Microsoft: Patches, Patches Everywhere!
Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
My machine got patched this morning, and I thought "funny, didn't Microsoft say no patches for this month?" and then I saw they were dated November... but it was too late.
My Stack Overflow user
...and of course you read the announcement about this, didn't you? And as such you know that they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild and/or are to the top left of the threat matrix (remote/system level exploits).
I want a new world. I think this one is broken.
the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue.
They do have a clue. Read the article. It's because a November patch for FrontPage wasn't applied to some machines.
The theory of relativity doesn't work right in Arkansas.
"Microsoft says that they are going to do patches monthly. Are they basically saying that they'll only issue patches once a month? So when a malicious coder writes an exploit of a flaw, and they know about it, they're NOT going to issue a patch in a timely manner, instead they're going to make it more "intuitive" by making it MUCH easier to exploit security vulnerabilities. WTF? I just don't get it. Anyone have information to the contrary?"
They make an exception if there is an exploit available for a vulnerability.
I went to Windows Update like all users should (must) do and found one patch for Win XP. It is a FrontPage Server Extensions Patch. It looks pretty serious and I can see why they would want it released quietly. Here's the URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810217
If you read the WHOLE article you find this:
The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of an overstatement, but they certainly don't have the whole clue.
It's no skin off your nose, but you're not the admin for 1500 machines.
The admins of large scale deployments have asked Microsoft to make patches more predictable so they can do planning for patch deployment. Microsoft complied.
As others have stated, when a known vulnerability exists, or when sample code is publicly available, Microsoft will release the patch as soon as it's written.
It's WAY WAY more complicated than that. Have you even worked at a big company? Like, say, a company with 60,000+ employees, all on disparate systems across many regions of the world? We've got branch offices that still run Windows 95, and it's not even our fault! We only recently acquired them!
To top it off, we have frequent problems where patches and security policy updates BREAK our programs. We can't just push it out to every client. We have to be ABSOLUTELY certain that we don't interrupt our employees' ability to work. We are a Bank after all, people DO NOT like it when their Bank can't give them their money.
You can't just gloss over this problem, it's an INCREDIBLY difficult problem. The only real solution is for MS (not just MS though, everybody) to stop releasing crappy software in the first place. Until that happens we're going to continue to be screwed no matter what we do.
The story talks about a patch for FrontPage. Well, there was a patch for Windows XP Media Center Edition machines today too. So there :P
Automatic updates are really convenient for home users, but there is no easy way to stay one release behind. Some patches are standalone, others are bundled. Some cannot be uninstalled. Some require the presence of previous patches. It has become such a burden to stay current that it is not surprising that even people who should know better don't bother.
For some reason Windows Update wants to install Nvidia drivers from 6th October on my machine as opposed to the ones dated 9th December that I installed earlier.
They say that the patch was a previously issued patch, and it just was reissued. That is a problem, but not a major one (unless the reissued patch has some undocumented modifications). I also see many people saying that the once a month patch gives black hats time to exploit a critical flaw. I don't remember where it was said, but I read that the critical flaws were to be patched immediately and the minor flaws were going to be patched monthly. I am going to do a search and post a link in response to this post when I do find the article.
Stop signs are only Suggestions
Did you know Windows Update is configurable? If you don't want to install a particular "update", you can instruct Windows Update not to show it again. I don't know the exact name of the link in English, but it should be obvious.
Somehow you've managed to miss the point entirely. Vulnerabilities at the top/left of the matrix (such as the RPC hole blaster exploited -- a system level compromise achieved remotely requiring no user intervention) will have patches available more or less immediately. As you move down the list (...DoS, source fragment disclosure on ASP pages...) or to the right (...requires server-side instantiation of objFoo, requires user to view malicious webpage...) it is more likely to be rolled into the monthly patch cycle.
And thanks oodles for the out-of-context quote which actually addressed your concern, if only you had read it.
I want a new world. I think this one is broken.
he can upgrade to Media Player Classic - plays more formats than m$ wimp :-)