Microsoft cancels Patch Tuesday as DST looms

The biggest concern for us is that someone gets an email Monday morning that's designed to exploit DST and scan the network or download a Trojan horse. Alphonse Edouard, vice president of ITDune Capital Management

Microsoft said Thursday it will not release any security patches next week. The software giant usually rolls out security updates the second Tuesday of each month, though there are occasionally months where nothing new is released.

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges," a Microsoft spokesman said in an email. "Microsoft occasionally has months when it has not released security updates. The last time was September 2005."

The absence of security patches this month will almost certainly be welcome news for IT shops that have plenty of DST patching left to do. Microsoft is still scheduled to release several non-security, high-priority updates Tuesday.

Starting this year, DST will be extended by four weeks in the U.S., Canada, Bermuda and the Bahamas after legislators passed the Energy Policy Act of 2005. It will begin the second Sunday of March instead of the first Sunday in April, and will be extended until the first Sunday in November instead of the last Sunday in October. IT shops must now apply a series of patches from their various IT vendors to ensure electronic appointment calendars and other software tools aren't knocked off kilter when the clocks spring an hour ahead.

DST security concerns: Early DST start causes security heartburn: IT professionals say the earlier start to daylight-saving time (DST) could have unintended security consequences, such as timing glitches in their forensic and auditing tools. Audio downloads: Security Wire Weekly: IT pro Alphonse Edouard discusses what he's doing to prepare his company for DST, and whether it will interfere with his security patching. Download MP3 | Subscribe to Security Wire Weekly Security Wire Weekly: IT pro Susan Bradley on the security implications of DST. Download MP3 | Subscribe to Security Wire Weekly

While basic security tools won't be affected by the switchover, some IT administrators have voiced concern about possible timing glitches in their forensic and auditing tools, as well as their network access controls. Others have expressed concern that IT shops will set aside security patching to deal with lingering DST problems.

Experts note that IT shops often lag in their patch deployments, and fixes released in January and February could still be collecting dust in some environments because of all the preoccupation with DST.

Preparing for DST
Though they'll be getting a break from Patch Tuesday this month, IT professionals will still be keeping a wary eye out for DST-related glitches.

Alphonse Edouard, vice president of IT for Delaware-based investment firm Dune Capital Management, said he's confident his department has done everything necessary to prepare for DST. "We've been preparing for some time, and we think we have the major areas covered," he said.

But he worries attackers might attempt to take advantage of DST. He said his team will keep a sharp eye on any attempts attackers might make to exploit DST to infect company systems with malware.

"The biggest concern for us is that someone gets an email Monday morning that's designed to exploit DST and scan the network or download a Trojan horse," he said. "We're going to be especially vigilant and watch for probing or other activity."

Eric Schultz, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said most IT shops should have their DST house in order by now, especially if they're using automated patching tools.

"One would expect that an IT pro has been working on DST for quite a while and that they also keep up to date on security patches," he said. But he acknowledges that unforeseen DST glitches are a very real possibility and that, "If you're caught off guard by DST, then next week you'll be dealing with DST issues and you won't have time to deal with security patches."

He said the going could be especially tough for IT shops running older operating systems like Windows 2000, which no longer fall under the mainstream support of Microsoft.

Schultz said his firm is handling DST patching for about 30 companies running Win2000 systems.

"Most big corporations who didn't get the automatic patch support are still paying attention to what they need to do for DST," Schultz said.

Companies with poor patching processes could experience problems next week, he said.

Trouble with legacy applications
Chris Andrew, vice president of security technologies for Scottsdale, Ariz.-based vulnerability management firm Patchlink Corp., said IT administrators could also run into trouble next week if they haven't taken a thorough inventory of their legacy Windows applications.

"It's important to look through your whole Windows catalogue and apply patches," he said. "The DST issue has affected every operating system across the board, from Windows to Linux to Solaris."

The good news, he said, is that there's a high level of DST awareness among IT professionals. But that doesn't mean they won't fall victim to problems in legacy applications they may have lost track of.

"Everyone is talking about this. Every IT guy knows about it," he said. "The question is if they've considered every single area where a patch is needed. You could have your operating system patching done and think you're all set, and then you might find next week you're fixing a couple things you hadn't thought of."