Slashdot Mirror


Microsoft: Patches, Patches Everywhere!

Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."

91 of 388 comments

  1. The apparent lack of a patch. by Neck_of_the_Woods · · Score: 4, Funny



    I guess they are going to have to issue a patch to stop the machines from patching....ironic.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
    1. Re:The apparent lack of a patch. by kautilya · · Score: 2, Funny

      Perhaps..they should move to a different business model. You will get windows for free. But you have to pay for patches!!!

    2. Re:The apparent lack of a patch. by 0WaitState · · Score: 5, Funny

      We once again apologize for the fault in the patch process. Those responsible for patching the patchers who have patched the patch process, have now been patched.

      --

      Remain calm! All is well!
    3. Re:The apparent lack of a patch. by .com+b4+.storm · · Score: 3, Funny

      We once again apologize for the fault in the patch process. Those responsible for patching the patchers who have patched the patch process, have now been patched.

      And with great dispatch, might I add. :) *groan*

      --
      "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
      -- Ryan Stiles
    4. Re:The apparent lack of a patch. by Joe+the+Lesser · · Score: 5, Funny

      Patch bites can be preti nasti mind you

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    5. Re:The apparent lack of a patch. by jrockway · · Score: 2, Funny

      *crickets*

      --
      My other car is first.
  2. Monthly patches? by beattie · · Score: 3, Interesting

    At the end of the article it says that MS wants to do monthly patches to make it less of a surprise to sysadmins... Anyone else see a problem with waiting a month for your windows machine to get updated?

    1. Re:Monthly patches? by Fjornir · · Score: 5, Informative

      ...and of course you read the announcement about this, didn't you? And as such you know that they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild and/or are to the top left of the threat matrix (remote/system level exploits).

      --
      I want a new world. I think this one is broken.
    2. Re:Monthly patches? by JVert · · Score: 2, Insightful

      Let's see, the world had roughly 5 weeks before blaster ran amok. Worst case scenario that patch will be delayed 4 weeks so admins get 1 week to test patches instead of the usual 5 week 'grace'.

    3. Re:Monthly patches? by leifm · · Score: 4, Insightful

      The benefit, at least for Microsoft, is that by making patches a routine (second Tuesday of the month) security patches are now a routine, and thus probably won't make news when they are released. This is also good for sysadmins in a way, because they can plan for patch deployment, but I bet this system crumbles as soon as some flaw is wormed three weeks before the patch is scheduled for release.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    4. Re:Monthly patches? by BrynM · · Score: 2, Insightful

      I thought about that too. It's reflective of Microsoft's attitude toward exploits: If no one releases a flaw publicly, then no one will exploit the flaw before the patch is out, right? Unfortunately for MS, we live in the real world and flaws will be exploited regardless of whether or not it's on Microsoft's schedule. I imagine that the scheduled update method will eventually bite them in the ass, but by then they would have already made a big show of "improving" security and the patch/update process - just like they are doing with the December No Patch announcement. Thus the egg on their faces will only be from us geeks in-the-know and not from the short term memories of the media and press. It's not just what and how to spin, but when you spin that matters in today's media.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    5. Re:Monthly patches? by Zocalo · · Score: 4, Insightful
      Actually, it makes a lot of sense in the context of Microsoft's closed source, security through obscurity approach. By having patches (if any) come out on a known date each month it allows efficient network admins to plan ahead and have time available to test it and patch their systems. Well, that seems to be the theory anyway.

      The obvious downside is what happens when a major new remote root exploit comes out like Blaster. However, in that case the news is all over the tech media at worst, and often the mainstream media as well, so there is nothing to stop Microsoft issuing an "emergency" patch or advisory in that case and have the word get out. Unfortunately, that apparently hasn't stopped them from failing to release a patch for the remote IE exploit announced a fortnight ago.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:Monthly patches? by km790816 · · Score: 4, Insightful

      Slow down turbo. In this case blaster was created by looking at the patch that it exploited. It only affected unpatched systems.

      I won't argue that the longer one waits the bigger the window for an exploit, but given that a large number of exploits are created from looking at patches, it makes sense to compress the patch time so that sys admins can make time to make sure their infrastructure is updated all at once.

      You may have the start of a point, but certainly not with regard to blaster.

    7. Re:Monthly patches? by LizardKing · · Score: 2, Funny

      they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild

      "Kewl", as the script kiddies might say. This simply means that those crackers who resist the urge to get some f4me for their new exploit by announcing it on a SadCrAck3r IRC channel have a four week window to root more boxes.

      Chris

    8. Re:Monthly patches? by ryanvm · · Score: 2, Insightful

      That's a silly argument. Are you suggesting that nobody could code a virus within 4 weeks of an exploit being published? The four week window will just force virus writers to use more timely exploits.

    9. Re:Monthly patches? by SpaceCadetTrav · · Score: 2, Interesting

      I don't think the system would "crumble", as you put it. Microsoft will just do an emergency patch release outside of the normal cycle.

    10. Re:Monthly patches? by Theatetus · · Score: 4, Insightful
      You mean there are patches available for things OTHER than vulnerabilities from Microsoft?

      Well, there are some neat non-security "patches" like the Root Cert updates, and they usually include any new versions of drivers for your hardware. The stuff that's listed under "recommended" for your OS is either those, or some annoying but not critical bug fixes, or is the subject of this rant:

      What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.

      --
      All's true that is mistrusted
    11. Re:Monthly patches? by mhesseltine · · Score: 4, Insightful
      What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.

      Yes, but, in the eyes of Microsoft, WMP9, .NET runtime, etc. are part of the OS. That's the difference between the mindset of Microsoft (one big tool that does everything) and that of the *nix world (many small tools, each that does something in particular)

      Face it, Microsoft hasn't changed its viewpoint in this long, it's probably not going to happen any time soon.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    12. Re:Monthly patches? by Remco_B · · Score: 3, Informative
      What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime

      Did you know Windows Update is configurable? If you don't want to install a particular "update", you can instruct Windows Update not to show it again. I don't know the exact name of the link in English, but it should be obvious.

    13. Re:Monthly patches? by bryhhh · · Score: 3, Interesting

      ...and of course you read the article didn't you? Please allow me to quote the first paragraph from the article for your benefit.

      The company scrambled on Wednesday morning to figure out why a patch had been issued through its Windows Update service, when the software maker had declared on Tuesday that it would not issue any fixes in December.

      In short, the update wasn't a 'zero-hour' patch, or a planned release.

      Interestingly, this update has been mysteriously approved on our local SUS server without our knowledge. I really do hope that this patch has been thoroughly tested by Microsoft, as they have just deployed it across our LAN without our consent.

      Trustworthy computing? pftttt.

    14. Re:Monthly patches? by Fjornir · · Score: 2, Informative
      Chris --

      Somehow you've managed to miss the point entirely. Vulnerabilities at the top/left of the matrix (such as the RPC hole blaster exploited -- a system level compromise achieved remotely requiring no user intervention) will have patches available more or less immediately. As you move down the list (...DoS, source fragment disclosure on ASP pages...) or to the right (...requires server-side instantiation of objFoo, requires user to view malicious webpage...) it is more likely to be rolled into the monthly patch cycle.

      And thanks oodles for the out-of-context quote which actually addressed your concern, if only you had read it.

      --
      I want a new world. I think this one is broken.
    15. Re:Monthly patches? by Fjornir · · Score: 2, Funny
      That's the whole point, see! Having patch-day be a regular event allows lusers to set reminders, "Yay! Patch-day! I get six 5-minute coffee breaks because all of these need separate reboots!" and stay current.

      But admins aren't subjected to the constant trickle of noncriticals... "Huh. An alert just popped into my mailbox saying there's a patch I need.... It's not patchday, so I wonder how big the impact will be for us..." And if it's big he can take appropriate action...

      --
      I want a new world. I think this one is broken.
    16. Re:Monthly patches? by Cromac · · Score: 4, Interesting
      What is the latest "safe" version of Windows Media Player, anyway? I've kept with 6.4 for fear of privacy/DRM problems with later versions.

      Should I upgrade?

      Media Player 6.4 won't play all of Microsoft's media files anymore. WMA or ASF files created with the latest version of Media Player won't play on ver 6.4, it won't download the codecs for all of them. Subtle way for them to get people to upgrade, isn't it.

      Whether that's worth upgrading for is up to you.

    17. Re:Monthly patches? by ndqc · · Score: 3, Informative

      he can upgrade to Media Player Classic - plays more formats than m$ wimp :-)

  3. fill in joke here by daeley · · Score: 3, Funny
    "They haven't got a clue."

    ...Yes, well...

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  4. I got it by Sklivvz · · Score: 2, Informative

    My machine got patched this morning, and I thought "funny, didn't Microsoft say no patches for this month?" and then I saw they were dated November... but it was too late.

  5. The reason ? by frodo+from+middle+ea · · Score: 3, Funny

    Simple, there is a bug in the patch issuing s/w which needs to be patched .

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    1. Re:The reason ? by frodo+from+middle+ea · · Score: 4, Funny
      I just want to be the fly on the wall of M$'s office

      Patch Officer :- Sir, Our windows update service has issued a Patch today.
      Billy G :- But I said NO Patches in month of Dec.
      Patch Officer :- Yes Sir, but the patch issuing s/w has a bug, We need to patch it ASAP.
      Billy G :- But I said no patches in Dec , damn it.
      Patch Officer :- But then we won't be able to prevent the windows update service from issuing the first patch
      Billy G :- READ MY LIPS man, NO patches in Dec.

      Shall we say patch-22 :-)

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  6. Uhhh, they DO know? by LookSharp · · Score: 4, Interesting

    ...They haven't a clue.

    On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

    It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.

    I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!

    1. Re:Uhhh, they DO know? by Zak3056 · · Score: 2, Interesting
      Two things:

      1) In answer to your suggestion that Microsoft knows what happened, allow me to point out a comment in the text that you yourself quoted:

      The company is still investigating why and how the patch was reissued.

      Not only do they not know WHY someone released a patch, they don't know HOW either!

      Secondly, I'm also curious. I run an SUS server, and here's my sync log from last night:

      Automatic Sync Started- Wednesday, December 10, 2003 2:00:07 AM Successful
      Updates Added:
      Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b6051537519556 0b3.EXE

      Updates Removed:
      810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.E XE

      813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe

      818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe

      Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.E XE

      810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.E XE

      813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe

      818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe

      Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.E XE

      Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.E XE

      810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.E XE

      810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.E XE

      813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe

      813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe

      818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe

      818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe

      818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf4 5fe205783dd059d0.exe

      Reissued Update(s):
      Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B. EXE

      Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.e xe

      814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe

      814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE

      Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe

      Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4f fadfb93f33fa.exe

      Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F 2D.EXE

      Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC

      --
      What part of "shall not be infringed" is so hard to understand?
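
Added example (not from the thread or from Microsoft): a small Python parser for the sync-log layout quoted in the comment above, which turns one night's changes into a re-test queue instead of leaving them to be noticed by eye. The sample log is constructed with placeholder file names, and the `approved` record and `review_queue` function are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the sync log quoted above. Titles follow
# the comment; the file names are placeholders, not real SUS package names.
SAMPLE_LOG = """\
Automatic Sync Started- Wednesday, December 10, 2003 2:00:07 AM Successful
Updates Added:
Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_EXAMPLE_0001.EXE

Updates Removed:
810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_EXAMPLE_0002.EXE

818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_example_0003.exe

Reissued Update(s):
Security Update, March 7, 2002 - Q313829_EXAMPLE_0004.exe

814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_example_0005.exe
"""

SECTION_HEADERS = {
    "Updates Added:": "added",
    "Updates Removed:": "removed",
    "Reissued Update(s):": "reissued",
}

# A six-digit article number, optionally prefixed with KB or Q, that is not
# embedded in a longer alphanumeric run.
KB_RE = re.compile(r"(?<![0-9A-Za-z])(?:KB|Q)?(\d{6})(?!\d)", re.IGNORECASE)


def parse_sync_log(text):
    """Group log entries by section: {'added': [...], 'removed': [...], 'reissued': [...]}."""
    changes = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if section is None:
            continue  # status line before the first section header
        # Entries read "<title> - <file name>"; split on the last separator.
        title, sep, filename = line.rpartition(" - ")
        if not sep:
            continue  # not an entry line
        match = KB_RE.search(title) or KB_RE.search(filename)
        changes[section].append(
            {"kb": match.group(1) if match else None, "title": title, "file": filename}
        )
    return dict(changes)


def review_queue(changes, approved):
    """Return (reason, kb, file) tuples that need a human decision.

    approved is a hypothetical local record {kb: file name} of packages that
    were tested and signed off before deployment.
    """
    findings = []
    for item in changes.get("added", []):
        findings.append(("new-untested", item["kb"], item["file"]))
    for item in changes.get("reissued", []):
        # A reissue can change the package, so an earlier sign-off no longer
        # covers it; unapproved reissues are listed as well.
        reason = "reissued-after-approval" if item["kb"] in approved else "reissued-unapproved"
        findings.append((reason, item["kb"], item["file"]))
    for item in changes.get("removed", []):
        if item["kb"] in approved:
            findings.append(("approved-package-removed", item["kb"], item["file"]))
    return findings


if __name__ == "__main__":
    approved = {"814078": "js51nen_example_0005.exe", "818529": "q818529_example_0003.exe"}
    for reason, kb, filename in review_queue(parse_sync_log(SAMPLE_LOG), approved):
        print(f"{reason:26} KB{kb}  {filename}")
```
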
    2. Re:Uhhh, they DO know? by MMaestro · · Score: 4, Insightful

      It's inevitable. The larger the company/corporation the more likely it is for someone to forget to talk to someone else. In large companies such as Microsoft, you'll sometimes have two or three groups doing the same project, doing the same work, and the same research but not be aware of each other. That's one of the (major) advantages small businesses have over large ones. It's easier to take the elevator down a floor and talk to group B than it is to set up a teleconference with a group halfway across the globe.

  7. Curious by bluedust · · Score: 4, Funny

    Imagine a Microsoft product doing something without reason...

  8. What's the big deal? by TwistedSquare · · Score: 5, Insightful
    On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night.

    The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.

    1. Re:What's the big deal? by sbennett · · Score: 4, Insightful

      Why is this front page slashdot?

      Simply because Slashdot will take any and every opportunity to make Microsoft look bad.

    2. Re:What's the big deal? by Anonymous Coward · · Score: 2, Insightful

      You mean, like Microsoft will take any and every opportunity to make Linux and GPL and OpenSource look bad?

    3. Re:What's the big deal? by jldrew · · Score: 2, Insightful

      Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.

      True. The reason why this is on the front page of slashdot is, as an AC trolled:

      Any other company like Microsoft no, the catch being of course that there aren't any other companies like Microsoft.

      Of course, said troll quickly gets to the trolling, but the first part is dead-on. Microsoft is big, they're more relevant to slashdot users than any other company.

      Then again, the submitter worded his submission so that the mystery patch sounded scary, but if you RTFA, it's not. Perhaps timothy fell for it.

    4. Re:What's the big deal? by geekoid · · Score: 3, Funny

      Like MS needs the help.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  9. Where is Edward James Olmos? by charlieo88 · · Score: 5, Funny

    So the computers are patching themselves now, are they?

    When exactly was it that the Cylons are supposed to attack?

    1. Re:Where is Edward James Olmos? by gmhowell · · Score: 3, Funny

      I have no idea, but wake me for the lesbian cylon scene between six and Boomer. Note to self: buy more hand cream.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  10. SUS at least makes this easy. by Coaster-Sj · · Score: 5, Insightful

    Ever since we started using Software Update Services this has been cake.
    All the clients just pull the windows critical updates that we approve from OUR servers.
    I feel sorry for anyone who is trying to run around and do them by hand.

    --
    "Average intelligence is pretty damn stupid"
    1. Re:SUS at least makes this easy. by gosand · · Score: 2, Interesting
      Ever since we started using Software Update Services this has been cake. All the clients just pull the windows critical updates that we approve from OUR servers. I feel sorry for anyone who is trying to run around and do them by hand.

      Really? It sucks for us. Our SUS client is pointed at our corporate server. When corporate decides a patch should be installed, it gets installed on our systems. The problem? I am in QA, and our systems started acting goofy lately. In particular, our Rational applications started behaving very strangely. We *think* that it is due to the MS updates, but have no way of telling without launching a full-blown investigation into the issue. We have different OSs we have to test on, and different configurations. But they all have to have these stupid patches installed automatically. And some of them you cannot un-install. Try to track down the cause of a problem when there were 10 patches installed on your system the night before.

      Now that isn't necessarily MS's fault, it is more our head office's fault. We should be able to test out patches with the software we use before having it mass-deployed. Sure, mandate it for all the meat-bag virus-spreaders in sales, but leave us the F alone. The IT guys in our own building are clueless, because they don't have to do anything now - the auto-updater will take care of it, and the patches come from corporate. But like you said, that part is cake....

      --

      My beliefs do not require that you agree with them.

  11. Transcript by blogboy · · Score: 4, Funny

    "Hey Bob...did you patch this?" "No, I thought you did." "Phil!" "What?" "Is this your patch?" "Not me. No patches in December, remember? It's our gift to the world." "Then who the hell...hey Eddie!" "Not now...I'm trying to track down this patch..." "Crap."

    Fin.

  12. Microsoft did the right thing by spitzak · · Score: 5, Insightful

    If I understand this right, there was a bug. Maybe this bug was introduced by the previous patch, or maybe the previous patch did not work as expected, or whatever, but no matter what the reason, there was a bug, they could fix it, and they sent out a patch. That is the correct behavior.

    They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start having trouble finding bugs or figuring out how to fix them...

    Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.

    1. Re:Microsoft did the right thing by Short+Circuit · · Score: 2, Funny

      When they said "no new patches", they meant it. They simply raised existing patches. :)

  13. And... by Nom+du+Keyboard · · Score: 5, Funny
    It moved to a fixed schedule of monthly patches to make the process more predictable for network and system administrators.

    ...and virus writers.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:And... by IM6100 · · Score: 2, Insightful

      Fortunately 'writing a worm' isn't the same thing as finding a new exploit.

      Think about it: many exploits, in both Windows and Linux and every other system, exist for months or years before being discovered. Or should we say, before being discovered by the kind of person who makes noise about it and/or noisily makes trouble using it. I wonder sometimes how 'far ahead of the curve' on that sort of thing the smarter black hats and agencies like the NSA tend to stay. Surely they like the convenience of Open Source and quietly audit it all the time. Easier to find flaws if you're reading source code than black-box testing Windows (though the NSA surely has a source license for Windows)

      --
      A Good Intro to NetBS
  14. RTFA. jesus by User+956 · · Score: 4, Informative

    the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue.

    They do have a clue. Read the article. It's because a November patch for FrontPage wasn't applied to some machines.

    --
    The theory of relativity doesn't work right in Arkansas.
  15. I don't get it... by chill · · Score: 4, Insightful

    The idea of monthly patches was to ease the burden on corporate sysadmins.

    MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.

    How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...

    This also gives the sysadmin time to regression test some patches if that is their policy.

    Big business clients -- you know, the ones benefitting from the monthly schedule -- shouldn't be using Windows Update anyway!

    -Charles Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:I don't get it... by Gr33nNight · · Score: 2, Insightful

      With SUS it's very easy. We have our SUS server sync up with the Windows Update every morning at 4 am, then I manually test and approve each patch for deployment. Then it is automatically installed upon reboot of the users' machines. Very simple and easy.

    2. Re:I don't get it... by Anonymous Coward · · Score: 4, Informative

      It's WAY WAY more complicated than that. Have you even worked at a big company? Like, say, a company with 60,000+ employees, all on disparate systems across many regions of the world? We've got branch offices that still run Windows 95, and it's not even our fault! We only recently acquired them!

      To top it off, we have frequent problems where patches and security policy updates BREAK our programs. We can't just push it out to every client. We have to be ABSOLUTELY certain that we don't interrupt our employees' ability to work. We are a Bank after all, people DO NOT like it when their Bank can't give them their money.

      You can't just gloss over this problem, it's an INCREDIBLY difficult problem. The only real solution is for MS (not just MS though, everybody) to stop releasing crappy software in the first place. Until that happens we're going to continue to be screwed no matter what we do.

    3. Re:I don't get it... by Anonymous Coward · · Score: 2, Interesting

      As far as I'm concerned, the monthly schedule makes it more difficult for the sysadmin. When you get a flood of patches released on the same day does that really make it easier? Not for me, it just adds to my headaches. With weekly patches, I could review and plan a patching strategy at my convenience. And not apply too many patches at once, so there was some hope of discovering which patch screwed up the PC afterwards. But now, it's a nightmare. And it isn't helped by Microsoft releasing updated patches WITH THE SAME FILENAME!!!! And even on the monthly schedule, they're still releasing security bulletins which publish the wrong file version information for the patch files. So my scripted patch installation goes awry because the documentation is wrong. OK, I find that pretty quickly but it's still unnecessary work and headaches.

  16. It's not a patch by spidergoat2 · · Score: 5, Funny

    It's an undocumented upgrade.

  17. Stupid for desktop/home users by Chuck+Chunder · · Score: 2, Insightful

    I have my PC set up to autodownload updates. It's no skin off my nose if I get a "you have updates ready to install" more than once a month.

    It's probably just an attempt to increase the appearance of security (by decreasing patch frequency) while not actually increasing security (and in fact decreasing security as machines can be unpatched for longer).

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Stupid for desktop/home users by Nevo · · Score: 5, Informative

      It's no skin off your nose, but you're not the admin for 1500 machines.

      The admins of large scale deployments have asked Microsoft to make patches more predictable so they can do planning for patch deployment. Microsoft complied.

      As others have stated, when a known vulnerability exists, or when sample code is publicly available, Microsoft will release the patch as soon as it's written.

    2. Re:Stupid for desktop/home users by captaink · · Score: 2, Insightful

      If you had 1500 machines I would suggest using SUS server :)

      --
      --- If I were a fish, I'd be wet
  18. It's MS's fault by nytes · · Score: 5, Funny

    They keep sending me those security patches in email, and I keep applying them. I wish they'd stop it.

    --
    -- I have monkeys in my pants.
  19. Obligatory Treasure of the Sierra Madre quote by adso · · Score: 4, Funny

    Patches? We don't need no stinking patches!

  20. Making it more intuitive and easy to use by aflat362 · · Score: 2, Interesting
    The article states that Microsoft is making the patch process more intuitive and easy to use. How much easier could it be than opening a link to a web site, pressing scan, reading a list of results with descriptions and selecting the ones you want?

    I mean, are people retarded or something? My grandpa who could barely figure out how to use a mouse was able to do an update of his computer after some simple instructions.

    I suppose they could just have your PC patch itself by default but in my opinion that would suck.

    --

    Conserve Oil, Recycle, Boycott Walmart

  21. Interesting...... by vwjeff · · Score: 2, Informative

    I went to Windows Update like all users should (must) do and found one patch for Win XP. It is a Frontpage Server Extensions Patch. It looks pretty serious and I can see why they would want it released quietly. Here's the URL:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;810217

  22. Any other company than Microsoft yes by Anonymous Coward · · Score: 3, Interesting

    Any other company like Microsoft no, the catch being of course that there aren't any other companies like Microsoft. Microsoft is singled out because it stands alone in its class, and it is an undeniable adversary of the GPL ... no other reason.

  23. No, they have got a clue. by Rahga · · Score: 2, Insightful

    See, here's how it goes.

    -Microsoft knows their software is weak when it comes to security.

    -Microsoft pleads to the security community not to make any vulnerabilities public prior to notifying them for at least a few weeks, and sues everyone who doesn't fall in.

    -Microsoft reveals the reason it wants vulnerabilities not to go public.... So CTOs can claim that security updates only happen every month rather than every day, keeping their job intact and making more money for MS in the long run.

    -Somebody who cares about security rather than marketing posts a needed FrontPage Extensions update.

    See.... someone at Microsoft has a clue. They just don't talk to the marketing folks. I don't blame 'em.

  24. no no no, rtWfa by White+Shade · · Score: 4, Informative

    if you read the WHOLE article you find this:

    The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

    So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of overstatement, but they certainly don't have the whole clue.

  25. WTF? by ChangeOnInstall · · Score: 4, Insightful

    How can a company claim that:

    There will not be any patches issued in the month of december

    and

    they release patches more promptly than Linux vendors?

    --
    What has *science* done?!? -- Dr. Weird (ATHF)
  26. What is the benefit of no patches in Dec? by zapp · · Score: 2, Interesting

    Any ideas why this would be beneficial at all? Are they going for the record thing, like some work places have a big sign that says "It's been days since the last workplace injury"? Are they trying to say "hey, Windows is secure! See, no patches released in days"?

    What if a highly critical bug is discovered tomorrow, something big enough that several exploits are in the wild by next week? Will they release a patch then, or will they stick to their policy and hold out on us until 2004?

    --
    no comment
  27. Addendum by tds67 · · Score: 5, Funny
    In October, Microsoft committed to making its patch-release schedule more regular, by only publishing patches on the second Tuesday in each month.

    In other news today, the Cracker community announced it would commit to new virus and worm releases on the second Wednesday in each month.

  28. Whatever happened to One Service Pack behind? by mr_lithic · · Score: 5, Interesting
    It used to be the standard method of dealing with Microsoft Service Packs that you never deployed the latest one on your boxes. You always stayed one step behind. This practice was proved right with the Service Pack 6/6a debacle.

    With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.

    Do we really trust Microsoft enough to think that they will get their updates right every time?

    1. Re:Whatever happened to One Service Pack behind? by lurker412 · · Score: 4, Informative
      Well, last month's cumulative update for IE6 broke the normal behavior of clicking in a scroll bar to page down. AFAIK, Microsoft has not issued an updated patch. After backing out the offending patch (which affected more than just IE), I switched to Firebird, and have been happy with it.

      Automatic updates are really convenient for home users, but there is no easy way to stay one release behind. Some patches are standalone, others are bundled. Some cannot be uninstalled. Some require the presence of previous patches. It has become such a burden to stay current that it is not surprising that even people who should know better don't bother.

    2. Re:Whatever happened to One Service Pack behind? by TrancePhreak · · Score: 2, Funny

      Are your keyboards missing the Page Down button? How about Page Up? Maybe some keyboard manufacturers are leaving out these keys to save money.

      --

      -]Phreak Out[-
  29. That's right by truthsearch · · Score: 4, Insightful

    If it had been any other company than Microsoft it never would have been news.

    But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.

  30. smaller vs. larger patches by Dynamic+Ranger · · Score: 2, Troll

    You can keep using smaller and smaller patches, and eventually, you can stop smoking.

    Or, you can keep using larger and larger patches and eventually become a smoker.

  31. Monthly patches are stupid by Anonymous Coward · · Score: 5, Interesting

    As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".

    You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.

    Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problems, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.

    So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.

    We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.

  32. No no NO! Microsoft is COMMITTED to Security! by Ridgelift · · Score: 3, Funny

    Lest we forget...

    www.trustworthycomputing.com

  33. Windows Update became self-aware! by BigGerman · · Score: 4, Funny

    head for the hills

  34. Re:This is Newsworthy? by placeclicker · · Score: 5, Insightful

    Windowsupdate is the official service to update Windows.

    All versions of windows use this service.

    If Windowsupdate sends out a bogus patch, millions of machines install the patch.

    See where this is going? WindowsUpdate could easily be utilized to infect millions of machines with a virus. It could also bug out and send a patch that breaks millions of machines.

    This service should *NOT* be sending out mysterious patches that no one knew anything about.

    --

    Browse at -1, because trolls are often the most creative part of /.
  35. Everywhere? by greygent · · Score: 3, Insightful

    One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.

    Seems like they've released yet another patch every other day this month. I know it hasn't been quite that many, but it's been several, and much more than Microsoft.

    Could we have a little more fact, and a lot less Microsoft FUD? It makes Slashdot look rubbish.

    The "Linux community" could stand to ridicule less and study their enemy more. Then maybe they wouldn't be slowly slipping behind the Windows Server platform more and more in providing more of the features people need.

    1. Re:Everywhere? by LizardKing · · Score: 2, Insightful

      One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.

      I'd sooner trust an operating system vendor that releases prompt patches to small portions of their product, than some cowboy outfit who release occasional mega patches to their product. Besides, comparing the number of patches to RedHat 9 against those for Windows is bullshit. The typical Linux distro includes a large number of genuinely useful software packages, while MicroSoft's OS comes with ... notepad.

      Chris

  36. How I read it by swb · · Score: 5, Funny
    I read this in October:
    In case you didn't get a chance to review the statement from Steve Ballmer last week, I will try to bring you all up to date on the new process for security alerts.

    The net of this all is that Microsoft is moving to a monthly security bulletin release schedule. This change was in response to customer feedback.

    After today, we will be releasing security bulletins on the second calendar Tuesday of every month. Today was the starting day, and was an exception.

    There are a couple of benefits to this new process:

    1) Switching to a monthly release cycle for security patches allows customers to install multiple patches with a single install and single reboot (using Qchain.exe, Update.exe and other similar tools). This will minimize downtime on mission-critical systems and will allow customers to consolidate the patch deployment to once per month.

    2) Another benefit of the monthly cycle is that it offers customers more time between releases of security patches. This allows customers to evaluate, test and install patches in their computing environments in a timely manner. The release schedule is also more predictable and allows customers to plan in advance for deploying patches.

    You may notice as well that the format of the bulletins has changed, so when you view the bulletin from the link inside of the security alert email, you will notice the sections of the bulletins have changed a bit.

    The change in this process is in order to make it more predictable for our customers so that you can plan and implement patches as quickly as possible.

    If you have any feedback on this new process, please feel free to let me know and I will pass it along to the security team directly.
    Which I translated as:
    We were so humiliated by the never-ending barrage of security vulnerabilities in our products that in order to enable our sales force to make any headway at all against Linux/IBM/Sun we decided to bundle all our security vulnerabilities into a once-per-month release. Our analysis of MSN News and Entertainment Tonight indicates that on our chosen date, the second Tuesday of the month, people are much more likely to be preoccupied with Ben 'n' Jen and the previous day's sporting events, and will easily overlook the most recent worm/virus/breach attributable to our bloated, unmanageable software base.

    The other reasons for the new monthly cycle are that since we'll be dumping more patches into a single file, you'll need more time to debug, back out or ultimately rebuild systems corrupted by patches that will also include special new "features". We also think that our new monthly cycle will coincide with your or your spouses' monthly cycle, allowing you to be victimized by uncontrolled emotional outbursts in one tidy week, instead of having it spread out all over the month.

    Thanks again for buying Microsoft.


  37. This isn't the only patch by Malc · · Score: 2, Informative

    The story talks about a patch for FrontPage. Well, there was a patch for Windows XP Media Center Edition machines today too. So there :P

  38. Exploits from patch announcements? by JimmytheGeek · · Score: 4, Interesting

    MS has claimed that worms come from reverse-engineering vulnerability patches, but I'm not convinced. If an outside researcher found the problem, what makes you think a Black Hat didn't (and has been keeping quiet)?

  39. Driver updates appeared as well by Pop69 · · Score: 2, Informative

    For some reason windows update wants to install Nvidia drivers from 6th October on my machine as opposed to the ones dated 9th December that I installed earlier.

  40. Here you go fella by melted · · Score: 2, Interesting
  41. Patches.... by Dj · · Score: 4, Funny

    Patches want to be free!

    This is the first action of the Patch Liberation Front!

    --
    "You know you want me baby!" - Crow T Robot
  42. You are all missing the point by DaEMoN128 · · Score: 2, Informative

    They say that the patch was a previously issued patch, and it just was reissued. That is a problem, but not a major one (unless the reissued patch has some undocumented modifications). I also see many people saying that the once a month patch gives black hats time to exploit a critical flaw. I don't remember where it was said, but I read that the critical flaws were to be patched immediately and the minor flaws were going to be patched monthly. I am going to do a search and post a link in response to this post when I do find the article.

    --
    Stop signs are only Suggestions
  43. Re:it's nice to criticise, but ... by sir_cello · · Score: 3, Insightful

    > If that doesn't give you cause for concern, you're not a computing professional.

    You don't understand: it doesn't give me cause for concern because I _am_ a computing professional. I see software that affects thousands of computers belonging to other people where the manufacturers have no idea why. In fact, I usually have no idea why something goes wrong with my own software until I've spent a couple of hours looking at it. In fact, sometimes I never do find out what went wrong with my software.

    I think you're the one that's not a computing professional :-).

  44. Rubbish? *snicker* by freeweed · · Score: 2, Insightful

    Microsoft FUD? It makes Slashdot look rubbish.

    Actually, it makes Slashdot look like Slashdot.

    Once again, we seem to have an influx of new Slashdot readers and posters. Let me spell it out for you: THIS SITE IS DECIDEDLY PRO-LINUX, PRO-OPEN SOURCE, AND ANTI-MICROSOFT. It has been since day one, and it will be until MS acquires OSDN or whoever the owner is. Deal with it, stop your bitching, and if you don't like it, there are plenty of pro-Microsoft news sites out there.

    Yeesh. Every story lately these people are coming out. Listen kids, Microsoft doesn't need you to defend them. And you don't look cool just because you bash what's the popular thing around here. In my day, we used to call that "trolling".

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  45. If you wanna talk SUS... by little_fluffy_clouds · · Score: 2, Interesting

    Not only did they release a patch - they removed a bunch and reissued quite a few. Here is the log from last night's SUS sync...
    (Note if you don't know what SUS is, try http://susserver.com/)

    Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful

    Updates Added:

    Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b60515375195560b3.EXE

    Updates Removed:

    810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.EXE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.EXE

    810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.EXE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.EXE

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.EXE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.EXE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.EXE

    813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe

    813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe

    818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf45fe205783dd059d0.exe

    Reissued Update(s):

    Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B.EXE

    Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.exe

    814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe

    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE

    Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe

    Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4ffadfb93f33fa.exe

    Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F2D.EXE

    Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC160D341612338DFD3154.EXE

    Security Update for Windows XP (KB810217) - WindowsXP-KB810217-x86-ENU_696190f151ea0bcb063f0a89471e45b.exe

    Q811114: Security Update (Windows XP or Windows XP

    --
    What were the skies like when you were young?
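
    A SUS sync log in the layout posted above can be checked mechanically against the updates an administrator expected in that cycle. This is an added example, not part of the comment and not Microsoft tooling: the section headers and titles follow the posted log, while the sample filenames, the function names and the approved-KB set are constructed assumptions.

```python
import re

# Section headers as they appear in the posted SUS sync log.
SECTIONS = {
    "Updates Added:": "added",
    "Updates Removed:": "removed",
    "Reissued Update(s):": "reissued",
}

# A KB/Q article number is six digits, optionally prefixed with KB or Q.
TITLE_KB = re.compile(r"\b(?:KB|Q)?(\d{6})\b", re.I)
# In filenames, require the KB/Q prefix so digits inside a hash are not mistaken for an ID.
FILE_KB = re.compile(r"(?:^|[-_])(?:KB|Q)(\d{6})(?=[-_.])", re.I)

# Constructed sample: titles follow the posted log, filenames are placeholders.
SAMPLE_LOG = """\
Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful

Updates Added:

Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_EXAMPLE_0001.EXE

Updates Removed:

810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_EXAMPLE_0002.EXE

Reissued Update(s):

Security Update, March 7, 2002 - Q313829_EXAMPLE_0003.exe

Security Update for Windows XP (KB810217) - WindowsXP-KB810217-x86-ENU_EXAMPLE_0004.exe

Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_EXAMPLE_0005.EXE
"""


def kb_id(title, filename):
    """Return the six-digit article number, or None if the entry carries none."""
    m = TITLE_KB.search(title) or FILE_KB.search(filename)
    return m.group(1) if m else None


def parse_sync_log(text):
    """Split a sync log into added / removed / reissued entries."""
    result = {name: [] for name in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None or " - " not in line:
            continue  # sync banner or a line that is not "title - filename"
        title, filename = (part.strip() for part in line.rsplit(" - ", 1))
        result[current].append(
            {"kb": kb_id(title, filename), "title": title, "file": filename}
        )
    return result


def unexpected_changes(parsed, approved):
    """List every catalogue change whose KB is missing or not on the approved list."""
    findings = []
    for section in ("added", "removed", "reissued"):
        for entry in parsed[section]:
            if entry["kb"] is None or entry["kb"] not in approved:
                findings.append((section, entry["kb"], entry["title"]))
    return findings


if __name__ == "__main__":
    # Assumption: only the Media Center update was announced for this cycle.
    for finding in unexpected_changes(parse_sync_log(SAMPLE_LOG), {"830786"}):
        print(finding)
```

    Entries with no recognisable article number are reported rather than skipped, since an update that cannot be tied to a bulletin is exactly the case that needs a human look before approval.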
  46. Stealth Patch by nurb432 · · Score: 2, Interesting

    Sort of disconcerting if they don't have enough 'quality control' to even know who put the patch into effect to be distributed..

    Considering the ramifications of patches and their 'assumed authority' with autopatch, this is a very bad blunder.

    --
    ---- Booth was a patriot ----
  47. No way ... by s20451 · · Score: 2, Funny

    Where is Edward James Olmos?

    Forget that. Begin the thawing of Lorne Greene.

    --
    Toronto-area transit rider? Rate your ride.
  48. FrontPage is a Security Hole? by calyphus · · Score: 2, Funny

    It isn't enough that it creates some of the crappiest html since Pagemill, but an html editor that creates security holes, too? What will they have to patch next? Notepad?

    --


    The potato it is uninformed.
  49. I still do not see the advantage by stealth.c · · Score: 4, Insightful

    ...in announcing regular times when you WON'T be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)

    If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.

    I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.

    This almost reminds me of a time when Konqueror and IE had an SSL security hole. While Microsoft buried its head in the sand, the Konq guys just solved the damn problem (in a matter of hours, if memory serves).

    Maintaining important software is only hindered when some bureaucratic colossus feels the need to babysit the process.

  50. Microsoft Patch Problems by rpg25 · · Score: 2, Insightful

    Am I the only one who finds the new updater for XP really unhelpful?

    Having been burned in the past, I configured the updater to just download the patches, but not install them, so that I can read the "details" before deciding whether to install the patch.

    Clearly, Microsoft's definition of "details" diverges significantly from my own. Their detailed description always seems to be something like "There's a problem in application X that could allow an attacker to gain administrator privilege on your machine." Optionally, they might warn me that I won't be able to remove the patch once it's installed.

    This is wildly insufficient. For one thing, if the patch is unremovable, the details should contain at least a capsule explanation of what the tradeoffs are likely to be --- in particular, whether or not installing this patch is likely to bust some beloved function. I still remember ruefully the time I installed a patch that busted synchronization of my WinCE handheld (I have since switched to a PalmOS device). I had to reinstall Windows to fix that one, and it cost me the better part of a work day.

    The patch descriptions are also inadequate. E.g., the latest patch reports a problem with FrontPage Server extensions. It's not even clear whether the problem is only if I'm running FrontPage server, or whether MS has just given a back door into my machine to any server that uses FrontPage.

    I know, one can go to the Knowledge Base to get more details, but what part of "details" doesn't Microsoft understand? When I click on "details" I want details, not an opportunity to go yet further for the real details....