Slashdot Mirror
Tuesday Was Microsoft's Last Non-Cumulative Patch (helpnetsecurity.com)
There was something unique about this week's Patch Tuesday. An anonymous Slashdot reader quotes HelpNetSecurity:
It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new 'monthly update packs' will be combined, so for instance, the November update will include all the patches from October as well.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."
I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.
IMO, Microsoft's Windows Updates have been a huge, overly confusing mess for a long time anyway. I used to use WSUS to centrally administer them and for our small to mid-sized company, it became more trouble than it was worth. I like the advantage that you only have to download the patches once to the central WSUS server and then all the clients grab copies from there to save your Internet bandwidth. But in practice, our workforce is mobile enough that it's almost better we just let their laptops grab updates over the net from wherever they're at so they get patched more quickly.
Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been. So often, you have slews of patches that wind up marked "superseded" by other patches, and there are weird dependencies too. Can't do certain patches unless you've done others first. (Why not automate all of that so any patch dependent on another one just auto-applies the required one as part of its installation?)
If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)
"You want security patches? Welp, you're gonna have to accept Telemetry too."
Which modern variant are you using that you have conflicts of this kind?
The world's burning. Moped Jesus spotted on I50. Details at 11.
How aobut 'botch Tuesdays'?
>"Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux.""
Yep, still run Linux...
I install whatever I want, whenever I want, however I want, on what I want. My machine belongs to me.
The hosts file is already circumvented by Microsoft.
If you really want to solve this then it's to force Microsoft to change every IP address they are associated with.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
MS won't release SPs anymore because all of their shit in place says SPs add to the support length of the OS.
That's why Windows 8.1 happened instead of Windows 8 SP 1.
That's why 7 had only 1 SP despite desperately needing another. It's so bad Windows Update doesn't work on a fresh Windows 7 install until it crashes twice over 36 hours. The third time usually works after another 8-12 hours.
actually, it's because "service packs" require testing and they don't employ patch testers anymore.
For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.
Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.
Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.
Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What is effectively Windows 7 SP2 is called the Convenience Rollup instead, probably because it avoids complications about extending support dates if a new Service Pack is released, and it's found as KB3125574. See my first post to this discussion for more about how to use it, including installing it without waiting an eternity for Windows Update to get its act together.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Can we get something like windows 10.01 10.02?
Or Windows 7 sp2 or SP1.5
Windows 8.2 or 8.1.5?
Sure. It's already there. Just gotta understand how Microsoft versions Windows now.
(TL;DR: Mac OS X 10.11.6 == Windows 10 10.10586.589.)
Microsoft publishes a list of the cumulative fixes for Windows 10 and their Build/UBR numbers on their web site. They've never done this kind of a list for previous versions of Windows.
So what exactly are they going to do? Are we going to download the entirety of updates that have ever been released for Windows every month? That seems like a crazy waste of bandwidth, especially for people with slow or capped connections.
-=This sig has nothing to do with my comment. Move along now=-
Having done the end user computing engineering thing for quite some time, I've had to deal with Windows Update in places as large as 40,000+ PCs. There's a conundrum in the cumulative patching model -- it's super-easy for IT, but could leave some places more vulnerable.
The problem is that the more diverse a company's IT needs are, and the more proprietary software they rely on, the less able they are to just roll out a bundle of fixes to everyone and call it a day. I think Microsoft is forgetting how much some companies are relying on desktop Windows for line of business applications...it's almost like everyone there has drunk deep of the Cloud/Surface/Phone/Tablet/Web Services kool aid, and just assumed those crappy 20 year old applications have disappeared along with desktop/laptop use cases. In their minds, the only thing they have to make sure works correctly on site is Internet Explorer/Edge and Office.
Admittedly, updates are a confusing mess of semi-circular dependencies and it is very difficult for Microsoft to test even common combinations. But, making them all cumulative means this...Assume you have 10 updates in a bundle, 6 work fine everywhere, 1 breaks 40 PCs in Department A, 1 breaks the LOB app running on all 18,000 PCs you run, 1 breaks a behavior in IE some junky internal web app running on 2,300 PCs and 1 breaks the CEO's computer. All those computers have to wait until the problem is solved to get the protection for the 6 vulnerabilities, and they will continue to be unpatched since the bundle is cumulative.
The other thing I'm not a fan of is the removal of any sort of information about what gets patched. There used to be comprehensive descriptions of what was patched, and companies who knew what they were doing could direct testing to the right application groups. That's the other thing that's going away this month. We're a big Microsoft shop so we're pretty much resigned to upgrading to Windows 10...I guess we'll see what happens. Microsoft's been trying to cremate Windows 7 ever since early this year, messing with support dates and not backporting features. We'll see if Microsoft's "update rings" strategy that they're recommending everyone migrate to is workable.
I was going to ask if, by bunding updates together like this, is it going to make the lives of security researchers more difficult, as they can't simply diff the changed files of a particular security update? Seems I'm not the only one wondering this...
There should be a single blog, yes. But there should also be the ability to choose which patches you want, if necessary. Say a particular graphics driver is known to kill a certain game, or a certain network update conflicts with a utility, there should be a way for advanced users do opt-out of them.
But then, Microsoft is trying to create an environment as closed as Mac, with user tracking beyond the pale of Google, accompanied a fee stream to rival any subscription service. It's not about what users want anymore, just about extracting maximal dollars.
Why does anyone worried about privacy, security, or really "owning" their computer run windows anymore? It's time to accept that windows is no longer a consumer OS, it is a subscription service that allows you access to things you think you own, only as long as you pay the piper (that subscription payment will be coming, just wait for it).
To answer the question: If you want a AAA game platform, just buy your $5K game console and be done with it. Yes, like any console, it can do more, but at what cost?
The cesspool just got a check and balance.
You are lucky. I updated my Win7 laptop a few days ago (had not found updates for a while and suddenly found them when on the net for a day). Took something like 20h to find all updates and another 10h or so to install them. Talk about fundamentally broken technology.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.