Slashdot Mirror


Time to End Microsoft's Patch Tuesday?

buzzardsbay writes "Techtarget's resident security curmudgeon, Dennis Fisher, is calling for an end to Microsoft's monthly security patching cycle. Fisher points out that 'a hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'"


  1. I have always wondered... by AxemRed · · Score: 4, Interesting

    Why don't they just release patches as they make them? Is there a specific reason that they hold them all until "patch Tuesday?"

    1. Re:I have always wondered... by Pentavirate · · Score: 2, Insightful

      So your machine only reboots on you when you're not looking once a month instead of every single day!

    2. Re:I have always wondered... by kcurtis · · Score: 5, Insightful

      It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

      If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.

    3. Re:I have always wondered... by Matt+Perry · · Score: 4, Insightful

      It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

      If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.

      Nonsense. Companies are free to test and upgrade on a given day no matter when updates come out. I test patches and update my Linux servers once a month even though patches for said machines may come out at any point in time between my patch days. I make exceptions to this only for patches that we deem critical enough to apply outside of our schedule.
      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    4. Re:I have always wondered... by LurkerXXX · · Score: 4, Insightful

      You always wondered? You must be fairly new to IT. MS switched to that format well within the past 10 years. I think it was around 5 years ago. Before that they released them as each was finished.

      As for why they do them that way now, their large corporate customers asked them to. In large corporate settings there are often lots and lots of in-house-developed applications the company runs. Each time a new patch comes out, the IT dept must go through a lengthy (sometimes several weeks) process of testing the new patch, on test beds of the various models/configurations of computers the company uses, to make sure it doesn't break any of those apps, or any other purchased applications. They often run into many bugs/conflicts that MS doesn't in their testing.

      If MS comes out with a patch, the company starts testing it out, then 3 days later MS comes out with another patch, the big corp now has multiple cycles of testing trying to go on at the same time, using up tons of IT resources, backing things up in the pipeline. If their testing cycle is 2 weeks, and MS releases 6 patches during those two weeks, the pipeline is now filled up with 12 weeks worth of throughput. Not fun.

      If, on the other hand, MS releases on a regularly scheduled day each month, the company can easily run their test suite just a single time, freeing up IT resources, and also letting them plan for the patches/testing, rather than being surprised and having to pull folks off of other projects to work on testing if MS suddenly goes on a streak of releasing several patches in a row.

    5. Re:I have always wondered... by Joebert · · Score: 2, Insightful

      No, it's your fault that you didn't learn how to configure your system to meet your needs. :)

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    6. Re:I have always wondered... by edwdig · · Score: 4, Interesting

      Does Windows gracefully handle the situation where a DLL which is currently in use is replaced, or will I wind up with applications calling two different versions of the DLL depending on when they started?

      The reason Windows updates require reboots is because open files cannot be replaced. So if a DLL is in use at the time of update, it won't actually be installed until you reboot.

      Unix systems, otoh, have decided that the name of a file (the thing the user has control over) is not what actually ids a file, but instead the location on disk is the id. Hence why Unix updates don't require reboots and instead result in the problems you've mentioned.

      I've always wondered how someone could consider the Unix design a good idea. Two different programs can open what they think is the same file, yet get completely different results. And yet some people don't seem to get why this is a really bad thing for shared libraries (or even files in general).

    7. Re:I have always wondered... by Tanktalus · · Score: 4, Informative

      I still love the ability to replace in-use libraries. The only problems that ever crop up are when you dynamically load another library, and that library disappears (Windows doesn't help here, either), or its API changes (although usually that results in a new library name, so you still get the old one). If you still have a library loaded when it gets deleted, you maintain a filehandle to it so its disk space is not reclaimed or reused. Shut down all applications still loading the old library, and then the disk space gets reclaimed.

      I've updated X.org at least a couple times since the last time I restarted my X server. So I have a bunch of old libraries still sitting on my disk with no way to refer to them (well, there are ways to get them back involving funky lsof/proc tricks, but let's not go there). Nothing will overwrite them. But, when I feel I have the time, I can shut down all my X apps, restart my X server, and free up all that space. But I don't need to take down mysql, apache, or anything not X-based to do so.

      I don't get how anyone could consider this a bad idea. The only times it falls over is when people don't follow convention (change your library number when changing APIs!), or in cases that Windows will fall over, too (dynamically loading libraries that don't exist anymore - although that usually doesn't crash as hopefully most people catch the error return and handle it). Otherwise, it maximises the uptime of your server, so that you only need to restart programs that actually use your library when you want to.

      (PS - thanks for this thread - it answers a question my wife posed - why her windows machine rebooted overnight when she was in the middle of sorting digital photos to send to be printed, and there was no power outage.)

    8. Re:I have always wondered... by pe1chl · · Score: 2, Interesting

      It can cause problems when abused, but it has some very nice properties.
      For example, you can create a temporary file by opening it (with create option), then deleting its name while keeping the file open.
      Your file will be available as long as you don't close it, and will vanish automatically when you close the file, your program crashes, the system reboots, or whatever.

      No more TEMP directory filling with crap, no need for a program that removes old tmpfiles left when a program crashes, etc.

    9. Re:I have always wondered... by Kijori · · Score: 4, Insightful

      When Microsoft releases a patch for an exploit, it's immediately known that computers are wide open to this attack. Malicious hackers - virus writers and the like included - can reverse engineer the patch to find out what vulnerability is being patched exactly, and know that, since your organization doesn't patch until such-and-such day, you're wide open to attacks. "Exploit Wednesday", the day after patch Tuesday, is a testament to the importance of Microsoft's patches in the development of exploits. Companies can't afford to gear up for patches every day, but can't afford to risk the ramifications of not applying a patch immediately either. Patch Tuesday gets them out of this catch-22.

    10. Re:I have always wondered... by lgw · · Score: 2, Insightful

      I disable the damn update service. Once a month I hit Microsoft Update, generally on the Wednesday following patch Tuesday. Why is this hard?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:I have always wondered... by ben+there... · · Score: 2, Informative

      (PS - thanks for this thread - it answers a question my wife posed - why her windows machine rebooted overnight when she was in the middle of sorting digital photos to send to be printed, and there was no power outage.)

      In case you're interested, since starting this thread I did some googling and came up with a solution for both XP Pro and Home.

      how to
      registry entries (works with XP Home as well)

      I guess this has been an issue for about 3 years for people, but it never bugged me bad enough to fix it until I started recording TV on this box. :-)
    12. Re:I have always wondered... by Tacvek · · Score: 2, Insightful

      My wish is for: Download Automatically. Prompt me when downloaded so I can review what is to be installed. If I install them, and it wants to reboot, but I do not reboot, it may leave a systray icon, but MUST NOT keep popping up that window every 10 minutes asking me to restart. I will generally install the updates ASAP, but I only restart when I want to, or if the system becomes really messed up, or BSOD.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    13. Re:I have always wondered... by kasperd · · Score: 2, Interesting

      Hence why Unix updates don't require reboots and instead result in the problems you've mentioned.

      The possibility to update without rebooting is great. The problems you mention are very rare. In fact I have only seen that kind of problem once, in the 10 years I have been using Unix systems. And the case where I saw it, it was not even two programs using different versions, but rather one program being started while it was in the middle of being updated causing it to end up with different versions of the different libraries in the package. And even if that had happened every time I upgraded software, it would still be less of a problem than having to reboot every time.

      I've always wondered how someone could consider the Unix design a good idea.

      Considering how well the Unix way works, I wonder how anybody could consider Windows a good idea. In Windows, updates require a reboot far too often. And in Windows you often get errors about files being busy for no good reason. OTOH with Unix you can upgrade a running program and not even notice. The running instance keeps running, any new instance will use the new version. Only problem is, that this usually works so smoothly, that you don't even notice. I recall once noticing, that I had KDE using libraries that had been deleted a month earlier. (Yes, I had in fact not logged out for a month).

      Two different programs can open what they think is the same file, yet get completely different results.

      If you get completely different results, there is a design flaw. We are talking about bug fixes here. The old version has a bug, and if the program triggers that it might crash or even worse produce undefined results (which could be to let in an attacker). The new version does not have the bug. As long as you don't produce the condition, which would trigger the bug, the two versions are supposed to behave exactly the same. And if you do trigger the condition, it is obviously an advantage that the new version behaves as intended. Of course it is not good that the old version doesn't, but the only way to avoid that is by never introducing bugs, which we all know is rarely feasible.
      --

      Do you care about the security of your wireless mouse?
    14. Re:I have always wondered... by ben+there... · · Score: 2, Informative

      Hey Tacvek, I think my other post might help you too. Specifically, set RebootRelaunchTimeout to 1440 to change that to 24 hours. A couple other options should help too.

    15. Re:I have always wondered... by pe1chl · · Score: 2, Interesting

      The opened and deleted file still has space allocated and it will not be overwritten by other files. Of course when the disk is full, one cannot add data to the file.

      This is not a "trick". A file in Unix exists independent of its name(s). Each file has 1 name when created, but you can delete the name or add more names. When the number of names becomes zero, the file is deleted as soon as all processes that have it open do close it. As long as it is open, it is a fully functional file that occupies space and can be read and written to.

      There even is a special function in the C library to create a temporary file:

      FILE *tmpfile (void);

      This creates a file, opens it for read+write and immediately deletes it. It is available as a temp file until it is fclose'ed.

      In Unix this is simple to implement. The corresponding function in other systems is tricky and does not work completely correctly.

      When you don't believe it, browse to your TEMP directory in a Windows system, usually C:\Documents and Settings\yourusername\Local Settings\Temp.
      You will find many files with .tmp names or names starting with ~ or $, all meant to be temporary files deleted after use.
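
The file-versus-name behaviour described in this comment, as an added example that is not part of the original post: a reader that opened the old file keeps seeing it after an update renames a new file over the same name, and an unlinked file stays usable until it is closed. The file names and function names are assumptions made for the demo, which expects a POSIX filesystem.

```python
import os
import tempfile


def replace_while_open(directory):
    """Update a file by rename while a reader still holds the old one open."""
    path = os.path.join(directory, "libdemo.so")  # hypothetical file name
    with open(path, "w") as fh:
        fh.write("version 1 (unpatched)\n")

    old = open(path)  # stands in for a running program using the library

    # Write the fixed version under a temporary name, then rename it over
    # the old name. The name now points at a different file.
    tmp = path + ".new"
    with open(tmp, "w") as fh:
        fh.write("version 2 (patched)\n")
    os.replace(tmp, path)

    st_old = os.fstat(old.fileno())  # looked up by handle: the old file
    st_new = os.stat(path)           # looked up by name: the new file
    with open(path) as fresh:
        new_text = fresh.read().strip()
    result = {
        "old_handle_reads": old.read().strip(),
        "new_open_reads": new_text,
        "old_link_count": st_old.st_nlink,  # zero names left
        "same_inode": st_old.st_ino == st_new.st_ino,
    }
    old.close()  # only now can the old file's disk space be reclaimed
    return result


def unlinked_tempfile(directory):
    """The tmpfile() pattern: create, open, delete the name, keep using it."""
    path = os.path.join(directory, "scratch.tmp")  # hypothetical file name
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    os.unlink(path)  # the file has no name from here on
    os.write(fd, b"still usable")
    os.lseek(fd, 0, os.SEEK_SET)
    data = os.read(fd, 64)
    visible = os.path.exists(path)
    os.close(fd)  # the file vanishes here, or when the process dies
    return data, visible


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(replace_while_open(d))
        print(unlinked_tempfile(d))
```

The first function is why a patched library on disk does not mean a patched process: the holder of the old handle keeps the unpatched contents until it is restarted.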

    16. Re:I have always wondered... by pe1chl · · Score: 3, Informative

      Unlike the Unix mechanism, where the library is replaced and you would need to voluntarily restart your application to make it use the new library, there is no easy way to update a DLL in Windows after it has decided a reboot is required.

      Windows update will try to replace each file, and when it succeeds everything is fine. When not, it will put the file on disk under a different name, add a "rename" operation to a list, and continues with the next file. At the end, when the list is not empty, it requests a reboot. At reboot, the list is processed (the new files renamed over the old ones), and the list emptied.
      But merely stopping an application and closing the file that was in use will not make it rename that file and remove it from the list. You will need to reboot.

  2. Volume of patches won't get better by Dynedain · · Score: 2, Interesting

    "The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time."

    So the sheer volume of daily patches would make this better?

    Now, MS should take a clue from Apple and have a lot more "rollup" packages than they currently do.
    --
    I'm out of my mind right now, but feel free to leave a message.....
    1. Re:Volume of patches won't get better by gad_zuki! · · Score: 3, Insightful

      Patch day was started because administrators didn't want random patches being pushed out at random times. It's supposed to help the process by giving people a schedule, especially for people who aren't using SUS.

      The real question is when are they going to patch the patch system. The 100% CPU svchost bug is killing me and KB916089 (and its predecessor) doesn't do squat.

    2. Re:Volume of patches won't get better by Intron · · Score: 2, Funny

      To reduce the problems caused by the volume of daily patches, they could save them until a particular time and refer to that as "patch minute". I propose that they make this 5:35 pm in each local timezone to catch the IT staff who are trying to sneak out and have a home life.

      --
      Intron: the portion of DNA which expresses nothing useful.
  3. Re:Otherwise known as... by drinkypoo · · Score: 2, Informative

    Patch Tuesday - AKA: The day before the zero-day exploits are released.

    That's not true. They're released before the patches come out. Microsoft provides vulnerability information through a webpage now.

    All the more reason to ditch the patch tuesday, and just release patches when they are ready. As I have repeatedly pointed out otherwhere recently, if you want to install the patches monthly, you can wait for some arbitrary day of the month, and then install the patches.

    This is how Microsoft schedules patch releases, so doing this would preserve the existing behavior for those seriously confused people who prefer it. Waiting to release patches is bad for everyone, except the people profiting from exploits.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. SUS by u-bend · · Score: 2, Insightful

    I'm not a fan of MS, nor am I a network administrator, but if you're running a network large enough for patching to be a big problem, shouldn't you have a PDC or BDC or something like that that runs SUS? Then you can choose which patches get installed to clients, and when, right? Probably an oversimplification, but it helped in management of our M$ boxes at a previous job.

    --
    u-bend
    1. Re:SUS by TENTH+SHOW+JAM · · Score: 2, Informative

      Probably an oversimplification,

      It isn't a matter of deploying patches. Deployment of software is one of the main functions of a large network. It's a matter of choosing the patches.

      If you have 200 core software packages on your big network and a huge number of one offs, then the patch must play nicely with 200 packages. Does it? Let's check. (test against app 1, tick, test against app 2 ...) OK now deploy and hope it does not break too many one offs.

      --
      A sig is placed here
      To display how futile
      English Haiku is
  5. The Real Reason for Patch Day by Gary+W.+Longsine · · Score: 3, Insightful

    Dennis Fisher fails to grok. Patch Day was created because Microsoft was getting hammered by the poor press which resulted from releasing many patches in one month. Patch Day, as much as it sucks, is probably here to stay.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:The Real Reason for Patch Day by sharkey · · Score: 2, Funny

      Dennis Fisher fails to grok.

      True. Patch Tuesday will arrive when waiting is filled.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. Patch Tuesday by Anonymous Coward · · Score: 2, Insightful

    My understanding is that they basically did it to allow IT guys to schedule their downtime and patching, instead of having to scramble every time MS releases a patch in the middle of the week. Which is how it used to work, up until 2003 or so.

  7. I call Bullshit on the Red Bull by The+Media+Mechanic · · Score: 3, Insightful

    "Known in some circles as Black Tuesday, the second Tuesday of each month in the last few years has become a kind of national day of mourning in the IT industry, as admins call all hands on deck and load up on pizza and Red Bull for the long night ahead."

    I call bullshit on this anecdotal bit of trivia. Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit... what places actually force their employees to work ridiculous hours like this just due to an arbitrary vendor schedule! I would not work at such a place, regardless of the amount of free pizza or Redbull available.

    My point is that this bit of exaggeration in the article has no basis in fact and should be supported by quotes from someone who actually enforces this policy at their IT department.
    --
    I can throw as many stones as I wish; my house is made of transparent aluminum.
    1. Re:I call Bullshit on the Red Bull by Zontar_Thing_From_Ve · · Score: 3, Informative

      Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit...

      You may be right. My previous job was with a company that did a lot of VAR stuff, including various email systems. It didn't matter to us what you wanted - Notes, Exchange, Unix, anti-virus, anti-spam - we could sell you whatever combinations you wanted. I didn't work with Exchange, but the Exchange guys told me that in the past they used to rush out and patch systems with every "critical" Microsoft patch release and then they applied some patch that totally broke Exchange. The patch had nothing to do with Exchange, but it broke it. It took hours to fix the broken servers. After that fiasco, we regarded all Microsoft patches as suspect and we had a group in another state that one of their jobs was to test new patches on Exchange servers and see if Exchange still worked. It didn't matter to us how "critical" Microsoft considered a patch. We didn't patch any of Exchange servers until our test group gave the OK, which was usually a month later.

  8. Fix The Real Problem by EXTomar · · Score: 2, Insightful

    The original reason why "Patch Tuesday" was created was because too many were giving feedback to Microsoft that their patching process was far too disruptive to their enterprise. Before "Patch Tuesday", you could check any particular machine, at any time of day or week, and regardless of its role or usage it may have a patch pestering people that it needs to be applied and the machine rebooted. "Patch Tuesday" essentially is a "work around" to condense all of these patches that could be highly disruptive into a smaller, brief time frame.

    The real problem is the patching system Microsoft chose is highly disruptive. Too many still demand user attention even if applied remotely by an administrator. Although less often, too many still require a reboot which is a larger disruption to the user's work. Should Microsoft consider changing how patching is done so that it isn't so "hands on" and pesters the users and administrators to take action? Improve patching to the point where patches can be applied painlessly from the IT Center and "Patch Whateverday" goes away.

  9. My Thoughts by KenshoDude · · Score: 5, Informative

    I am the Sys Admin for ensuring that our roughly 1800 desktops and notebooks get updated with the latest updates. Microsoft's strategy is the very least of my concerns. The patches show up on WSUS the Wednesday morning after they are released. I read up on them, noting any "caveats" in the KB articles and inform our help desk if I find anything significant. Then, I set my approvals and decline any superseded updates. The clients check in and install the updates overnight. I am not sure where all this talk about long nights with Red Bull and whatever come into play. If we have mission critical systems, we withhold approval for that group for a week or so until we are confident that there are no undisclosed "caveats." Super simple.

    I like having a regular schedule for updates. But I wouldn't mind a little more frequency. Why not the first and third tuesday of every month? Sounds reasonable to me.

    Now if it were only that easy for all the other software vendors out there like Adobe (Acrobat / Flash), Sun (Java), and so on. Where are their enterprise patch management solutions? Why can't I configure my Java clients to check in to one of my servers to automatically apply security updates? Instead I have to spend more money on a 3rd party patch management solution. And I haven't found one yet that is as reliable and simple as WSUS.

  10. Re:End Patch Tuesday by businessnerd · · Score: 4, Insightful

    Except for the fact that Linux also requires patching. Every other day I have a little star on my desktop notifying me of updates to various libraries, applications, and yes the kernel itself. Macs have patches too. This is not necessarily a Windows vs. , this is about what the best way of releasing patches is. It's an Incremental vs. Bulk release debate. MS chose the bulk method. Is that a good decision? Maybe, maybe not. Regardless of the OS, patching is always required. No piece of software is bulletproof.

    --
    "It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
  11. That's the Problem by bill_mcgonigle · · Score: 5, Insightful

    It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

    Your comment is accurate, and gets to the heart of the problem. The current system minimizes cost, at the expense of security.

    The pundit would rather companies get more staff, do rolling testing, etc., whatever it takes - to maximize security.

    Now, as a non-user of Microsoft products and a victim of attacks by unpatched machines, some of them corporate, it's clear that the current strategy just shifts the costs off of the companies and onto me. If it just crashed their networks I couldn't care less. But it's more than that.

    So I need to side with the proposal - the users need to improve their security. They can do this by having rolling patches from Microsoft or picking a more secure product to use. I don't care how they do it, but they need to stop expecting me to pay for their poor performance.

    Unfortunately, liability is poorly defined in this realm, otherwise I could theoretically sue for damages, and their insurance company would make sure they were in good shape or charge them through the roof for being in bad shape.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:That's the Problem by bill_mcgonigle · · Score: 2, Insightful

      So there's a point where increasing investments in security becomes more costly than loss of security. Current system seems like a good balance to me.

      And more importantly the current system shifts cost off of those with poor security and onto everybody else. Since there's no downside for those doing the shifting, it is a good state of affairs for them. The trouble is with all those insecure goats, the commons are becoming bare.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. Re:Not MS' problem by danlor · · Score: 2, Insightful

    Sounds to me like you are the problem. That's a heinous comment.

    Patching is dangerous. It is not for the foolhardy, or ignorant. Your IT department is there to protect you from the "just do it" mentality. Trust them, and when they whine about problems in the process, take heed.

    Our systems have been taken down twice this year due to bad patches from good old MS. Patches that we in IT were FORCED to deploy before proper testing. Guess who has control of the process in our organization now?

  13. Billg's Response by Anonymous Coward · · Score: 2, Funny

    End patch Tuesday? That's the dumbest fucking idea I've heard since I've been at Microsoft.

  14. Re:End Patch Tuesday by harry666t · · Score: 2, Interesting

    Patching MS products is broken...

    I haven't patched anything from MS in years, but as far as I recall there was always some downtime due to reboots after applying a patch. I think MS had to release patches monthly, else there would be more downtime. Now that the Patch Tuesday goes to /dev/den it is going to be much harder to schedule the updates. How this could be fixed, dunno. One thing that comes into my mind is that I never had to reboot my Debian box after applying any updates (except after kernel update). I guess Windows needs to be more modular, so people could swap broken components on the fly. Dunno, apt ftw.

    I think the Patch Tuesday is here to stay, at least 'till the end of this year (vista sp1?).

  15. No by Kjella · · Score: 2, Insightful

    A bug might have been there for one year, two years, five years. The chance someone will find it by accident in the next two weeks (average delay to release) is rather slim. On the other hand you know the moment the patch is out, hackers will reverse engineer it within a short period of time. That leads to the following conclusions:

    1. You have to patch within a short period of release
    2. One patch may break any functionality, so you must test all of it
    3. If Microsoft releases patches all the time, you must test all the functionality all the time

    In 99% of the companies out there, that's just not going to happen. I love getting daily patches, my desktop or home server isn't a critical business machine. I'm mostly interested in avoiding someone hacking it so I have to set it up again, far more than a broken patch. At the very least that leaves the machine in a "known broken" state that will hopefully be fixed by another patch, whereas a decent virus infection might end in a reinstall. For many a corporate machine down means you're down. Sales lost, salaries roll and nothing gets done. Sometimes data gets stolen but most of the time the cost is downtime - whether it's broken software or infected software. Quite often the solution is the same - rollback to a known good state (after you've figured out how to not get reinfected). Under those conditions I see why they prefer a mad scramble every patch Tuesday instead of a mad scramble all the time.

    --
    Live today, because you never know what tomorrow brings
  16. Re:End Patch Tuesday by badc0ffee · · Score: 2, Informative

    But, I have switched to Linux. I still have to boot into Windows to download and apply the patches... if I remember to. Otherwise I just keep getting my daily Linux enhancements via yum and forget about Windows.

    As my weather radio keeps reminding me when there is a thunderstorm alert: "... and stay away from windows".

    --
    1011 1010 1101 1100 0000 1111 1111 1110 1110
  17. It's in my diary.. by Dynamoo · · Score: 2, Informative

    Patch Tuesday is in my diary (well, actually the Wednesday because the patches are announced in the evening UK time). I have a change control provisionally made for EVERY post-patch Tuesday Saturday to cover servers, and I also have an entry for the Friday before patch Tuesday when the advanced notification is made.

    This is the way it goes..
    Friday: Look at the advanced notification to get an idea of the scale of the patches. Once or twice a year there are none.. yippee!
    Wednesday: In the morning we closely analyse the patches to figure out the impact on our organisation. Servers and clients are differently impacted so we look at this to see if we will need to patch servers. Patches are tested on some representative computer systems.
    Thursday: raise the inevitable paperwork for any system changes and monitor for any issues.
    Friday: Check for issues with the patches and then authorise for client distribution via WSUS.
    Saturday: If necessary, patch those servers that are vulnerable. Claim overtime. Yippee.

    We know in advance when this is coming up. We can make plans. We ensure that someone always looks at the patches on Wednesday morning and does the analysis. It's a monthly event that we don't miss. This works pretty well.

    Sure, sometimes you need to apply an out-of-cycle patch.. these are rare but Microsoft seems to understand that they are needed. If we miss it, then we'll always pick up on it again later.

    Yeah, hardcore sysadmins might like to patch and reboot PCs every couple of days or so, but most sysadmins have other things to worry about than constant patching and in my view Microsoft have the balance about right. (One of the few things I like about them!)

    --
    Never email donotemail@WeAreSpammers.com
  18. How about they stop changing my default browser... by rsmoody · · Score: 2, Interesting

    I don't care how often they patch. I JUST WANT THEM TO STOP FRACKING WITH MY DEFAULT BROWSER!!! This is the second month in a row that I have rebooted to be asked by Firefox if I want it to be my default browser. WTF, over?!?!?! It's MY FRACKING COMPUTER!!!!!!!! I know I know, switch to Linux, the point still remains. WTF is with this crap though?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2