Microsoft: Patches, Patches Everywhere!
Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
I guess they are going to have to issue a patch to stop the machines from patching....ironic.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
At the end of the article it says that MS wants to do monthly patches to make it less of a surprise to sysadmins... Anyone else see a problem with waiting a month for your windows machine to get updated?
Wait, this is Microsoft we are talking about.
...Yes, well...
I watched C-beams glitter in the dark near the Tannhauser gate.
My machine got patched this morning, and I thought "funny, didn't Microsoft say no patches for this month?" and then I saw they were dated November... but it was too late.
My Stack Overflow user
Simple, there is a bug in the patch issuing s/w which needs to be patched.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
What is worse: unplanned patches or planned bugs?
...They haven't a clue.
On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.
I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!
Imagine a Microsoft product doing something without reason...
speaking of patches, these dumbass banks better patch their atm's running xp-
_+_+__+_+_+_+_+_+_+++
when i moo u moo - just like that
Microsoft says that they are going to do patches monthly. Are they basically saying that they'll only issue patches once a month? So when a malicious coder writes an exploit of a flaw, and they know about it, they're NOT going to issue a patch in a timely manner, instead they're going to make it more "intuitive" by making it MUCH easier to exploit security vulnerabilities.
WTF? I just don't get it. Anyone have information to the contrary?
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d Capitalization really works: i helped my uncle jack off a horse
The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.
So the computers are patching themselves now, are they?
When exactly was it that the Cylons are supposed to attack?
Ever since we started using Software Update Services this has been cake.
All the clients just pull the windows critical updates that we approve from OUR servers.
I feel sorry for anyone who is trying to run around and do them by hand.
"Average intelligence is pretty damn stupid"
There are only some bugfixes of recent patches. This means that there were updated versions of patches, but not any "new" stuff.
The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
Too bad Mary Wollstonecraft Shelley wasn't alive today. "Frankenstein" could be re-written as a terrible monster bent on world domination that in order to survive must feed on a never-ending stream of patches.
Ruby on Rails Screencast
"Hey Bob...did you patch this?" "No, I thought you did." "Phil!" "What?" "Is this your patch?" "Not me. No patches in December, remember? It's our gift to the world." "Then who the hell...hey Eddie!" "Not now...I'm trying to track down this patch..." "Crap."
Fin.
Maybe the Debian, Gentoo(?) and Savannah weren't the only servers hacked recently.
Someone seems pretty intent on injecting bad code to people's computers..
If I understand this right, there was a bug. Maybe this bug was introduced by the previous patch, or maybe the previous patch did not work as expected, or whatever, but no matter what the reason, there was a bug, they could fix it, and they sent out a patch. That is the correct behavior.
They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start having trouble finding bugs or figuring out how to fix them...
Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.
and I got it. It managed to hose my system to the point that I had to pull out all the RunOnce and Run entries in the registry for my system to get going. I am unsure what the patch did..
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue.
They do have a clue. Read the article. It's because a November patch for FrontPage wasn't applied to some machines.
The theory of relativity doesn't work right in Arkansas.
The idea of monthly patches was to ease the burden on corporate sysadmins.
MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.
How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...
This also gives the sysadmin time to regression test some patches if that is their policy.
Big business clients -- you know, the ones benefitting from the monthly schedule -- shouldn't be using Windows Update anyway!
-Charles Hill
Learning HOW to think is more important than learning WHAT to think.
It's an undocumented upgrade.
I have my PC set up to autodownload updates. It's no skin off my nose if I get a "you have updates ready to install" more than once a month.
It's probably just an attempt to increase the appearance of security (by decreasing patch frequency) while not actually increasing security (and in fact decreasing security as machines can be unpatched for longer).
Boffoonery - downloadable Comedy Benefit for Bletchley Park
They keep sending me those security patches in email, and I keep applying them. I wish they'd stop it.
-- I have monkeys in my pants.
Patches? We don't need no stinking patches!
Microsoft has previously said that it would attempt to make its patching process more intuitive and easy to use. It moved to a fixed schedule of monthly patches to make the process more predictable for network and system administrators.
Though this may be ok for systems like Solaris, IMHO this would be a wrong move. If you are gonna wait until next month to patch your systems there will be many more worm outbreaks like those we've seen last summer.
The difference is that most windows systems are being used by mom'n'pop, and they tend to think that their computer is like an ultra smart typewriter. They know how to type their word documents but they wouldn't know system administration even if it kicked them in the back.
Windows needs an *automated* procedure for patching and patches that arrive on time, *not* when it's too late.
I mean, are people retarded or something? My grandpa who could barely figure out how to use a mouse was able to do an update of his computer after some simple instructions.
I suppose they could just have your PC patch itself by default but in my opinion that would suck.
Conserve Oil, Recycle, Boycott Walmart
Microsoft issues in 2004: 12
Linux issues, 2004: ???
Today the numbers, tomorrow the PR.
Not much need for Microsoft to detail the exact nature of every patch now, is there. Here, apply this lump(tm), it's all good.
I went to Windows Update like all users should (must) do and found one patch for Win XP. It is a Frontpage Server Extensions Patch. It looks pretty serious and I can see why they would want it released quietly. Here's the URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810217
All these M$ patches are getting annoying, so I've applied the last fix for M$ problems that I'll ever need.
It's called LINUX.
There's even a version of this patch that works great on PPC.
I think I think, therefore I think I am.
You mean the patch i just installed is a MYSTERY TO MICROSOFT TOO?
....at least that's what i was thinking when i read that headline. like "oh great, now some ghey crax0rz have infiltrated Windows Update....
Holy shit!
*whew*, i think..
do() || do_not();
Sounds more like Dracula, with all that feeding. Oh wait, with Dracula the patches are applied after the feeding. lol.
The preceding comment has been reviewed and declared to be compliant with HIPPA Phase II regulations.
Any other company like Microsoft no, the catch being of course that there aren't any other companies like Microsoft. Microsoft is singled out because it stands alone in its class, and it is an undeniable adversary of the GPL ... no other reason.
"The Reason? They haven't got a clue."
Double Entendre: a word or expression capable of two interpretations
aka: Microsoft is clueless.
Ruby on Rails Screencast
This certainly opens up the possibility that there will be patches for older versions of Windows even when Microsoft has declared them unsupported. Of course, if we thought the planned stream of patches was dangerous, untrustworthy and unstable, what is an unplanned stream of patches going to be like?
no new patches!!
See, here's how it goes.
-Microsoft knows their software is weak when it comes to security.
-Microsoft pleads to the security community not to make any vulnerabilities public prior to notifying them for at least a few weeks, and sues everyone who doesn't fall in.
-Microsoft reveals the reason it wants vulnerabilities not to go public.... So CTOs can claim that security updates only happen every month rather than every day, keeping their job intact and making more money for MS in the long run.
-Somebody who cares about security rather than marketing posts a needed FrontPage Extensions update.
See.... someone at Microsoft has a clue. They just don't talk to the marketing folks. I don't blame 'em.
I have already migrated to Linux, and hence don't care about Microsoft patches anymore.
And you know what, Linux isn't that great initially. The install can be a little tough depending on the distro, not all my stuff is instantly recognized, yadda yadda yadda, but now that I've been fudging around with it for a while, WOW! My server just sits there and WORKS without crashing after X days. My main "power" machine just keeps on churning away, and installing new programs NEVER requires a reboot (unless it's the kernel of course).
Not to mention the fact that security updates are ready in days or hours, not weeks or months. Sure, it's a challenge to get Linux up and running to the place where it really rocks, but it's worth it. To those of you who aren't all consumed with the latest Windows game(s), give Linux a try. It does email, web surfing, office apps, audio apps, and a lot of other stuff right off most FTP servers, so it's not a piece of crap anymore.
I will also bet you that your paranoia level will go down quite a bit when you start using the inherently, by-design, more secure Linux. (Or any *BSD if that's how you swing)
if you read the WHOLE article you find this:
The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of overstatement, but they certainly don't have the whole clue.
How can a company claim that:
There will not be any patches issued in the month of december
and
they release patches more promptly than Linux vendors?
What has *science* done?!? -- Dr. Weird (ATHF)
Any ideas why this would be beneficial at all? Are they going for the record thing, like some work places have a big sign that say "It's been days since the last workplace injury"? Are they trying to say "hey, Windows is secure! See, no patches released in days"?
What if a highly critical bug is discovered tomorrow, something big enough that several exploits are in the wild by next week? Will they release a patch then, or will they stick to their policy and hold out on us until 2004?
no comment
In other news today, the Cracker community announced it would commit to new virus and worm releases on the second Wednesday in each month.
With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.
Do we really trust Microsoft enough to think that they will get their updates right every time?
If it had been any other company than Microsoft it never would have been news.
But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.
Developers: We can use your help.
You can keep using smaller and smaller patches, and eventually, you can stop smoking.
Or, you can keep using larger and larger patches and eventually become a smoker.
If someone gained access to that server.. what if they sent out a virus disguised as a patch? I bet more people patch rather than don't patch
At least this was just a "glitch"
Browse at -1, because trolls are often the most creative part of
As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".
You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.
Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problem, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.
So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.
We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.
Good grief, Charlie Brown, /.'s blatant anti-M$ obsession is becoming embarrassingly transparent for this glitch to be newsworthy.
Lest we forget...
www.trustworthycomputing.com
Ruby on Rails Screencast
I have been using Linux at home and work for 2 years and I have never had any virus issue or blue screen of death.
december is devoted to the janitors of Microsoft to make a patch, oh wait, that'd be the normal dev teams.
head for the hills
Hey, I thought this was supposed to be "News for nerds".
My life is an open book ... up to a point.
And in other news, Detroit police will only accept 911 calls from rape victims on Tuesdays.
I literally just patched to get the icon off my systray..
apparently they still don't know when their service is fertile.
Spammers keep emailing me these damn >100k attachments promising to patch up my OS, thereby filling up my entire inbox. Maybe those people should be investigated.
To-do List: Receive telemarketing call during a tornado warning. Check.
One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.
Seems like they've released yet another patch every other day this month. I know it hasn't been quite that many, but it's been several, and much more than Microsoft.
Could we have a little more fact, and a lot less Microsoft FUD? It makes Slashdot look rubbish.
The "Linux community" could stand to ridicule less and study their enemy more. Then maybe they wouldn't be slowly slipping behind the Windows Server platform more and more in providing more of the features people need.
What's this I hear from you about no patches in December from MicroSoft?
They have been e-mailing me new patches all this month. In fact, they usually send me several to install every day.
You should really double check your sources before posting misleading articles like this.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
So, are you saying they haven't got a clue what the reason is, or that the reason is that they haven't got a clue? ;)
"Convictions are more dangerous enemies of truth than lies."
The story talks about a patch for FrontPage. Well, there was a patch for Windows XP Media Center Edition machines today too. So there :P
...and not a stable OS?
Patches? We don't no stinking patches!
MS has claimed that worms come from reverse-engineering vulnerability patches, but I'm not convinced. If an outside researcher found the problem, what makes you think a Black Hat didn't (and has been keeping quiet)?
And on Christmas day SkyNet started thinking for itself.
For some reason windows update wants to install Nvidia drivers from 6th October on my machine as opposed to the ones dated 9th December that I installed earlier.
I was looking for an audio driver update Sunday and decided to patch/update my XP for the first time (except for the blasterworm patch) since I owned the 'puter (90+ minutes at 38kbps dial-up speed). Wonder what the fuck I loaded on the machine?
Just looking for "faggots" to flame? I think you have some repressed issues to deal with.
The funny thing is that it's nice of everyone to criticise, and for sure we know that Microsoft has all of its vulnerabilities, but don't underestimate one thing: the Microsoft patch/update system is very well done - name another software product/operating system that has a similar patch system that's easy to use and works for "average joe"? For all you can say about Linux, it doesn't offer this on the desktop yet! Now this framework means that Microsoft can incrementally patch and make up for a lot of lost ground.
Fucking amateurs
Reality is defined by the maddest person in the room
Mine got patched, and so did so many others that I'm responsible for. But the biggest question is how Microsoft thinks that their highly unstable and insecure systems could go a month without patching
-Tim Louden
www.linuxisnotsecureeither.com
Doesn't seem like Microsoft FUD, just an interesting story. Read the article:
"The company scrambled on Wednesday morning to figure out why a patch had been issued through its Windows Update service, when the software maker had declared on Tuesday that it would not issue any fixes in December.
The patch, for a flaw announced during its monthly fix bulletin in November, updates FrontPage extensions. It plugs a security hole that could allow malicious code to be run on a person's PC.
On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued."
Quack, quack.
Why do the zealots, without fail, paint any action involving M$ as stupid or incompetent? If the idiot poster had bothered to read the article (unless he is being intentionally deceptive), he'd have realized that someone in the patching group for FrontPage extensions simply reposted a patch that had been up in November.
Wow, what colossal stupidity that in a company of tens of thousands of people, somebody put a patch up when the PR flacks stated that no more would go up. Man, HOW LUCKY CAN MICROSOFT BE? They are so colossally stupid and yet they are incredibly rich and powerful. They are the luckiest people ever...
Stupid zealots make it hard for Linux lovers that actually CAN speak rationally to spread the word.
So will these patches be like the ones they sell on TV? If so I have some special places I would like Microsoft to stick them.
I can't use my sig - my computer can't read my handwriting.
you're trying to patch the system
do you want to:
-get assistance
-patch without assistance
-just write a letter.
[user gspawn, didn't resolve whatever problem and too lazy at the moment to do it for one post]
On windowsupdate.com I just found ANOTHER new update for my computer.
This makes 2 December updates not related to any new software/hardware/etc.
I guess that's a lot easier than making their patching process unnecessary, or even necessary less often... Isn't this sort of like GM saying "We're making our new cars much easier to tow when they break down!"
"Freedom means freedom for everybody" -- Dick Cheney
Patches want to be free!
This is the first action of the Patch Liberation Front!
"You know you want me baby!" - Crow T Robot
They say that the patch was a previously issued patch, and it just was reissued. That is a problem, but not a major one (unless the reissued patch has some undocumented modifications). I also see many people saying that the once a month patch gives black hats time to exploit a critical flaw. I don't remember where it was said, but I read that the critical flaws were to be patched immediately and the minor flaws were going to be patched monthly. I am going to do a search and post a link in response to this post when I do find the article.
Stop signs are only Suggestions
Maybe they are hoping that we'll spend so much time laughing at their incompetence that we won't notice they're incompetent.
You are in a maze of twisty little passages, all alike.
Who inserted the "Patch Adams" DVD into the Windows Update server?
Microsoft FUD? It makes Slashdot look rubbish.
Actually, it makes Slashdot look like Slashdot.
Once again, we seem to have an influx of new Slashdot readers and posters. Let me spell it out for you: THIS SITE IS DECIDEDLY PRO-LINUX, PRO-OPEN SOURCE, AND ANTI-MICROSOFT. It has been since day one, and it will be until MS acquires OSDN or whoever the owner is. Deal with it, stop your bitching, and if you don't like it, there are plenty of pro-Microsoft newssites out there.
Yeesh. Every story lately these people are coming out. Listen kids, Microsoft doesn't need you to defend them. And you don't look cool just because you bash what's the popular thing around here. In my day, we used to call that "trolling".
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Life's a bitch when your stupid. Even when you've got $50 billion in the bank.
WindowsUpdate could easily be utilized to infect millions of machines with a virus.
... or Universal Plug and Play. ... or defaulted folder shares. ... or we can just spend the month between patch releases finding more ;)
Pfft. We don't need WindowsUpdate for that.
We'll just use the handy always-on RPC service.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Given the recent attacks against Savannah, Debian, and Gentoo, I wonder if it is at all possible that WindowsUpdate got hacked - not badly, possibly just enough for someone to touch the patch causing it to be reissued.
It's not like we'll hear about it if that is the case, so any guesses?
Jedidiah.
Craft Beer Programming T-shirts
Not only did they release a patch - they removed a bunch and reissued quite a few. Here is the log from last night's SUS sync...
(Note if you don't know what SUS is, try http://susserver.com/)
Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful
Updates Added:
Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b6051537519556 0b3.EXE
Updates Removed:
810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.E XE
813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe
818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe
Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.E XE
810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.E XE
813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe
818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe
Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.E XE
Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.E XE
810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.E XE
810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.E XE
813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe
813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe
818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe
818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe
818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf4 5fe205783dd059d0.exe
Reissued Update(s):
Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B. EXE
Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.e xe
814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE
Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe
Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4f fadfb93f33fa.exe
Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F 2D.EXE
Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC160D341612 338DFD3154.EXE
Security Update for Windows XP (KB810217) - WindowsXP-KB810217-x86-ENU_696190f151ea0bcb063f0a8 9471e45b.exe
Q811114: Security Update (Windows XP or Windows XP
What were the skies like when you were young?
Seriously, why not just have an option in the update tool that allows me to patch ASAP or in monthly intervals?
Personally, I would choose ASAP. Patching is pretty fun.
Wouldn't you say? Apparently the program knew the patch wasn't issued in all cases and fixed itself!! THEY'RE ALIVE RUN FOR YOUR LIVES!!!!
I keep clicking "windows update" and my penis has not gotten any larger as a result. Maybe I have to wait for a full service pack.
If you don't understand anything I post, please accept that I ate paste as a small boy...
Sort of disconcerting if they don't have enough 'quality control' to even know who put the patch into effect to be distributed..
Considering the ramifications of patches and their 'assumed authority' with autopatch, this is a very bad blunder.
---- Booth was a patriot ----
Where is Edward James Olmos?
Forget that. Begin the thawing of Lorne Greene.
Toronto-area transit rider? Rate your ride.
Life's a bitch when your stupid. Even when you've got $50 billion in the bank.
Life is a bitch when you can't even spell... you're NOT your...
"Look where we worship" -- Jim Morrison
At first I laughed when I read that, then I remembered that I had just installed a patch earlier today.... shit.
Nathan Friedly
Typically they've been releasing patches every couple of days. Typically their patches require a reboot. Rebooting every couple of days is annoying. By switching to a monthly schedule, they allow admins to keep their systems fully patched, and have month-long uptimes.
Yeah, you should upgrade To Media Player Classic
kicks the shit out of MS's offerings, can even play real and quicktime
TIAEAE!
"The reason? They haven't got a clue."
As in they don't know why systems are patching themselves, or is this just a general statement of ineptitude?
Network admins are much more comfortable with the "we didn't patch it because Microsoft hadn't released a patch" excuse than the "we didn't patch it because our monthly patch window isn't for two weeks" one.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Everyone knows that nobody writes exploits in december...
TheJOsh
Maybe the patch server accidentally patched itself causing a feedback loop of patches upon patches, thus creating a patch of a patch of the original patch. This would cause a dependency update on the client (the patch server) which figured it needed to patch the other patch that patched a patched server in Washington that mirrored the patched patch server in Redmond until the patch created a patch and thus hash difference. A new patch was then generated to patch the patched patch server back to the unpatched patch server that mirrored the patched patch server. This patch triggered a second patch to patch customer machines to match them to the patched servers patch but the trigger was ignored by the second patch server because it was not correctly patched, thus causing a third patch to patch the patched patch servers' patch and remove the previous patch on the unpatched patch servers mirror. Now a hole in the update server caused a buffer overflow (which was subsequently patched from a Redmond support center) that single handedly caused 4 bogus patch notifications to be forwarded to a patch distributing load balancing server that patched 3 other local systems before patching back at the patcher - ie the original machine that patched the mirror of the patch server.
Which explains the big bang
This comment does not represent the views or opinions of the user.
As the dissenting intelligentsia it is our job to try to make Microsoft look bad. Without a "well-heeled" and "properly managed" niche opposition, real opposition might foment and cause our corporate masters some discomfort.
Also, as a well-heeled opposition, we have our body-politic well and properly stocked with internal detractors whose job it is to make it look like we are the shills we are supposed to be, by pointing out at every turn how knee-jerk our reactions are.
It's like an ongoing episode of Hannity and Colms (however you spell the names) on Fox Propaganda Network but not so rightist-anti-mock-liberal.
I for one publicly dissent from the opinions of our just and mighty corporate overlords who know best how I might serve them with my dissent.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
...as you say, you chose to be vulnerable when you chose a Microsoft platform.
I don't understand why anybody trusts Microsoft anymore. All the time we hear the same old bullshit, how the next product is going to be great, fix all of the problems, be secure...HOW...IT'S ALL BASED ON THE SAME CODE...and PHBs lap it up. How about, PHBs don't tell us how to do our jobs (what to spec) and we don't tell them how to do theirs (whoops! ok...starting........now!)
I am NaN
It isn't enough that it creates some of the crappiest html since Pagemill, but an html editor that creates security holes, too? What will they have to patch next? Notepad?
The potato it is uninformed.
I think they should learn from Apache web server... or maybe they will join them :)
MisSPatche :)
./me --G--
I guess that really means --- hey what's that 1 in front of all those zeroes? better release a patch for that vulnerability that was discovered 1000 hours /days ago....
Since dialup users seldom take the hour or two to pull down the daily/weekly patches, this will help to eliminate them from tying up a phone line trying to download Microsoft's patches.
Woah, woah, woah. Back up. ;-)
Since when is MS gonna acquire OSDN? I was kinda hoping it was gonna be the other way around
I didn't do it! Unless I was supposed to do it. . . (hmm. .
In October, Microsoft committed to making its patch-release schedule more regular, by only publishing patches on the second Tuesday in each month. The software giant said it will be skipping that release this month.
I'm sorry but this seems to fly in the face of all I understand.... shouldn't you release the patch on the day the exploit is released?!??? Seems that if it's discovered on Wednesday we have a week for our systems to get exploited! YEAH! Another hit for open source
300+ comments and no obligatory
/.
"If they had Linux this wouldn't have happened tee hee"
For shame
...in announcing regular times when you WON'T be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)
If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.
I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.
This almost reminds me of a time when Konqueror and IE had an SSL security hole. While Microsoft buried its head in the sand, the Konq guys just solved the damn problem (in a matter of hours, if memory serves).
Maintaining important software is only hindered when some bureaucratic colossus feels the need to babysit the process.
Considering the marketshares we can conclude Microsoft Windows is the most secure OS ever. :-)
Let me understand this...
Microsoft isn't investigating the vulnerability and why the patch didn't work for some users in the first place? Instead, Microsoft is investigating WHY the update was posted again???
What's wrong with this picture??
Rick's Law: What cannot be imagined will be accomplished by a fool.
Bill Gates: You maniacs! You patched it up! Damn you! God damn you all to hell!!
If all of the major worms have appeared AFTER patch releases, then I'd be willing to grant that reverse-engineering is probably involved in those cases. It strikes me as unlikely that the exploits would always follow the patch unless there was a relationship. But the vulnerability announcement itself may be clue enough. I don't know what the historical record is, but I would be surprised if all of the email worms/viri stemmed from a patch. Or even a vulnerability announcement where no patch was available to provide specific clues to the exploit.
And like you said, there's an advantage to keeping quiet about something exploitable. Since we know that independent researchers are coming up with vulnerabilities and POC code, there's no reason that black hats can't do the same thing (and keep it secret). I'm afraid we're stuck with a full disclosure model so that if we choose to be diligent we have a chance.
patchamuz
You sad little geeks. Microsoft is doing so many things other companies would not dare, it can't be expected to be perfect, yet you tear it apart because they don't have their cocks up a penguin's arse. Give it time, after this Linux fad has passed and you have nothing left, you'll all come back to Windows.
Seems like lots of people have hit on the idea customers could be left waiting for much needed patches simply b/c the 2nd Tuesday of the month hasn't come yet but what happens when everyone tries to download the patches that same day!
I realize some system administrators will think of this and not try to download it that same day but Sys Admins in Microsoft shops aren't exactly known to be the brightest in the bunch when it comes to patches.
Besides DOSing Microsoft's own servers given the prevalence of Windows could this even create a monthly internet wide slowdown? Of course many of these are Desktop machines which probably don't get patched until after a worm hits if ever. At least until Longhorn (2003...4...5...) when patches become automatic.....
So the computers are patching themselves now, are they?
When exactly was it that the Cylons are supposed to attack?
Never mind that, someone find out if John Connor is still with that carny group.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
BOOOOOOO!
Patches for none!
BOOOOOOOO!
Patches for some, little american flags^H^H^H^H^H^H^H^H^H^H^H^H^H^H viruses for all!
YAAAAY!
Am I the only one who finds the new updater for XP really unhelpful?
Having been burned in the past, I configured the updater to just download the patches, but not install them, so that I can read the "details" before deciding whether to install the patch.
Clearly, Microsoft's definition of "details" diverges significantly from my own. Their detailed description always seems to be something like "There's a problem in application X that could allow an attacker to gain administrator privilege on your machine." Optionally, they might warn me that I won't be able to remove the patch once it's installed.
This is wildly insufficient. For one thing, if the patch is unremovable, the details should contain at least a capsule explanation of what the tradeoffs are likely to be --- in particular, whether or not installing this patch is likely to bust some beloved function. I still remember ruefully the time I installed a patch that busted synchronization of my WinCE handheld (I have since switched to a PalmOS device). I had to reinstall Windows to fix that one, and it cost me the better part of a work day.
The patch descriptions are also inadequate. E.g., the latest patch reports a problem with FrontPage Server extensions. It's not even clear whether the problem is only if I'm running FrontPage server, or whether MS has just given a back door into my machine to any server that uses FrontPage.
I know, one can go to the Knowledge Base to get more details, but what part of "details" doesn't Microsoft understand? When I click on "details" I want details, not an opportunity to go yet further for the real details....
As a pie-in-the-sky dream, I would love to see a side-by-side comparison of known issues in both Linux and Microsoft. It would be interesting to see what bugs were in the queue within both companies, and how quickly each was resolved.
But it sounds to me like your problem isn't the MS schedule, but rather the IT company having an OMG-We-need-that-patch-xmas-eve-or-we're-dead mentality that keeps you on call.
My point was that the IT companies should decide their schedules, not Microsoft. Microsoft's biggest role ought to be simply maintaining their product as best they can. Calling off December patches is a nice way to manipulate the system so the sysadmins can go home for Christmas, but it seems to cause more problems than it solves, IMHO.
As for the MS guys who could be stuck creating those patches on 11PM Dec 24, just look at the OpenSource folks. If it were Linux we were talking about, the patch could get done/distributed by someone at security.debian.org who finds that sort of thing relaxing.
/* Every time a bell rings, a penguin gets its wings. */
Well, at least the answer for the moment is:
n /ms03-051.asp
On Wednesday 10 December 2003, Windows Update and Software Update Services (SUS) prompted some Windows XP users who were not at risk to install the security update MS03-051. This was due to a change in the Windows Update detection mechanism. This is being updated to ensure that Windows Update and SUS only prompts those Windows XP users who need it to install the security update MS03-051.
Customers who installed the security update MS03-051 do not need to take any action; the update is fully tested and supported on Windows XP. However, those customers who determine that they do not need the Windows XP update for MS03-051 and want to remove it can do so as discussed in the "Security Update Information" section of the Security Bulletin.
More information is available in the FAQ section of the Security Bulletin. http://www.microsoft.com/technet/security/bulleti
Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful Updates Added: Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b605153751955
[SNIPPED FROM LATER POST]
So you are quite wrong.
==================
Together, we will drive the rats from the tundra.
Here's your software replacements:
3DS Max, Photoshop, Illustrator, sampling software, looping software, midi software, etc.
Sorry it took me so long to write them all!