Microsoft Bug

Microsoft Pulls Broken XP Update

Cally writes "Yahoo! reports that Microsoft have pulled a Windows XP update from the Windows Update servers after it killed network access for some users of the claimed 600,000 who installed it. (Does this mean only 600,000 XP users trust Windows Update?) The story hints that the problem was something to do with VPN or IPSec drivers clashing with Symantec software - however I haven't found anything about this on the Microsoft KnowledgeBase (the link Yahoo provide goes to the generic support home page.) Anyone got more info?"
This discussion has been archived. No new comments can be posted.

  • by Tsu Dho Nimh ( 663417 ) <abacaxi@@@hotmail...com> on Wednesday May 28, 2003 @08:20AM (#6055721)
    If XP is allowed to go find its master and patch itself, any problem with a patch will spread widely to the people least able to deal with it.

    At least this patch made it perfectly obvious that it had a bug.
  • Why is this news? (Score:3, Insightful)

    by 1g$man ( 221286 ) on Wednesday May 28, 2003 @08:21AM (#6055725)
    Has a Linux, or FreeBSD patch ever been pulled because it was broken? *yawn*

    I'd say it was a slow news day, but it ain't even daytime yet.
  • by Howard Beale ( 92386 ) on Wednesday May 28, 2003 @08:21AM (#6055727)
    "Most systems didn't crash; they simply lost network connectivity," said Michael Surkan, a Microsoft program manager for its networking communications group. "There were hundreds of thousands of people who downloaded this, and we know of only a handful of people who had the problem."

    Maybe because they couldn't get online to report the problem???

  • Old news (Score:5, Insightful)

    by rjch ( 544288 ) on Wednesday May 28, 2003 @08:21AM (#6055728) Homepage
    Unfortunately, it's something we've all heard before. I'm a recent entrant to the world of tech support, and the company I work for (much like many other large companies) refuse to touch a new Microsoft OS until it's been through at *least* one, preferably two service packs. Likewise, updates that Microsoft class as "critical" are not to be installed for at least a fortnight, unless they are for serious security holes with known exploits. Whilst I think this is probably a rather conservative approach, it sure as hell is better than having the network crash down around you. I believe this company was bitten badly by such a problem with a patch a couple of years ago, hence their policy on updates.
  • by Anonymous Coward on Wednesday May 28, 2003 @08:22AM (#6055731)
    Does this mean only 600,000 XP users trust Windows Update

    What do you think is more likely: "only" 600,000 people trust Windows Update or everyone else just hasn't patched or checked for patches yet? I personally don't use the little auto-notification thingie, I just check every once in a while.

    Also, how is this different from any automated Linux update method? Software has bugs. Patches may have bugs. Regardless of vendor, patches are not perfect and may induce problems.

    Agree or disagree with me, when you think about it without bias it's true.
  • by heretic108 ( 454817 ) on Wednesday May 28, 2003 @08:23AM (#6055740)
    Part of the pro-Palladium spin is that it will stop people infecting M$ machines with worms.

    But that would leave a major gap which, according to this story, has been admirably filled.

    Trusted computing - only trust the worms written and distributed by MS itself.

  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Wednesday May 28, 2003 @08:26AM (#6055757) Homepage
    Sounds secure to me. If a 'doze box can't access the internet, nobody can hack it...
  • by AndroidCat ( 229562 ) on Wednesday May 28, 2003 @08:27AM (#6055762) Homepage
    If those people lost network access, how would Microsoft know? ;^)
  • Geez (Score:5, Insightful)

    by Quill_28 ( 553921 ) on Wednesday May 28, 2003 @08:28AM (#6055773) Journal
    >Does this mean only 600,000 XP users trust Windows Update?

    Umm... NO. It doesn't.

    And stop taking cheap shots at MS, it just makes you look like a whiny school kid.

    There are plenty of reasons to bash MS policies and software, but the signal-to-noise ratio is getting silly.

  • by jamesh ( 87723 ) on Wednesday May 28, 2003 @08:29AM (#6055777)
    ... allows an admin to release patches to users when they have tested them. SUS retrieves patches from Microsoft. An admin approves them. Client PCs (with an appropriate Group Policy) retrieve and install approved updates from the SUS server. Easy.

    If you're paranoid^H^H^H^H^H^H^H^Hsensible, wait a week or more to give the rest of the world time to find bugs, test the patch thoroughly in a test environment, and of course ask yourself if you actually need it.

    ps. how many of today's Slashdot readers know what ^H means?
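
An added example, not part of the original thread or any commenter's post: a sketch of the approve-then-release gate that rjch's and jamesh's comments describe (a fortnight hold unless the update fixes a hole with a known exploit, then testing and admin approval before clients receive it), extended with a check for updates the vendor later withdraws. The update IDs, field names and sample data are constructed for illustration; this is not the SUS API.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

SOAK = timedelta(days=14)  # the fortnight hold described in the thread


@dataclass
class Update:
    update_id: str                  # constructed placeholder, not a real KB number
    released: date
    fixes_exploited_hole: bool      # serious hole with a known exploit
    passed_lab_test: bool           # verified in the admin's test environment
    admin_approved: bool            # explicit approval on the internal server
    vendor_withdrawn: bool = False  # vendor pulled the update after release


def decide(u: Update, today: date) -> Tuple[str, str]:
    """Return (action, reason); action is 'deploy', 'hold' or 'block'."""
    if u.vendor_withdrawn:
        return ("block", "withdrawn by vendor")
    if not u.passed_lab_test:
        return ("hold", "not verified in test environment")
    if not u.admin_approved:
        return ("hold", "awaiting admin approval")
    if u.fixes_exploited_hole:
        # The soak period is waived, but testing and approval are not.
        return ("deploy", "fast-tracked: known exploit")
    age = today - u.released
    if age < SOAK:
        return ("hold", f"soak period: {(SOAK - age).days} day(s) left")
    return ("deploy", "soak period complete")


def client_feed(updates: List[Update], today: date) -> List[str]:
    """IDs that client PCs are allowed to fetch from the internal server."""
    return [u.update_id for u in updates if decide(u, today)[0] == "deploy"]


def needs_rollback(installed: List[str], updates: List[Update]) -> List[str]:
    """Already-installed updates that the vendor has since withdrawn."""
    withdrawn = {u.update_id for u in updates if u.vendor_withdrawn}
    return [i for i in installed if i in withdrawn]


# Constructed sample data.
TODAY = date(2003, 5, 28)
SAMPLE = [
    Update("UPD-A", date(2003, 5, 23), False, True, True, vendor_withdrawn=True),
    Update("UPD-B", date(2003, 5, 20), True, True, True),
    Update("UPD-C", date(2003, 5, 20), False, True, True),
    Update("UPD-D", date(2003, 5, 1), False, True, True),
    Update("UPD-E", date(2003, 5, 1), False, False, False),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u.update_id, *decide(u, TODAY))
    print("feed:", client_feed(SAMPLE, TODAY))
    print("rollback:", needs_rollback(["UPD-A", "UPD-D"], SAMPLE))
```

The withdrawal check runs first so that an update approved earlier drops out of the client feed as soon as the vendor pulls it, and `needs_rollback` lists machines' installed updates that should be uninstalled.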
  • Unfortunate (Score:5, Insightful)

    by Davak ( 526912 ) on Wednesday May 28, 2003 @08:32AM (#6055802) Homepage
    This is not good for the average consumer.

    Bugs like this keep the common Microsoft user from installing the latest and greatest updates. They might not understand that their security is troubled until they recent damage; however, they understand this:

    "I finally ran windows update... and now I can no longer get on the internet. Crap, I'm never doing that again."

    Methinks it's a Microsoft-is-too-huge-syndrome. Microsoft can't test its fixes on every possible configuration; therefore, problems like this will occur. Episodes like this [microsoft.com] have previously occurred and will occur again.

    It's the nature of the beast.

    btw, thanks Slashdot. I could have installed that this morning!

    Davak
  • by olderchurch ( 242469 ) on Wednesday May 28, 2003 @08:50AM (#6055905) Homepage Journal
    The patch has been out some time now (more than a week). I have indeed installed it and have been figuring out for a day why my network card did not work anymore :(

    After deinstalling the update (luckily that was possible, there are updates where there is no rollback) everything worked fine.

    I checked again with Windows Update and the patch wasn't available anymore (this was last Saturday), so I reckoned it had nothing to do with my setup, or at least was not the only one.
  • by ch-chuck ( 9622 ) on Wednesday May 28, 2003 @09:02AM (#6055973) Homepage
    Because it's a screwup by the richest folks in the world. They keep telling us they have such a monopoly because the educated consumer market freely choose their products as 'better' than alternatives. We keep insisting they keep their cash cow monopoly because their products are automatically bundled in with each and every Intel PC sold, whether the customer wants it or not, and that just gets the foot in the door so they can lead the gullible by the nose down the primrose path to the rest of their crappy, insecure offerings.

    Anyway, hopefully this is yet another incident that tips a few more to 'switch'.

  • by knick ( 19201 ) on Wednesday May 28, 2003 @09:08AM (#6056001) Homepage
    Most of them are peer-reviewed AFTER the fact, because the whole Linux community is hell-bent on releasing their patches in 4 hours, just to show how much better they are than MS. If mistakes are made, they are usually found after the release.
  • by PetiePooo ( 606423 ) on Wednesday May 28, 2003 @09:10AM (#6056012)
    I think the reason most people here are bitter is the way MS is micro-controlling their patch distribution.

    If (insert your favorite distro here) releases a bug fix, it's generally well documented, you get the source if you really care, and you can know exactly what's going into your system.

    If MS releases a bug fix, the only way to retrieve it is through Windows Update, you don't know what else they slipped in, you often must have all the other service packs/hotfixes installed first, and (this is the really irritating part) it may change your EULA if you choose to install it. If you don't accept the new EULA, you don't get the exploit-fixing critical update you must have to keep your server clean.

    I like and use both MS products and Linux, but severely dislike MS's tendency to grab as much control as they can get away with. They grab until there's a user backlash and either ignore it or back off just enough so it looks to the press like they're the good guys for making a concession.
  • Also, how is this different from any automated Linux update method? Software has bugs. Patches may have bugs. Regardless of vendor, patches are not perfect and may induce problems. Agree or disagree with me, when you think about it without bias it's true.


    I'll agree with you on the bias issue. Slashdot for all I can remember (which is a couple of years) was not pro-microsoft. I'm not speaking for anyone, just stating a fact.

    But there is a difference between Microsoft and where with Windows Update, you have paid for the update service, and you should expect at least a minimum of Q&A done to a patch. With Linux, well... I can remember some packages I installed in which they gave you a very explicit warranty : This might screw you up, we're not responsible if it does.

    I've always installed packages on Linux with this in mind. This might not be the best mentality if we really want Linux on the desktop, but at least, I know what I'm getting myself into.

    MS Update makes it seem like everything was double-checked for you, and all is well and good to install... MS even goes so far as to recommend URGENT patches, which may or may not leave you worse off... And this you (should have) paid for. So yes, there is a difference, bias or not, since I paid money for my MS release, whereas my RedHat is downloaded and free... So yes, I should expect working patches from MS, and not expect RedHat to give me the time of day if they don't feel like it.

    'nuff said.

  • by crawling_chaos ( 23007 ) on Wednesday May 28, 2003 @09:14AM (#6056048) Homepage
    Software has bugs. Patches may have bugs. Regardless of vendor, patches are not perfect and may induce problems.

    You're correct, but one of the reasons Microsoft has given in the past for being slower on security updates than the Open Source community is that they have a much more rigorous regression testing procedure that must be run before release. The idea is to make sure that something like this never happens. It is one of the ostensible reasons that you pay so much more for Windows. If the extensive test procedure is no better than Red Hat's or SUSE's, then that proposition kind of goes up in smoke.

  • by gad_zuki! ( 70830 ) * on Wednesday May 28, 2003 @09:23AM (#6056122)
    >Also, how is this different from any automated Linux update method?

    It's not. Well, this wasn't automated, it had to be downloaded from the windowsupdate.com site, but I think we're just seeing something of a double standard here.

    Okay /. has an anti-MS bias. So do a lot of people, but losing network connectivity is pretty serious, especially on the world's monopoly OS.

    What really gets me is that whenever there's an MS problem the /. crowd complains about ignorant users who don't patch. Now the patchers are the problem?

    MS's automated patching system isn't bad, it keeps Joe User updated and there simply will be x amount of problems over y amount of time, as you said just like with any other vendor.

    Enjoy the schadenfreude guys, it'll just make real MS complaints sound all the less convincing. Optional supplemental reading: the boy who cried wolf.

    Crying wolf is a big problem when criticizing MS to the uninitiated. I have the displeasure of taking a 3 hour class with a rabid anti-MS type and at this point no one takes him seriously because of his zeal, even though 2/3 of the stuff he says are actually excellent points.

    Engaging in simple-minded schadenfreude simply makes people look less credible. Seems like a tough lesson to learn for the loud-mouth anti-MS types.
  • Re:windows update (Score:3, Insightful)

    by BrokenHalo ( 565198 ) on Wednesday May 28, 2003 @09:23AM (#6056123)
    One does wonder...

    Does this mean only 600,000 XP users trust Windows Update?

    Probably only 600,000 users actually bother to use the updates. I know any number of people who just use the software that came on their Win98 CDROM, it never even occurs to them to update their software. Like all the academics at my university using Netscape 4.7x with MacOS 9.1.

  • by prell ( 584580 ) on Wednesday May 28, 2003 @09:33AM (#6056197) Homepage
    Does this mean only 600,000 XP users trust Windows Update?
    Well, it's only been available since Friday, so you do the math on vacations (in America), frequency of use, and such.

    For whatever reason, though, I never use Windows Update, and I don't know that I've ever patched my Windows XP, outside of SP1. Maybe it's because I really only want to use Windows for gaming and not bother with much else, but I think it's also because, when I get something working, it's sometimes through some steps that elicit black magic from Windows, and I'd like the feature to stay working. The most recent example is the Windows XP VPN service, which for whatever reason will issue me an IP I want, and will work with other users' routers, only occasionally. Windows allows so little control over its features (compared to Linux and others), and VPN is no exception: A set of wizards, so when it works, yea I'd like it to stay working, and this patch warning that VPN may be affected, is certainly only redoubling my avoidance of Windows Update.

    We all know the history of Microsoft and patches, so I'm certain that is a sort of "subconscious" reaction when I see that awful tooltip in the corner. My Windows patching tendencies are highlighted by my almost religious running and adherence to OS X's Software Update panel (alright, I haven't installed the latest iTunes update ;-), and the fact that I'll usually run up2date in RedHat. In defense of OS X, usually their updates add all sorts of neat features, as compared to Windows XP, whose patches are usually the equivalent of them saying "OOPS, MY BAD!"
  • by nochops ( 522181 ) on Wednesday May 28, 2003 @09:33AM (#6056202)
    "Does this mean only 600,000 XP users trust Windows Update?"

    No, that's not what it means. Users who are savvy enough to know about the 'issues' with Windows Update probably don't use Windows XP, for the most part.

    Actually, what this means is that you found a story about Microsoft, and needed a way to trash them, so you came up with a lame rhetorical question.

    Honestly, what would you have them do? Not retract the broken update? Around here Microsoft is "damned if they do, damned if they don't". They just can't do right by many Slashdot posters.

    Sure Microsoft does a lot of bad things, but certainly retracting a broken update is not one of them.

    Call them on their bad business practices, sure. But snide remarks like yours only make anti Microsoft people look childish, foolish, and generally make you look like you're really struggling to find something wrong with them.

    Anti Microsoft Slashdot Goldmine
    1. Find non-news story about Microsoft rightly retracting a broken update.
    2. Insert witty, yet trollish rhetorical question.
    3. Post to Slashdot.
    4. Wait for the Karma to roll in.
    5. Profit!
  • by lpret ( 570480 ) <[lpret42] [at] [hotmail.com]> on Wednesday May 28, 2003 @09:39AM (#6056248) Homepage Journal
    But there is a difference between Microsoft and where with Windows Update, you have paid for the update service, and you should expect at least a minimum of Q&A done to a patch.

    I assume you're speaking of paying for Windows XP when you say that you've paid for the update service, or else someone really ripped you off. If that is indeed what you are referring to, then I have an issue with Mandrake, Red Hat, and SuSe because I did pay for them (support the cause and all) and although you say "I can remember some packages I installed in which they gave you a very explicit warranty : This might screw you up, we're not responsible if it does. " -- this is exactly what Windows Update says in its EULA.

    So, I would say that Microsoft does a better job in this aspect. Also, you're going to knock Microsoft because they are pro-actively getting people security updates? Wow, this seems to me like a better way, because we all know that many exploits have actually been patched, it's the sysadmins who don't patch their systems that get hacked.

    I know we're supposed to be Anti-MS here and all, and I generally am, but please, don't throw out logic and reasoning when attacking the giant.

  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Wednesday May 28, 2003 @10:07AM (#6056480) Journal
    Good thing we have the chance to pay for a professional OS and for professional regression testing. Thanks, Microsoft, for saving us from shoddy, untested software.
  • by ForNext ( 668276 ) on Wednesday May 28, 2003 @10:54AM (#6057004)
    Here is a novel idea......make a better product so there is less need for the constant patching for "security improvement" and "urgent repair". When was the last patch to give the user more bang for their buck....instead of ~ohh~ let me go back and fix what I should have given you to start with.
  • Poor argument... (Score:3, Insightful)

    by aksansai ( 56788 ) <aksansai AT gmail DOT com> on Wednesday May 28, 2003 @11:12AM (#6057196)
    First things first - I love open source software. I prefer Linux. But let's be realistic:

    Microsoft is a software vendor - a software vendor has employees that know, love, and baby their source code to produce a software product. Windows XP is one of their software products. These software developers know their particular piece of the puzzle well - while they may know jack and doodle about another piece of the puzzle within the same product. Never mind they have no clue on how another piece of software is written from a completely different vendor!

    If Microsoft were to release a patch to Windows XP - do you honestly want them to test the patch against the fifty three million software products that are available to run under their operating system? Let's not forget all the legacy versions that are still floating out there.

    C'mon - that's ridiculous. It's an unfair argument to state that Microsoft should test against software not written by them. I would expect Microsoft's testing strategy is to make sure that the software does not adversely affect the performance of their own operating system and the software that came with it.

    Since we do not have sufficient information about all the software that was affected by the patch, we do not know the whole scope of the problem. All we know is that Symantec's software product conflicts with the latest update.

    If five software products out of fifty three million are broken while the remainder has absolutely no problem - would it not be safe to say that the problem does not lie within the patch, but perhaps the coding practices of the five software products that have the conflicts?

    Unlike what I would have expected from Microsoft, pulling the patch was the right idea. I imagine their quality department immediately dispatched a request to Symantec to evaluate the possible conflict and to work a resolution as fast as possible.
  • by GroovBird ( 209391 ) * on Wednesday May 28, 2003 @12:27PM (#6058052) Homepage Journal
    You should know better than to make fun of Joel 'Espy' Klecker [debian.org], to whom the Debian 2.2 release is dedicated.

    Just a thought.

    Dave
  • Come On Now... (Score:4, Insightful)

    by tomakaan ( 673394 ) on Wednesday May 28, 2003 @12:44PM (#6058222)
    Many of us here on /. are developers. Are you going to honestly say that you've never screwed up in one of your releases and had a security or other bug slip through testing? You tell me that and I've got two words for you...bull ****. Yeah, Microsoft is on a much bigger scale than most of us, and they make a lot more money in sales, but everyone screws up still. Everyone screws up, even the "big-bad-money-hungry" Microsoft everyone loves to complain about!
  • by Anonymous Coward on Wednesday May 28, 2003 @12:54PM (#6058313)
    Released kernel versions and shrinkwrapped OS boxes are NOT comparable. A fair comparison for updateablility would be Debian vs. XP or Suse vs. OS X. But NOT NOT NOT kernel version 2.4.17 vs XP.
  • by angst_ridden_hipster ( 23104 ) on Wednesday May 28, 2003 @01:52PM (#6058939) Homepage Journal
    Easy to say.

    Not easy to do.

    Think about it. QA on Linux has the advantage that the first "users" of any new module/driver/system are actually developers and other savvy users. Many bugs get worked out relatively early -- certainly before they get rolled into a stable distribution.

    The Windows OS has to support a nearly infinite variety of hardware, and. It doesn't have the same first-tier of support. Sure, it has beta testers, but, by and large, they aren't developers. They certainly can't tweak the source.

    But even then, security is not easy. Think about Open BSD. This OS's community prides itself on its approach to security, and they do a very good job. But occasionally, things sneak by (i.e., the SSH remote exploit of a year ago).

    So it's a nice idea to just do things right the first time. But you can't just make the decision "hey, from now on we're gonna do things right" and have the problem miraculously solved...
  • Re:windows update (Score:4, Insightful)

    by Keeper ( 56691 ) on Thursday May 29, 2003 @01:34PM (#6068872)
    That's just it -- it didn't affect that many people. Of the 600,000 people who downloaded it, only a "small handful" of people had a problem -- not all 600,000. Now, what quantity a small handful is according to the guy making the statement I do not know, but I doubt it's a significant percentage of the 600,000.

    I mean, think about it ... how many possible PC configurations are there out there? How many different versions of drivers for each piece of hardware? How many different combinations of software can be installed on each of those combinations? It is not possible to test each and every possible combination. This is not to say that you don't test all sorts of configurations, but you can't hit them all.

    If it were such a "simple error", it would have happened to ALL of the 600,000 people who downloaded the update. Crap happens. QA isn't an exact science -- there is no algorithm you can follow to make sure you find 100% of all bugs in existence. The best you can do in this case is find the problem and make sure you test for it in the future.
