Microsoft: Patches, Patches Everywhere!
Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
What's the big deal? (Score:5, Insightful)
The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.
SUS at least makes this easy. (Score:5, Insightful)
All the clients just pull the windows critical updates that we approve from OUR servers.
I feel sorry for anyone who is trying to run around and do them by hand.
Re:Monthly patches? (Score:2, Insightful)
Microsoft did the right thing (Score:5, Insightful)
They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start having trouble finding bugs or figuring out how to fix them...
Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.
Re:What's the big deal? (Score:4, Insightful)
Simply because Slashdot will take any and every opportunity to make Microsoft look bad.
I don't get it... (Score:5, Insightful)
MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.
How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...
This also gives the sysadmin time to regression test some patches if that is their policy.
Big business clients -- you know, the ones benefitting from the monthly schedule -- shouldn't be using Windows Update anyway!
-Charles Hill
Re:Monthly patches? (Score:5, Insightful)
Stupid for desktop/home users (Score:3, Insightful)
It's probably just an attempt to increase the appearance of security (by decreasing patch frequency) while not actually increasing security (and in fact decreasing security as machines can be unpatched for longer).
Re:Monthly patches? (Score:3, Insightful)
Uh oh.. (Score:2, Insightful)
Holy shit!
*whew*, I think..
Re:What's the big deal? (Score:2, Insightful)
No, they have got a clue. (Score:3, Insightful)
-Microsoft knows their software is weak when it comes to security.
-Microsoft pleads to the security community not to make any vulnerabilities public prior to notifying them for at least a few weeks, and sues everyone who doesn't fall in.
-Microsoft reveals the reason it wants vulnerabilities not to go public.... So CTOs can claim that security updates only happen every month rather than every day, keeping their job intact and making more money for MS in the long run.
-Somebody who cares about security rather than marketing posts a needed FrontPage Extensions update.
See.... someone at Microsoft has a clue. They just don't talk to the marketing folks. I don't blame 'em.
Re:I don't get it... (Score:3, Insightful)
WTF? (Score:5, Insightful)
There will not be any patches issued in the month of December
and
they release patches more promptly than Linux vendors?
Re:Monthly patches? (Score:5, Insightful)
The obvious downside is what happens when a major new remote root exploit comes out like Blaster. However, in that case the news is all over the tech media at worst, and often the mainstream media as well, so there is nothing to stop Microsoft issuing an "emergency" patch or advisory in that case and have the word get out. Unfortunately, that apparently hasn't stopped them from failing to release a patch for the remote IE exploit [slashdot.org] announced a fortnight ago.
Re:Monthly patches? (Score:5, Insightful)
I won't argue that the longer one waits the bigger the window for an exploit, but given that a large number of exploits are created from looking at patches, it makes sense to compress the patch time so that sys admins can make time to make sure their infrastructure is updated all at once.
You may have the start of a point, but certainly not with regard to Blaster.
That's right (Score:5, Insightful)
But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.
Re:Uhhh, they DO know? (Score:5, Insightful)
Re:What's the big deal? (Score:2, Insightful)
Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.
True. The reason why this is on the front page of slashdot is, as an AC trolled:
Any other company like Microsoft no, the catch being of course that there aren't any other companies like Microsoft.
Of course, said troll quickly gets to the trolling, but the first part is dead-on. Microsoft is big, they're more relevant to slashdot users than any other company.
Then again, the submitter worded his submission so that the mystery patch sounded scary, but if you RTFA, it's not. Perhaps timothy fell for it.
Re:Monthly patches? (Score:3, Insightful)
Re:This is Newsworthy? (Score:5, Insightful)
All versions of windows use this service.
If Windowsupdate sends out a bogus patch, millions of machines install the patch.
See where this is going? WindowsUpdate could easily be utilized to infect millions of machines with a virus. It could also bug out and send a patch that breaks millions of machines.
This service should *NOT* be sending out mysterious patches that no one knew anything about.
Everywhere? (Score:3, Insightful)
Seems like they've released yet another patch every other day this month. I know it hasn't been quite that many, but it's been several, and much more than Microsoft.
Could we have a little more fact, and a lot less Microsoft FUD? It makes Slashdot look rubbish.
The "Linux community" could stand to ridicule less and study their enemy more. Then maybe they wouldn't be slowly slipping behind the Windows Server platform more and more in providing more of the features people need.
Re:Monthly patches? (Score:5, Insightful)
Well, there are some neat non-security "patches" like the Root Cert updates, and they usually include any new versions of drivers for your hardware. The stuff that's listed under "recommended" for your OS is either those, or some annoying but not critical bug fixes, or is the subject of this rant:
What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.
Re:Everywhere? (Score:3, Insightful)
One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.
I'd sooner trust an operating system vendor that releases prompt patches to small portions of their product, than some cowboy outfit who release occasional mega patches to their product. Besides, comparing the number of patches to RedHat 9 against those for Windows is bullshit. The typical Linux distro includes a large number of genuinely useful software packages, while MicroSoft's OS comes with ... notepad.
Chris
Re:Stupid for desktop/home users (Score:2, Insightful)
Re:Monthly patches? (Score:5, Insightful)
Yes, but, in the eyes of Microsoft, WMP9, .NET runtime, etc. are part of the OS. That's the difference between the mindset of Microsoft (one big tool that does everything) and that of the *nix world (many small tools, each that does something in particular)
Face it, Microsoft hasn't changed its viewpoint in this long, it's probably not going to happen any time soon.
Re:it's nice to criticise, but ... (Score:4, Insightful)
You don't understand: it doesn't give me cause for concern because I _am_ a computing professional. I see software that affects thousands of computers belonging to other people where the manufacturers have no idea why. In fact, I usually have no idea why something goes wrong with my own software until I've spent a couple of hours looking at it. In fact, sometimes I never do find out what went wrong with my software.
I think you're the one that's not a computing professional
Rubbish? *snicker* (Score:3, Insightful)
Actually, it makes Slashdot look like Slashdot.
Once again, we seem to have an influx of new Slashdot readers and posters. Let me spell it out for you: THIS SITE IS DECIDEDLY PRO-LINUX, PRO-OPEN SOURCE, AND ANTI-MICROSOFT. It has been since day one, and it will be until MS acquires OSDN or whoever the owner is. Deal with it, stop your bitching, and if you don't like it, there are plenty of pro-Microsoft newssites out there.
Yeesh. Every story lately these people are coming out. Listen kids, Microsoft doesn't need you to defend them. And you don't look cool just because you bash what's the popular thing around here. In my day, we used to call that "trolling".
Re:it's nice to criticise, but ... (Score:2, Insightful)
Nice ignorant troll, but try RedHat Up2Date, Suse YAST online update, Debian apt-get, Gentoo emerge.
All of them work better in my opinion. Equally well at least by any objective standard.
Re:And... (Score:2, Insightful)
Think about it: many exploits, in both Windows and Linux and every other system, exist for months or years before being discovered. Or should we say, before being discovered by the kind of person who makes noise about it and/or noisily makes trouble using it. I wonder sometimes how 'far ahead of the curve' on that sort of thing the smarter black hats and agencies like the NSA tend to stay. Surely they like the convenience of Open Source and quietly audit it all the time. Easier to find flaws if you're reading source code than black-box testing Windows (though the NSA surely has a source license for Windows)
I still do not see the advantage (Score:4, Insightful)
...in announcing regular times when you WON'T be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)
If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.
I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.
This almost reminds me of a time when Konqueror and IE had an SSL security hole [theregister.co.uk]. While Microsoft buried its head in the sand [theregister.co.uk], the Konq guys just solved the damn problem (in a matter of hours [hackinglinuxexposed.com], if memory serves).
Maintaining important software is only hindered when some bureaucratic colossus feels the need to babysit the process.
Microsoft Patch Problems (Score:2, Insightful)
Am I the only one who finds the new updater for XP really unhelpful?
Having been burned in the past, I configured the updater to just download the patches, but not install them, so that I can read the "details" before deciding whether to install the patch.
Clearly, Microsoft's definition of "details" diverges significantly from my own. Their detailed description always seems to be something like "There's a problem in application X that could allow an attacker to gain administrator privilege on your machine." Optionally, they might warn me that I won't be able to remove the patch once it's installed.
This is wildly insufficient. For one thing, if the patch is unremovable, the details should contain at least a capsule explanation of what the tradeoffs are likely to be --- in particular, whether or not installing this patch is likely to bust some beloved function. I still remember ruefully the time I installed a patch that busted synchronization of my WinCE handheld (I have since switched to a PalmOS device). I had to reinstall Windows to fix that one, and it cost me the better part of a work day.
The patch descriptions are also inadequate. E.g., the latest patch reports a problem with FrontPage Server extensions. It's not even clear whether the problem is only if I'm running FrontPage server, or whether MS has just given a back door into my machine to any server that uses FrontPage.
I know, one can go to the Knowledge Base to get more details, but what part of "details" doesn't Microsoft understand? When I click on "details" I want details, not an opportunity to go yet further for the real details....