Slashdot Mirror


Microsoft Plans An Overhaul For Patch System

sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site." As reader sweeney37 summarizes, "Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.

20 of 402 comments

  1. Re:User problem by pla · · Score: 5, Interesting

    If you turn off this feature, it's really your own fault that you get hacked.

    I will presume you mean that as a joke.

    You do know Microsoft's history of releasing "updates" that have a high probability of making matters worse than the bugs they claim to fix, right?

    I believe their last proof of this idea occurred... Oh, last week? And who can forget the legendary NT4 "even numbered SP plague"? They should have released 6a as 7, just to keep their f'd up patches consistently named. ;-)

  2. Automated patches for pirated copies? by brogdon · · Score: 5, Interesting

    As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine). My first thought was that Microsoft would require you to have an "activated" and properly registered copy of Windows and/or the MS applications you were running in order to receive the updates.

    But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.

    I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.

    --
    This tagline is umop apisdn.

    1. Re:Automated patches for pirated copies? by mgv · · Score: 2, Interesting

      As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine).

      Yes, my more recent Microsoft installs are pirated. Not because I don't own the software (I do have licenced versions that I don't install) but because I won't install software that I can't reinstall. If you have to authenticate with Microsoft, then you can't truly reinstall it.

      I live in fear that Microsoft won't reauthenticate a legit copy because:
      1. They decide to stop supporting that version.
      2. Someone stole my authentication code and used it also.
      3. I can't connect to them on the internet and it's 2am in the morning.
      4. Microsoft has gone broke and it no longer owns microsoft.com.

      (No, I'm not joking. One day they won't be around.) Orphaned software is bad, but uninstallable orphaned software is worse.

      Now the purists would say I don't deserve the updates because I'm not using licenced software, although it's hard for Microsoft to show how they have lost money over this arrangement (I actually own way more licences for Microsoft software than I use - especially since I moved to Linux). But I'm one of their paying customers, without doubt.

      So maybe they should be putting out patches for their unlicenced stuff too?

      My 2c

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.

  3. Oh that's just f'n GREAT by marcushnk · · Score: 2, Interesting

    So they can automagically patch my system so that the "world" doesn't hear about it until almost everyone has the patch.. and right about that time (let's say 48 hours later) I find out that all my e-mails have been going to someone else, or my firewall settings are broken because of the patch.. and I spent two days working like a dog trying to find why it suddenly stopped working.

    My wish of MS would be to improve their OS and application design philosophy BEFORE they make it, so these patches aren't so damned regular in requirements or DIRE in consequences.

    Mongrels.
    >:-|

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far

  4. Interesting patch counts.... by Anonymous Coward · · Score: 5, Interesting

    About a year ago at work we had a presentation of why our clients should go with us and part of that presentation involved showing the patch counts between Windows 2K and Redhat 7.x. If I recall correctly those numbers came out to roughly ~1050 patches versus ~350 patches for roughly the same time period (yes all very ROUGH, we like it ROUGH...).

    So I decided to look at the patch counts of some other OS's just to make things look silly when in comparison.

    First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months, not 1 year like post-2.6 releases were, thus the patch counts rose; this isn't really all that fair but as you'll see it doesn't REALLY matter):

    32 patches per release. Which is about fair when compared to Redhat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports, but hey, Microsoft isn't providing many patches for other people's products, if at all).

    Now let's do VMS (this is scary...)...

    A look through the Bugtraq archives starting at 1997 shows that the average count over the past 6 years has been 4 patches per year. But hey, when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...

    1. Re:Interesting patch counts.... by essdodson · · Score: 3, Interesting

      Where'd you get 1050 from? That sounds highly inflated to me.

      While doing an install of Windows SUS I came up with roughly 400 patches for all versions of Windows capable of Windows Update. The number soars to over 2,000 when you introduce all the other various languages, but these patches are all duplicates.

      --
      scott

  5. Re:Not true at all! by deranged+unix+nut · · Score: 5, Interesting

    Would you trust the patches more if the patch system told you how many people had installed the patch, how long it has been installed on a critical mass of systems, and how many users reported problems after installing the patch?

    (I don't know if any patch system does this...just asking)

  6. Re:Security patches used with political means? by teamhasnoi · · Score: 4, Interesting

    Apple did the same thing with iTunes 4.0.1

    Kept you from sharing your playlists off your subnet I think...there is a /. story about it here

    The dumb thing is that everyone who cared about it caught it beforehand, and everyone who doesn't care most likely doesn't share their lists.

    I was going to post that MS should go to an Apple Software Update sort of thing - it's easy, the patches usually work flawlessly and you can get self-contained disk images of all of them to install at your leisure.

    Then I realized that this probably wouldn't work, as Apple has a much smaller subset of hardware to deal with than MS.

    Which got me thinking that perhaps MS isn't all bad? Maybe it's all the crap that people try to use with their PCs from ISA days, and all the spyware that seems to be omnipresent in any shareware install that's causing all the problems. I mean, a browser integrated into the OS can't be that bad can it?

    Then I remembered that Bill Gates eats babies with the devil every afternoon at 4 pm.

    Whew! I almost fell to the dark side!

  7. It needs a patch: it IS broken by Otis_INF · · Score: 4, Interesting

    Yes, the patches themselves. People don't install them because they break critical production software which must not be broken.
    That critical production software NEEDS a patch, e.g. it has a security hole, or runs on top of an OS that has a security hole. Therefore it IS already broken and thus needs patching. There is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.

    --
    Never underestimate the relief of true separation of Religion and State.

    1. Re:It needs a patch: it IS broken by weave · · Score: 2, Interesting

      What's more broken, an unpatched system or an unworking system? For example, there was some wailing and gnashing of teeth on the Windows higher ed mailing list recently because a patch broke Active Directory's Kerberos's ability to authenticate many third-party Kerberos clients. That alone can just bring an entire operation to a halt at some places.

      A lot of patches may not be needed on a production system, like a patch that prevents a malicious web site operator from inserting some rogue ActiveX control to take over control of the system. If your site's operation policy is to not use IE under threat of death on a server, then you should be safe from not installing it (unless the patch secretly fixes some other unpublished hole).

  8. Why is the patch system not a part of the OS? by pe1chl · · Score: 5, Interesting

    I have always wondered why each patch is distributed as a standalone executable...
    Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
    When I patch my Linux system, I retrieve a .RPM and it is installed using the rpm program already on the system.
    Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a .MSI file?

  9. Re:Your idiotic anti-microsoft fervence by scubacuda · · Score: 2, Interesting

    Actually, I hold the minority view here on /.--I fully support proprietary *closed* software, and (believe it or not) fully support MS's quest to integrate IE, close their source code, and engage in flat out anti-competitive practices. I'm skeptical of the viability of this model in the long run, but I support their right to do it w/o the DOJ prosecuting them.

    Maybe...just maybe...my post was done with a certain irony. Consider it a poke at how petty most of the criticism is around here. Or perhaps a jab at how most posters here on slashdot talk big, but in the end, do little more than extend an angry ASCII middle finger.

  10. Re:Innovation by pe1chl · · Score: 3, Interesting

    But that is part of the problem. It is only slightly related to the patch problem, but it was the reason Microsoft needed to develop "Windows file protection", as all those developers were really messing up the integrity of the system with their (sometimes) lame installers!

    Had they kept this under their own control a bit earlier (with a centralized dependency check and resolve system like Yast+RPM or the equivalent on other systems), there would be no need for "Windows file protection" and all Windows 2000 systems in the world would boot faster. Think of the gains that would bring to end-users...

  11. Screw windowsupdate by SkewlD00d · · Score: 3, Interesting

    Well, critical updates are *mostly* distributed by the ever-popular windowsupdate service. I recently created a slip-streamed, unattended CD-R for XP Pro that has SP1a && corp activation (via corp $erial) && m$ft jvm && every critical update & patch. And, if you want, you can download WinINSTALLER to create .MSI files from any/all your programs and automagikally install those too. It's basically what the Dell "repair" disks are. See this, this, this, this, and this

    --
    The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
    1. Re:Screw windowsupdate by KU_Fletch · · Score: 2, Interesting

      While I don't share your penchant for replacing an S with a $, I do agree that the Windows Update feature is horrid and I'm glad (in some sick way that will soon turn to disappointment) that MS is finally trying to fix it. The thing never works and so-called "critical updates" seem to do little other than break my system or prevent me from upgrading software I actually DO consider critical. Right now, I can't upgrade to IE 6 SP1 because it claims I'm already in the process of upgrading yet detects in the first place that I haven't upgraded. I dream of the day I might be able to click the "update" button and have my computer work without 4+ hours of backwards engineering to fix all the things it breaks. Sadly, I'm afraid MS will be charging me a few hundred for a version of Windows that actually works like that.

      --
      It's not stupid. It's advanced.

  12. Patches via win-apt-get by Debian+Troll's+Best · · Score: 3, Interesting

    Fellow Debian Users and Linux Enthusiasts,

    From reading this story closely, it appears that Microsoft has once again run into a problem which the open source community has successfully solved: how to effectively deliver patches and security updates to a wide audience across the internet. Existing mechanisms for distributing updated software for Microsoft's operating systems and applications are currently only semi-effective and are in urgent need of overhaul. They certainly do not represent a best-of-breed, enterprise-level approach.

    At this point, I would like to put forward a suggestion to both the readers of Slashdot, and to the management of Microsoft which may address the aforementioned shortcomings: win-apt-get. As Debian users across the planet know only too well, apt-get is a robust, convenient, scalable and enterprise-ready solution for managing not only Debian packages, but also the rapid dissemination of updates and patches when they become available. Apt-get is in fact listed as the number one reason for choosing the Debian GNU/Linux distribution above other competing distributions by respondents in a recent LinuxWorld survey. Given such tremendous community support and technical advantages, why is it not worth considering a version of apt-get tailored specifically for Windows...a win-apt-get, if you will.

    Please...I hear you reaching for your 'Troll' and 'Offtopic' moderator buttons. Certainly many high-ranking Debian luminaries exhibited similar responses when I approached them with this idea at this year's Open Source Expo. However, upon listening to my plans, they were all convinced. Bruce Perens was particularly enthused, as I had offered to buy him lunch at the cafeteria if he listened to my pitch, an offer which he accepted vigorously, let me tell you!

    But enough anecdotes of rubbing shoulders with the 'Debian doyens'. What I need are volunteers to help with the porting of apt-get to the Windows platform. This is in fact part of a much larger initiative, which unfortunately has been met with much hostility by the overwhelming Gentoo community on Slashdot. This initiative is the production of a new version of Debian, one which uses a new underlying operating system: Debian GNU/Windows XP.

    Let it sink in. I will be back shortly to tell you more. I'm excited!

    Best regards,
    Debian Troll

  13. Re:A very tough task by cperciva · · Score: 2, Interesting

    Right. And every time Microsoft talks about distributing more stuff with Windows, the FTC starts talking about lawsuits and antitrust.

    I'm not trying to defend Microsoft here -- they certainly were acting in an anticompetitive manner -- but it wouldn't surprise me at all if Redhat starts to get into antitrust problems.

    Yes, Redhat is only distributing free stuff; but as MSIE vs. Netscape shows, even free stuff can raise antitrust issues.

  14. Re:User problem by Matrix272 · · Score: 3, Interesting

    I agree. A link categorizing Microsoft's failures, including the one last week, would really help to assess whether or not they have an acceptable rate of failure. Given that there are probably at least 50 updates with WinXP, and maybe 2 are bad, that gives us a 96% success rate. So, a link would be very helpful.

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance

  15. Re:User problem by Technician · · Score: 2, Interesting

    I'm guilty of the other user problem. I stick in a bigger hard drive. I reinstall the older OS because the hardware doesn't support a newer one and I'm not spending twice the price of the HD on an OS when the original one works and is paid for. Do the words "no longer supported" mean anything? Your old one may have been fully updated and patched until the hard drive gets replaced. The OS can be reinstalled, but reinstalling the no longer available patches could be a challenge.
    Too bad most patches only directly install and are not saved first. Having a CD of the OS and a CD of all the patches for a reinstall would be nice, but the system was never set up that way.

    --
    The truth shall set you free!

  16. Re:Of course. by molarmass192 · · Score: 4, Interesting

    The difference is that Linus et al. do not CLAIM to be innovative. MS touts themselves as having invented everything from the toaster to the space shuttle. Reading an MS PR release is like listening to an Al Gore speech in my mind. Neither the Linux kernel nor MS are particularly innovative, but at least Linux hackers do not falsely claim to be. MS does take a lot of heat on /. but I would say that MS's arrogance as a whole is on par with the /. camp's arrogance so it's pretty much a wash.

    Also, even though you didn't mention it, some repliers did: I don't use Linux because it's free as in $$$. I can afford the $200 XP Pro price tag. I use Linux (1) because I am able to see/change the source as I see fit, (2) its modular structure lets me tailor the kernel for each box/purpose, (3) I like and use the command line extensively (not all of us are point-and-clickers), and (4) because it's not built around the asinine all-your-eggs-in-one-basket registry concept.

    One final point on the $$$ argument. I would guess that over half the XP installs out there are pirated copies anyhow. Every time I see a pirated copy of XP it pains me to NOT call the BSA but I refrain. In fact, I'd bet that most MS backers on this board have one or more pieces of pirated MS software in their possession. It's a little hypocritical to stand up for a closed source software company all while stealing (yes, it's theft) at the same time.

    --
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws. - Plato