Security Bug Microsoft

Microsoft: Patches, Patches Everywhere!

Ridgelift writes "Even though Microsoft recently announced they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
This discussion has been archived. No new comments can be posted.

  • Monthly patches? (Score:3, Interesting)

    by beattie ( 594287 ) on Wednesday December 10, 2003 @05:25PM (#7683717)
    At the end of the article it says that MS wants to do monthly patches to make it less of a surprise to sysadmins... Anyone else see a problem with waiting a month for your windows machine to get updated?
  • Uhhh, they DO know? (Score:5, Interesting)

    by LookSharp ( 3864 ) on Wednesday December 10, 2003 @05:27PM (#7683739)
    ...They haven't a clue.

    On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

    It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.

    I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!
  • by aflat362 ( 601039 ) on Wednesday December 10, 2003 @05:35PM (#7683852) Homepage
    The article states that Microsoft is making the patch process more intuitive and easy to use. How much easier could it be than opening a link to a web site, pressing scan, reading a list of results with descriptions and selecting the ones you want?

    I mean, are people retarded or something? My grandpa who could barely figure out how to use a mouse was able to do an update of his computer after some simple instructions.

    I suppose they could just have your PC patch itself by default but in my opinion that would suck.

  • by Anonymous Coward on Wednesday December 10, 2003 @05:37PM (#7683872)
    Any other company like Microsoft no, the catch being of course that there aren't any other companies like Microsoft. Microsoft is singled out because it stands alone in its class, and it is an undeniable adversary of the GPL ... no other reason.
  • Re:I dont' get it... (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 10, 2003 @05:40PM (#7683909)
    Have you ever been responsible for 100's of machines? You can't just patch and hope it all works out. Patches have been known to break things, and aren't always uninstallable.

    So, while it's hunky dory for you to update three of your personal computers, it's a much bigger deal to do so to dozens, especially since you can't be sure that there won't be any issues from the patch.
  • by zapp ( 201236 ) on Wednesday December 10, 2003 @05:43PM (#7683939)
    Any ideas why this would be beneficial at all? Are they going for the record thing, like some work places have a big sign that says "It's been days since the last workplace injury"? Are they trying to say "hey, Windows is secure! See, no patches released in days"?

    What if a highly critical bug is discovered tomorrow, something big enough that several exploits are in the wild by next week? Will they release a patch then, or will they stick to their policy and hold out on us until 2004?

  • by mr_lithic ( 563105 ) on Wednesday December 10, 2003 @05:43PM (#7683955) Homepage Journal
    It used to be the standard method of dealing with Microsoft Service Packs that you never deployed the latest one on your boxes. You always stayed one step behind. This practice was proved right with the Service Pack 6/6a debacle.

    With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.

    Do we really trust Microsoft enough to think that they will get their updates right every time?

  • by Zak3056 ( 69287 ) on Wednesday December 10, 2003 @05:46PM (#7683998) Journal
    Two things:

    1) In answer to your suggestion that Microsoft knows what happened, allow me to point out a comment in the text that you yourself quoted:

    The company is still investigating why and how the patch was reissued.

    Not only do they not know WHY someone released a patch, they don't know HOW either!

    Secondly, I'm also curious. I run an SUS server, and here's my sync log from last night:

    Automatic Sync Started- Wednesday, December 10, 2003 2:00:07 AM Successful
    Updates Added:
    Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b6051537519556 0b3.EXE

    Updates Removed:
    810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.E XE

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe

    813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe

    818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf4 5fe205783dd059d0.exe

    Reissued Update(s):
    Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B. EXE

    Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.e xe

    814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe

    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE

    Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe

    Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4f fadfb93f33fa.exe

    Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F 2D.EXE

    Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC

  • by Anonymous Coward on Wednesday December 10, 2003 @05:47PM (#7684009)
    As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".

    You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.

    Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problems, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.

    So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.

    We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.
  • Re:Monthly patches? (Score:2, Interesting)

    by SpaceCadetTrav ( 641261 ) on Wednesday December 10, 2003 @06:07PM (#7684216) Homepage
    I don't think the system would "crumble", as you put it. Microsoft will just do an emergency patch release outside of the normal cycle.
  • Re:I dont' get it... (Score:2, Interesting)

    by Anonymous Coward on Wednesday December 10, 2003 @06:13PM (#7684256)
    As far as I'm concerned, the monthly schedule makes it more difficult for the sysadmin. When you get a flood of patches released on the same day does that really make it easier? Not for me, it just adds to my headaches. With weekly patches, I could review and plan a patching strategy at my convenience. And not apply too many patches at once, so there was some hope of discovering which patch screwed up the PC afterwards. But now, it's a nightmare. And it isn't helped by Microsoft releasing updated patches WITH THE SAME FILENAME!!!! And even on the monthly schedule, they're still releasing security bulletins which publish the wrong file version information for the patch files. So my scripted patch installation goes awry because the documentation is wrong. OK, I find that pretty quickly but it's still unnecessary work and headaches.
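Added example (not part of the comment above, and not Microsoft tooling): one way to catch the same-filename reissue that comment describes is to pin every tested patch file to its SHA-256 and let a scripted install proceed only for byte-identical files. The function names, file names and directory layout in this Python sketch are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large service packs need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map lower-cased file name -> SHA-256 for every file in the patch share."""
    return {
        name.lower(): sha256_of(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def compare(approved, current):
    """Classify files against the manifest recorded when patches were tested."""
    report = {"unchanged": [], "changed_same_name": [], "untested": [], "missing": []}
    for name, digest in current.items():
        if name not in approved:
            report["untested"].append(name)
        elif approved[name] != digest:
            report["changed_same_name"].append(name)  # silent re-release
        else:
            report["unchanged"].append(name)
    report["missing"] = sorted(set(approved) - set(current))
    return report


def installable(report):
    """Only byte-identical, previously tested files go to the install script."""
    return sorted(report["unchanged"])


def demo():
    """Constructed scenario: one patch is replaced under the same file name."""
    with tempfile.TemporaryDirectory() as share:
        for name, body in (("patch_a.exe", b"build 1"), ("patch_b.exe", b"build 1")):
            with open(os.path.join(share, name), "wb") as handle:
                handle.write(body)
        approved = snapshot(share)      # recorded after the test deployment
        with open(os.path.join(share, "patch_b.exe"), "wb") as handle:
            handle.write(b"build 2")    # reissued under the same name
        with open(os.path.join(share, "patch_c.exe"), "wb") as handle:
            handle.write(b"build 1")    # new file, never tested
        return compare(approved, snapshot(share))


if __name__ == "__main__":
    result = demo()
    print(result)
    print("safe to install:", installable(result))
```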
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Wednesday December 10, 2003 @06:13PM (#7684262) Journal
    MS has claimed that worms come from reverse-engineering vulnerability patches, but I'm not convinced. If an outside researcher found the problem, what makes you think a Black Hat didn't (and has been keeping quiet)?
  • Here you go fella (Score:3, Interesting)

    by melted ( 227442 ) on Wednesday December 10, 2003 @06:25PM (#7684380) Homepage
  • Re:Monthly patches? (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 10, 2003 @06:51PM (#7684656)
    If you don't like aspx or running all kinds of new apps MS is putting out then don't install the .Net Framework, they do not force you, they leave it there as an option for the thousands upon thousands who do find use of this.

    As for WMP 9, well... again, they don't force it. Although some very small systems would have their admin use the server as a workstation in which case WMP 9 is useful for such things as tutorials. Granted, hardly ideal but also optional, so who cares?

    I'd think people would like the options, they aren't forced so why bitch about them?
  • by little_fluffy_clouds ( 441841 ) on Wednesday December 10, 2003 @07:15PM (#7684872)
    Not only did they release a patch - they removed a bunch and reissued quite a few. Here is the log from last night's SUS sync...
    (Note if you don't know what SUS is, try http://susserver.com/)

    Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful

    Updates Added:

    Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b6051537519556 0b3.EXE

    Updates Removed:

    810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.E XE

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe

    813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe

    818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf4 5fe205783dd059d0.exe

    Reissued Update(s):

    Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B. EXE

    Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.e xe

    814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe

    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE

    Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe

    Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4f fadfb93f33fa.exe

    Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F 2D.EXE

    Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC160D341612 338DFD3154.EXE

    Security Update for Windows XP (KB810217) - WindowsXP-KB810217-x86-ENU_696190f151ea0bcb063f0a8 9471e45b.exe

    Q811114: Security Update (Windows XP or Windows XP
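Added example, not part of any comment in this thread and not Microsoft tooling: the two SUS sync logs posted above share one layout (three section headers followed by `title - filename` lines), so a short Python parser can turn such a log into the list of binaries that are new or reissued and therefore need re-testing before approval. The function names and the placeholder file names in the constructed sample are assumptions made for this sketch.

```python
import re

# Section headers as they appear in the sync logs quoted in this thread.
SECTIONS = {
    "Updates Added:": "added",
    "Updates Removed:": "removed",
    "Reissued Update(s):": "reissued",
}
# Article number in a title: "810847:", "Q324929:", "(KB830786)", "(819639)".
TITLE_KB = re.compile(r"(?<![A-Za-z0-9])(?:KB|Q)?(\d{6})(?!\d)", re.I)
# In a file name, require the KB/Q prefix so hash digits are not mistaken for one.
FILE_KB = re.compile(r"(?:KB|Q)(\d{6})(?!\d)", re.I)


def parse_sync_log(text):
    """Split a sync log into added/removed/reissued entries."""
    parsed = {name: [] for name in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None or " - " not in line:
            continue  # blank line, sync header, or text outside a section
        title, filename = line.rsplit(" - ", 1)
        filename = filename.replace(" ", "")  # forum software splits long words
        match = TITLE_KB.search(title) or FILE_KB.search(filename)
        parsed[current].append({
            "title": title.strip(),
            "filename": filename,
            "kb": match.group(1) if match else None,
        })
    return parsed


def needs_retest(parsed):
    """File names whose binaries are new or changed since the last sync."""
    return sorted(e["filename"] for s in ("added", "reissued") for e in parsed[s])


# Constructed sample in the same layout; file names are placeholders.
SAMPLE_LOG = """\
Automatic Sync Started- Wednesday, December 10, 2003 2:00:07 AM Successful
Updates Added:
Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_PLACEHOLD ER.EXE

Updates Removed:
810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_PLACEHOLDER.EXE

Reissued Update(s):
Security Update, March 7, 2002 - Q313829_PLACEHOLDER.exe
Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_placeholder.exe
"""

if __name__ == "__main__":
    log = parse_sync_log(SAMPLE_LOG)
    for section, entries in log.items():
        print(section, [(e["kb"], e["filename"]) for e in entries])
    print("re-test before approving:", needs_retest(log))
```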
  • Re:Monthly patches? (Score:3, Interesting)

    by bryhhh ( 317224 ) on Wednesday December 10, 2003 @07:37PM (#7685062)
    ...and of course you read the article didn't you? Please allow me to quote the first paragraph from the article for your benefit.

    The company scrambled on Wednesday morning to figure out why a patch had been issued through its Windows Update service, when the software maker had declared on Tuesday that it would not issue any fixes in December.

    In short, the update wasn't a 'zero-hour' patch, or a planned release.

    Interestingly, this update has been mysteriously approved on our local SUS server without our knowledge. I really do hope that this patch has been thoroughly tested by Microsoft, as they have just deployed it across our LAN without our consent.

    Trustworthy computing? pftttt.
  • Stealth Patch (Score:3, Interesting)

    by nurb432 ( 527695 ) on Wednesday December 10, 2003 @07:42PM (#7685110) Homepage Journal
    Sort of disconcerting if they don't have enough 'quality control' to even know who put the patch into effect to be distributed.

    Considering the ramifications of patches and their 'assumed authority' with autopatch, this is a very bad blunder.
  • Re:Monthly patches? (Score:5, Interesting)

    by Cromac ( 610264 ) on Wednesday December 10, 2003 @08:07PM (#7685290)
    What is the latest "safe" version of Windows Media Player, anyway? I've kept with 6.4 for fear of privacy/DRM problems with later versions.

    Should I upgrade?

    Media Player 6.4 won't play all of Microsoft's media files anymore. WMA or ASF files created with the latest version of Media Player won't play on ver 6.4, it won't download the codecs for all of them. Subtle way for them to get people to upgrade, isn't it.

    Whether that's worth upgrading for is up to you.

  • by gosand ( 234100 ) on Thursday December 11, 2003 @10:35AM (#7689411)
    Ever since we started using Software Update Services this has been cake. All the clients just pull the windows critical updates that we approve from OUR servers. I feel sorry for anyone who is trying to run around and do them by hand.

    Really? It sucks for us. Our SUS client is pointed at our corporate server. When corporate decides a patch should be installed, it gets installed on our systems. The problem? I am in QA, and our systems started acting goofy lately. In particular, our Rational applications started behaving very strangely. We *think* that it is due to the MS updates, but have no way of telling without launching a full-blown investigation into the issue. We have different OSs we have to test on, and different configurations. But they all have to have these stupid patches installed automatically. And some of them you cannot un-install. Try to track down the cause of a problem when there were 10 patches installed on your system the night before.

    Now that isn't necessarily MS's fault, it is more our head office's fault. We should be able to test out patches with the software we use before having it mass-deployed. Sure, mandate it for all the meat-bag virus-spreaders in sales, but leave us the F alone. The IT guys in our own building are clueless, because they don't have to do anything now - the auto-updater will take care of it, and the patches come from corporate. But like you said, that part is cake....
