Microsoft Plans An Overhaul For Patch System

sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site." As reader sweeney37 summarizes, " Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.

now?

[CptChipJew]

"We are now doing security audits on all our products as part of development."

No comment necessary =)

recent bad patches?

[ClickWir]

What about the recent patch that "broke" peoples net connections... I don't want something like that automatically applied.

Re:recent bad patches?

[Dot.Com.CEO]

You know, I love the register as any slashdot user does, but, seriously, it is not "news". The specific article that you are posting is full of "may" and "could". The link to SuSE linux at the end of the article hardly makes for detached commentary. In fact, had this article been posted in /. it would have been a -1 Troll.

I think that Microsoft could very well make system updates (ie not DRM related ones) obligatory but I don't think they will. And, seriously, even if they do, what stops you from blocking windowsupdate.microsoft.com at your firewall?

A very tough task

[timeOday]

In the commercial world, because of restrictions on software distribution, there is no single place to go for patches. There is no debian or RedHat that distributes 100s or 1000s of applications and will provide you patches for ALL of them promptly and consistently.

MS Patch

[CySurflex]

I've tried the MS Patch system to rid myself of the MS-addiction, but even with the patch I find myself waking up at night and installing windows 98.

Maybe with this overhaul they'll come out with better microtine patches and I'll be able to look my friends and family in the eyes, once again.

While it's laudable that they're at least trying..

[The+Kryptonian]

.. I sincerely doubt that their reputation for releasing patches that break as much as they fix will be affected very much by this move. I think most business users will see it as an attempt to appear as though they're trying to address the issues instead of actually doing anything.

It's kind of like a balding man with a really bad comb-over. It looks okay from a distance, but it doesn't really fool anyone.

My Patch

[scubacuda]

Yo Bill! Here is my "patch".

PATCH THIS"

Double standard with Linux?

Users who do not patch their default Linux installs are the ones to blame when they get hacked, but Windows users who turn off automatic updates are off the hook because Microsoft didn't roll out a patch correctly?

Double standard, anyone?

Re:User problem

[pla]

If you turn off this feature, it's really your own fault that you get hacked.

I will presume you mean that as a joke.

You do know Microsoft's history of releasing "updates" that have a high probability of making matters worse than the bugs they claim to fix, right?

I believe their last proof of this idea occurred... Oh, last week? And who can forget the legendary NT4 "even numbered SP plague"? They should have released 6a as 7, just to keep their f'd up patches consistantly named. ;-)

Automated patches for pirated copies?

[brogdon]

As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine). My first thought was that Microsoft would require you to have an "activated" and properly registered copy of Windows and/or the MS applications you were running in order to receive the updates.

But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.

I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.

Re:Automated patches for pirated copies?

[ramzak2k]

I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP

Dude , i suggest you remove the URL to your website. It is not that difficult to find your address.

Re:Automated patches for pirated copies?

[burns210]

"...not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster..."

So if you have a pirated copy, and you constantly get infected by worms because you can't get any security patches, wouldn't that make you more inclined to BUY THE SOFTWARE?

Re:Automated patches for pirated copies?

[Dark+Lord+Seth]

Oh, I'll hapiily pay! ... For quality software against a reasonable price, that is. Now if Windows XP didn't cost me a kidney but 50 euros or something OR MS would drastically improve/cough up some versions of their OS worth the money, (stable*, secure*, fast*, bloat-free, no evil licensing schemes/integrated crap) then I'd happily pay! Unfortunately, right now, I'm not going to fork over 300 euros for Win XP Pro only so I can have one huge piece of bloat slow down my computer while MS monkeys/lawyers are constantly trying to think up the holy grail of licenses which in legal terms state that MS will own my house, car, wife, first born and have the right to sell my soul to Satan for favours.

* = Surprisingly, they already managed this. A windows machine CAN be made fairly stable if properly taken care of, same with security. And XP Pro boots pretty fast on my Celeron 300, faster then 2k on an AMD XP 1900 :\ Remember kids, while MS is still evil, most faults can be attributed to human error/incompetence still!

Re:Automated patches for pirated copies?

[dirk]

Oh, I'll hapiily pay! ... For quality software against a reasonable price, that is. Now if Windows XP didn't cost me a kidney but 50 euros or something OR MS would drastically improve/cough up some versions of their OS worth the money, (stable*, secure*, fast*, bloat-free, no evil licensing schemes/integrated crap) then I'd happily pay! Unfortunately, right now, I'm not going to fork over 300 euros for Win XP Pro only so I can have one huge piece of bloat slow down my computer while MS monkeys/lawyers are constantly trying to think up the holy grail of licenses which in legal terms state that MS will own my house, car, wife, first born and have the right to sell my soul to Satan for favours.

* = Surprisingly, they already managed this. A windows machine CAN be made fairly stable if properly taken care of, same with security. And XP Pro boots pretty fast on my Celeron 300, faster then 2k on an AMD XP 1900 :\ Remember kids, while MS is still evil, most faults can be attributed to human error/incompetence still!

So let me get this straight. You'll pay if the software is stable, secure, fast, bloat-free, and has licensing you like. You admit Windows XP is stable, secure, and fast (even though you later go on to contradict yourself and say that it will slow down your computer). If it is stable, secure and fast (as you admit it is), bloat just means it has extra features you don't use, which don't affect any of the previous 3 apparently. So because you don't like the licensing terms (but apparently approve of the rest of the product) you will pirate the software. This seems like the whiniest protest I've ever heard. The software is great, but until they change their licensing and price (which I can afford, since I can afford a computer) I'm going to steal their software. Jesus, and people wonder why non-geeks think /, and other geek sites make all geeks look like a bunch of whiney little children who are just looking for everything for free...

Re:Automated patches for pirated copies?

[Psiren]

That's the biggest load of bullshit I've ever read. If you think Windows is such a bloat-ridden insecure piece of crap, why are you still using it? The truth of the matter is, you can get away with not paying for it, so you will. You're a thief, end of story.

sweet irony

[ciroknight]

After i just go through hell with m$s last patch to fix a security problem... connection problems. That thing took 5 hours to remove and still i see side effects of it (like aim wont connect and stay connected for long). But hey, that's how they make their killing: tech support. Sadly I'm not (dumb|smart) enough to (write|call) them on this one. Maybe its time for a patch system that simply removes the files they over wrote and stores the old ones somewhere.... that'd be really nice..

Security patches used with political means?

Hi, A good idea to improve the speed of patch adoption should be not to use patches to sneak in system "enhancements". I use XP for some tasks at home and once I applied one "cumulative security patch for Internet explorer" I found out Windows was keeping me from watching my region 1 DVDs ( I live in Spain ). Of course I re-installed windows and I stop installing whatever patch and I am trying to move all my desktop needs to Linux; anyway I believe this behavior is shameful if not criminal. I have since advise all my clients to plan an exit-strategy from Microsoft products. The belief from Microsoft they can restrict product features set, after you already bought it makes dangerous to "bet" your business on their good faith as they do not have any

Re:Security patches used with political means?

[teamhasnoi]

Apple did the same thing with iTunes 4.0.1

Kept you from sharing your playlists off your subnet I think...there is a /. story about it here

The dumb thing is that everyone who cared about it caught it before hand, and every one who doesn't care most likely doesn't share their lists.

I was going to post that MS should go to a Apple Software Update sort of thing - it's easy, the patches usually work flawlessly and you can get self contained disk images of all of them to install at your leisure.

Then I realized that this probably wouldn't work, as Apple has a much smaller subset of hardware to deal with than MS.

Which got me thinking that perhaps MS isn't all bad? Maybe its all the crap that people try to use with their PCs from ISA days, and all the spyware that seems to be omnipresent in any shareware install that's causing all the problems. I mean, a browser intergrated into the OS can't be that bad can it?

Then I remembered that Bill Gates eats babies with the devil every afternoon at 4 pm.

Whew! I almost fell to the dark side!

Not true at all!

[2nd+Post!]

Come on, that's hardly reasonable.

How is a user supposed to trust a patch being issued by a company that is known to release vulnerable software in the first place?

Yes, it's not a reasonable standpoint for a user to have, but it's still valid!

Take this example: My system works. Apple releases Quicktime 6.3, iMovie 3.0.3, iSync 1.1, and Bluetooth 1.2.1 today. You expect me to update all of them?

Why? Just because? Because there are new features? Because they fix bugs? Because they improve performance? Just because Apple decided to release them?

But the difference is that I do trust Apple. Having used their OS and system for 2 years, now, I have found that Apple updates don't introduce more problems, do increase functionality, performance, and reliability, so I *will* update just because.

However, there *are* pieces of software I haven't updated. I haven't updated my base station software, yet, because it works and I don't want to restart it. I haven't updated my iPod software, again for the same. I haven't updated my IE because I don't use it, and have deleted it.

But I *don't* trust Microsoft. I've been using them for 10 years, and I won't update until there's feedback on whether there are new instabilities, problems, crashes, etc.

That... and did I mention I don't trust Microsoft?

Re:Not true at all!

[deranged+unix+nut]

Would you trust the patches more if the patch system told you how many people had installed the patch, how long it has been installed on a critical mass of systems, and how many users reported problems after installing the patch?

(I don't know if any patch system does this...just asking)

What they also need...

[brucmack]

Not only do they need to standardize the patch installers more, they also need to put into patches the ability to slipstream them with new installations, like you can do with a service pack. The number of critical updates we have to install after every new installation of XP is ridiculous when they could just provide us with an easy method of integrating the changes into the source files.

What's broken

[Todd+Knarr]

Sorry, Charney, it's not the patch installation software that's the problem. Sure the changes you suggest will make things a lot easier, but their absence isn't why people don't install your patches. The problem is the patches themselves.

Yes, the patches themselves. People don't install them because they break critical production software which must not be broken. And in some cases those patches can't be backed out without a complete wipe and reinstall of the system, witness the recent VPN protocol "fix". As long as this is the case, people will still not install the patches no matter how easy the installation process is.

If MS wants to improve their patch process, they need to do a few things:

1. Insure that security and critical updates don't break existing software. At the very least, if breakage is neccesary the type and extent must be documented in the patch description.
2. All security-related patches must be seperate from functionality upgrades. You can roll security fixes into service packs and upgrade packages, but you must never require the latter to get the former.
3. All patches must be uninstallable. No exceptions. Not even for security patches. Admins must be confident that any patch can be undone if it absolutely has to be.
4. Patches must not change license terms. One of the reasons people avoid patches is that they change the license terms to ones they can't accept. No using security fixes as blackmail to foist terms on users that the users wouldn't agree to on their own.

Re:What's broken

[skillet-thief]

Isn't having fewer patches a step in the wrong direction? I would think that by combining patches together, you would have more chances of things going wrong (ie. breaking your system) than if each patch just fixed one little thing. Even if that means having to install many more patches.

Also, fewer patches means that there will be more time between patches, thus more systems running longer unpatched, and that can't be good.

This might be a good example of the difference in design philosophy between MS and the *nix world: MS always want to make the "one big program that does everything" instead of analyzing problems and breaking things down into small packages.

Of course.

Any time something wrong with Linux is pointed out, you are then reminded that somehow, this is a good thing. Linux is always perfect.

Not so with MS. They can do no good ever. According to Slashdot, MS has NEVER come out with anything decent. They could compile an exact duplicate of Linus' personal kernel, and somehow, the Zealots would find something wrong.

It's amazing how MS is slagged as not having an ounce of innovation, what about Linux itself? This is not an OS that was developed independently, with no legacy ties. In fact, it was written to be a substitute for Unix, a copy, a clone. Linux could not exist with Unix.

This is the thinking of the supplicants who recently touted "Feet of Fury" as innovative.

Of course, this will be modded down. Contrarian opinions are not tolerated here (the supposed bastion of free thinking). You think Bill is the Borg? You haven't met a Zealot.

Re:Of course.

[molarmass192]

The difference is that Linus et al. do not CLAIM to be innovative. MS touts themselves as having invented everything from the toaster to the space shuttle. Reading an MS PR release is like listening to an Al Gore speech in my mind. Neither the Linux kernel nor MS are particularly innovative, but at least Linux hackers do not falsely claim to be. MS does take a lot of heat on /. but I would say that MS's arrogance as a whole is on par with the /. camp's arrogance so it's pretty much a wash.

Also, even though you didn't mention it, some repliers did, I don't use Linux because it's free as in $$$. I can afford the $200 XP Pro price tag. I use Linux (1) becuase I am able to see/change the source as I see fit, (2) it's modular structure lets me tailor the kernel for each box/purpose, (3) I like and use the command line extensively (not all of us are point-and-clickers), and (4) because it's not built around the asinine all-your-eggs-in-one-basket registry concept.

One final point on the $$$ argument. I would guess that over half the XP installs out there are pirated copies anyhow. Every time I see a pirated copy of XP it pains me to NOT call the BSA but I refrain. In fact, I'd bet that most MS backers on this board have one or more pieces of pirated MS software in their possession. It's a little hippocritical to stand up for a closed source software company all while stealing (yes, it's theft) at the same time.

Interesting patch counts....

About a year ago at work we had a presentation of why our clients should go with us and part of that presentation involved showing the patch counts between Windows 2K and Redhat 7.x. If I recall correctly those numbers came out to rougly ~1050 patches versus ~350 patches for roughly the same time period (yes all very ROUGH, we like it ROUGH...).

So I decided to look at the patch counts of some other OS's just to make things look silly when in comparison.

First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months not 1 year like post 2.6 releases were, thus the patch counts rose this isn't really all that fair but as you'll see it doesn't REALLY matter):

32 patches per release. Which is about fair when compared to redhat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports but hey microsoft isn't providing many patches for other peoples products if at all)

Now lets do VMS (this is scary...)...

A look through bug-traq archives starting at 1997 the average count over the past 6 years has been 4 patches per year. But hey when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...

Protecting Us From Joe User

[Alereon]

I see this as Microsoft taking a much needed step towards addressing the #1 security problem plaguing the Internet: Joe User.

Joe User doesn't even know what Windows Update is, so never installs any patches for the operating system. Joe User clicks on any E-mail he gets that says "L@@K NEW WINDOWS SECURITY PATCH!" or "ANNA KOURNIKOVA NAKED!!1" As a result, Joe User is running several different trojans, and his system is being used as a DDoS attack drone whenever it is online.

As much as we might decry a percieved invasion of our right to run our own systems, forcing Joe User to keep his system up to date with the latest patches is a good thing for all of us. Fewer packet floods, fewer lamers on compromized hosts, and possibly less spam. It's likely that Joe User doesn't even CARE that Microsoft is installing whatever it wants, whenever it wants, on his box. In the end, as long as those of us who know what we're doing can disable this feature (and those of us who don't CAN'T), I can only see this being a good thing for everyone concerned.

Microsoft Bob Windows Update Metaphor

[teamhasnoi]

If you were running MS Bob and ran Windows Update, Bob would come out with a broken leg, scabs and open wounds, bandages that seem to eat away the skin, a crutch that would constantly fold under pressure, advanced Parkinson's and Alhzimer's disease, paranoid delusions, amnnesia, a blind eye, a deaf ear, a constant gnawing hunger, a penchant for telling you what you want to hear and gossiping about you when you're out of earshot, a tendency to fall, willingness to disregard you and pretend that you wern't in the room, a constant need for space, a helpful way of stating the obvious repeatedly, lethargy, unwillingness to work with others, nagging you about how he doesn't feel 'connected', a poor work ethic, the abillity to stare at nothing while looking busy, and would most likely lock your file cabinets and give the key away to someone you don't know, all while trying to sell you something you already own.

Good 'ol Bob.

It needs a patch: it IS broken

[Otis_INF]

Yes, the patches themselves. People don't install them because they break critical production software which must not be broken.
That critical production software NEEDS a patch, f.e. it has a security hole, or runs on top of an OS that has a security hole. THerefor it IS already broken and thus needs patching. THere is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.

Re:It needs a patch: it IS broken

[nmos]

That critical production software NEEDS a patch, f.e. it has a security hole, or runs on top of an OS that has a security hole. THerefor it IS already broken and thus needs patching. THere is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.

That's a rather simplistic view. In practice you have to decide if the odds of being affected by the bug the patch fixes are greater than the odds of the patch screwing up the system in some unknown way. Sometimes it comes down to "the devil you know vs. the devil you don't"

Re:It needs a patch: it IS broken

[DreamerFi]

There is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.

To quote Morpheus, "welcome to the real world". What if your choice is between these two:

1) running software with a security hole, but being able to bill your customers, and

2) not running software because the patch breaks the application that allows you to bill your customers, thus not making any money and going out of business.

Unfortunately, sometimes this is a real situation, and not just with microsoft software.

Path, According to Webster

[jabbadabbadoo]

patch1 ( P )

"A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear. "

- or -

"Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases. "

Temporary correction... Microsoft, I'm afraid, took this literally.

Why is the patch system not a part of the OS?

[pe1chl]

I have always wondered why each patch is distributed as a standalone executable...
Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a .RPM and it is installed using the rpm program already on the system.
Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a .MSI file?

Here's how the _real_ interview went.

[Apparently MS's FUD group managed to 'clean up' the transcript before it got out. Here's how part of the _real_ interview went.]

"And we'll not be stopping there. Their second biggest concern after patch management was patch suitability and correctness. And that's when I realized that the patches themselves were broken!

We had this engineering group making patches for this and that public relations group announcing patches for that vulnerability and management saying 'why don't you patch the hardware so the bandwidth will be smaller.' And what ended up happening is that no one was actually checking to see if the patches fixed anything." (Nervous Laughter)

So one of the next things I will be doing is to create a Patch Verification working group. Get all the people together to agree on a common nomenclature. What's a "bug" anyway? And how does it differ from a "feature?" No seriously. Can anyone define those terms for us?

Anyway, another thing that seems to bother our hostages. I mean customers. Yes, customers. That's it. It seems to bother our ... customers ... when our patches break working programs. A Patch Testing working group is being formed and is anticipated to be in place for Windows Server 2003's release in late 2004.

We are furthermore developing 'New Technologies' within Microsoft including one we're calling 'debugging,' that I'm very excited about. We think it'll vastly improve the quality of our "MacOS Jagger OS" 'Longhorn' release in 2010. From there we'll be setting our sights on matching Linus Redtop 7's innovation and code quality. [I'm pretty sure he means "Jaguar" and "Redhat 7" -ed]

By then of course, our "Trustworthy Computing" initiative will be in place. Microsoft Big Brother (TM) will impliment Software Update Services to push 'Code we Trust' on enterprises so we can prosecute those who try to back out patches from any of our 25 installer applications, 13 hotfix downloaders or 7 service pack updaters."

[At this point some Microsoft Thugs (TM) confiscated my recorder, though I managed to switch out the tape first -ed]

It's not enough.

[cyt0plas]

While a patch system overhaul is long overdue given the number of affected legacy systems, Microsoft should see this as an oppurtunity to save themselves some serious money (and, as a side effect, do some actual good). If they can learn from this experience, and use this as a learning experience on the importance of writing good code, this could be a great oppurtunity for them.

Instead of having the large full time support staff they do, as well as the crews of people scanning the web for new exploits, how much time, effort, and money could they save by hiring a couple of full time people to check _all_ buffers on all code after it's been committed to sourcesafe? Also, it would reduce data loss due to crashes and other problems. Wow, Microsoft increasing their bottom line in a way that actually helps consumers. What a thought.

OS and Applications?

[JonoPlop]

Hmm, they're separating out patches for the OS and its applications? Interesting, considering their recent move to make the latest version of IE the last 'standalone' one... How will they differentiate OS and applications if they keep doing this? (Real question, not sarcastic/rhetorical)

Re:And the rest 5%??!

[Zork+the+Almighty]

UNIX has been around for a decade longer than even the earliest efforts from MS and it still works really nicely.

That's besides the point. Microsoft is stuck with what they have right now, which is this giant, semi-monolithic applications platform. The best they can do is try to audit it for security and hope they don't break anything, and even that is a trying job. Give credit where credit is due, because for all its clout Microsoft lacks much of the flexibility of its competitors.

No patches for pirated copies..

[SteveX]

Here's something to think about. Microsoft's patch system authenticates you before it will give you patches (not you specifically, but the Activation Code you're using, I believe).. with the last service pack they made a whole lot of pirated corporate editions not able to use Windows Update.

This doesn't mean all the pirates are going to say "gee, guess I'll go legit and buy a copy", it more likely means they'll stay unpatched.

It would be interesting to know how many systems that are participating in DDoS attacks are not patched because they can't patch because they're illegal copies of Windows...

(Yes, patches are available in other ways than Windows Update, but Microsoft is doing all their work to make Windows Update easy - maybe what we need is a "rogue Windows Update" for the pirates :)

- Steve