Slashdot Mirror
Microsoft Plans An Overhaul For Patch System
sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site."
As reader sweeney37 summarizes, " Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.
"We are now doing security audits on all our products as part of development."
No comment necessary =)
Vonal Declosion
What about the recent patch that "broke" peoples net connections... I don't want something like that automatically applied.
If you are running WinXP, you can set up Windows Update to download the latest patches anytime you are connected to the web. This will get you the latest updates just about every time you use your computer.
If you turn off this feature, it's really your own fault that you get hacked. If it is true that most attacks occur *after* the patch has been issued, there is no one to blame but the user.
But I'm sure we can twist this into an anti-MS thread anyway.
I have been pwned because my
In the commercial world, because of restrictions on software distribution, there is no single place to go for patches. There is no debian or RedHat that distributes 100s or 1000s of applications and will provide you patches for ALL of them promptly and consistently.
Maybe with this overhaul they'll come out with better microtine patches and I'll be able to look my friends and family in the eyes, once again.
It's so difficult for Administrators to manage all these patches.
We take a risk by delaying patches, we take an even bigger risk by patching without decent amounts of testing.
The last thing we want is to have tested the patch and find out we rolled it out incorrectly. MS appears to be going some way to help us good guys out.
.. I sincerely doubt that their reputation for releasing patches that break as much as they fix will be affected very much by this move. I think most business users will see it as an attempt to appear as though they're trying to address the issues instead of actually doing anything.
It's kind of like a balding man with a really bad comb-over. It looks okay from a distance, but it doesn't really fool anyone.
Yo Bill! Here is my "patch".
PATCH THIS"
Users who do not patch their default Linux installs are the ones to blame when they get hacked, but Windows users who turn off automatic updates are off the hook because Microsoft didn't roll out a patch correctly?
Double standard, anyone?
As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine). My first thought was that Microsoft would require you to have an "activated" and properly registered copy of Windows and/or the MS applications you were running in order to receive the updates.
But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.
I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.
This tagline is umop apisdn.
After i just go through hell with m$s last patch to fix a security problem... connection problems. That thing took 5 hours to remove and still i see side effects of it (like aim wont connect and stay connected for long). But hey, that's how they make their killing: tech support. Sadly I'm not (dumb|smart) enough to (write|call) them on this one. Maybe its time for a patch system that simply removes the files they over wrote and stores the old ones somewhere.... that'd be really nice..
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
It embiggens the smallest open source advocate.
If anything will topple Microsoft's dominance of the operating system market, it's an ascii middle finger.
Bravo, good sir, you have done us all a service.
Please attribute any typos in this post to the numerous tasty newcastles I have consumed.
--
the strongest word is still the word "free"
Hi, A good idea to improve the speed of patch adoption should be not to use patches to sneak in system "enhancements". I use XP for some tasks at home and once I applied one "cumulative security patch for Internet explorer" I found out Windows was keeping me from watching my region 1 DVDs ( I live in Spain ). Of course I re-installed windows and I stop installing whatever patch and I am trying to move all my desktop needs to Linux; anyway I believe this behavior is shameful if not criminal. I have since advise all my clients to plan an exit-strategy from Microsoft products. The belief from Microsoft they can restrict product features set, after you already bought it makes dangerous to "bet" your business on their good faith as they do not have any
US Democracy:The best person for the job (among These pre-selected choices...)
Come on, that's hardly reasonable.
How is a user supposed to trust a patch being issued by a company that is known to release vulnerable software in the first place?
Yes, it's not a reasonable standpoint for a user to have, but it's still valid!
Take this example: My system works. Apple releases Quicktime 6.3, iMovie 3.0.3, iSync 1.1, and Bluetooth 1.2.1 today. You expect me to update all of them?
Why? Just because? Because there are new features? Because they fix bugs? Because they improve performance? Just because Apple decided to release them?
But the difference is that I do trust Apple. Having used their OS and system for 2 years, now, I have found that Apple updates don't introduce more problems, do increase functionality, performance, and reliability, so I *will* update just because.
However, there *are* pieces of software I haven't updated. I haven't updated my base station software, yet, because it works and I don't want to restart it. I haven't updated my iPod software, again for the same. I haven't updated my IE because I don't use it, and have deleted it.
But I *don't* trust Microsoft. I've been using them for 10 years, and I won't update until there's feedback on whether there are new instabilities, problems, crashes, etc.
That... and did I mention I don't trust Microsoft?
GPL Deconstructed
Not only do they need to standardize the patch installers more, they also need to put into patches the ability to slipstream them with new installations, like you can do with a service pack. The number of critical updates we have to install after every new installation of XP is ridiculous when they could just provide us with an easy method of integrating the changes into the source files.
After the spam legislation becomes law I hope to see your ass in the slammer.
http://saveie6.com/
Sorry, Charney, it's not the patch installation software that's the problem. Sure the changes you suggest will make things a lot easier, but their absence isn't why people don't install your patches. The problem is the patches themselves.
Yes, the patches themselves. People don't install them because they break critical production software which must not be broken. And in some cases those patches can't be backed out without a complete wipe and reinstall of the system, witness the recent VPN protocol "fix". As long as this is the case, people will still not install the patches no matter how easy the installation process is.
If MS wants to improve their patch process, they need to do a few things:
Microsoft never fails to surprise me with their futile attempts to try to gain the trust of the IT world. Here we have another story of a billion dollar company, run by a 10 cent brain, i.e. Bill Gates, et al.
I don't think this patch problem is all about number play, i.e. reducing from 8 to 2. They should be more focused at producing a good product in the first place, not just creating a quick podge-job and then bombarding their customers with patches (which are usually also full of bugs).
They claim to be "Secure by Design" and yet they probably one of the worst track records when it comes to security related issues. This is just Microsoft spreading propaganda just to make it look like they're doing they're job.
So they can automagicly patch my system so that the "world" doesn't hear about it until almost everyone has the patch.. and right about that time (lets say 48 hours later) I find out that all my e-mails have been going to someone else, or my firewall settings are broken because of the patch.. and I spent two days working like a dog trying to find why it suddenly stopped working.
My wish of MS, would be to improve their OS and application design philosophy BEFORE they make it, so these patches aren't so damned regular in requirements or DIRE in consaquences.
Mongrels.
>:-|
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
Any time something wrong with Linux is pointed out, you are then reminded that somehow, this is a good thing. Linux is always perfect.
Not so with MS. They can do no good ever. According to Slashdot, MS has NEVER come out with anything decent. They could compile an exact duplicate of Linus' personal kernel, and somehow, the Zealots would find something wrong.
It's amazing how MS is slagged as not having an ounce of innovation, what about Linux itself? This is not an OS that was developed independently, with no legacy ties. In fact, it was written to be a substitute for Unix, a copy, a clone. Linux could not exist with Unix.
This is the thinking of the supplicants who recently touted "Feet of Fury" as innovative.
Of course, this will be modded down. Contrarian opinions are not tolerated here (the supposed bastion of free thinking). You think Bill is the Borg? You haven't met a Zealot.
So I decided to look at the patch counts of some other OS's just to make things look silly when in comparison.
First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months not 1 year like post 2.6 releases were, thus the patch counts rose this isn't really all that fair but as you'll see it doesn't REALLY matter):
32 patches per release. Which is about fair when compared to redhat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports but hey microsoft isn't providing many patches for other peoples products if at all)
Now lets do VMS (this is scary...)...
A look through bug-traq archives starting at 1997 the average count over the past 6 years has been 4 patches per year. But hey when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...
Just because passwords are being sent in the clear, doesn't mean you can necessarily intercept them. You need to be able to intercept the packets containing the username/password combination from the remote user. You could do this at one of three locations: the remote machine, the server, or in transit. If you own the remote machine, you could just trojan *any* client used, so telnet isn't any worse off than a more secure protocol. If you control the server, the point is already moot.
So let's look at the "intercept the packets in transit" approach. You could try to sniff the packets by compromising one of the routers, or listening in on a wireless LAN if that's what the client was using, or installing a physical wiretap. None of these would work against a secure protocol.
Anyway, let's assume the attacker has intercepted a username/password combination for a particular machine. He could then do anything that user could. However, that doesn't get the attacker full control over the system. For that, the attacker could then use a local root exploit.
Additionally, many of the daemons that provide services like FTP or telnet have had many remote root holes in them.
So, whilst telnet and non-anonymous FTP have their security issues, and you probably shouldn't be running them and certainly shouldn't be exposing them to the world, exploiting their weaknesses isn't quite as easy as you might think.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I see this as Microsoft taking a much needed step towards addressing the #1 security problem plaguing the Internet: Joe User.
Joe User doesn't even know what Windows Update is, so never installs any patches for the operating system. Joe User clicks on any E-mail he gets that says "L@@K NEW WINDOWS SECURITY PATCH!" or "ANNA KOURNIKOVA NAKED!!1" As a result, Joe User is running several different trojans, and his system is being used as a DDoS attack drone whenever it is online.
As much as we might decry a percieved invasion of our right to run our own systems, forcing Joe User to keep his system up to date with the latest patches is a good thing for all of us. Fewer packet floods, fewer lamers on compromized hosts, and possibly less spam. It's likely that Joe User doesn't even CARE that Microsoft is installing whatever it wants, whenever it wants, on his box. In the end, as long as those of us who know what we're doing can disable this feature (and those of us who don't CAN'T), I can only see this being a good thing for everyone concerned.
So, uh... what's changed, exactly?
Good 'ol Bob.
Yes, the patches themselves. People don't install them because they break critical production software which must not be broken.
That critical production software NEEDS a patch, f.e. it has a security hole, or runs on top of an OS that has a security hole. THerefor it IS already broken and thus needs patching. THere is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.
Never underestimate the relief of true separation of Religion and State.
"A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear. "
- or -
"Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases. "
Temporary correction... Microsoft, I'm afraid, took this literally.
I have always wondered why each patch is distributed as a standalone executable... .RPM and it is installed using the rpm program already on the system. .MSI file?
Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a
Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a
[Apparently MS's FUD group managed to 'clean up' the transcript before it got out. Here's how part of the _real_ interview went.]
... customers ... when our patches break working programs. A Patch Testing working group is being formed and is anticipated to be in place for Windows Server 2003's release in late 2004.
"And we'll not be stopping there. Their second biggest concern after patch management was patch suitability and correctness. And that's when I realized that the patches themselves were broken!
We had this engineering group making patches for this and that public relations group announcing patches for that vulnerability and management saying 'why don't you patch the hardware so the bandwidth will be smaller.' And what ended up happening is that no one was actually checking to see if the patches fixed anything." (Nervous Laughter)
So one of the next things I will be doing is to create a Patch Verification working group. Get all the people together to agree on a common nomenclature. What's a "bug" anyway? And how does it differ from a "feature?" No seriously. Can anyone define those terms for us?
Anyway, another thing that seems to bother our hostages. I mean customers. Yes, customers. That's it. It seems to bother our
We are furthermore developing 'New Technologies' within Microsoft including one we're calling 'debugging,' that I'm very excited about. We think it'll vastly improve the quality of our "MacOS Jagger OS" 'Longhorn' release in 2010. From there we'll be setting our sights on matching Linus Redtop 7's innovation and code quality. [I'm pretty sure he means "Jaguar" and "Redhat 7" -ed]
By then of course, our "Trustworthy Computing" initiative will be in place. Microsoft Big Brother (TM) will impliment Software Update Services to push 'Code we Trust' on enterprises so we can prosecute those who try to back out patches from any of our 25 installer applications, 13 hotfix downloaders or 7 service pack updaters."
[At this point some Microsoft Thugs (TM) confiscated my recorder, though I managed to switch out the tape first -ed]
While a patch system overhaul is long overdue given the number of affected legacy systems, Microsoft should see this as an oppurtunity to save themselves some serious money (and, as a side effect, do some actual good). If they can learn from this experience, and use this as a learning experience on the importance of writing good code, this could be a great oppurtunity for them.
Instead of having the large full time support staff they do, as well as the crews of people scanning the web for new exploits, how much time, effort, and money could they save by hiring a couple of full time people to check _all_ buffers on all code after it's been committed to sourcesafe? Also, it would reduce data loss due to crashes and other problems. Wow, Microsoft increasing their bottom line in a way that actually helps consumers. What a thought.
Contact Me (got tired of viruses emailing me).
well, critical updates are *mostly* distributed by the ever-popular windowsupdate service. I recently created a slip-streamed, unattended CD-R for XP Pro that has SP1a && corp activation (via corp $erial) && m$ft jvm && every critical update & patch. And, if you want, you can download WinINSTALLER to create .MSI files from any/all your programs and automagikally install those too. It's basically what the dell "repair" disks. See this, this, this, this, and this
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
I was once infatuated with the "free software" and GPL, but the more time I spent with that crowd, the more I became to realize that their underlying philosophy was fundamentally anti-corporate, socialist and had typical characteristics of a cult.
It's either their way, all the way, or the high way. Rational discussion is made impossible by hysterical groupthink resembling that of a communist totalitarian state, egocentric reasoning ("closed software is eeevil because it doesn't let us steal the code!"), fondness to the Appeal to Authority logic ("closed software is eeevil because RMS said so!") and cults of personality of Linus, RMS and ESR.
As far as I can see, this attitude stems fundamentally from your run-of-the-mill blue-collar envy of those who are financially successful and who have actually had the courage to risk their reputation and fortune in business.
BOO! TERRO
Hmm, they're separating out patches for the OS and its applications? Interesting, considering their recent move to make the latest version of IE the last 'standalone' one... How will they differentiate OS and applications if they keep doing this? (Real question, not sarcastic/rhetorical)
From reading this story closely, it appears that Microsoft has once again run into a problem which the open source community has successfully solved: how to effectively deliver patches and security updates to a wide audience across the internet. Existing mechanisms for distributing updated software for Microsoft's operating systems and applications are currently only semi-effective and are in urgent need of overhaul. They certainly do not represent a best-of-breed, enterprise-level approach.
At this point, I would like to put forward a suggestion to both the readers of Slashdot, and to the management of Microsoft which may address the aforementioned shortcomings: win-apt-get. As Debian users across the planet know only too well, apt-get is a robust, convenient, scalable and enterprise-ready solution for managing not only Debian packages, but also the rapid dissemination of updates and patches when they become available. Apt-get is in fact listed as the number one reason for choosing the Debian GNU/Linux distribution above other competing distributions by respondents in a recent LinuxWorld survey. Given such tremendous community support and technical advantages, why is it not worth considering a version of apt-get tailored specifically for Windows...a win-apt-get, if you will.
Please...I hear you reaching for your 'Troll' and 'Offtopic' moderator buttons. Certainly many high-ranking Debian luminaries exhibited similar responses when I approached them with this idea at this year's Open Source Expo. However upon listening to my plans, they were all convinced. Bruce Perens was particularly enthused, as I had offered to buy him lunch at the cafeteria if he listed to my pitch, an offer which he accepted vigorously, let me tell you!
But enough ancedotes of rubbing shoulders with the 'Debian doyens'. What I need are volunteers to help with the porting of apt-get to the Windows platform. This is in fact part of a much larger initiative, which unfortunately has been met with much hostility by the overwhelming Gentoo community on Slashdot. This initiative is the production of a new version of Debian, one which uses a new underlying operating system: Debian GNU/Windows XP.
Let it sink in. I will be back shortly to tell you more. I'm excited!
Best regards,
Debian Troll
Stipulative Definitions:
;) No stack or buffer-overflows there... and u can SetSecurityManager's all over the place, and java applets are sandbox'ed anyhow (except microsoft's JVM is an insecure PoS.) I'm wondering if a POSIX && a Secure UNIX && a Trusted OS would be any better. I hear they use the "root-isnt-root" trick, everything is encryptable (mem, process name even), and memory has ACLs everywhere.
"Bug" - a serious flaw or unforseen condition that results in unexpected or unintended consequences or actions.
"Exploit" - a creative use of a "bug" to utilize a program for uses not intended by it's user and/or developer.
Premises:
(1) If we assume that every networkable and sizable program contains is not perfect; meaning, it contains one or more bugs.
(2) That bugs are the basis most exploits.
Conclusion:
Every networkable, sizable program is likely to contain one or more bugs, resulting in an possible exploit.
The sad truth is that OSes that use unsentry'ed stacks for method invocation are inherently susceptible to stack overflow xploits. Btw, everyone STOP USING strcmp() && gets() in your programs!!!!!!! use strncmp() && fgets() damnit !!!!! Buffers (fixed & malloc()ed) must NEVER be exceedable from command-line or other user actions!!! In fact, there should be no way to exceed a buffer, though u ALWAYS have the first byte available AFTER the end of an array as a safe place. Write defensive code!!! Code as you would drive in Oakland, CA. assert() never hurt anyone (just never put any code w/ side-effects inside asserts()). I've ran sec audits on so much source, there's always some little util around somewhere that checks argv's with these suckers. Instant buffer-overflow exploit, no water neccessary! There are modified linux kernels that check the stack pointers and the integrity of stack w/ so-called "canaries" random, magic bytes on either size of the stack frame to check for stack overflows. For buffer overflows, it's a little harder, since u need something checks array indicies and malloc(). Even then, there are some exploits that write to valid portions of a user-space app to gain some privileges. My solution: use a language w/ tons of security already in it -- Java.
"You can take that to the bank!" -- I dont know.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
And they will be able to reduce the number of attacks to 5% from the current level!
Funny, I always thought the key to software security was to write good code in the first place. Automating a patch system to improve software security is like building automatic bandaid dispensers into children's clothing to make playgrounds safer. It's an extension of security-through-obscurity, at the expense of user freedom.
The majority of hack attacks happen immediately after a patch is announced, implying that announcing the patch announces the vulnerability. So MS is saying the problem isn't the vulnerabilities themselves, it's that hackers respond more quickly to the announcements than ordinary users do. Microsoft's solution is to speed up the response. So what if the users have to give up control of their computers? They're going to have to turn over the keys anyway when Palladium gets shoved down their throats, right?
Casting users as the weak link is ultimately a lame defense for the fix-it-later commercial software development philosophy. Rushing software out the door because the marketing dept has promised it to retailers who want to sell it before Xmas is not the only possible way to do development.
The free software world may not be perfect but it doesn't suffer from that particular disadvantage. One way to make your system more secure might be to run code that was released when the developers decided it was actually ready.
UNIX has been around for a decade longer than even the earliest efforts from MS and it still works really nicely.
That's besides the point. Microsoft is stuck with what they have right now, which is this giant, semi-monolithic applications platform. The best they can do is try to audit it for security and hope they don't break anything, and even that is a trying job. Give credit where credit is due, because for all its clout Microsoft lacks much of the flexibility of its competitors.
In Soviet America the banks rob you!
This is simply another example of Microsoft's ongoing strategy to sell products:
1. Release lots of marketing hoopla about initiatives to improve security, each of which is followed by an embarassing new security breach.
2. Spread FUD about other products that are gaining ground against their products because of an established record of security they just can't seem to produce (see 1 above).
3. Rush patch after patch after patch out the door without proper testing, creating more problems than they fix.
4. Blame the user for each new embarassing security breach.
5. Do anything EXCEPT address the underlying design and implementation philosophies that created all of this mess in the first place!
I no longer patch my Windows systems. I don't have to. I have to run Windows for some of the software that is only available on Windows, but I don't have to expose them to the 'net. My Windows systems hide behind a firewall. Outlook and IIS are banned from my systems. I don't send out Word or Excel files and any that come in are screened and cleaned before I open them.
My Windows systems are sealed in jails with only tight little windows (every pun intended) through which to look out at the Wide Wide World (get it?). Attempts to communicate with the family in Redmond are blocked; contraband coming in from the outside world are routinely scanned for and removed.
And who is the jailer? Right now, Linux. Linux runs on the firewall. My server is Linux. Mail is routed and cleaned though Linux software incoming and outgoing.
Get a clue, Microsoft. This is the way of the future. This is my Microsoft strategy. Increasingly, it is also the strategy of people I consult for: if not now, soon after the next virus attack or server hack. Microsoft software simply cannot be trusted to work in the Wide Wide World.
If Microsoft is serious about wanting people to install their patches, they should institute a policy against making 'retroactive' changes to product EULAs in the patches. If they want me to patch this stuff on a weekly basis, having to parse through a few pages of EULA-ese in order to do so is a substantial 'barrier to entry'.
Here's something to think about. Microsoft's patch system authenticates you before it will give you patches (not you specifically, but the Activation Code you're using, I believe).. with the last service pack they made a whole lot of pirated corporate editions not able to use Windows Update.
:)
This doesn't mean all the pirates are going to say "gee, guess I'll go legit and buy a copy", it more likely means they'll stay unpatched.
It would be interesting to know how many systems that are participating in DDoS attacks are not patched because they can't patch because they're illegal copies of Windows...
(Yes, patches are available in other ways than Windows Update, but Microsoft is doing all their work to make Windows Update easy - maybe what we need is a "rogue Windows Update" for the pirates
- Steve