Microsoft: Patches, Patches Everywhere!
Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
I guess they are going to have to issue a patch to stop the machines from patching....ironic.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
...They haven't a clue.
On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.
I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!
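The question in the post above ("what exactly got pushed to our machines last night?") is one a client can answer for itself. The following is an added example written for this page, not code from the original thread or from Microsoft. It reads the two records a Windows client keeps of what was installed: the hotfix inventory (`Get-HotFix`, KB ids and install dates) and the Windows Update Agent's own history (the `Microsoft.Update.Session` COM object, which records every update the agent installed, when, and whether it succeeded). The look-back window and the machine name are parameters; the defaults are assumptions for the example.

```powershell
# Added example (not from the original thread): list what the Windows Update
# client actually installed on this box in the last N days, from two sources:
#   1. Get-HotFix                  -> installed hotfixes (KB id, install date)
#   2. Windows Update Agent history -> every agent operation with title,
#      time (UTC), operation type and result code
# Run in an elevated PowerShell session. Defaults below are assumptions.
param(
    [int]$Days = 1,                           # 1 = "since yesterday"
    [string]$ComputerName = $env:COMPUTERNAME # remote names need RPC/WMI access
)

$since = (Get-Date).Date.AddDays(-$Days)

# --- 1. Hotfix inventory ------------------------------------------------------
Write-Host "Hotfixes on $ComputerName installed since $since" -ForegroundColor Cyan
Get-HotFix -ComputerName $ComputerName |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledBy, InstalledOn -AutoSize

# --- 2. Windows Update Agent history (local machine only) -------------------
# Operation:  1 = installation, 2 = uninstallation.
# ResultCode: 1 = in progress, 2 = succeeded, 3 = succeeded with errors,
#             4 = failed, 5 = aborted.
$opNames     = @{ 1 = 'Install'; 2 = 'Uninstall' }
$resultNames = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors';
                  4 = 'Failed'; 5 = 'Aborted' }

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

Write-Host "`nWindows Update Agent history since $since (times are UTC)" -ForegroundColor Cyan
if ($total -gt 0) {
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -ge $since.ToUniversalTime() } |
        Sort-Object Date |
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Operation = $opNames[[int]$_.Operation]
                Result    = $resultNames[[int]$_.ResultCode]
                # The KB id is embedded in the title, e.g. "... (KBnnnnnn)".
                KB        = if ($_.Title -match 'KB\d+') { $Matches[0] } else { '' }
                Title     = $_.Title
            }
        } | Format-Table Date, Operation, Result, KB, Title -AutoSize
} else {
    Write-Host 'No Windows Update Agent history on this machine.'
}
```

The two lists should agree; an entry in the agent history that has no matching hotfix (or one marked Failed) is exactly the "was this patched or not?" gap the thread is about. The hotfix inventory can be read remotely, the agent history only locally, so for a fleet the second part would be run through whatever remote-execution mechanism the site already uses.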
Imagine a Microsoft product doing something without reason...
The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.
So the computers are patching themselves now, are they?
When exactly is it that the Cylons are supposed to attack?
...and of course you read the announcement about this, didn't you? And as such you know that they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild and/or are to the top left of the threat matrix (remote/system level exploits).
I want a new world. I think this one is broken.
Ever since we started using Software Update Services this has been cake.
All the clients just pull the windows critical updates that we approve from OUR servers.
I feel sorry for anyone who is trying to run around and do them by hand.
"Average intelligence is pretty damn stupid"
"Hey Bob...did you patch this?" "No, I thought you did." "Phil!" "What?" "Is this your patch?" "Not me. No patches in December, remember? It's our gift to the world." "Then who the hell...hey Eddie!" "Not now...I'm trying to track down this patch..." "Crap."
Fin.
If I understand this right, there was a bug. Maybe this bug was introduced by the previous patch, or maybe the previous patch did not work as expected, or whatever, but no matter what the reason, there was a bug, they could fix it, and they sent out a patch. That is the correct behavior.
They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start having trouble finding bugs or figuring out how to fix them...
Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue.
They do have a clue. Read the article. It's because a November patch for FrontPage wasn't applied to some machines.
The theory of relativity doesn't work right in Arkansas.
The idea of monthly patches was to ease the burden on corporate sysadmins.
MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.
How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...
This also gives the sysadmin time to regression test some patches if that is their policy.
Big business clients -- you know, the ones benefiting from the monthly schedule -- shouldn't be using Windows Update anyway!
-Charles Hill
Learning HOW to think is more important than learning WHAT to think.
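The two posts above describe the same setup: clients fetch only the updates an admin has approved, from an in-house update server, on the admin's schedule. The following is an added example for this page, not code from the original thread or from Microsoft. It configures a client for that arrangement using the documented Automatic Updates policy values (the same values Group Policy writes; in a domain you would set them through GPO, here they are written directly for a lab machine) and then reads them back to verify them. The server URL and the install window are assumptions for the example.

```powershell
# Added example (not from the original thread): point a Windows client at an
# in-house update server (SUS at the time, WSUS today) instead of public
# Windows Update, and schedule installs for a fixed window.
# These are the documented Automatic Updates policy registry values; set them
# through Group Policy in a domain. Run elevated. URL and schedule are assumed.

$UpdateServer = 'http://updates.corp.example:8530'   # assumed internal server
$InstallDay   = 3    # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
$InstallHour  = 3    # ScheduledInstallTime: hour 0-23, local time

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu, $au -Force | Out-Null

# Where the client fetches updates and where it reports its status.
Set-ItemProperty -Path $wu -Name WUServer       -Value $UpdateServer -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $UpdateServer -Type String

# Automatic Updates behaviour:
#   NoAutoUpdate 0 -> Automatic Updates enabled
#   UseWUServer  1 -> honour WUServer above (0 = go straight to Microsoft)
#   AUOptions    4 -> download automatically, install on the schedule below
#                    (2 = notify before download, 3 = download, then notify)
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0            -Type DWord
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1            -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4            -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $InstallHour -Type DWord

# Verify by reading the policy back. The check catches the mistake that
# silently defeats the whole setup: WUServer set while UseWUServer is still 0,
# which leaves the client talking to public Windows Update.
function Test-InternalUpdatePolicy {
    $w = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    $ok = $w.WUServer -and ($a.UseWUServer -eq 1) -and ($a.NoAutoUpdate -eq 0)
    [pscustomobject]@{
        WUServer     = $w.WUServer
        UseWUServer  = $a.UseWUServer
        AUOptions    = $a.AUOptions
        InstallDay   = $a.ScheduledInstallDay
        InstallHour  = $a.ScheduledInstallTime
        PolicyActive = [bool]$ok
    }
}
Test-InternalUpdatePolicy

# Make the client re-read its authorization and check in now instead of
# waiting for the next detection cycle (Automatic Updates client command).
wuauclt.exe /resetauthorization /detectnow
```

With this in place the client installs only what has been approved on the internal server, so the "test deployment first, general deployment later" practice described elsewhere in the thread is just a matter of which approval group a machine sits in. Note that `PolicyActive` only says the client is pointed at the internal server; it does not say the server itself is reachable, which is a separate check.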
The benefit, at least for Microsoft, is that by making patches a routine (second Tuesday of the month) security patches are now a routine, and thus probably won't make news when they are released. This is also good for sysadmins in a way, because they can plan for patch deployment, but I bet this system crumbles as soon as some flaw is wormed three weeks before the patch is scheduled for release.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
It's an undocumented upgrade.
They keep sending me those security patches in email, and I keep applying them. I wish they'd stop it.
-- I have monkeys in my pants.
Patches? We don't need no stinking patches!
if you read the WHOLE article you find this:
The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.
So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of overstatement, but they certainly don't have the whole clue.
How can a company claim that:
There will not be any patches issued in the month of December
and
they release patches more promptly than Linux vendors?
What has *science* done?!? -- Dr. Weird (ATHF)
In other news today, the Cracker community announced it would commit to new virus and worm releases on the second Wednesday in each month.
The obvious downside is what happens when a major new remote root exploit comes out like Blaster. However, in that case the news is all over the tech media at worst, and often the mainstream media as well, so there is nothing to stop Microsoft issuing an "emergency" patch or advisory in that case and have the word get out. Unfortunately, that apparently hasn't stopped them from failing to release a patch for the remote IE exploit announced a fortnight ago.
UNIX? They're not even circumcised! Savages!
With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.
Do we really trust Microsoft enough to think that they will get their updates right every time?
Slow down turbo. In this case blaster was created by looking at the patch that it exploited. It only affected unpatched systems.
I won't argue that the longer one waits the bigger the window for an exploit, but given that a large number of exploits are created from looking at patches, it makes sense to compress the patch time so that sys admins can make time to make sure their infrastructure is updated all at once.
You may have the start of a point, but certainly not with regard to Blaster.
A speech...
If it had been any other company than Microsoft it never would have been news.
But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.
Developers: We can use your help.
As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".
You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.
Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problem, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.
So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.
We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.
Patch Officer: Sir, our Windows Update service has issued a patch today.
Billy G: But I said NO patches in the month of Dec.
Patch Officer: Yes sir, but the patch-issuing s/w has a bug. We need to patch it ASAP.
Billy G: But I said no patches in Dec, damn it.
Patch Officer: But then we won't be able to prevent the Windows Update service from issuing the first patch.
Billy G: READ MY LIPS man, NO patches in Dec.
Shall we say patch-22 :-)
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
head for the hills
Windows Update is the official service to update Windows.
All versions of windows use this service.
If Windows Update sends out a bogus patch, millions of machines install the patch.
See where this is going? Windows Update could easily be utilized to infect millions of machines with a virus. It could also bug out and send a patch that breaks millions of machines.
This service should *NOT* be sending out mysterious patches that no one knew anything about.
It's no skin off your nose, but you're not the admin for 1500 machines.
The admins of large scale deployments have asked Microsoft to make patches more predictable so they can do planning for patch deployment. Microsoft complied.
As others have stated, when a known vulnerability exists, or when sample code is publicly available, Microsoft will release the patch as soon as it's written.
MS has claimed that worms come from reverse-engineering vulnerability patches, but I'm not convinced. If an outside researcher found the problem, what makes you think a Black Hat didn't (and has been keeping quiet)?
Well, there are some neat non-security "patches" like the Root Cert updates, and they usually include any new versions of drivers for your hardware. The stuff that's listed under "recommended" for your OS is either those, or some annoying but not critical bug fixes, or is the subject of this rant:
What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.
All's true that is mistrusted
Patches want to be free!
This is the first action of the Patch Liberation Front!
"You know you want me baby!" - Crow T Robot
Yes, but, in the eyes of Microsoft, WMP9, .NET runtime, etc. are part of the OS. That's the difference between the mindset of Microsoft (one big tool that does everything) and that of the *nix world (many small tools, each that does something in particular)
Face it, Microsoft hasn't changed its viewpoint in this long, it's probably not going to happen any time soon.
Overrated / Underrated : Moderation
Should I upgrade?
Media Player 6.4 won't play all of Microsoft's media files anymore. WMA or ASF files created with the latest version of Media Player won't play on ver 6.4; it won't download the codecs for all of them. Subtle way for them to get people to upgrade, isn't it?
Whether that's worth upgrading for is up to you.
...in announcing regular times when you WON'T be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)
If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.
I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.
This almost reminds me of a time when Konqueror and IE had an SSL security hole. While Microsoft buried its head in the sand, the Konq guys just solved the damn problem (in a matter of hours, if memory serves).
Maintaining important software is only hindered when some bureaucratic colossus feels the need to babysit the process.