Slashdot Mirror


Microsoft Plans Largest-Ever Patch Tuesday

CWmike writes "Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008." Update Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."

14 of 341 comments

  1. Wring. 13 advisories with 34 issues. RTFM by seifried · · Score: 4, Informative

    http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx

    For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

    1. Re:Wring. 13 advisories with 34 issues. RTFM by shutdown+-p+now · · Score: 2, Informative

      Fortunately just the once. You can thank Windows' insane file locking (easy to establish a lock

      To clarify what this means, Win32 API function CreateFile, which opens files, locks them for exclusive access if the argument in which lock flags are passed is set to 0. In other words, the default is "lock for everything", and you explicitly have to opt out of that by specifying things like (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).

      This has a minor advantage in that stupid people often forget to lock their files properly, and then applications crash (or silently corrupt data) because they don't expect someone else to write to the file they've opened, and don't handle it properly. But it also has a major disadvantage in that every lazy bastard just passes 0 there and locks the file for exclusive access, rather than for the minimum that he needs.

    2. Re:Wring. 13 advisories with 34 issues. RTFM by Abcd1234 · · Score: 2, Informative

      To clarify what this means, Win32 API function CreateFile

      Actually, the real issue is that OpenFile does the exact same fucking thing. The result is that you can't replace things like existing DLLs on a live system because you can neither delete them nor overwrite them so long as an application has the DLL open (and that includes Windows itself).

      Linux, OTOH, thanks to its Unix underpinnings, will happily let you delete an open file... the inode just goes away once all references to it have been closed. Meanwhile, any new applications which open the file will see the new version (which is attached to a new inode).
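      The two comments above describe the behaviour in words; the following is an added example (not code from the thread or from Microsoft) that shows both sides. The POSIX branch does exactly what the previous comment says: keeps a descriptor open, unlinks the name, creates a replacement under the same name, and checks that the old descriptor still reads the old bytes, that a fresh open sees the new bytes, and that the two are different inodes. The Win32 branch opens the file with dwShareMode = 0 (the "just pass 0" default the earlier comment complains about) and shows DeleteFile failing with ERROR_SHARING_VIOLATION while that handle is open. The file paths are assumptions for illustration only.

```c
/*
 * Added example (not from the thread): what "locking a file for exclusive
 * access" means in practice, and why Unix can replace a file that is open.
 *
 * POSIX branch: unlink() removes the name, the old inode survives while a
 * descriptor references it, and a new file under the same name gets a new
 * inode that fresh opens see.
 *
 * Win32 branch (only built on Windows): CreateFile with dwShareMode = 0
 * makes DeleteFile fail with ERROR_SHARING_VIOLATION until the handle closes.
 *
 * The paths used in main() are assumptions for illustration only.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* Open PATH for writing with dwShareMode = 0 (no sharing at all), then try to
 * delete it while the handle is still open.
 * Returns 1 if DeleteFile was blocked by a sharing violation, 0 if the delete
 * went through, -1 on any other error. */
int win32_exclusive_open_blocks_delete(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_WRITE,
                           0, /* dwShareMode: the lazy default. Passing
                                 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
                                 would let another process delete the file. */
                           NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    int blocked;
    if (DeleteFileA(path))
        blocked = 0;
    else
        blocked = (GetLastError() == ERROR_SHARING_VIOLATION) ? 1 : -1;
    CloseHandle(h);
    DeleteFileA(path); /* clean up; a no-op if the delete already succeeded */
    return blocked;
}
#else
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Read up to N bytes from the start of FD into BUF and NUL-terminate it. */
static int read_from_start(int fd, char *buf, size_t n)
{
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    ssize_t got = read(fd, buf, n);
    if (got < 0) return -1;
    buf[got] = '\0';
    return 0;
}

/* Create PATH with content "old", keep it open, unlink it, create a new PATH
 * with content "new", and check the three properties the comment describes.
 * Returns 1 if all hold, 0 if any fails, -1 on a syscall error. */
int posix_replace_open_file(const char *path)
{
    char buf[8];
    struct stat st_old, st_new;

    int old_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (old_fd < 0) return -1;
    if (write(old_fd, "old", 3) != 3 || fstat(old_fd, &st_old) != 0) { close(old_fd); return -1; }

    /* The name goes away; the inode lives on because old_fd references it. */
    if (unlink(path) != 0) { close(old_fd); return -1; }

    /* "Replace" the file. O_EXCL proves the old name is really gone. */
    int new_fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (new_fd < 0) { close(old_fd); return -1; }
    if (write(new_fd, "new", 3) != 3 || fstat(new_fd, &st_new) != 0) {
        close(old_fd); close(new_fd); unlink(path); return -1;
    }

    /* 1. The holder of the old descriptor still sees the old bytes. */
    int old_intact = read_from_start(old_fd, buf, 3) == 0 && strcmp(buf, "old") == 0;

    /* 2. Anyone opening by name now gets the new version ... */
    int by_name = open(path, O_RDONLY);
    int new_visible = by_name >= 0 && read_from_start(by_name, buf, 3) == 0
                      && strcmp(buf, "new") == 0;

    /* 3. ... which lives in a different inode. */
    int different_inode = st_old.st_ino != st_new.st_ino;

    if (by_name >= 0) close(by_name);
    close(new_fd);
    close(old_fd);   /* last reference: the old inode is freed here */
    unlink(path);
    return (old_intact && new_visible && different_inode) ? 1 : 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("exclusive open blocks DeleteFile: %d\n",
           win32_exclusive_open_blocks_delete("C:\\Temp\\sharemode_demo.txt"));
#else
    printf("open file replaced under its name: %d\n",
           posix_replace_open_file("/tmp/unlink_demo.txt"));
#endif
    return 0;
}
```

      This is also why a Unix package manager can drop a new shared library into place while processes still map the old one: the running processes keep the old inode, and only newly started ones pick up the replacement.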

  2. Re:Windows 2000? by Opyros · · Score: 2, Informative

    Extended support hasn't ended just yet.

  3. Re:in the last patch supertuesday by Darth_brooks · · Score: 2, Informative

    I used to say that. Then we got forced onto Lotus Notes.

    and when I get to Heaven, to St. Peter I will tell: "One more Notes user reporting, Sir -- I've served my time in Hell."

    --
    There are some people that if they don't know, you can't tell 'em.
  4. 13 Patches != 13 Flaws by Ralish · · Score: 5, Informative

    I was about to bitch about the submitter/moderator not RTFA, but it turns out the article doesn't mention it either, so I'll clarify instead: thirteen updates are being released which together address thirty-four security vulnerabilities of varying severity across varying products (ten of which are targeted at Windows). So, that's NOT thirteen flaws (plenty more, actually), just thirteen updates, some of which (all?) address multiple flaws in the particular system they are targeted at. Of course, this is just the advance notification, so full details about how many vulnerabilities each update addresses and the general information on them won't be released until the patches are next Tuesday. I think it's also worth noting (although the summary of course neglects to mention it) that a good aspect of these updates is that both major zero-day exploits (targeting IIS & SMB 2.0) are patched with these updates.

    And while I'm posting, why does Slashdot insist on linking to shitty tech magazine articles (poorly) summarising the raw and accurate data straight from Microsoft? Seriously, I'm not sure if it's some sort of aversion to linking to MS, but they're the ones doing the patching, so it follows that they have the best, newest, most accurate data on them, and they'll likely be the first to provide updates on their content. These articles just summarise what Microsoft has published on its various web-sites, and Microsoft's own pages, not being summaries, provide a lot more information and raw data:

    Microsoft Security Bulletin Advance Notification for October 2009
    October 2009 Bulletin Release Advance Notification

  5. Re:The more crap you add... by dave562 · · Score: 2, Informative

    The number of patches and whether or not Windows or *nix requires more is pretty much a moot point. Both systems need to be updated regularly and both are vulnerable to automated vulnerability scanners that are being run 24/7 on compromised boxes. I won't re-tell the tale here, but you can check my journal if you want to read about the most recent tale of an Ubuntu box that I set up getting owned in under a month. Any OS that falls behind on patches becomes an exploitable target.

  6. Re:...Patch Tuesday by Mr.+Roadkill · · Score: 3, Informative

    That's now at www.wsusoffline.net

  7. Re:What's the Canadian holiday? by camperdave · · Score: 2, Informative

    "What's the Canadian holiday?"

    That would be Thanksgiving.

    --
    When our name is on the back of your car, we're behind you all the way!
  8. Re:Security & Stability by DrXym · · Score: 2, Informative
    Certain FEATURES touted as a + for Windoze eg OLE never made it into Unix since their design required the OS to be broken by design and the developers declined to do it.

    Erk, there is nothing inherently wrong with OLE, ActiveX or anything else in COM. At the end of the day they're just a means to embed or utilise one program from another. And yes, GNOME/KDE have their equivalents. The problem has nothing to do with the OS but in the way IE promoted ActiveX, including automatic installation and the broken assumptions underlying its trust model such as the safe for scripting flag. Basically IE let you instantiate any control installed in your system so long as it was tagged safe for scripting. Even inadvertent bugs in the automation interface of a control could be exploited in drive by attacks.

    Other browsers such as Mozilla, Opera etc. have their own plugin solutions which are conceptually little different from ActiveX controls. Netscape/Mozilla has variously used NPAPI combined with LiveConnect/XPConnect for scripting. The big difference historically was it was more of a pain in the ass to install a plugin than a control, so the consequence of an exploit was minimized. It still doesn't prevent exploits happening though, as the recent vulnerabilities in Flash Player 10 demonstrate.

  9. Re:Typical Bullshit by TooMuchToDo · · Score: 4, Informative
    http://www.redhat.com/spacewalk/

    We use it to manage several thousand linux servers that store and process the data that's about to come from one of the LHC detectors. Handles provisioning, RPM updates, etc. And yeah, it'll work with Linux desktops.

  10. Re:Typical Bullshit by smash · · Score: 2, Informative
    Just to elaborate... WSUS, which is free and easy to set up, enables me to push patches to hundreds or thousands of boxes, and report on the status of each box or what machines are missing any or all patches at the click of a button. Downloads will run whenever the machine is online and start/stop as required, using BITS.

    Can you do this on Linux? Maybe. It's certainly not standard, and a lot more work. Can you automatically update unix boxes? Sure - but to set up the monitoring of the process, it's a lot more work, and more likely will require an admin to read/interpret logs.

    Sure, linux/unix machines are generally a bit less patch dependent to stay secure, but the Windows patching process is relatively painless if you set up a WSUS server. All you need is a spare machine (even running XP, from memory) with plenty of disc, and a method of pointing the machines' Windows Update server registry entry at it - e.g. with group policy or a login script.

    If redhat, suse or whoever can offer something similar that is as easy to set up and monitor, they'll certainly help get *nix easier to support as an end user OS.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
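    The "registry entry" the comment above mentions is the same set of policy values that the "Specify intranet Microsoft update service location" group policy writes. The fragment below is an added illustration, not part of the thread or of any Microsoft documentation; the server name and port are assumptions (replace them with your own WSUS URL), and it is the kind of file a login script could import with reg.exe where group policy is not available.

```reg
Windows Registry Editor Version 5.00

; Added example: point a client's Windows Update agent at an internal WSUS
; server. The URL is an assumption for illustration; use your own server.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.internal:8530"
"WUStatusServer"="http://wsus.example.internal:8530"

; Without UseWUServer=1 the two values above are ignored and the client
; keeps talking to Microsoft's public update servers.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
```

    Because the values live under the Policies hive, a later group policy refresh will overwrite whatever a script put there, so in a domain the GPO is the better place to manage them; the script route only makes sense for workgroup machines.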
  11. Re:Security & Stability by TheRaven64 · · Score: 2, Informative
    ActiveX wasn't such a horrendous idea. It is basically a fast way of deploying (and keeping updated) native Windows components that you can tie together with HTML and scripts. For a corporate Intranet, that kind of functionality is useful if you're willing to standardise on a single vendor's stack.

    The only mistake they made was the dialog box when a non-Intranet site tried to send you an ActiveX control. This shouldn't have caused a dialog box, it should have just been blocked.

    --
    I am TheRaven on Soylent News
  12. Re:Typical Bullshit by jaavaaguru · · Score: 2, Informative