Microsoft: Patches, Patches Everywhere!

Ridgelift writes "Even though Microsoft's recently announce they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."

Uhhh, they DO know?

[LookSharp]

...They haven't a clue.

On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.

I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!

Whatever happened to One Service Pack behind?

[mr_lithic]

It used to be the standard method of dealing with Microsoft Service Packs that you never deployed the latest one on your boxes. You always stayed one step behind. This practice was proved right with the Service Pack 6/6a debacle.

With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.

Do we really trust Microsoft enough to think that they will get their updates right everytime?

Monthly patches are stupid

As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".

You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.

Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problem, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.

So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.

We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.

Exploits from patch announcements?

[JimmytheGeek]

MS has claimed that worms come from reverse-engineering vulnerability patches, but I'm not convinced. If an outside researcher found the problem, what makes you think a Black Hat didn't (and has been keeping quiet)?

Re:Monthly patches?

[Cromac]

What is the latest "safe" version of Windows Media Player, anyway? I've kept with 6.4 for fear of privacy/DRM problems with later versions.

Should I upgrade?

Media Player 6.4 won't play all of Microsofts media files anymore. WMA or ASF files created with the latest version of Media Player won't play on ver 6.4, it won't download the codecs for all of them. Subtle way for them to get people to upgrade, isn't it.

Wether that's worth upgrading for is up to you.