements for cars). This type of transparency can only help those customers who elect to take advantage of the service. Go forth, people, and complain no more.

Microsoft Security Bulletin Advance Notification


==== Sponsor: HP ProLiant ML330 Server ====
Save up to $279 today on the HP ProLiant ML330 server, the powerful server designed for easy management and expandability, and backed by a one-year, global pre-failure warranty. Add backup storage with an HP StorageWorks DAT40 external tape drive, and take another $100 off your total. Not sure if the HP ProLiant ML330 is right for you? Download: "How Do I Choose a Server?"


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft and Novell Settle Antitrust Case for $536 Million
Details are still forthcoming, but Microsoft and Novell announced yesterday that, thanks to private mediation, they've settled Novell's NetWare-based antitrust lawsuit against Microsoft for $536 million. Under terms of the agreement, Novell will release all its US-based antitrust claims against Microsoft and withdraw from the European Union (EU) antitrust case against Microsoft. Microsoft, meanwhile, will pay Novell $536 million and release its counterclaims against the company. For the complete story, visit the following URL:

==== Announcements ====
(from Windows IT Pro and its partners)

Subscribe Now to Windows IT Pro with Exclusive Online Access!
Windows & .NET Magazine is now Windows IT Pro! Act now to get the November issue, which features a Linux primer for Windows administrators, the how-tos of making NTBackup work, and a checklist for Sarbanes-Oxley compliance. You'll save 30% off the cover price and receive exclusive subscriber-only access to our entire online library with your paid subscription! This is a limited-time offer, so click here to order today!

Get the Final Chapter Release--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"
Download our final chapter, "Exchange Security," and learn 5 key strategies to help you secure your environment before vulnerabilities become a problem, including how to reduce the number of protocols used and how to partition your environment. Plus, start protecting authentication credentials, data transmission, and more. Get the entire eBook now!

Attend and Get a Free Subscription to Windows IT Pro! The Enterprise Alliance Roadshow
Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Attend and you could win an iPod! Sign up today. Space is limited.

Win a Trip to TechEd 2005 Plus iPod and XBox Prizes
Compete in the first-ever IT Prolympics to test your Active Directory knowledge against your peers. You could win recognition and great prizes. The IT Prolympian grand prize is an expense-paid trip to TechEd 2005. Click here to enter the competition.

~~~~ Hot Release: (Advertisement) Whitepaper: Is Your Outlook FAX Integrated? ~~~~

Where's Bob? (Off sending a fax at the fax machine again?)
Are you still "getting by" sending via fax machines or less fax-savvy solutions? Integrate fax into applications like Microsoft Word, Excel, and even Outlook!
Download (whitepaper, trial & ROI)

==== Instant Poll ====

Results of Previous Poll:
The voting has closed in Windows IT Pro's nonscientific Instant Poll for the question, "Would you trust and use Internet-based voting?" Here are the results from the 303 votes:
- 39% Yes, if third-party experts are hired to certify its security
- 22% Yes, but only after public scrutiny of the voting system
- 32% No, never
- 8% I don't know

(Deviations from 100 percent are due to rounding error.)

New Instant Poll:
The next Instant Poll question is, "Do you like Microsoft's monthly security-patch-release schedule?" Go to the Windows IT Pro home page and submit your vote for a) Yes or b) No, I prefer to receive patches as soon as they're available.

==== 3. Resources ====

Featured Thread: Check out the VirtualServer Migration Toolkit
Ward Ralston's latest posting to the Virtualization Technology Blog introduces the VirtualServer Migration Toolkit (VSMT). To join the discussion, go to the following URL:

Tip: How can I repair Windows 2000 Server's default Group Policy Objects (GPOs)?
by John Savill

You can use Microsoft's Recreatedefpol utility to repair the Default Domain Policy and the Default Domain Controllers Policy. (Recreatedefpol works only on Win2K Server systems.) You can download recreatedefpol.exe from Microsoft. On Windows Server 2003 systems, use the Dcgpofix tool to restore the default GPOs to their original state, as I explain in the FAQ "How can I restore the contents of the Default Domain and Default Domain Controller (DC) Group Policy Objects (GPOs)?"
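Both tools named above discard every customization in the two default GPOs and rebuild them from scratch, so the step a practitioner wants before running either one is a copy of the current SYSVOL policy folders. The batch script below is an added example written for this newsletter, not code from Microsoft or from the tip's author. It assumes it runs in a command prompt on the domain controller itself, as a domain administrator, that %USERDNSDOMAIN% holds the domain's DNS name (Windows sets it for domain logons), and that recreatedefpol.exe has already been downloaded onto a Win2K Server. The two GUIDs are the well-known folder names of the Default Domain Policy and Default Domain Controllers Policy; dcgpofix and its /target switch ship with Windows Server 2003.

```batch
@echo off
REM Added example (not from the newsletter, Microsoft, or John Savill):
REM back up the two default GPOs from SYSVOL, then reset them with the
REM tool that matches the server version.
REM Assumes: run on a DC as a domain admin; %USERDNSDOMAIN% = domain DNS name.
setlocal

REM Well-known GUIDs: Default Domain Policy and Default Domain Controllers Policy
set DDP={31B2F340-016D-11D2-945F-00C04FB984F9}
set DDCP={6AC1786C-016F-11D2-945F-00C04fB984F9}
set POLICIES=%SystemRoot%\SYSVOL\sysvol\%USERDNSDOMAIN%\Policies
REM Backup folder name carries today's date; "/" in %DATE% is replaced so it is a legal path
set BACKUP=%SystemDrive%\GPO-backup-%DATE:/=-%

REM Sanity check: a missing folder is itself a symptom worth noting before the reset
if not exist "%POLICIES%\%DDP%" echo WARNING: Default Domain Policy folder missing from SYSVOL
if not exist "%POLICIES%\%DDCP%" echo WARNING: Default Domain Controllers Policy folder missing from SYSVOL

REM Dcgpofix and Recreatedefpol wipe these GPOs' settings, so keep a copy first
REM (/E all subfolders incl. empty, /I treat target as a folder, /H hidden files, /Q quiet)
xcopy "%POLICIES%\%DDP%"  "%BACKUP%\%DDP%\"  /E /I /H /Q
xcopy "%POLICIES%\%DDCP%" "%BACKUP%\%DDCP%\" /E /I /H /Q
echo Backup written to %BACKUP%

REM Pick the tool by kernel version: 5.2 = Windows Server 2003, 5.0 = Windows 2000
ver | findstr /C:"5.2" >nul
if %errorlevel%==0 (
    REM Windows Server 2003: /target:both resets both default GPOs in one run
    dcgpofix /target:both
) else (
    REM Windows 2000 Server: Recreatedefpol must already be downloaded; it prompts interactively
    recreatedefpol.exe
)

endlocal
```

After the reset, re-apply any settings you deliberately had in those GPOs (account lockout or Kerberos policy in the Default Domain Policy, audit and user-rights settings in the Default Domain Controllers Policy) from the backup copy rather than from memory; the backup folder keeps the original GPT.INI and the .pol and .inf files you can diff against the rebuilt ones.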

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro)

IT Security Solutions Roadshow--Attend and Get a Free Subscription to Windows IT Pro
Take your security to the next level with this free half-day event covering topics such as antivirus, intrusion prevention, vulnerability discovery, and more. Get a backstage pass to the ISA Server 2004 Hands-on Lab. Attend and enter to win tickets to a professional sports game. Register now!

==== 4. New and Improved ====
by Angie Brew, [email protected]

Compress Data
PKWARE released PKZIP 8.0, a data-compression utility. The product features administrative control that lets you ensure that consistent compression and password-based encryption practices are used throughout your organization. PKZIP 8.0 seamlessly integrates with Microsoft Outlook and Lotus Notes so that users can quickly and easily zip and secure files directly from their email client. The file-splitting feature splits an archive into configurable segment sizes for storage on local drives or removable media. A single-user license costs $24.95. Contact PKWARE at 414-289-9788.

Stop Junk Email at the Server
Chrysanth released Chrysanth Mail Manager, an email manager for Windows that lets you identify and filter junk email on your mail server without downloading the email. The product lets you create whitelists and blacklists and provides graphs and figures to help you analyze the amount of junk mail you receive. Chrysanth Mail Manager features the ability to mark all mail headers to be bounced or deleted. Chrysanth Mail Manager can support multiple email accounts and costs $24.95. Contact Chrysanth at [email protected].

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to mailto:[email protected].


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today!

View the Windows IT Pro Privacy policy at
Windows IT Pro is a division of Penton Media, Inc., 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All Rights Reserved.
