Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Bug Microsoft

Microsoft: Patches, Patches Everywhere! 388

Posted by timothy from the and-not-a-patch-they-think dept.
Ridgelift writes "Even though Microsoft's recently announce they would not be issuing any new patches for the month of December, the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue."
This discussion has been archived. No new comments can be posted.

Microsoft: Patches, Patches Everywhere! More

Microsoft: Patches, Patches Everywhere!

Comments Filter:

  • The apparent lack of a patch. (Score:4, Funny)

    by Neck_of_the_Woods ( 305788 ) * on Wednesday December 10, 2003 @05:23PM (#7683700) Journal


    I guess they are going to have to issue a patch to stop the machines from patching....ironic.

  • Monthly patches? (Score:3, Interesting)

    by beattie ( 594287 ) on Wednesday December 10, 2003 @05:25PM (#7683717)
    At the end of the article it says that MS wants to do monthly patches to make it less of a surprise to sysadmins... Anyone else see a problem with waiting a month for your windows machine to get updated?

    • Re:Monthly patches? (Score:5, Informative)

      by Fjornir ( 516960 ) on Wednesday December 10, 2003 @05:28PM (#7683756)
      ...and of course you read the announcement about this, didn't you? And as such you know that they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild and/or are to the top left of the threat matrix (remote/system level explots).

      • ...and of course you read the announcement about this, didn't you? And as such you know that they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild and/or are to the top left of the threat matrix (remote/system level explots).

        You mean there are patches available for things OTHER than vulerabilities from Microsoft? Wow. Must have missed them at the bottom of the Windows Update page after the 250 zillion Security Patches. :-)

        • Re:Monthly patches? (Score:5, Insightful)

          by Theatetus ( 521747 ) * on Wednesday December 10, 2003 @06:27PM (#7684410) Journal
          You mean there are patches available for things OTHER than vulerabilities from Microsoft?

          Well, there are some neat non-security "patches" like the Root Cert updates, and they usually include any new versions of drivers for your hardware. The stuff that's listed under "recommended" for your OS is either those, or some annoying but not critical bug fixes, or is the subject of this rant:

          What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.

          • Re:Monthly patches? (Score:5, Insightful)

            by mhesseltine ( 541806 ) on Wednesday December 10, 2003 @06:42PM (#7684582) Homepage Journal
            What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime, neither of which I want, particularly on a production server. Can't they take the hint that a box running W2K Advanced Server probably doesn't want WMP9? At least they don't have them selected for installation by default, but still, they should keep Windows Update to stuff that's actually updating the OS/drivers/etc. rather than applications they want me to use.

            Yes, but, in the eyes of Microsoft, WMP9, .NET runtime, etc. are part of the OS. That's the difference between the mindset of Microsoft (one big tool that does everything) and that of the *nix world (many small tools, each that does something in particular)

            Face it, Microsoft hasn't changed its viewpoint in this long, it's probably not going to happen any time soon.

          • Re:Monthly patches? (Score:3, Informative)

            by Remco_B ( 14435 )
            What bugs me is that they also keep trying to get me to install Windows Media Player 9 and the .NET runtime

            Did you know WIndows Update is configureable? If you don't want to install a particular "update", you can instruct Windows Update not to show it again. I don't know the exact name of the link in English, but it should be obvious.

      • they will still release zero-hour patches for vulnerabilities which are actively being exploited in the wild

        "Kewl", as the script kiddies might say. This simply means that those crackers who resist the urge to get some f4me for their new exploit by announcing it on a SadCrAck3r IRC channel have a four week window to root more boxes.

        Chris

      • Re:Monthly patches? (Score:3, Interesting)

        by bryhhh ( 317224 )
        ...and of course you read the article didn't you? Please allow me to quote the first paragraph from the article for your benefit.

        The company scrambled on Wednesday morning to figure out why a patch had been issued through its Windows Update service, when the software maker had declared on Tuesday that it would not issue any fixes in December.

        In short, the update wasn't a 'zero-hour' patch, or a planned release.

        Interestingly, this update has been mysteriously approved on our local SUS server without our

    • Re:Monthly patches? (Score:2, Insightful)

      by JVert ( 578547 )
      Lets see, the world had roughly 5 weeks before blaster ran amok. Worst case scenario that patch will be delayed 4 weeks so admins get 1 week to test patches instead of the usual 5 week 'grace'.

      • Re:Monthly patches? (Score:5, Insightful)

        by km790816 ( 78280 ) <wqhq3gx02@@@sneakemail...com> on Wednesday December 10, 2003 @05:44PM (#7683959)
        Slow down turbo. In this case blaster was created by looking at the patch that it exploited. It only affected unpatched systems.

        I won't argue that the longer one waits the bigger the window for an exploit, but given that a large number of exploits are created from looking at patches, it makes sense to compress the patch time so that sys admins can make time to make sure their infrastructure is updated all at once.

        You may have the start of a point, but certainly not with reguard to blaster.

      • Re:Monthly patches? (Score:3, Insightful)

        by ryanvm ( 247662 )
        That's a silly argument. Are you suggesting that nobody could code a virus within 4 weeks of an exploit being published? The four week window will just force virus writers to use more timely exploits.

    • Re:Monthly patches? (Score:5, Insightful)

      by leifm ( 641850 ) on Wednesday December 10, 2003 @05:32PM (#7683809)
      The benefit, at least for Microsoft, is that by making patches a routine(second Tuesday of the month) security patches are now a routine, and thus probably won't make news when they are released. This is also good for sysadmins in a way, because they can play for patch deployment, but I bet this system crumbles as soon as some flaw is wormed three weeks before the patch is scheduled for release.
    • I have my PC set up to autodownload updates. It's no skin off my nose if I get a "you have updates ready to install" more than once a month.

      It's probably just an attempt to increase the appearance of security (by decreasing patch frequency) while not actually increasing security (and in fact decreasing security as machines can be unpatched for longer).

      • Re:Stupid for desktop/home users (Score:5, Informative)

        by Nevo ( 690791 ) on Wednesday December 10, 2003 @05:58PM (#7684130)
        It's no skin off your nose, but you're not the admin for 1500 machines.

        The admins of large scale deployments have asked Microsoft to make patches more predictable so they can do planning for patch deployment. Microsoft complied.

        As others have stated, when a known vulnerability exists, or when sample code is publicly available, Microsoft will release the patch as soon as it's written.

    • Re:Monthly patches? (Score:3, Insightful)

      by BrynM ( 217883 ) *
      I thought about that too. It's reflective of Microsoft's attitude torward exploits: If no one releases a flaw publicly, then no one will exploit the flaw before the patch is out, right? Unfortunately for MS, we live in the real world and flaws will be exploited regardless of whether or not it's on Microsoft's schedule. I imagine that the scheduled update method will eventually bite them in the ass, but by then they would have already made a big show of "improving" security and the patch/update process - jus
    • Yes, I do. [slashdot.org]

      But M$ promises to put out a patch immediately if it's "critical".

    • Re:Monthly patches? (Score:5, Insightful)

      by Zocalo ( 252965 ) on Wednesday December 10, 2003 @05:43PM (#7683945) Homepage
      Actually, it makes a lot of sense in the context of Microsoft's closed source, security through obscurity approach. By having patches (if any) come out on a known date each month it allows efficient network admins to plan ahead and have time available to test it and patch their systems. Well, that seems to be the theory anyway.

      The obvious downside is what happens when a major new remote root exploit comes out like Blaster. However, in that case the news is all over the tech media at worst, and often the mainstream media as well, so there is nothing to stop Microsoft issuing an "emergency" patch or advisory in that case and have the word get out. Unfortunately, that apparently hasn't stopped them from failing to release a patch for the remote IE exploit [slashdot.org] announced a fortnight ago.

    • How I read it (Score:5, Funny)

      by swb ( 14022 ) on Wednesday December 10, 2003 @06:08PM (#7684219)
      I read this in October:
      In case you didn't get a chance to review the statement from Steve Ballmer last week, I will try to bring you all up to date on the new process for security alerts.

      The net of this all is that Microsoft is moving to a monthly security bulletin release schedule. This change was in response to customer feedback.

      After today, we will be releasing security bulletins on the second calendar Tuesday of every month. Today was the starting day, and was an exception.

      There are a couple of benefits to this new process:

      1) Switching to a monthly release cycle for security patches allows customers to install multiple patches with a single install and single reboot (using Qchain.exe, Update.exe and other similar tools). This will minimize downtime on mission-critical systems and will allow customers to consolidate the patch deployment to once per month.

      2) Another benefit of the monthly cycle is that it offers customers more time between releases of security patches. This allows customers to evaluate, test and install patches in their computing environments in a timely manner. The release schedule is also more predictable and allows customer to plan in advance for deploying patches.

      You may notice as well that the format of the bulletins has changed, so when you view the bulletin from the link inside of the security alert email, you will notice the sections of the bulletins have changed a bit.

      The change in this process is in order to make it more predictable for our customers so that you can plan and implement patches as quickly as possible.

      If you have any feedback on this new process, please feel free to let me know and I will pass it along to the security team directly.
      Which I translated as:
      We were so humiliated by the never-ending barrage of security vulnerabilities in our products that in order to enable our sales force to make any headway at all against Linux/IBM/Sun we decided to bundle all our security vulnerabilities into a once-per-month release. Our analysis of MSN News and Entertainment Tonight indicates that on our chosen date, the second Tuesday of the month, people are much more likely to be preoccupied with Ben 'n' Jen and the previous day's sporting events, and will easily overlook the most recent worm/virus/breech attributable to our bloated, unmanageable software base.

      The other reasons for the new monthly cycle are that since we'll be dumping more patches into a single file, you'll need more time to debug, back out or ultimately rebuild systems corrupted by patches that will also include special new "features". We also think that our new monthly cycle will coincide with your or your spouses' monthly cycle, allowing you to be victimized by uncontrolled emotional outbursts in one tidy week, instead of having it spread out all over the month.

      Thanks again for buying Microsoft.


  • fill in joke here (Score:3, Funny)

    by daeley ( 126313 ) * on Wednesday December 10, 2003 @05:26PM (#7683720) Homepage
    "They haven't got a clue."

    ...Yes, well...

  • I got it (Score:2, Informative)

    by Sklivvz ( 167003 ) *
    My machine got patched this morning, and I thought "funny, didn't microsoft say no patches for this month?" and then i saw they were dated november... but it was too late.

  • The reason ? (Score:3, Funny)

    by frodo from middle ea ( 602941 ) on Wednesday December 10, 2003 @05:27PM (#7683737) Homepage
    Simple, there is a bug in the patch issuing s/w which needs to be patched .

  • Uhhh, they DO know? (Score:5, Interesting)

    by LookSharp ( 3864 ) on Wednesday December 10, 2003 @05:27PM (#7683739)
    ...They haven't a clue.

    On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

    It looks like someone modified a patch. When a patch gets updated, the KB articles (and often the fixes) are auto-published.

    I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!

    • I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!

      Because someone broke into Microsoft's network (again) and updated the patches with trojen?

    • This is correct. We run SUS, and this morning I came in to find about a half dozen new fixes, all for the month of November! I didnt really think much of it at the time.
    • I'd be more interested in knowing why some corporate SUS (Software Update Services, like an in-house Windows Update) subscribers were reporting to NTBugTraq today that they got about a DOZEN updated patches last night!

      I wouldn't be surprised if this was because the monthly schedule for SUS is out of sync with the main release schedule.

      I run a SUS via SMS system, and last month's definition file for it didn't include MS03-051 (which I think is the Frontpage extensions patch). I believe this was because th

    • Re:Uhhh, they DO know? (Score:3, Interesting)

      by Zak3056 ( 69287 )
      Two things:

      1) In answer to your suggestion that Microsoft knows what happened, allow me to point out a comment in the text that you yourself quoted:

      The company is still investigating why and how the patch was reissued.

      Not only do they not know WHY someone released a patch, they don't know HOW either!

      Secondly, I'm also curious. I run an SUS server, and here's my sync log from last night:

      Automatic Sync Started- Wednesday, December 10, 2003 2:00:07 AM Successful
      Updates Added:
      Critical Update for Wind

    • Re:Uhhh, they DO know? (Score:5, Insightful)

      by MMaestro ( 585010 ) on Wednesday December 10, 2003 @05:49PM (#7684028)
      Its inevitable. The larger the company/corporation the more likely it is for someone to forget to talk to someone else. In large companies such as Microsoft, you'll sometimes have two or three groups doing the same project, doing the same work, and the same research but not be aware of each other. Thats one of the (major) advantages small business have over large ones. Its easier to take the elevator down a floor and talk to group B than it is to setup a teleconference with group halfway across the globe.

  • Curious (Score:4, Funny)

    by bluedust ( 731676 ) on Wednesday December 10, 2003 @05:28PM (#7683746) Homepage
    Imagine a Microsoft product doing something without reason...

  • What's the big deal? (Score:5, Insightful)

    by TwistedSquare ( 650445 ) on Wednesday December 10, 2003 @05:28PM (#7683752) Homepage
    On Wednesday morning, Microsoft discovered that a glitch in the patching process resulted in a November fix not being applied to some Windows XP computers. The same patch was sent out again via the Windows update service on Tuesday night.

    The patch was due out in November, but it got missed so they re-issued. It's sort of going against what they said but it's understandable and I doubt it will make the world stop spinning. Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.

    • Re:What's the big deal? (Score:4, Insightful)

      by sbennett ( 448295 ) <spb.gentoo@org> on Wednesday December 10, 2003 @05:31PM (#7683792)
      Why is this front page slashdot?

      Simply because Slashdot will take any and every opportunity to make Microsoft look bad.

    • Any other company than Microsoft yes (Score:3, Interesting)

      by Anonymous Coward
      Any other company like Microsoft no, the catch being of course that there arent any other companies like Microsft. Microsoft is singled out because it stands alone in its class, and it is an undeniable adversary of the GPL ... no other reason.

    • That's right (Score:5, Insightful)

      by truthsearch ( 249536 ) on Wednesday December 10, 2003 @05:46PM (#7683988) Homepage Journal
      If it had been any other company than Microsoft it never would have been news.

      But it wasn't any other company. It's the company that believes it knows what's best for everyone. The same company that believes it deserves to control all software on Earth. When they make a "big" policy change, even these insignificant ones, and then mess it up right away, it's news.
    • I find in this that it's a sad thing that Microsoft can't seem to manage their own affairs, the left hand doesn't know what the right hand is doing and the utter lack of control.

      So, it's not a big deal that they issued a patch, it's a big deal that they are freaking out about their ignorance of their own systems, procedures and processes..

    • Why is this front page slashdot? If it had been any other company than Microsoft it never would have been news.

      True. The reason why this is on the front page of slashdot is, as an AC trolled:

      Any other company like Microsoft no, the catch being of course that there arent any other companies like Microsft.

      Of course, said troll quickly gets to the trolling, but the first part is dead-on. Microsoft is big, they're more relevant to slashdot users than any other company.

      Then again, the submitter word

  • Where is Edward James Olmos? (Score:5, Funny)

    by charlieo88 ( 658362 ) on Wednesday December 10, 2003 @05:28PM (#7683754)
    So the computers are patching themselves now, are they?

    When exactly was it that the Cylons are supposed to attack?

  • SUS at least makes this easy. (Score:5, Insightful)

    by Coaster-Sj ( 614973 ) <aspenwindNO@SPAMhotmail.com> on Wednesday December 10, 2003 @05:28PM (#7683757) Homepage
    Ever since we started using Software Update Services this has been cake.
    All the clients just pull the windows critical updates that we approve from OUR servers.
    I feel sorry for anyone who is trying to run around and do them by hand.
    • Ever since we started using Software Update Services this has been cake. All the clients just pull the windows critical updates that we approve from OUR servers. I feel sorry for anyone who is trying to run around and do them by hand.

      Really? It sucks for us. Our SUS client is pointed at our corporate server. When corporate decides a patch should be installed, it gets installed on our systems. The problem? I am in QA, and our systems started acting goofy lately. In particular, our Rational applicatio

  • There's only some bugfixes of recent patches. This means that there was updated versions of patches, but not any "new" stuff.
  • The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

    Too bad Mary Wollstonecraft Shelley wasn't alive today. "Frankenstein" could be re-written as a terrible monster bent on world domination that in order to survive must feed on a never-ending stream of patches.

  • Transcript (Score:4, Funny)

    by blogboy ( 638908 ) on Wednesday December 10, 2003 @05:29PM (#7683768)
    "Hey Bob...did you patch this?" "No, I thought you did." "Phil!" "What?" "Is this your patch?" "Not me. No patches in December, remember? It's our gift to the world." "Then who the hell...hey Eddie!" "Not now...I'm trying to track down this patch..." "Crap."

    Fin.

  • Microsoft did the right thing (Score:5, Insightful)

    by spitzak ( 4019 ) on Wednesday December 10, 2003 @05:29PM (#7683776) Homepage
    If I understand this right, there was a bug. Maybe this bug was introduced by the previous patch, or maybe the previous patch did not work as expected, or whatever, but no matter what the reason, there was a bug, they could fix it, and they sent out a patch. That is the correct behavior.

    They were probably being pretty stupid to say "no new patches". Due to Murphy's law, that guarantees that a problem will come up within days. Probably if they said "we are going to issue more patches than ever" then suddenly all their programmers would start have trouble finding bugs or figuring out how to fix them...

    Anyway we can laugh at marketing for the "no new patches" but technically they did the right thing.
  • and I got it. It managed to hose my system to the point that I had to pull out all the RunOnce and Run entires in the registry for my system to get going. I am unsure what the patch did..

  • And... (Score:5, Funny)

    by Nom du Keyboard ( 633989 ) on Wednesday December 10, 2003 @05:31PM (#7683796)
    It moved to a fixed schedule of monthly patches to make the process more predictable for network and system administrators.

    ...and virus writers.

  • RTFA. jesus (Score:5, Informative)

    by User 956 ( 568564 ) on Wednesday December 10, 2003 @05:31PM (#7683799) Homepage
    the boys at Redmond were scrambling today to figure out why some systems are being patched. The reason? They haven't got a clue.

    The do have a clue. Read the article. It's because a November patch for frontpage wasn't applied to some machines.

    • no no no, rtWfa (Score:5, Informative)

      by White Shade ( 57215 ) on Wednesday December 10, 2003 @05:40PM (#7683907)
      if you read the WHOLE article you find this:

      The same patch was sent out again via the Windows update service on Tuesday night. The company is still investigating why and how the patch was reissued.

      So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of overstatement, but they certainly don't have the whole clue.
      • So, they have a reason for it to be released, but they don't actually know why or how it got released... so... maybe 'they haven't got a clue' is a bit of overstatement, but they certainly don't have the whole clue.

        I meant the comment as a double entendre. Not only are they clueless as it pertains to issuing patches for their products, but Microsoft is simply clueless when it comes to security as a whole (aka www.trustworthycomputing.com [trustworthycomputing.com]). I mean seriously! Two years of shouting how serious they are abo

  • I dont' get it... (Score:5, Insightful)

    by chill ( 34294 ) on Wednesday December 10, 2003 @05:32PM (#7683808) Journal
    The idea of monthly patches was to ease the burden on corporate sysadmins.

    MS makes an update server freely available, and it can serve XP Pro, NT Workstation and 2000 Workstation -- the official corporate clients.

    How hard is it to have your central corporate update server get the patches DAILY, if necessary, and push them out on a schedule with SMS? Or a login script, or...

    This also gives the sysadmin time to regression test some patches if that is their policy.

    Big business clients -- you know, the ones benefitting from the monthly schedule -- shouldn't be using Windows Update anyway!

    -Charles Hill
    • With SUS its very easy. We have our SUS server sync up with the Windows Update every morning at 4 am, then I manually test and approve each patch for deployment. Then it is automatically installed upon reboot of the users machines. Very simple and easy.

    • Re:I dont' get it... (Score:4, Informative)

      by Anonymous Coward on Wednesday December 10, 2003 @06:02PM (#7684173)
      It's WAY WAY more complicated than that. Have you even worked at a big company? Like, say, a company with 60,000+ employees, all on disparate systems across many regions of the world? We've got branch offices that still run Windows 95, and it's not even our fault! We only recently acquired them!

      To top it off, we have frequent problems where patches and security policy updates BREAK our programs. We can't just push it out to every client. We have to be ABSOLUTELY certain that we don't interrupt our employees ability to work. We are a Bank afterall, people DO NOT like it when their Bank can't give them their money.

      You can't just gloss over this problem, it's an INCREDIBLY difficult problem. The only real solution is for MS (not just MS though, everybody) to stop releasing crappy software in the first place. Until that happens we're going to continue to be screwed no matter what we do.

    • Re:I dont' get it... (Score:2, Interesting)

      by Anonymous Coward
      As far as I'm concerned, the monthly schedule makes it more difficult for ths sysadmin. When you get a flood of patches released on the same day does that really make it easier? Not for me, it just adds to my headaches. With weekly patches, I could review and plan a patching strategy at my convenience. And not apply too many patches at once, so there was some hope of discovering which patch screwed up the PC afterwards. But now, it's a nightmare. And it isn't helped by Microsoft releasing updated patc

  • It's not a patch (Score:5, Funny)

    by spidergoat2 ( 715962 ) on Wednesday December 10, 2003 @05:32PM (#7683814) Journal
    It's an undocumented upgrade.

  • It' MS's fault (Score:5, Funny)

    by nytes ( 231372 ) on Wednesday December 10, 2003 @05:33PM (#7683821) Homepage
    They keep sending me those security patches in email, and I keep applying them. I wish they'd stop it.

  • Obligatory Treasure of the Sierra Madre quote (Score:5, Funny)

    by adso ( 469590 ) on Wednesday December 10, 2003 @05:34PM (#7683828)
    Patches? We don't need no stinking patches!
  • The article states that Microsoft is making the patch process more intuitive and easy to use. How much easier could it be than opening a link to a web site, pressing scan, reading a list of results with descriptions and selecting the ones you want?

    I mean, are people retarded or something? My grandpa who could barely figure out how to use a mouse was able to do an update of his computer after some simple instructions.

    I suppose they could just have your PC patch itself by default but in my opinion that woul

  • Interesting...... (Score:2, Informative)

    by vwjeff ( 709903 )
    I went to Windows Update like all users should (must)do and found one patch for Win XP. It is a Frontpage Server Extensions Patch. It looks pretty serious and I can see why they would want it released quietly. Here's the URL:

    http://support.microsoft.com/default.aspx?scid=k b; en-us;810217

  • Uh oh.. (Score:2, Insightful)

    by devphaeton ( 695736 )
    You mean the patch i just installed is a MYSTERY TO MICROSOFT TOO?

    Holy shit! ....at least that's what i was thinking when i read that headline. like "oh great, now some ghey crax0rz have infiltrated Windows Update....

    *whew*, i think..
  • "The Reason? They haven't got a clue."

    Double Entendre: a word or expression capable of two interpretations

    aka: Microsoft is clueless.

  • No, they have got a clue. (Score:3, Insightful)

    by Rahga ( 13479 ) on Wednesday December 10, 2003 @05:39PM (#7683889) Journal
    See, here's how it goes.

    -Microsoft knows their software is weak when it comes to security.

    -Microsoft pleads to the security community not to make any vulnerabilities public prior to notifying them for at least a few weeks, and sues everyone who doesn't fall in.

    -Microsoft reveals the reason it wants vulnerabilites not to go public.... So CTOs can claim that security updates only happen every month rather than every day, keeping their job intact and making more money for MS in the long run.

    -Somebody who cares about security rather than marketing posts a needed FrontPage Extensions update.

    See.... someone at Microsoft has a clue. They just don't talk to the marketing folks. I don't blame 'em.

  • WTF? (Score:5, Insightful)

    by ChangeOnInstall ( 589099 ) on Wednesday December 10, 2003 @05:42PM (#7683928)
    How can a company claim that:

    There will not be any patches issued in the month of december

    and

    they release patches more promptly than Linux vendors?

  • What is the benefit of no patches in Dec? (Score:3, Interesting)

    by zapp ( 201236 ) on Wednesday December 10, 2003 @05:43PM (#7683939)
    Any ideas why this would be beneficial at all? Are they going for the record thing, like some work places have a big sign that say "It's been days since the last workplace injury"? Are they trying to say "hey, Windows is secure! See, no patches released in days"?

    What if a highly critical bug is discovered tomorrow, something big enough that several exploits are in the wild by next week? Will they release a patch then, or will they stick to their policy and hold out on us until 2004?

  • Addendum (Score:5, Funny)

    by tds67 ( 670584 ) on Wednesday December 10, 2003 @05:43PM (#7683942)
    In October, Microsoft committed to making its patch-release schedule more regular, by only publishing patches on the second Tuesday in each month.

    In other news today, the Cracker community announced it would commit to new virus and worm releases on the second Wednesday in each month.

  • Whatever happened to One Service Pack behind? (Score:5, Interesting)

    by mr_lithic ( 563105 ) on Wednesday December 10, 2003 @05:43PM (#7683955) Homepage Journal
    It used to be the standard method of dealing with Microsoft Service Packs that you never deployed the latest one on your boxes. You always stayed one step behind. This practice was proved right with the Service Pack 6/6a debacle.

    With automatic patching of machines from Windows Updates at Microsoft, it seems that everyone is thrown into chaos at the same time.

    Do we really trust Microsoft enough to think that they will get their updates right everytime?

    • Re:Whatever happened to One Service Pack behind? (Score:5, Informative)

      by lurker412 ( 706164 ) on Wednesday December 10, 2003 @06:13PM (#7684254)
      Well, last month's cumulative update for IE6 broke the normal behavior of clicking in a scroll bar to page down. AFAIK, Microsoft has not issued an updated patch. After backing out the offending patch (which affected more than just IE), I switched to Firebird, and have been happy with it.

      Automatic updates are really convenient for home users, but there is no easy way to stay one release behind. Some patches are standalone, others are bundled. Some cannot be uninstalled. Some require the presence of previous patches. It has become such a burden to stay current that it is not surprising that even people who should know better don't bother.

  • You can keep using smaller and smaller patches, and eventually, you can stop smoking.

    Or, you can keep using larger and larger patches and eventually become a smoker.

  • Monthly patches are stupid (Score:5, Interesting)

    by Anonymous Coward on Wednesday December 10, 2003 @05:47PM (#7684009)
    As someone who has to keep over 1000 clients patched, I have no idea what they're talking about when they say "admins want this".

    You know what admins want? I'll tell you. They want to know about bugs AS THEY ARE FOUND, not AS THEY ARE PATCHED, so that we can block ports/attachments/capabilities and aren't sitting there vulnerable for months waiting for a patch. Then, when we get the patch, we want the patch to work. Lastly, we want products that aren't as much in need of patches. Are you listening? That's my top 3 requests--I don't give a rat's ass about monthly patch releases.

    Here's how it works out in the real world, Microsoft. Nobody trusts your patches. After you release them, do you think we just cross our fingers and install the thing? Hell no. We do a test deployment, let it run for a few weeks, and if there aren't any problem, THEN we do the general deployment. And guess what? Frequently, we find problems with your patches and don't deploy them at all.

    So this leaves us vulnerable. Sure, that's bad, but we were ALREADY vulnerable the whole time we've been using this software, and more alarmingly, we were vulnerable and you knew about it and didn't tell us while you were working on a patch.

    We didn't choose to be vulnerable when we chose not to install your broken patches, we chose to be vulnerable when we chose to use your products.

  • No no NO! Microsoft is COMMITTED to Security! (Score:4, Funny)

    by Ridgelift ( 228977 ) on Wednesday December 10, 2003 @05:54PM (#7684081)
    Lest we forget...

    www.trustworthycomputing.com [trustworthycomputing.com]

  • Windows Update became self-aware! (Score:5, Funny)

    by BigGerman ( 541312 ) on Wednesday December 10, 2003 @05:57PM (#7684114)
    head for the hills
  • I literally just patched to get the icon off my systray..
  • Spammers keep emailing me these damn >100k attachments promising to patch up my OS, thereby filling up my entire inbox. Maybe those people should be investigated.

  • Everywhere? (Score:3, Insightful)

    by greygent ( 523713 ) on Wednesday December 10, 2003 @06:06PM (#7684202) Homepage
    One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.

    Seems like they've released yet another patch every other day this month. I know it hasn't been quite that many, but it's been several, and much more than Microsoft.

    Could we have a little more fact, and a lot less Microsoft FUD? It makes Slashdot look rubbish.

    The "Linux community" could stand to ridicule less and study their enemy more. Then maybe they wouldn't be slowly slipping behind the Windows Server platform more and more in providing more of the features people need.

    • Re:Everywhere? (Score:3, Insightful)

      by LizardKing ( 5245 )

      One patch isn't "patches, patches everywhere!". If you want to see "patches, patches everywhere" for the month of December, look at Red Hat 9.

      I'd sooner trust an operating system vendor that releases prompt patches to small portions of their product, than some cowboy outfit who release occasional mega patches to their product. Besides, comparing the number of patches to RedHat 9 against those for Windows is bullshit. The typical Linux distro includes a large number of genuinely useful software packages,

    • Rubbish? *snicker* (Score:3, Insightful)

      by freeweed ( 309734 )
      Microsoft FUD? It makes Slashdot look rubbish.

      Actually, it makes Slashdot look like Slashdot.

      Once again, we seem to have an influx of new Slashdot readers and posters. Let me spell it out for you: THIS SITE IS DECIDEDLY PRO-LINUX, PRO-OPEN SOURCE, AND ANTI-MICROSOFT. It has been since day one, and it will be until MS acquires OSDN or whoever the owner is. Deal with it, stop your bitching, and if you don't like it, there are plenty of pro-Microsoft newssites out there.

      Yeesh. Every story lately these peop

  • This isn't the only patch (Score:3, Informative)

    by Malc ( 1751 ) on Wednesday December 10, 2003 @06:09PM (#7684230)
    The story talks about a patch for FrontPage. Well, there was a patch for Windows XP Media Center Edition machines today too. So there :P

  • Patches.... (Score:5, Funny)

    by Dj ( 224 ) on Wednesday December 10, 2003 @06:37PM (#7684524) Homepage
    Patches want to be free!

    This is the first action of the Patch Liberation Front!

  • If you wanna talk SUS... (Score:3, Interesting)

    by little_fluffy_clouds ( 441841 ) on Wednesday December 10, 2003 @07:15PM (#7684872)
    Not only did they release a patch - they removed a bunch and reissued quite a few. Here is the log from last night's SUS sync...
    (Note if you don't know what SUS is, try http://susserver.com/)

    Automatic Sync Started- Thursday, 11 December 2003 12:59:56 AM Successful

    Updates Added:

    Critical Update for Windows XP Media Center Edition 2004 (KB830786) - KB830786_WXP_MCE2_ENU_c512cb910f28d8b6051537519556 0b3.EXE

    Updates Removed:

    810847: February 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - Q810847_B3CA04E8D113EBDE0D561AB3AFAA02EBC3922F36.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q813489_7526690df0c1e078957b0d83f8018c0.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.01 Service Pack 3 - q818529_1d67aa22e752bb5ca55eba289ee1e9f.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 5.5 - Q324929_E34CB7562E3FADE04E0FBA7A8DF20236ABFC6C46.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - Q810847_102065CAD52C737EBBF4422AEF2CAC5E100B6EFA.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q813489_8ebdafa9c0f5c09d0678826b4c04de5.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 5.5 Service Pack 2 - q818529_d8d150d39cc718ff858be51239ea081.exe

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 - Q324929_55049C7F14E3EFF258F10F95FE0A3C179833CB17.E XE

    Q324929: December 2002, Cumulative Patch for Internet Explorer 6 SP1 - Q324929_A90F1A87F766965A4D0FC5F1395F3E808ABE7D27.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 - Q810847_DDE9BE0E09FF7E261B1E32AFF6F597FA27A72B6A.E XE

    810847: February 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - Q810847_C3902604B28A9E2AAD419E883ACC553FD69B84F9.E XE

    813489: April 2003, Cumulative Patch for Internet Explorer 6 - q813489_2fd2c598d4beecc513c2798f443cf8e.exe

    813489: April 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q813489_3a4cba12c72c64d461b611365375bc9.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 - q818529_5a71949492d46d5a9ed0713ed68cc98.exe

    818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - q818529_94327511db0b86d509decf6a3becf73.exe

    818529: June 2003, Cumulative Patch for Internet Explorer - WindowsServer2003-KB818529-x86-ENU_0f07225ca313bf4 5fe205783dd059d0.exe

    Reissued Update(s):

    Security Update, February 14, 2002 (Internet Explorer 5.5) - VBS55NEN_A76B47D34E497BB2C14BA3CBED923CC042406C8B. EXE

    Security Update, March 7, 2002 - Q313829_F56D00FEAAE71A0F246EA0A042B92AEEEC822F9D.e xe

    814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) - js51nen_8812c08817b46676876f0e06a3cda5b.exe

    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) - JS56_DB18C6EA0F4E8522715BEEA284F6843ECE71D944.EXE

    Windows 2000 Service Pack 4 Network Install for IT Professionals - w2ksp4_en_7f12d2da3d7c5b6a62ec4fde9a4b1e6.exe

    Flaw In Windows Media Player May Allow Media Library Access (819639) - WindowsMedia9-KB819639-x86-ENU_bfd620da8e1529c3e4f fadfb93f33fa.exe

    Q329390: Security Update - Q329390_WXP_3F60064794271F0053892985402FE5B6679D3F 2D.EXE

    Q329115: Security Update (Windows XP) - Q329115_WXP_SP2_X86_1D09793FAF21249FEBCC160D341612 338DFD3154.EXE

    Security Update for Windows XP (KB810217) - WindowsXP-KB810217-x86-ENU_696190f151ea0bcb063f0a8 9471e45b.exe

    Q811114: Security Update (Windows XP or Windows XP

  • Stealth Patch (Score:3, Interesting)

    by nurb432 ( 527695 ) on Wednesday December 10, 2003 @07:42PM (#7685110) Homepage Journal
    Sort of disconcerting if they don't have enough 'quality control' to even know who put the patch into effect to be distributed..

    Considering the ramifications of patches and their 'assumed authority' with autopatch, this is a very bad blunder.

  • I still do not see the advantage (Score:4, Insightful)

    by stealth.c ( 724419 ) on Thursday December 11, 2003 @12:09AM (#7686898)

    ...in announcing regular times when you WONT be issuing patches. What if a new flaw is discovered? Shouldn't you get the patch out ASAP? Wouldn't that be best for customers if a big security hole was discovered that needed to be FIXED NOW? (Pre-SP1 XP, anybody?)

    If sysadmins wanted a monthly patch schedule, they're smart enough to do it themselves. Check WindowsUpdate every month, get all the new stuff, rinse & repeat every 30.4375 days.

    I fail to see the advantage in Microsoft deliberately delaying fixes to problems that, for some, can be very very immediate.

    This almost reminds me of a time when Konqueror and IE had an SSL security hole [theregister.co.uk]. While Microsoft buried its head in the sand [theregister.co.uk], the Konq guys just solved the damn problem (in a matter of hours [hackinglinuxexposed.com], if memory serves).

    Maintaining important software is only hindered when some buraucratic colossus feels the need to babysit the process.

Slashdot Top Deals

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Close