Slashdot Mirror


Microsoft To Distribute Third-Party Patches

dhiren writes "Secunia on Wednesday announced that their authenticated internal vulnerability scanner, the Corporate Software Inspector (CSI) 4.0, has been integrated with Microsoft Windows Server Update Service (WSUS) and System Center Configuration Manager (SCCM). This will hopefully pave the way for other vendors to also make use of Windows' existing patching infrastructure and eliminate the need for the multitude of custom updater applications and services that clutter most systems today."

43 of 135 comments

  1. Oh just call it by LordKaT · · Score: 5, Insightful

    Oh, just call it a package manager and get over it. Your fancy words don't make it better.

    1. Re:Oh just call it by 140Mandak262Jamuna · · Score: 5, Insightful
      No way buddy. It is going to come in so many editions:
      • Absolutely Basic Package Manager
      • Expanded Basic Package Manager
      • Funeral Director Edition Package Manager (third from the bottom of pricelist!)
      • Anything Less Would not work Manager
      • Ultimate Home Edition Package Manager (clueless user Special)
      • Professional Ultimate Package Manager
      • Ultimate Professional Package Manager with Downgrade to Upgrade Option Bundled
      • Super Ultimate Professional with Multimedia Expansion Package Gamer special Package Manager
      • Absolutely Super Ultimate, this time really really Ultimate Gamer Professional Home Maker Special Edition Package Manager
      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Oh just call it by Anonymous Coward · · Score: 3, Informative

      You really can't call it a package manager because it doesn't do dependency and it doesn't do upgrades. It just does patches - which is why it is not called a package manager.

    3. Re:Oh just call it by dkleinsc · · Score: 3, Funny

      But see, a "package manager" is the result of careful research and experience by a bunch of long-haired university-bound communist hippies, so it could never have any usefulness in the real world. Plus it's not a register-able trademark, so customers might realize that there are other better package managers out there. And once they get hooked on apt-get, they'll turn immediately into a clone of RMS and start helping the FSF.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Oh just call it by Anonymous Coward · · Score: 2, Insightful

      Except you cannot install or remove programs from this. So it's not a package manager.

    5. Re:Oh just call it by melikamp · · Score: 3, Funny

      FUN FACT:

      Quickly pronouncing ASUTTRRUGPHM SE PM three times in a row is the last trial of Microsoft Professional certification, and the one that counts for 90% of the total score.

    6. Re:Oh just call it by nine-times · · Score: 2, Interesting

      I've been thinking for quite a long time that Apple and Microsoft need to come up with package managers for their operating systems. It's ironic because after all the talk of it being hard to install things in Linux, it's much easier to keep a Linux system up to date. In most cases, you can upgrade every application on your computer with a single line in the command line.

      Microsoft has "Microsoft Update" and Apple has "System Update", so they basically have the system in place already for their own software, but then 3rd party software all installs their own updaters or expects you to hunt down updates on the web. It seems to me their built-in updaters could be expanded for 3rd party updates through one of two methods:

      1. Microsoft and Apple could each create repositories for approved/certified applications which would be updated through "Microsoft Update" and "System Update", respectively. This has the advantage of being more secure (repositories would have known-good software in them) but would create a lot of additional work for Microsoft and Apple. Additionally, this wouldn't address the issue comprehensively since there would be applications which would never become certified.
      2. The other option would be to create an open set of standards that would allow each software developer/publisher to create their own repositories, and programs could add their repositories to the update system at install time. Then the update system would have a list of separate repositories for each publisher which could be managed by the user. The main downside I can think of for this is the possibility of malware getting into the repository list.
    7. Re:Oh just call it by Slashdot+Suxxors · · Score: 3, Funny

      Patchage Manager

    8. Re:Oh just call it by spazdor · · Score: 3, Funny

      That happened to my sister. Apparently she's getting way more dates now. Even with the open-source beard.

      --
      DRM: Terminator crops for your mind!
    9. Re:Oh just call it by Runaway1956 · · Score: 2, Insightful

      "you can upgrade every application on your computer with a single line in the command line."

      Even better:

      aptitude safe-upgrade

      Because, sometimes, upgrading EVERYTHING breaks obscure dependencies. ;^)

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:Oh just call it by rjch · · Score: 2, Informative

      You really can't call it a package manager because it doesn't do dependency and it doesn't do upgrades. It just does patches - which is why it is not called a package manager.

      Actually, WSUS does do dependencies, even if it does them badly. I do agree that calling it a package manager is an overstatement though.

    11. Re:Oh just call it by anshulajain · · Score: 2, Insightful

      Probably just an update manager then, if not a package manager, right? Linux-based systems have had this for ages. Microshaft now rolls out some fancy, business-jargon pimped up SCCM, Linux vendors should hit M$ over the head with this in the press and trade journals.

    12. Re:Oh just call it by Ihmhi · · Score: 2, Funny

      If you turn off the lights in the bathroom at night and say that into a mirror three times backwards, Steve Jobs appears behind you and pulls a black turtleneck over your head.

      A turtleneck... that you can NEVER REMOVE!

      *thunderclap*

  2. Misreading by AnonGCB · · Score: 4, Funny

    For a minute I read the headline as "Microsoft to Distribute Eye Patches". With the rate of piracy Microsoft has going on, I wouldn't be surprised.

    --
    http://CryoLANparty.com/ A lan I'm staff on!
  3. Misleading article by djben · · Score: 3, Interesting

    Correct me if I am wrong, but Secunia is announcing that they are going to piggy-back on an existing WSUS server, and not that WSUS is going to start shipping with and deploying Secunia's updates for everyone who uses WSUS? I'm not sure why this is anything special at all. I help people replace WSUS all the time and they want to use less of it, not more. Perhaps I'm not understanding something here...

    1. Re:Misleading article by bangwhistle · · Score: 2, Interesting

      A lot of us use WSUS and SCCM because they do a good job of managing MS patches AND the cost (for WSUS) is right. This announcement is interesting but raises questions: how much will it cost; who will support it and how much work will it be to import third party updates? We can currently build packages for SCCM for any product, so not much gain there. But WSUS... Maybe it's time for the free trial...

    2. Re:Misleading article by Anonymous Coward · · Score: 2, Informative

      What WSUS are you using? And what the hell are you replacing it with for patch management across a few hundred windows PCs? It takes me only a matter of a half hour a week to handle and check up on patches and updates.

      WSUS is a free application for deploying and controlling patches that would normally be handled via automatic updates. Automatic updates still downloads and installs but it pulls from WSUS instead of directly from MS. You can deny patches when there are issues or conflicts and you can see where problems are. You must be thinking of something entirely different or you don't know what the hell you are doing.

    3. Re:Misleading article by afidel · · Score: 2, Interesting

      I use WSUS on the server side because it doesn't require yet another freaking agent on my servers. In my experience the reliability of a windows server is inversely proportional to the number of third party packages running on it. I run AV because it's required by policy, I run a backup agent if the server has a large number of small files, other than that I avoid them like the plague. I do monitoring using WMI and SNMP, do patching via WSUS, etc.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Re:About time! by bmo · · Score: 3, Insightful

    The Wikipedia says that dpkg came out in 1993.

    So Microsoft is only catching up after 17 years.

    --
    BMO

  5. Really? by KGBear · · Score: 2, Insightful

    This will hopefully pave the way for other vendors to also make use of Windows' existing patching infrastructure and eliminate the need for the multitude of custom updater applications and services that clutter most systems today.

    Or just go to Linux, where most distributions have had something like this for over a decade now. The worst part is, I'm sure I will start hearing from Windows people how fantastic the new "innovation" is...

    1. Re:Really? by Voyager529 · · Score: 2, Interesting

      Oh I'm fully aware of how awesome Synaptic/Yum/$PACKAGE_MANAGER is, but unfortunately I doubt that a full-blown software repo will ever happen on Windows, because ultimately, it will end up as one of two scenarios:

      1.) Microsoft requires all software added to the repo to have a specific digital certificate, and/or additional repos themselves will have to be signed and secured. These certificates will cost $$$$. Some indie dev will want to get their software in the repo, won't be able to afford it, and Microsoft will find itself in court faster than a hooker running out of church. That, or some shady software dealer will find itself being unsigned 'cuz someone at MS doesn't trust them or they sue...the details may change, but the bottom line is that if Microsoft discriminates who gets in and who doesn't, regardless of whether they have a legit reason to do so, they'll end up in court.

      2.) Microsoft allows any repo, signed or unsigned, to be added to the repo/update tree. Malware attacks shift from "click here to remove the 638 trojans our fake virus scanner found" to "click here to add our repo and install our fake virus scanner". Status quo remains unchanged, and the point of adding repos in the first place gets mitigated.

      I love the entire concept of package managers and would LOVE to see Synaptic on Windows. The problem is, the Windows platform is just too entrenched to make a package manager work there.

  6. Small Piece of a 1,000 piece puzzle. by Mekkah · · Score: 2, Insightful

    It's just a small piece of the pie. When they open it up to some other major players I'll be impressed.

    It's not like this is a new concept, get with the times; it is for the security of your OS for christ sakes. Maybe cut down on why OSX or whichever OTHER OS anyone can name has such a virus advantage on you, if even slightly.


    Oh and Yes I understand what Secunia entails, but it's still small.

    --
    ~Mekkah
  7. Re:About time! by ircmaxell · · Score: 2, Insightful

    It isn't the fact that they copied the idea. It's the fact that it took so long to do so. I mean Windows has been through how many revisions since Up2Date (Yum's predecessor) and APT have been around? Since at latest 1999 (I'm sure there were earlier, but I know they existed in 99). And in that time, MS released XP, Vista and 7 (as far as desktop OS's go)...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  8. CNet used to have a similar service by Animaether · · Score: 2, Interesting

    CNet used to have a similar service... only for the software that they themselves offered to users, of course. Then they discontinued it, re-launched as CatchUp, discontinued it again.. now it's some weird newsletter thing you can subscribe to.

    Worked fairly well, though - was just a small utility that I guess checked for installed apps, checked the version info (from registry / files) for those it knew, and checked if there were any newer versions offered off of CNet.

    Sucked when they discontinued it.. meant you had to check the pages / author sites manually all the time.. or subscribe to their RSS feeds (which only became popular later on), etc. In addition, half the apps I run now have their own update checking stuff.. some check on startup, some check every day, some check once a week... finding the settings for this (if the settings are even exposed) can be a ton of fun too.. etc.

    So hooray for Microsoft looking into this... looooong overdue. I do hope they allow -any- developer/application to take part, though.

    1. Re:CNet used to have a similar service by matang · · Score: 2, Informative

      filehippo has an update checker. i've used it for a while and it works well: http://www.filehippo.com/updatechecker/

    2. Re:CNet used to have a similar service by TClevenger · · Score: 2, Interesting

      I think my favorites used to be the ones that checked when the app started up. Adobe Acrobat Reader was really bad about this. "Would you like to take 30 minutes out of your day to load an Adobe Downloader so you can load the latest version of Adobe Reader so you can reboot and then have to come back to this page so you can read this one-page document, or ignore this and I'll pester you the next time you try to open a document?"

      You forgot the second half of that story.

      (30 minutes later) "Oh, sorry, you have to be an administrator to install that." (Then after the next reboot) "Would you like to take 30 minutes out of your day to load an Adobe Downloader so you can load the latest version of Adobe Reader so you can reboot and then have to come back to this page so you can read this one-page document, or ignore this and I'll pester you the next time you try to open a document?"

  9. The end for Internet Explorer by fran6gagne · · Score: 2, Interesting

    The only reason we keep using Internet Explorer at work is because we can patch it with WSUS. So if we could patch firefox with WSUS, it will be the end of IE in our environment! Can't wait for that day to come....

  10. Personal Software Inspector by xippie · · Score: 2, Interesting

    I use PSI (Personal Software Inspector) http://secunia.com/vulnerability_scanning/personal/

  11. Compare? by vlm · · Score: 3, Interesting

    I don't do windows. Mac and Linux only.

    Could someone compare and contrast with apt-get and security.debian.org, which I am very familiar with?

    I'm not trying to ignite a flamewar, I'm just curious about the feature set. What one side would have to add to reach the other side's level, etc.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Compare? by radish · · Score: 2, Informative

      Broadly speaking they're very similar. With Windows Update it's normally limited to stuff which MS publish, in much the same way as (say) apt-get on Ubuntu is limited to things in the Ubuntu repos by default. Obviously that's a lot more software there as it's freely distributable, but you still get packages sometimes which aren't included in the distro's repos and you have to add another source to your packages list (or even worse, download a tarball and maintain it manually). This change is to allow third party code to come down through Windows Update, in essence adding more package sources.

      It's not new or unique, but it is still useful and a step forward for Windows. Now OSX is the only one without something similar (as far as I know).

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    2. Re:Compare? by metrix007 · · Score: 3, Funny

      Because when someone says they "don't do windows" it says a lot about that person.

      Someone has to be amazingly closeminded and fundamentalist, and go out of their way to avoid the most prevalent consumer OS for the last 10 years.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    3. Re:Compare? by the_womble · · Score: 2, Interesting

      Someone has to be amazingly closeminded and fundamentalist, and go out of their way to avoid the most prevalent consumer OS for the last 10 years.

      It is fundamentalist and closed minded to not buy a product because you do not like it?

      Coca-cola is the most popular soft drink, if someone said that they had not drunk it for a few years because they never liked it, but they could not remember exactly what it tasted like, would that be "fundamentalist and closed minded"?

      go out of their way to avoid the most prevalent consumer OS for the last 10 years.

      I have hardly touched Windows in the last six years. I have not gone out of my way: I would have to go out of my way to use Windows more. I have a laptop and a desktop, both with Linux installed. Dual boot would be a hassle, virtualisation uses too much memory, and I have no pressing reason to do either. I rarely use other people's machines, so it would take a definite effort to use Windows.

  12. CNet TechTracker by Animaether · · Score: 2, Informative

    reply to self - go figure.. I tried to dig up some more information on the old service.. and somewhere buried among the google hits:
    http://www.cnet.com/techtracker/

    Which sounds like it does what the old app did... except you now need a CNet account to see the results? *sigh*
    Some posts in the forum for it ( http://forums.cnet.com/techtracker-forum/ ) seem to indicate some possible issues as well.

  13. Misleading summary? by trifish · · Score: 2, Insightful

    Does anyone have any link that would confirm that Microsoft actually did anything besides allowing a third party to use an API? The summary tries to make it sound like Microsoft uses (integrates) some Secunia stuff now.

    The article certainly does read like a Secunia ad.

  14. OSS Alternative by bdam · · Score: 5, Interesting

    The current version of WSUS includes an API that allows, among other things, anyone to publish third party updates through the WSUS system. I've been working on a project for a few months that does just that: https://sourceforge.net/projects/localupdatepubl

    1. Re:OSS Alternative by bdam · · Score: 2, Informative

      You are mostly correct. In my project, there's no support for automatically importing or being alerted about new updates from vendors. I'm not aware of any centralized source for that sort of data. If such a thing exists, I'd be interested to know about it. So, to be clear, Secunia has a definite edge there that I can't conceive of matching without some freely available repository. However there is some value for the software publisher. One of the reasons that Microsoft released the API was in the hope that publishers would create and release catalogs for their programs although few have done so. These catalogs would make it dead simple for the administrator to manage that publisher's application in their environment. My project currently doesn't support those catalogs, mainly because so few exist, but it's on the proverbial to-do list.

  15. Re:Wait, what's going on? by Jazz-Masta · · Score: 3, Informative

    WSUS is what server admins use to push patches to machines connected to a particular server.

    Most machines that are part of a domain or network that utilizes WSUS have Windows Update disabled. The server admin goes through the patches and selects the ones he/she wants to push out to each of the computers.

    It's quick and simple...but has nothing to do with the end user.

  16. yes by fulldecent · · Score: 2, Insightful

    This is a good thing, if done properly.

    It's also part of why people generally smile when they use their phones and frown when they use their computers.

    --

    -- I was raised on the command line, bitch

  17. Re:This is the first step by Anonymous Coward · · Score: 2, Funny

    You showed him!

  18. Microsoft doesn't even do this internally! by SoonerSkeene · · Score: 2, Interesting

    I've long wondered why Microsoft doesn't use their Windows Update/Microsoft Update infrastructure to offer updates for things like Windows Live Essentials, Sync, Mesh, any other technologies. Microsoft needs to institute a rule that every group at the company *must* use existing API's before inventing their own system... no duplicate functionality.

  19. Re:About time! by Runaway1956 · · Score: 3, Insightful

    200 distros? Really? Confining ourselves to Linux - I think there are a half dozen root distros, with dozens of derivatives from each.

    There are three main package managers, one of which will work with almost any distro you choose.

    I know - half the people in the world can't decide what color socks to wear today, so they only buy black socks, or white socks. Some of the rest of us buy both black and white, and mix and match according to mood. Some daring individuals actually buy COLORFUL socks, and manage to keep up with the pairs.

    The point is, not everyone is retarded.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  20. Re:About time! by clysel · · Score: 2, Informative

    dpkg is ported for windows ... take a look at http://windows-get.sourceforge.net/index.php

  21. Re:About time! by Runaway1956 · · Score: 2, Informative

    Every app is available for download. If the user is savvy enough to understand the differences between versions, then he will be savvy enough to use Google to ask for help installing that particular version.

    Attractive and fully functional GUI? Yeah, I guess so. Depending on what you mean by "attractive", and "fully functional". If, by "attractive" you mean, "it looks and works like Microsoft", then you're out of luck. If by "attractive" you mean "it has working buttons to open and close, with a title bar, a toolbar with a help button", yeah, it's all there. If by "attractive" you mean "can it get me off" - well, only you can be the judge of that. As for functionality - the GUI's are just front ends for the REAL package managers, and they are all fully functional.

    Have you had a particular problem, or are you echoing some of the FUD that the Windows fanbois have posted?

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br