Microsoft Plans An Overhaul For Patch System
sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site."
As reader sweeney37 summarizes, "Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.
In the commercial world, because of restrictions on software distribution, there is no single place to go for patches. There is no Debian or Red Hat that distributes hundreds or thousands of applications and will provide you patches for ALL of them promptly and consistently.
Well, take a look at http://www.macintouch.com/mosxreaderreports.html. The number of people having problems after installing an Apple patch is very large. Blindly trusting a vendor is a recipe for disaster. When did Apple start signing their patches? Enough said.
This is already possible, although it is cumbersome.
You can, when writing your unattend.txt, specify a batchfile that is to be run after the install. In that batchfile you can put the patches, with the correct switches to install them silently and without reboot.
Unfortunately, and this is where the patch program mess comes in, not all patches have the same set of switches and not all of them can be run silently.
For those, you need to use a script (kix, vbscript, whatever) to send the keypresses needed to proceed with the installation.
I'm up at 4AM because an MS patch totally broke a production system in our DC office. That patch was NT4 Security Rollup Patch, from eons ago (18 months?).
The system was effectively firewalled (it was an internal file/print server), and didn't really need the patch, but since I thought I knew better it's now a heap of scrap.
My excuse for not patching my software is that patches often break production systems. I'm going to sleep now, since I need to be up at 8AM to deal with the mess.
So, IMO, there is PLENTY of excuse for not patching your software. If you'd like to debate the point, I invite you to first use Google Groups with the words "security rollup ntoskrnl.exe stop 0x1E".
PS to snarky trolls - that's NOT "stop 0xA", I checked for THAT system-stopping patch problem first, so don't go telling me that there's a warning on the MSKB article, thanks anyway.
Forgot to mention.... MUY IMPORTANTE!!! Run URLScan if you have IIS installed!!! And for god's sake, if you run a server, install & USE the M$FT lockdown tool and their security audit tool. Might be a good idea to install a proxying firewall and get a *real* security audit tool.
Ok, here is the way I solve it:
1. "most" fixes can be silently installed using:
    Qxxxxxxx.exe /N /Z /M
2. the ones that don't accept this syntax can often be started using:
    Qxxxxxxx.exe /Q
However, these will ask for additional confirmation. When that is not acceptable, use a script that sends the confirmation keys. I use Kixtart:
    ; start the hotfix without waiting for it (RUN does not block)
    RUN 'Qxxxxxxx.exe /Q'
    ; poll until the hotfix's confirmation dialog can take focus;
    ; SetFocus() returns 0 once the window titled "Microsoft ..." is found
    ; ("Microsoft ..." stands for the exact title of that dialog)
    WHILE (SetFocus("Microsoft ...") <> 0)
        SLEEP 1
    LOOP
    ; the dialog has focus: press Enter to confirm
    $X = SendKeys("{ENTER}")
This will usually work. Also with the Java update. However, it is a mess... I agree.
Stipulative Definitions:
"Bug" - a serious flaw or unforeseen condition that results in unexpected or unintended consequences or actions.
"Exploit" - a creative use of a "bug" to utilize a program for uses not intended by its user and/or developer.
Premises:
(1) If we assume that every networkable and sizable program is not perfect, meaning it contains one or more bugs.
(2) That bugs are the basis of most exploits.
Conclusion:
Every networkable, sizable program is likely to contain one or more bugs, resulting in a possible exploit.
The sad truth is that OSes that use unsentry'ed stacks for method invocation are inherently susceptible to stack overflow exploits. Btw, everyone STOP USING strcmp() && gets() in your programs!!!!!!! Use strncmp() && fgets(), damnit!!!!! Buffers (fixed & malloc()ed) must NEVER be exceedable from the command line or other user actions!!! In fact, there should be no way to exceed a buffer, though you ALWAYS have the first byte available AFTER the end of an array as a safe place. Write defensive code!!! Code as you would drive in Oakland, CA. assert() never hurt anyone (just never put any code w/ side-effects inside asserts()). I've run sec audits on so much source; there's always some little util around somewhere that checks argv's with these suckers. Instant buffer-overflow exploit, no water necessary!
There are modified Linux kernels that check the stack pointers and the integrity of the stack w/ so-called "canaries": random, magic bytes on either side of the stack frame to check for stack overflows. For buffer overflows, it's a little harder, since you need something that checks array indices and malloc(). Even then, there are some exploits that write to valid portions of a user-space app to gain some privileges. My solution: use a language w/ tons of security already in it -- Java.
;) No stack or buffer-overflows there... and you can SetSecurityManager's all over the place, and Java applets are sandboxed anyhow (except Microsoft's JVM is an insecure PoS.) I'm wondering if a POSIX && a Secure UNIX && a Trusted OS would be any better. I hear they use the "root-isn't-root" trick, everything is encryptable (mem, process name even), and memory has ACLs everywhere.
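The unbounded-copy pattern the post above condemns, next to a bounded replacement and the canary idea it mentions, as an added example that is not code from the post or the thread. The struct layout, the fixed CANARY value (a real one is random), the 30-byte input and the function names are all assumptions made for the demo; the "unbounded" copy is clamped to the struct so it corrupts the guard word without crashing the host. The fgets() reader also handles the case the post does not mention: an over-long line leaves its tail in the stream unless you drain it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: the unbounded-copy pattern the
 * post condemns next to a bounded replacement, with a guard word after the
 * buffer so the overflow is visible without crashing anything, plus an
 * fgets() reader that handles the over-long-line case. */

#define NAME_MAX 16
#define CANARY   0xDEADBEEFu      /* fixed here for the demo; a real canary is random */

/* A fixed buffer followed immediately by a guard word, mimicking the
 * "canary after the data" layout the post describes for patched kernels. */
struct frame {
    char     name[NAME_MAX];
    uint32_t canary;
};

void frame_init(struct frame *f) {
    memset(f->name, 0, sizeof f->name);
    f->canary = CANARY;
}

/* The check a canary-aware runtime performs before trusting the frame. */
int canary_intact(const struct frame *f) {
    return f->canary == CANARY;
}

/* The bad pattern: copy length comes from the input, not the destination.
 * The only clamp is sizeof(struct frame), so the demo corrupts the canary
 * but never writes outside the struct. */
void copy_name_unbounded(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f + offsetof(struct frame, name), src, n);
}

/* Bounded replacement: never writes past name[], always NUL-terminates,
 * and reports truncation (-1) instead of silently dropping bytes. */
int copy_name_bounded(struct frame *f, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof f->name) {
        memcpy(f->name, src, sizeof f->name - 1);
        f->name[sizeof f->name - 1] = '\0';
        return -1;
    }
    memcpy(f->name, src, len + 1);
    return 0;
}

/* fgets() in place of gets(). The caveat the post skips: fgets leaves the
 * unread tail of an over-long line in the stream, so it must be drained or
 * the next read treats attacker-chosen bytes as a fresh line.
 * Returns 1 for a complete line, 2 for a truncated one, 0 at EOF. */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                  /* line fit exactly, or last line without newline */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                          /* drain the rest of the over-long line */
    return 2;
}

int main(void) {
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed input, 30 bytes */
    struct frame f;

    frame_init(&f);
    copy_name_unbounded(&f, attack);
    printf("unbounded copy: canary %s\n", canary_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    int rc = copy_name_bounded(&f, attack);
    printf("bounded copy:   canary %s, rc=%d, name=\"%s\"\n",
           canary_intact(&f) ? "intact" : "CLOBBERED", rc, f.name);
    return 0;
}
```

The bounded copy returns a truncation status on purpose: silently cutting input to fit is the second half of the bug, since the caller still believes it stored what the user sent. A stack canary catches the overwrite only after it happened, which is why the check belongs in the copy and the canary is the backstop.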
There are a few fundamental problems with Windows update and Microsoft's security patches. NTBugtraq's Russ Cooper recently had this to say about it.
Secondly, Microsoft has the very very bad habit of releasing the "fixed" version of a bad patch under the same filename. Guess what, if you installed the "bad" patch, WindowsUpdate won't tell you there's a revised patch out. Because it is dumb dumb dumb and only checks registry keys and not file dates and versions. So windowsupdate leads one into a very FALSE sense of security.
Phil
That patch was not automatically applied. The only patches that are automatically applied are ones that fix huge holes to the operating system, and even then you have a choice of not letting windows update itself automatically. Most windows users turn off the automatic update feature as soon as they finish installing windows.
If Microsoft is serious about wanting people to install their patches, they should institute a policy against making 'retroactive' changes to product EULAs in the patches. If they want me to patch this stuff on a weekly basis, having to parse through a few pages of EULA-ese in order to do so is a substantial 'barrier to entry'.
howing the patch counts between Windows 2K and Redhat 7.x. If I recall correctly those numbers came out to roughly ~1050 patches versus ~350 patches for roughly the same time period :-)
This kind of statistic interested me also. So, for a while I started collecting advisories mailed on the Croatian CERT mailing list. These are the results for the period from the 12th of March through today:
Debian: 28
RH: 26
MS: 21
Mand: 20
Sun: 16
SGI: 12
Cisco: 10
HP: 10
Turbo: 7
SCO: 6
SuSe: 2
Oracle: 2
In conclusion, I'm inclined not to believe your numbers.
It was not a critical automatic update!!! You had to go and manually install the recommended one which also states DO NOT apply this unless you are experiencing the problem.