Microsoft: Patches, Patches Everywhere!
Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.
Ever since we started using Software Update Services this has been cake.
All the clients just pull the windows critical updates that we approve from OUR servers.
I feel sorry for anyone who is trying to run around and do them by hand.
"Average intelligence is pretty damn stupid"
Let's see, the world had roughly 5 weeks before Blaster ran amok. Worst case scenario that patch will be delayed 4 weeks so admins get 1 week to test patches instead of the usual 5 week 'grace'.
If I understand this right, there was a bug. Maybe this bug was introduced by the previous patch, or maybe the previous patch did not work as expected, or whatever, but no matter what the reason, there was a bug, they could fix it, and they sent out a patch. That is the correct behavior.
They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start having trouble finding bugs or figuring out how to fix them...
Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.
The idea of monthly patches was to ease the burden on corporate sysadmins.
MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.
How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...
This also gives the sysadmin time to regression test some patches if that is their policy.
Big business clients -- you know, the ones benefiting from the monthly schedule -- shouldn't be using Windows Update anyway!
-Charles Hill
Learning HOW to think is more important than learning WHAT to think.
The benefit, at least for Microsoft, is that by making patches a routine (second Tuesday of the month) security patches are now a routine, and thus probably won't make news when they are released. This is also good for sysadmins in a way, because they can plan for patch deployment, but I bet this system crumbles as soon as some flaw is wormed three weeks before the patch is scheduled for release.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurrott
I have my PC set up to autodownload updates. It's no skin off my nose if I get a "you have updates ready to install" more than once a month.
It's probably just an attempt to increase the appearance of security (by decreasing patch frequency) while not actually increasing security (and in fact decreasing security as machines can be unpatched for longer).
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I thought about that too. It's reflective of Microsoft's attitude toward exploits: If no one releases a flaw publicly, then no one will exploit the flaw before the patch is out, right? Unfortunately for MS, we live in the real world and flaws will be exploited regardless of whether or not it's on Microsoft's schedule. I imagine that the scheduled update method will eventually bite them in the ass, but by then they would have already made a big show of "improving" security and the patch/update process - just like they are doing with the December No Patch announcement. Thus the egg on their faces will only be from us geeks in-the-know and not from the short term memories of the media and press. It's not just what and how to spin, but when you spin that matters in today's media.
US Democracy:The best person for the job (among These pre-selected choices...)
You mean the patch I just installed is a MYSTERY TO MICROSOFT TOO?
....at least that's what I was thinking when I read that headline. Like "oh great, now some ghey crax0rz have infiltrated Windows Update...."
Holy shit!
*whew*, I think..
do() || do_not();
See, here's how it goes.
-Microsoft knows their software is weak when it comes to security.
-Microsoft pleads to the security community not to make any vulnerabilities public prior to notifying them for at least a few weeks, and sues everyone who doesn't fall in.
-Microsoft reveals the reason it wants vulnerabilities not to go public.... So CTOs can claim that security updates only happen every month rather than every day, keeping their job intact and making more money for MS in the long run.
-Somebody who cares about security rather than marketing posts a needed FrontPage Extensions update.
See.... someone at Microsoft has a clue. They just don't talk to the marketing folks. I don't blame 'em.
How can a company claim that:
There will not be any patches issued in the month of December
and
they release patches more promptly than Linux vendors?
What has *science* done?!? -- Dr. Weird (ATHF)
The obvious downside is what happens when a major new remote root exploit comes out like Blaster. However, in that case the news is all over the tech media at worst, and often the mainstream media as well, so there is nothing to stop Microsoft issuing an "emergency" patch or advisory in that case and have the word get out. Unfortunately, that apparently hasn't stopped them from failing to release a patch for the remote IE exploit announced a fortnight ago.
UNIX? They're not even circumcised! Savages!
Slow down turbo. In this case Blaster was created by looking at the patch that it exploited. It only affected unpatched systems.
I won't argue that the longer one waits the bigger the window for an exploit, but given that a large number of exploits are created from looking at patches, it makes sense to compress the patch time so that sys admins can make time to make sure their infrastructure is updated all at once.
You may have the start of a point, but certainly not with regard to Blaster.
A speech...
If it had been any other company than Microsoft it never would have been news.
But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.
Developers: We can use your help.
It's inevitable. The larger the company/corporation the more likely it is for someone to forget to talk to someone else. In large companies such as Microsoft, you'll sometimes have two or three groups doing the same project, doing the same work, and the same research but not be aware of each other. That's one of the (major) advantages small businesses have over large ones. It's easier to take the elevator down a floor and talk to group B than it is to set up a teleconference with a group halfway across the globe.
That's a silly argument. Are you suggesting that nobody could code a virus within 4 weeks of an exploit being published? The four week window will just force virus writers to use more timely exploits.
Windowsupdate is the official service to update Windows.
All versions of windows use this service.
If Windowsupdate sends out a bogus patch, millions of machines install the patch.
See where this is going? WindowsUpdate could easily be utilized to infect millions of machines with a virus. It could also bug out and send a patch that breaks millions of machines.
This service should *NOT* be sending out mysterious patches that no one knew anything about.
Browse at -1, because trolls are often the most creative part of
One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.
Seems like they've released yet another patch every other day this month. I know it hasn't been quite that many, but it's been several, and much more than Microsoft.
Could we have a little more fact, and a lot less Microsoft FUD? It makes Slashdot look rubbish.
The "Linux community" could stand to ridicule less and study their enemy more. Then maybe they wouldn't be slowly slipping behind the Windows Server platform more and more in providing more of the features people need.
Well, there are some neat non-security "patches" like the Root Cert updates, and they usually include any new versions of drivers for your hardware. The stuff that's listed under "recommended" for your OS is either those, or some annoying but not critical bug fixes, or is the subject of this rant:
What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.
All's true that is mistrusted
Yes, but, in the eyes of Microsoft, WMP9, .NET runtime, etc. are part of the OS. That's the difference between the mindset of Microsoft (one big tool that does everything) and that of the *nix world (many small tools, each that does something in particular)
Face it, Microsoft hasn't changed its viewpoint in this long, it's probably not going to happen any time soon.
Overrated / Underrated : Moderation
> If that doesn't give you cause for concern, you're not a computing professional.
:-).
You don't understand: it doesn't give me cause for concern because I _am_ a computing professional. I see software that affects thousands of computers belonging to other people where the manufacturers have no idea why. In fact, I usually have no idea why something goes wrong with my own software until I've spent a couple of hours looking at it. In fact, sometimes I never do find out what went wrong with my software.
I think you're the one that's not a computing professional.
Microsoft FUD? It makes Slashdot look rubbish.
Actually, it makes Slashdot look like Slashdot.
Once again, we seem to have an influx of new Slashdot readers and posters. Let me spell it out for you: THIS SITE IS DECIDEDLY PRO-LINUX, PRO-OPEN SOURCE, AND ANTI-MICROSOFT. It has been since day one, and it will be until MS acquires OSDN or whoever the owner is. Deal with it, stop your bitching, and if you don't like it, there are plenty of pro-Microsoft newssites out there.
Yeesh. Every story lately these people are coming out. Listen kids, Microsoft doesn't need you to defend them. And you don't look cool just because you bash what's the popular thing around here. In my day, we used to call that "trolling".
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Name another software product/operating system that has a similar patch system that's easy to use and works for "average joe"? For all you can say about Linux, it doesn't offer this on the desktop yet!
Nice ignorant troll, but try RedHat Up2Date, Suse YAST online update, Debian apt-get, Gentoo emerge.
All of them work better in my opinion. Equally well at least by any objective standard.
Fortunately 'writing a worm' isn't the same thing as finding a new exploit.
Think about it: many exploits, in both Windows and Linux and every other system, exist for months or years before being discovered. Or should we say, before being discovered by the kind of person who makes noise about it and/or noisily makes trouble using it. I wonder sometimes how 'far ahead of the curve' on that sort of thing the smarter black hats and agencies like the NSA tend to stay. Surely they like the convenience of Open Source and quietly audit it all the time. Easier to find flaws if you're reading source code than black-box testing Windows (though the NSA surely has a source license for Windows).
A Good Intro to NetBS
...in announcing regular times when you WON'T be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)
If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.
I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.
This almost reminds me of a time when Konqueror and IE had an SSL security hole. While Microsoft buried its head in the sand, the Konq guys just solved the damn problem (in a matter of hours, if memory serves).
Maintaining important software is only hindered when some bureaucratic colossus feels the need to babysit the process.
Am I the only one who finds the new updater for XP really unhelpful?
Having been burned in the past, I configured the updater to just download the patches, but not install them, so that I can read the "details" before deciding whether to install the patch.
Clearly, Microsoft's definition of "details" diverges significantly from my own. Their detailed description always seems to be something like "There's a problem in application X that could allow an attacker to gain administrator privilege on your machine." Optionally, they might warn me that I won't be able to remove the patch once it's installed.
This is wildly insufficient. For one thing, if the patch is unremovable, the details should contain at least a capsule explanation of what the tradeoffs are likely to be --- in particular, whether or not installing this patch is likely to bust some beloved function. I still remember ruefully the time I installed a patch that busted synchronization of my WinCE handheld (I have since switched to a PalmOS device). I had to reinstall Windows to fix that one, and it cost me the better part of a work day.
The patch descriptions are also inadequate. E.g., the latest patch reports a problem with FrontPage Server Extensions. It's not even clear whether the problem is only if I'm running FrontPage server, or whether MS has just given a back door into my machine to any server that uses FrontPage.
I know, one can go to the Knowledge Base to get more details, but what part of "details" doesn't Microsoft understand? When I click on "details" I want details, not an opportunity to go yet further for the real details....