Microsoft Plans An Overhaul For Patch System

sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site." As reader sweeney37 summarizes, " Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.

now?

[CptChipJew]

"We are now doing security audits on all our products as part of development."

No comment necessary =)

recent bad patches?

[ClickWir]

What about the recent patch that "broke" peoples net connections... I don't want something like that automatically applied.

Re:recent bad patches?

[Dot.Com.CEO]

You know, I love the register as any slashdot user does, but, seriously, it is not "news". The specific article that you are posting is full of "may" and "could". The link to SuSE linux at the end of the article hardly makes for detached commentary. In fact, had this article been posted in /. it would have been a -1 Troll.

I think that Microsoft could very well make system updates (ie not DRM related ones) obligatory but I don't think they will. And, seriously, even if they do, what stops you from blocking windowsupdate.microsoft.com at your firewall?

A very tough task

[timeOday]

In the commercial world, because of restrictions on software distribution, there is no single place to go for patches. There is no debian or RedHat that distributes 100s or 1000s of applications and will provide you patches for ALL of them promptly and consistently.

MS Patch

[CySurflex]

I've tried the MS Patch system to rid myself of the MS-addiction, but even with the patch I find myself waking up at night and installing windows 98.

Maybe with this overhaul they'll come out with better microtine patches and I'll be able to look my friends and family in the eyes, once again.

While it's laudable that they're at least trying..

[The+Kryptonian]

.. I sincerely doubt that their reputation for releasing patches that break as much as they fix will be affected very much by this move. I think most business users will see it as an attempt to appear as though they're trying to address the issues instead of actually doing anything.

It's kind of like a balding man with a really bad comb-over. It looks okay from a distance, but it doesn't really fool anyone.

Re:User problem

[pla]

If you turn off this feature, it's really your own fault that you get hacked.

I will presume you mean that as a joke.

You do know Microsoft's history of releasing "updates" that have a high probability of making matters worse than the bugs they claim to fix, right?

I believe their last proof of this idea occurred... Oh, last week? And who can forget the legendary NT4 "even numbered SP plague"? They should have released 6a as 7, just to keep their f'd up patches consistantly named. ;-)

Automated patches for pirated copies?

[brogdon]

As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine). My first thought was that Microsoft would require you to have an "activated" and properly registered copy of Windows and/or the MS applications you were running in order to receive the updates.

But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.

I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.

Re:Automated patches for pirated copies?

[ramzak2k]

I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP

Dude , i suggest you remove the URL to your website. It is not that difficult to find your address.

Re:Automated patches for pirated copies?

[Psiren]

That's the biggest load of bullshit I've ever read. If you think Windows is such a bloat-ridden insecure piece of crap, why are you still using it? The truth of the matter is, you can get away with not paying for it, so you will. You're a thief, end of story.

sweet irony

[ciroknight]

After i just go through hell with m$s last patch to fix a security problem... connection problems. That thing took 5 hours to remove and still i see side effects of it (like aim wont connect and stay connected for long). But hey, that's how they make their killing: tech support. Sadly I'm not (dumb|smart) enough to (write|call) them on this one. Maybe its time for a patch system that simply removes the files they over wrote and stores the old ones somewhere.... that'd be really nice..

Security patches used with political means?

Hi, A good idea to improve the speed of patch adoption should be not to use patches to sneak in system "enhancements". I use XP for some tasks at home and once I applied one "cumulative security patch for Internet explorer" I found out Windows was keeping me from watching my region 1 DVDs ( I live in Spain ). Of course I re-installed windows and I stop installing whatever patch and I am trying to move all my desktop needs to Linux; anyway I believe this behavior is shameful if not criminal. I have since advise all my clients to plan an exit-strategy from Microsoft products. The belief from Microsoft they can restrict product features set, after you already bought it makes dangerous to "bet" your business on their good faith as they do not have any

Not true at all!

[2nd+Post!]

Come on, that's hardly reasonable.

How is a user supposed to trust a patch being issued by a company that is known to release vulnerable software in the first place?

Yes, it's not a reasonable standpoint for a user to have, but it's still valid!

Take this example: My system works. Apple releases Quicktime 6.3, iMovie 3.0.3, iSync 1.1, and Bluetooth 1.2.1 today. You expect me to update all of them?

Why? Just because? Because there are new features? Because they fix bugs? Because they improve performance? Just because Apple decided to release them?

But the difference is that I do trust Apple. Having used their OS and system for 2 years, now, I have found that Apple updates don't introduce more problems, do increase functionality, performance, and reliability, so I *will* update just because.

However, there *are* pieces of software I haven't updated. I haven't updated my base station software, yet, because it works and I don't want to restart it. I haven't updated my iPod software, again for the same. I haven't updated my IE because I don't use it, and have deleted it.

But I *don't* trust Microsoft. I've been using them for 10 years, and I won't update until there's feedback on whether there are new instabilities, problems, crashes, etc.

That... and did I mention I don't trust Microsoft?

Re:Not true at all!

[deranged+unix+nut]

Would you trust the patches more if the patch system told you how many people had installed the patch, how long it has been installed on a critical mass of systems, and how many users reported problems after installing the patch?

(I don't know if any patch system does this...just asking)

What's broken

[Todd+Knarr]

Sorry, Charney, it's not the patch installation software that's the problem. Sure the changes you suggest will make things a lot easier, but their absence isn't why people don't install your patches. The problem is the patches themselves.

Yes, the patches themselves. People don't install them because they break critical production software which must not be broken. And in some cases those patches can't be backed out without a complete wipe and reinstall of the system, witness the recent VPN protocol "fix". As long as this is the case, people will still not install the patches no matter how easy the installation process is.

If MS wants to improve their patch process, they need to do a few things:

1. Insure that security and critical updates don't break existing software. At the very least, if breakage is neccesary the type and extent must be documented in the patch description.
2. All security-related patches must be seperate from functionality upgrades. You can roll security fixes into service packs and upgrade packages, but you must never require the latter to get the former.
3. All patches must be uninstallable. No exceptions. Not even for security patches. Admins must be confident that any patch can be undone if it absolutely has to be.
4. Patches must not change license terms. One of the reasons people avoid patches is that they change the license terms to ones they can't accept. No using security fixes as blackmail to foist terms on users that the users wouldn't agree to on their own.

Of course.

Any time something wrong with Linux is pointed out, you are then reminded that somehow, this is a good thing. Linux is always perfect.

Not so with MS. They can do no good ever. According to Slashdot, MS has NEVER come out with anything decent. They could compile an exact duplicate of Linus' personal kernel, and somehow, the Zealots would find something wrong.

It's amazing how MS is slagged as not having an ounce of innovation, what about Linux itself? This is not an OS that was developed independently, with no legacy ties. In fact, it was written to be a substitute for Unix, a copy, a clone. Linux could not exist with Unix.

This is the thinking of the supplicants who recently touted "Feet of Fury" as innovative.

Of course, this will be modded down. Contrarian opinions are not tolerated here (the supposed bastion of free thinking). You think Bill is the Borg? You haven't met a Zealot.

Interesting patch counts....

About a year ago at work we had a presentation of why our clients should go with us and part of that presentation involved showing the patch counts between Windows 2K and Redhat 7.x. If I recall correctly those numbers came out to rougly ~1050 patches versus ~350 patches for roughly the same time period (yes all very ROUGH, we like it ROUGH...).

So I decided to look at the patch counts of some other OS's just to make things look silly when in comparison.

First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months not 1 year like post 2.6 releases were, thus the patch counts rose this isn't really all that fair but as you'll see it doesn't REALLY matter):

32 patches per release. Which is about fair when compared to redhat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports but hey microsoft isn't providing many patches for other peoples products if at all)

Now lets do VMS (this is scary...)...

A look through bug-traq archives starting at 1997 the average count over the past 6 years has been 4 patches per year. But hey when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...

Path, According to Webster

[jabbadabbadoo]

patch1 ( P )

"A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear. "

- or -

"Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases. "

Temporary correction... Microsoft, I'm afraid, took this literally.

Why is the patch system not a part of the OS?

[pe1chl]

I have always wondered why each patch is distributed as a standalone executable...
Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a .RPM and it is installed using the rpm program already on the system.
Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a .MSI file?

Re:It needs a patch: it IS broken

[DreamerFi]

There is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.

To quote Morpheus, "welcome to the real world". What if your choice is between these two:

1) running software with a security hole, but being able to bill your customers, and

2) not running software because the patch breaks the application that allows you to bill your customers, thus not making any money and going out of business.

Unfortunately, sometimes this is a real situation, and not just with microsoft software.