Security Patch Breaks VMware Users' Windows Desktops

jbrodkin writes "VMware is telling customers that two Windows 7 security patches have left VMware View users incapable of accessing their Windows desktops. Security updates issued on Patch Tuesday fixed Windows but broke the VMware View connection between users' PCs and remotely hosted Windows 7 desktops. Users will have to upgrade VMware View or uninstall the Microsoft patches in order to regain access to their desktops."

Re:They broke our stuff for free...

[bluefoxlucid]

Uh, if they fix it, you will have to download the fixed upgraded version. Which... is what the upgrade is.

YOU SO STUPIIIIIIIIIIIIIIIID!

BYOD!?

Does any company in the real world honestly operate a bring your own desktop policy!?

Re:BYOD!?

[Penguinisto]

One would think that Microsoft would beta-release their patches to the really big software partners, so that at least some sort of testing could happen.

Then again, the conspiracy theorist side of me keeps saying that maybe Microsoft doesn't mind if the biggest competitor to Hyper-V suffers a few PR flubs once in awhile...

Re:BYOD!?

[Jeremiah+Cornelius]

Ballmer hates VMware more than he does Linux - and View 4.x is the new "DR-DOS".

Re:BYOD!?

How about the greater likelihood: VMware is atrocious at desktop software development, so it stands to reason that they relied on nonstandard behavior in Windows.

Re:BYOD!?

[cusco]

They do, most of the patches are in the hands of their larger partners for a month before release. Not sure if VMWare is not considered a partner, or if they just didn't do extensive enough testing. That they already have a fix for View suggests that they knew there was going to be a problem but didn't want to push it out into the real world until they had confirmed that it was an issue outside the lab.

Re:BYOD!?

[nametaken]

I'd guess it's more an effect of us all screaming that it takes them way too long to release fixes as it is. Introducing more lag time for marginal benefit to most of us is a no-win, I'd guess.

That Microsoft Icon

Why wasn't Slashdot's Microsoft icon completely scrapped with the re-design?

That thing looks so incredibly dated and anachronistic even 5 years ago. Its irrelevant on both levels. Bill Gates barely works at Microsoft today, and the Borg is a pop culture reference that's not relevant anymore.

It's sad how Facebook, Google, Apple have their real icons, but Microsoft still does not. Get with the times guys!

Re:That Microsoft Icon

[lordshipmayhem]

Why wasn't Slashdot's Microsoft icon completely scrapped with the re-design?

That thing looks so incredibly dated and anachronistic...(snip)

Sort of like Microsoft...

Re:That Microsoft Icon

The GP gets an "Offtopic" and you a "Funny"??
This "my software is better than yours" sentiment with people arguing how evil Apple and MS are is annoying enough, does slashdot really have to propagate this with that icon?
I'm starting to find this really off-putting!

Re:That Microsoft Icon

Starting to? You must be new here.

Re:That Microsoft Icon

[hairyfeet]

I still think MY idea for a new /. MSFT icon is best...Picture Ballmer's head with his tongue sticking out wearing an "I Heart Apple!" beanie. Considering how "me too!" MSFT has been since Ballmer took over from old Bill I think it would fit the company direction perfectly. Besides it would be karma for the way we MSFT users and admins made fun of Apple when the Pepsi guy was running it into the ground. Now the shoe is on the other foot as they got the visionary back and MSFT got taken over by another Pepsi guy.

As for TFA, don't VMWare View customers get upgrades? I thought that was pretty much SOP for companies like VMWare, you buy the product you get updates and upgrades. Hell of a lot better than Quickbooks whose standard answer is "Buy the new version!" at several hundred a pop when they can't bother to provide updates to fix their bad code.

That is why one of my most popular setups right now is dual boots, as it is cheaper to buy XP Home licenses and set up dual boots on the new Win 7 machines than it is to upgrade to the latest Quickbooks, especially if they have one of the pro packages. It is a PITA but I can see why SMBs are hooked on QB like crack, as you can run a small business and have the whole thing automated and taken care of by a single "Quickbooks girl" (for some reason it is ALWAYS a girl) and it eliminates a TON of paperwork. At least the VMWare View users can just go get the upgrade and be done with it.

As for blaming MSFT that really ain't fair. Did anybody here look at the leaked Win2K source code? MSFT already jumps through crazy hoops trying to keep some of the badly coded third party stuff working and lets face it, Windows wasn't made to be VMed in the first place. I'm sure it probably came down to leave a gaping security hole or fix it and let VMWare issue a patch/upgrade. After all it is backwards compatibility that keeps people on Windows in the first place.

Re:That Microsoft Icon

[marcello_dl]

Dear Cato, in fact your GP is off topic and And globally redundant.

About the rest of your comment, it should be obvious that evil policies are the problem, the resulting complaint is a mere consequence.

Re:That Microsoft Icon

[C_amiga_fan]

Microsoft's soul is Bill Gates soul. They still carry-on the "embrace; extend; extinguish' philosophy he created in the late 80s and into the 90s. In fact - I dare say they've gotten a little worse. Also the Borg reference is appropriate given that Microsoft assimilates everything it touches. AOL instant messaging, WordPerfect, IBM DOS, Netscape, Mosaic, and so on. I'd like to be able to say I don't use any MS product but windows, but that would be a lie. MS has identified my workplace computer as something they can consume, and now control virtually all the software. (At home I have more options, like Firefox and LibreOffice, but not at work.)

Re:That Microsoft Icon

[Larryish]

The current Microsoft icon needs to be replaced by an animated GIF of Steve Ballmer doing the monkey dance.

Re:That Microsoft Icon

[MobileTatsu-NJG]

This "my software is better than yours" sentiment with people arguing how evil Apple and MS are is annoying enough, does slashdot really have to propagate this with that icon?

Yes. Slashdot serves ads while we fanboy-fight.

Re:That Microsoft Icon

[jdharm]

Seconded.

Re:That Microsoft Icon

[techno-vampire]

Either that, or replace one obsolete reference with a slightly less obsolete reference by replacing the Borg icon with a flying chair.

Re:That Microsoft Icon

You're right, I wasn't very clear. I was completely OK with the "Offtopic", but the post that got "Funny", despite being every bit as off-topic, was what really ticked my off in that moment.
Among all those redundant posts, does anyone remember if it ever happened that a mod bothered to comment in this?

Re:That Microsoft Icon

[im_thatoneguy]

Actually it sounds like some of the new virtualization enhancements in SP1 are also in this latest security patch. So it's a case of VMWare theoretically working better--they just didn't expect it yet.

Re:That Microsoft Icon

Among all those redundant posts, does anyone remember if it ever happened that a mod bothered to comment in this?

Sort of like Microsoft...

Re:That Microsoft Icon

[hcs_$reboot]

This is one of these threads where I miss the most my yesterday's moderator points...

VMWare is not VMware view

VMware view is way to access remotely hosted virtual machines.

VMWare workstation and server are not affected.

VMWare view clients just need to be updated.

Re:VMWare is not VMware view

[Khue]

I was actually going to mention this. VMware actually typically assumes you are on the latest version of their software products anyway. After reading the article I didn't think that this was as big of a catastrophe as some of you have made it out to be. Upgrading the VMware View client on the virtualized device doesn't really sound all that difficult and I highly doubt that this is bringing anyone who matter's production system to it's knees. Also, stop upgrading everything on the day patches are released. Second movers are sometimes the winners.

Re:VMWare is not VMware view

[mwvdlee]

VMware actually typically assumes you are on the latest version of their software products anyway. [...] Also, stop upgrading everything on the day patches are released.

Can you see the irony?

Broke a few things so far

[digitalhermit]

At some point the responsibility shifts from Microsoft to VMWare. Where the responsibility for alerting customers lies is maybe not clear yet.

The update has broken a few things for me. Half my desktop gadgets are not functioning properly. There are some other glitches that I noticed with my AV software, though I'm still confirming on other PCs.

Re:Broke a few things so far

[nemesisrocks]

The responsibility absolutely is VMWare's. Large software companies generally have access to early releases of the Microsoft patches, specifically so they can perform whatever testing they need.

Sounds like in this case, VMWare didn't bother doing their testing (or that testing was too costly), and is now trying to blame Microsoft for their fuckup.

Re:Broke a few things so far

[phoebus1553]

The responsibility absolutely is VMWare's. Large software companies generally have access to early releases of the Microsoft patches, specifically so they can perform whatever testing they need.

Sounds like in this case, VMWare didn't bother doing their testing (or that testing was too costly), and is now trying to blame Microsoft for their fuckup.

Lets try to RTFA before assuming...

However, Lee said the Patch Tuesday security updates included the "early release of updates anticipated in" the Service Pack, which is due out Feb. 22. Lee said VMware provided its own VMware View update to customers "within 24 hours of the Microsoft security patch, in an effort to minimize customer impact."

Sounds like MS did an early release of things VMWare knew was coming, but not expected until later. You're right that they were testing, hence the speedy update. Sounds like MS just released early and didn't communicate the release, so shift that blame back to MS.

Re:Broke a few things so far

Microsoft has had a competing virtualization product for years.

Re:Broke a few things so far

[jovius]

Sounds like MS just released early and didn't communicate the release, so shift that blame back to MS.

Lack of communication. And now she want's to talk about issues. I decided to rather have her neatly framed on my desktop than in control.

Re:Broke a few things so far

[bertok]

I wouldn't be surprised.

Windows 7 has the .NET framework built-in, with a version number of 3.5.1, which was an undocumented stealth release. Microsoft's website made no mention of it, Visual Studio could not target it or verify compatibility for it. It seemed to be almost identical to 3.5 SP1, except that it broke VMware Virtual Centre. The issue was a subtle change with the way self-signed cryptographic certificates were verified, and hence probably didn't affect any other application.

This was right around the time that Microsoft had released Hyper-V, and was desperately trying to be relevant in the market next to the vastly superior VMware vSphere product suite. I might just be imagining a conspiracy theory where none exists, but introducing a small API change to break a competitor's product is exactly the kind of underhanded thing Microsoft has done in the past.

Re:Broke a few things so far

[VertigoAce]

Here's the documentation for what is in 3.5.1: http://support.microsoft.com/kb/977683. This list appears to include all publicly documented bugs that were fixed in 3.5.1 (in other words, bugs in earlier versions that warranted a hotfix and KB article).

I would guess that there were other bugs in 3.5 that didn't meet the hotfix bar (for example, low severity issues or ones that no customers had reported). Fixing these kinds of bugs on their own would require lots of testing. Instead, 3.5.1 included fixes for these issues and got to piggyback on all the testing that happens as part of a Windows release anyway.

Re:Broke a few things so far

[wharlie]

There is shared responsiblity.
Some responsibility also lies with the users.
VMware View is an enterprise product, not used by home users.
All enterprises should thoroughly test any patches they deploy, this would be picked up instantly.
More of an annoyance than an issue really.

Re:Broke a few things so far

[bertok]

Windows 7 went RTM in July 2009, that article is from January, 2010.

Microsoft just pretended that the latest .NET version was 3.5 SP1 during the entire Windows 7 beta, and even for a while after RTM, even though they were shipping a new point release with breaking changes in it!

Re:Broke a few things so far

Forget windows 7 for a moment, I've had .NET apps rendered completely useless by microsoft's changes in .NET on XP. It's been 5 years and the .NET app is still broken. No SxS solution for .NET . I will never trust the .NET language ever again. Every time there's an update for .NET I sit there wondering what will be broken next. You wan to know the kicker? The source code is gone because data loss, so the original app can't be recompiled. The only thing left was a screenshot. Motherfuckers.

Re:Broke a few things so far

[syousef]

At some point the responsibility shifts from Microsoft to VMWare. Where the responsibility for alerting customers lies is maybe not clear yet.

The update has broken a few things for me. Half my desktop gadgets are not functioning properly. There are some other glitches that I noticed with my AV software, though I'm still confirming on other PCs.

You know what. I'm tired of running an experimental desktop. I have had enough things break that I view the patches as a greater security risk than the flaws they're meant to fix. I'm sick of it.

Re:Broke a few things so far

you must be new to this computing thing, so let us help you out, turn off automatic updates on your production servers and machines. RUn your own update server, test the patches before you release them to your corporate environment? Standard operating procedure, sounds like you got complacent and lazy, and started to think that MS is able to test every configuration out there. Of course you have no special circumstances in your environment.

Anyone who patches on day zero in a production environment, with no testing at all deserves to have their stuff crash, and their asses handed their severance pay.

How about everyone stop blaming the makers of the software you run, who do not force you to update their product, and take some responsibility for their own mistake and lack of foresight. Oh but that would be contrary to the american way, where everything is someone else's fault.

Re:Broke a few things so far

[mdielmann]

At some point the responsibility shifts from Microsoft to VMWare. Where the responsibility for alerting customers lies is maybe not clear yet.

The update has broken a few things for me. Half my desktop gadgets are not functioning properly. There are some other glitches that I noticed with my AV software, though I'm still confirming on other PCs.

And those gadgets that broke. Are they MS gadgets, or third-party? If MS, then I think it's safe to say that MS screwed up somewhere...

Re:Broke a few things so far

[VortexCortex]

At some point the responsibility shifts from Microsoft to VMWare. Where the responsibility for alerting customers' lies is maybe not clear yet.

(Was I the only one who read the bold section as such?)

I'll take full responsibility for notifying you of which customers are lying. IMHO, this should have been the burden of the headline author: "Patch breaks VMware" is misleading -- The headline should read: "VMware Viewer Client Broken by Windows Desktop Security Patch" or simply "Windows update breaks desktop users' software, once again". Patch the client (viewer), or remove the client machine's security patch (not the remote server) in order to regain access.

It's not like the users' servers went down, just the clients were affected by the Windows security update... Protip: Never ever read the damn Headlines, they are always more sensational than the actual issue at hand.
--
There's Lies, Damn Lies, and Slashdot Headlines.

Re:Broke a few things so far

[syousef]

you must be new to this computing thing, so let us help you out, turn off automatic updates on your production servers and machines. RUn your own update server, test the patches before you release them to your corporate environment?

Yeah, I'll just let the know at work that I won't be requiring any patches and that I'll be running my own update server.

YOU must be new. End user doesn't always have control of the machine.

and homer says....

DOH!

The Mac version doesn't seem to be affected

n/t

Re:The Mac version doesn't seem to be affected

Nor are Toasters, Books, Shoes or Knives.

Re:The Mac version doesn't seem to be affected

[codegen]

There are toasters and knives that run VMware view? Cool. Where can I get one?

Re:The Mac version doesn't seem to be affected

[cusco]

You install Window 7 patches on your Mac? Can I watch?

companyy

[hood8263]

Its a good thing we are so slow at integrating new software. We only have 3 Windows 7 machines in VMWare the rest are all Windows XP!

Re:companyy

Oh you mean it's a good thing you're slow at patching security updates? Good to know. By the way, where do you work?

Not the whole story..

They have an updated build of the View Client available for download that fixes the problem.

Good yes?

Not really. The updated client has a new build number but the SAME version number in the MSI! Why does this matter? It matters because the MSI will not UPDATE an existing install. It looks like the same version so you have to uninstall and then reinstall.
(No I have not tried MSIEXEC /FA option to try and force a reinstall of the same versions, that is next on my list.)

They had the fixed build quick enough that I am guessing that this issue was known prior to today. It is just crazy that they did not change the version number so that the tools for managing applications (SCCM et al) can detect that a new version is available and install it.

Even their own View Connection Servers which check the version of your View Client when you talk to them will not detect that a new version is available.

Crazy!

Jorgie

Re:Not the whole story..

I can personally assure you that the issue was known about, but Microsoft stated they would not release these patches until IE9/Win7 SP1 final.

Re:Not the whole story..

[Culture20]

I can personally assure you that the issue was known about, but Microsoft stated they would not release these patches until IE9/Win7 SP1 final.

Good for ms then, releasing "early" to make all their users safer at the expense of less than one percent of their total users.

Re:Not the whole story..

but the less than 1% of all users affected are the less than 1% that decides what software companies buy next ....

Re:Not the whole story..

No, it is crazy that a tool like SCCM does not check the build number, that is whole point of having two numbers. Version changes when you add features or
break compatability, build number changes when you fix bugs or introduce workarounds to make it compatible with a new version of something it depends on.

This just shows how crap microsoft really are, they provide the ability to have a build number then do not check it when doing patching.

Where's the story?

[TrancePhreak]

They already fixed it according to the summary, so where's the story? Operating system updated, breaks software. Software gets updated.

Re:Where's the story?

The news is that they released a new BUILD of the client, not a new version.

As I said in my note above, since it is a new build not a new version, you cannot just install it, you have to uninstall first AND VMware's own tools for checking the version of the View Client tell you that you are up to date even if the Connection Sever has the new build and your workstation has the old one.

Jorgie

DrDoS?

DrDoS? ...Note, I didn't type DrDos, but DrDoS.... like a portmanteau of DrDos and DrDenial-of-Service..... Microsoft went out of their way to break DrDos from running their software in the 1980's. Its wasn't that DrDos wasn't up to the job, ms went out of their way to make sure their software looked broken when the user was running DrDos. The ms software went looking for a line in the DrDos operating system, and if it didn't say "Microsoft" then BANG! the software would cough up an error message. Kids with bit editors could insert the word 'Microsoft' at the correct offset, and the software would miraculously start working perfectly. The US Government never really smacked ms for that. And ms learned that they can abuse competitors, partners and customers as they like. And they have. Here, whoops, broke VMWare. Sorry bout that. And you can tell I agree from the following two words, both to the affirmative. Yeah, Right!

Stuff happens...

The update was provided within 24 hours of the MS security patch being released....I'm not sure if you can really get better response then that.

Mac users

So Microsoft fixes a potential security vulnerability and is now the bad guy.

Re:Old wine in new bottle?

[kikito]

"At that point all the legacy unportable corporate applications that need IE6 will run in some kind of frozen in time universe"

That point is here already. There are companies effectively frozen in time, from the IT point of view.

Games!

[Raptor007]

I haven't used Windows since 2006. People actually still use it? By God, what for?

I guess you're not a gamer. There's still no better gaming platform out there than Windows.

I also use Windows for Visual Studio, although when I'm developing something cross-platform I tend to write it in Xcode and just use Visual Studio to make Windows builds.

Well You Gotta Admit....

[Greyfox]

They're a lot more secure that way!

New Borg Icon Sucks

WTF? The old Borg icon is much better. Did the creator of this new one not even watch Star Trek and realize borg skin is pale white/blue?

jeez

Re:New Borg Icon Sucks

[WarmNoodles]

Mod this coward up 5 points. Dammed if he doesn't look fleshy and pink.

Just wrong and so many levels.

Re:Old wine in new bottle?

[sleigher]

Unintentional? You thin they didn't test anything and just let it roll? This is called testing to see just how formidable a foe VMWare really are.

Impacted here, it Invalidated Genuine status

[WarmNoodles]

Here is my personal relevant experience related to the botched patch.

Booted up, let the patches roll in(First mistake), but we have policy to keep the honeypot patched you know.
So nothing, no problem, did a normal and of day reboot.

On the restart before login gina was presented, I get the vile your not Genuine dialog, had to click on "correct it now"
That took me to a Microsoft page stating that I should download a program and run it to perform Genuine validation.
Curious, I opened the Control panel system panel and it shows "Genuine" ok.

Then, wait for it, Microsoft Security Essential icon is blood red and come to discover it had dropped the pants down around ankles and had due to the Fo Genuine violation instantly and totally been disabled.

Now I'm caught literally in public with my virtual pants down, no firewall, on a hostile network, no av, ankles getting warmer but I have to do another dammed required Genuine validation, so I download the same program and poof the moment of drama had passed.

I felt extra soiled by the humiliating experience. This all happened in-front of an audience while preparing a demo for the SFO RSA shew.

Thinking some one at Microsoft needs to use the new iPhone confession app cause they can't seem to budget for sacrifice of the requisite number of chikenz any more.

Re:Impacted here, it Invalidated Genuine status

[WarmNoodles]

Forgot to mention, I was running the latest Oracle Virtual box 4.0.2 r69518. Apparently, the impact was not restricted to as as the OP implied to just VM-Ware

Re:Impacted here, it Invalidated Genuine status

[cusco]

You did an update just before you had to do a presentation? WHAT were you thinking? I don't even open email attachments if I have to do a presentation. Maybe I'm just paranoid, but the idea of having my operating system or apps do something unexpected while in front of an audience, especially one that expects us to do all their tech work for them, scares the snot out of me. No thanks.

Re:Impacted here, it Invalidated Genuine status

[WarmNoodles]

I should have been a slight bit more informative RSA is from Feb 14 to the 18th.

This was just a dry run prep. Kind of a sound test and the audience I mentioned was composed of a half dozen geeks I've known for years. A small audience and it was appropriate to be on line and get patches applied, the demo requires it.

At presentation time, I'll be host only.

Re:They broke our stuff for free...

[mwvdlee]

The upgrade is free. You're encouraging piracy of software that is free.
Yes, the base package is commercial, but the upgrade is free. And since you're complaining about being unable to fix broken software free of charge, I'm assuming you purchased the base package already. Otherwise, what right do you have to complain?

Either way, I am not going to be the one paying for this.

I'm going out on a limb here and guess that's you're attitude towards ALL commercial software you use.

Microsoft not responsible ????????

[doperative]

"At some point the responsibility shifts from Microsoft to VMWare. Where the responsibility for alerting customers lies is maybe not clear yet"

At what point did VMware, invent a time machine, go back in time, inflitrate Microsoft and hack out a Windows 7 security patch that broke VMware.

"VMware is telling customers that two Windows 7 security patches have left VMware View users incapable of accessing their Windows desktops"

Re:Microsoft not responsible ????????

[Nevo]

Maybe VMWare was doing something that the documentation says you shouldn't do, and the security patch came along and actually started enforcing what the documentation said. Don't be so quick to judge MSFT. Without further details it's not possible to know whose fault this is (as if assigning blame is productive).

VMWare is Crap, always has been Crap.

VMWare is crap. Always has been. I have hated it every since SQL query speeds from VMWare has caused me to actually start hating my job it is so terrible. They emulate a pile of virtual dog crap. Did I mention it's crap? Don't buy into the hype, your Dilbert bosses will try to pipe you in the backside with this crap.

Perhaps not just vmware...

[jedidiah]

Recent patches seemed to have buggered a Win7 VM I had running in VirtualBox. It wasn't a total buggering but the old configuration of the VM was fine (well, fine enough) until recent patches made it unusable. It bogged down and ground to a halt until I went into safe mode and disabled just about everything that was running.

Sound like it's not just a vmware problem. Wonder if bare metal users were impacted too.

VBox Rox

No issues with VBox!