Time to End Microsoft's Patch Tuesday?

buzzardsbay writes "Techtarget's resident security curmudgeon, Dennis Fisher, is calling for an end to Microsoft's monthly security patching cycle. Fisher points out that 'a hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'"
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday May 10, 2007 @01:52PM (#19070999) Homepage Journal

    Patch Tuesday - AKA: The day before the zero-day exploits are released.

    That's not true. They're released before the patches come out. Microsoft provides vulnerability information through a webpage now.

    All the more reason to ditch the patch tuesday, and just release patches when they are ready. As I have repeatedly pointed out otherwhere recently, if you want to install the patches monthly, you can wait for some arbitrary day of the month, and then install the patches.

    This is how Microsoft schedules patch releases, so doing this would preserve the existing behavior for those seriously confused people who prefer it. Waiting to release patches is bad for everyone, except the people profiting from exploits.

  • My Thoughts (Score:5, Informative)

    by KenshoDude ( 1001993 ) on Thursday May 10, 2007 @02:03PM (#19071265)

    I am the Sys Admin for ensuring that our roughly 1800 desktops and notebooks get updated with the latest updates. Microsoft's strategy is the very least of my concerns. The patches show up on WSUS the Wednesday morning after they are released. I read up on them, noting any "caveats" in the KB articles, and inform our help desk if I find anything significant. Then, I set my approvals and decline any superseded updates. The clients check in and install the updates over night. I am not sure where all this talk about long nights with Red Bull and whatever comes into play. If we have mission critical systems, we withhold approval for that group for a week or so until we are confident that there are no undisclosed "caveats." Super simple.

    I like having a regular schedule for updates. But I wouldn't mind a little more frequency. Why not the first and third Tuesday of every month? Sounds reasonable to me.

    Now if it were only that easy for all the other software vendors out there like Adobe (Acrobat / Flash), Sun (Java), and so on. Where are their enterprise patch management solutions? Why can't I configure my Java clients to check in to one of my servers to automatically apply security updates? Instead I have to spend more money on a 3rd party patch management solution. And I haven't found one yet that is as reliable and simple as WSUS.

  • by Zontar_Thing_From_Ve ( 949321 ) on Thursday May 10, 2007 @02:06PM (#19071331)
    Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit...

    You may be right. My previous job was with a company that did a lot of VAR stuff, including various email systems. It didn't matter to us what you wanted - Notes, Exchange, Unix, anti-virus, anti-spam - we could sell you whatever combinations you wanted. I didn't work with Exchange, but the Exchange guys told me that in the past they used to rush out and patch systems with every "critical" Microsoft patch release, and then they applied some patch that totally broke Exchange. The patch had nothing to do with Exchange, but it broke it. It took hours to fix the broken servers. After that fiasco, we regarded all Microsoft patches as suspect, and we had a group in another state, one of whose jobs was to test new patches on Exchange servers and see if Exchange still worked. It didn't matter to us how "critical" Microsoft considered a patch. We didn't patch any of our Exchange servers until our test group gave the OK, which was usually a month later.
  • by Tanktalus ( 794810 ) on Thursday May 10, 2007 @03:38PM (#19073043) Journal

    I still love the ability to replace in-use libraries. The only problems that ever crop up are when you dynamically load another library, and that library disappears (Windows doesn't help here, either), or its API changes (although usually that results in a new library name, so you still get the old one). If you still have a library loaded when it gets deleted, you maintain a filehandle to it so its disk space is not reclaimed or reused. Shut down all applications still loading the old library, and then the disk space gets reclaimed.

    I've updated X.org at least a couple times since the last time I restarted my X server. So I have a bunch of old libraries still sitting on my disk with no way to refer to them (well, there are ways to get them back involving funky lsof/proc tricks, but let's not go there). Nothing will overwrite them. But, when I feel I have the time, I can shut down all my X apps, restart my X server, and free up all that space. But I don't need to take down mysql, apache, or anything not X-based to do so.

    I don't get how anyone could consider this a bad idea. The only times it falls over is when people don't follow convention (change your library number when changing APIs!), or in cases that Windows will fall over, too (dynamically loading libraries that don't exist anymore - although that usually doesn't crash as hopefully most people catch the error return and handle it). Otherwise, it maximises the uptime of your server, so that you only need to restart programs that actually use your library when you want to.

    (PS - thanks for this thread - it answers a question my wife posed - why her windows machine rebooted overnight when she was in the middle of sorting digital photos to send to be printed, and there was no power outage.)

  • Re:End Patch Tuesday (Score:2, Informative)

    by badc0ffee ( 969714 ) on Thursday May 10, 2007 @03:45PM (#19073175) Journal
    But, I have switched to Linux. I still have to boot into Windows to download and apply the patches... if I remember to. Otherwise I just keep getting my daily Linux enhancements via yum and forget about Windows.

    As my weather radio keeps reminding me when there is a thunderstorm alert: "... and stay away from windows".

  • It's in my diary.. (Score:3, Informative)

    by Dynamoo ( 527749 ) * on Thursday May 10, 2007 @03:58PM (#19073429) Homepage
    Patch Tuesday is in my diary (well, actually the Wednesday because the patches are announced in the evening UK time). I have a change control provisionally made for EVERY post-Patch Tuesday Saturday to cover servers, and I also have an entry for the Friday before Patch Tuesday when the advance notification is made.

    This is the way it goes...
    Friday: Look at the advance notification to get an idea of the scale of the patches. Once or twice a year there are none... yippee!
    Wednesday: In the morning we closely analyse the patches to figure out the impact on our organisation. Servers and clients are differently impacted, so we look at this to see if we will need to patch servers. Patches are tested on some representative computer systems.
    Thursday: Raise the inevitable paperwork for any system changes and monitor for any issues.
    Friday: Check for issues with the patches and then authorise for client distribution via WSUS.
    Saturday: If necessary, patch those servers that are vulnerable. Claim overtime. Yippee.

    We know in advance when this is coming up. We can make plans. We ensure that someone always looks at the patches on Wednesday morning and does the analysis. It's a monthly event that we don't miss. This works pretty well.

    Sure, sometimes you need to apply an out-of-cycle patch... these are rare, but Microsoft seems to understand that they are needed. If we miss it, then we'll always pick up on it again later.

    Yeah, hardcore sysadmins might like to patch and reboot PCs every couple of days or so, but most sysadmins have other things to worry about than constant patching, and in my view Microsoft have the balance about right. (One of the few things I like about them!)
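The staged WSUS workflow that KenshoDude and Dynamoo both describe (decline superseded updates, approve new security updates to a set of representative machines first, promote to everyone else once nothing has broken) can be scripted. The following is an added example, not code from either poster; it assumes the UpdateServices PowerShell module that ships with WSUS on Windows Server 2012 and later (the 2007-era WSUS had no cmdlets), and the target group names "Pilot" and "Production" and the seven-day soak period are assumptions:

```powershell
# Added example: staged WSUS approval. Assumes the UpdateServices module and
# that computer target groups named $PilotGroup and $ProductionGroup exist.
param(
    [string]$WsusServer      = 'localhost',   # assumed: WSUS on this host
    [int]   $Port            = 8530,          # default non-SSL WSUS port
    [string]$PilotGroup      = 'Pilot',       # assumed group of representative systems
    [string]$ProductionGroup = 'Production',  # assumed group for everyone else
    [int]   $SoakDays        = 7              # assumed soak period before promotion
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port

# 1. Decline anything already superseded so clients never pull a stale package.
Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.IsSuperseded } |
    Deny-WsusUpdate -Verbose

# 2. Approve new security updates that at least one client reports it needs,
#    but only for the pilot group: this is the "test on representative systems" step.
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Needed |
    Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup -Verbose

# 3. Promote to production every security update that has been approved for
#    the pilot group for at least $SoakDays and is not yet approved for production.
#    Anything that broke a pilot machine is declined by hand before this runs,
#    so it never reaches this step.
$cutoff = (Get-Date).AddDays(-$SoakDays)
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status Any |
    ForEach-Object {
        $approvals = $_.Update.GetUpdateApprovals()
        $pilot = $approvals | Where-Object {
            $_.TargetGroup.Name -eq $PilotGroup -and $_.CreationDate -lt $cutoff
        }
        $prod  = $approvals | Where-Object { $_.TargetGroup.Name -eq $ProductionGroup }
        if ($pilot -and -not $prod) { $_ }   # emit only updates ready to promote
    } |
    Approve-WsusUpdate -Action Install -TargetGroupName $ProductionGroup -Verbose
```

Run it on the Wednesday after a release with the default parameters, and again after the soak period; the `-Verbose` output is the record of what was declined, approved and promoted. Mission-critical servers belong in a third group that is approved manually, as the posters do, rather than in `$ProductionGroup`.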

  • by ben there... ( 946946 ) on Thursday May 10, 2007 @04:02PM (#19073499) Journal

    (PS - thanks for this thread - it answers a question my wife posed - why her windows machine rebooted overnight when she was in the middle of sorting digital photos to send to be printed, and there was no power outage.)

    In case you're interested, since starting this thread I did some googling and came up with a solution for both XP Pro and Home.

    how to [ejabs.com]
    registry entries [microsoft.com] (works with XP Home as well)

    I guess this has been an issue for about 3 years for people, but it never bugged me bad enough to fix it until I started recording TV on this box. :-)
  • by ben there... ( 946946 ) on Thursday May 10, 2007 @04:40PM (#19074157) Journal
    Hey Tacvek, I think my other post [slashdot.org] might help you too. Specifically, set RebootRelaunchTimeout to 1440 to change that to 24 hours. A couple other options should help too.
  • by pe1chl ( 90186 ) on Thursday May 10, 2007 @05:33PM (#19075025)
    Unlike the Unix mechanism, where the library is replaced and you would need to voluntarily restart your application to make it use the new library, there is no easy way to update a DLL in Windows after it has decided a reboot is required.

    Windows Update will try to replace each file, and when it succeeds everything is fine. When not, it will put the file on disk under a different name, add a "rename" operation to a list, and continue with the next file. At the end, when the list is not empty, it requests a reboot. At reboot, the list is processed (the new files renamed over the old ones), and the list emptied.
    But merely stopping an application and closing the file that was in use will not make it rename that file and remove it from the list. You will need to reboot.
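The "list" pe1chl describes is the PendingFileRenameOperations value under the Session Manager key, which Windows fills via MoveFileEx with the delay-until-reboot flag. The script below is an added example, not code from the thread: it reads that list so an administrator can see which files are still waiting to be swapped in, reports whether a reboot is pending, and (covering ben there's tip above) writes the Automatic Updates policy values that govern how a client re-prompts for the restart, including RebootRelaunchTimeout. The registry paths and value names are the documented ones; the function names and the default of 1440 minutes are this example's own choices.

```powershell
# Added example: inspect the rename queue Windows keeps for the next boot and
# set the Automatic Updates restart policy. Reading needs no privilege;
# Set-AutoUpdateRebootPolicy needs an elevated session.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$auPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-PendingFileRename {
    # REG_MULTI_SZ of source/destination pairs. An empty destination means
    # "delete source at boot". Sources carry a \??\ prefix; a destination that
    # replaces an existing file carries !\??\.
    $raw = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $raw[$i] -replace '^!?\\\?\?\\', ''
            Destination = $dst     -replace '^!?\\\?\?\\', ''
            Operation   = if ($dst) { 'Rename' } else { 'Delete' }
        }
    }
}

function Test-PendingReboot {
    # A non-empty rename queue, or either of the servicing / Windows Update
    # marker keys, means the machine is still running the old binaries.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return [bool](((Get-PendingFileRename).Count -gt 0) -or (Test-Path $cbs) -or (Test-Path $wua))
}

function Set-AutoUpdateRebootPolicy {
    param(
        # Minutes between restart prompts after a scheduled install;
        # 1440 (24 hours) is the value suggested in the thread.
        [ValidateRange(1, 1440)] [int] $RelaunchMinutes = 1440,
        # Never restart automatically while a user is logged on.
        [switch] $NoAutoRebootWithLoggedOnUsers
    )
    if (-not (Test-Path $auPolicy)) { New-Item -Path $auPolicy -Force | Out-Null }
    Set-ItemProperty -Path $auPolicy -Name RebootRelaunchTimeoutEnabled  -Type DWord -Value 1
    Set-ItemProperty -Path $auPolicy -Name RebootRelaunchTimeout         -Type DWord -Value $RelaunchMinutes
    Set-ItemProperty -Path $auPolicy -Name NoAutoRebootWithLoggedOnUsers -Type DWord `
        -Value ([int]$NoAutoRebootWithLoggedOnUsers.IsPresent)
}

# Usage: show what is queued, then the overall verdict.
Get-PendingFileRename | Format-Table -AutoSize
"Reboot pending: $(Test-PendingReboot)"
# Set-AutoUpdateRebootPolicy -RelaunchMinutes 1440 -NoAutoRebootWithLoggedOnUsers
```

Running `Get-PendingFileRename` after a patch run, but before the reboot, shows exactly which binaries are still the old copies; until `Test-PendingReboot` returns false the host should be counted as unpatched in any vulnerability accounting, whatever the update console says.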
  • Re:SUS (Score:2, Informative)

    by TENTH SHOW JAM ( 599239 ) on Thursday May 10, 2007 @09:15PM (#19077549) Homepage

    Probably an oversimplification.

    It isn't a matter of deploying patches. Deployment of software is one of the main functions of a large network. It's a matter of choosing the patches.

    If you have 200 core software packages on your big network and a huge number of one-offs, then the patch must play nicely with 200 packages. Does it? Let's check. (test against app 1, tick, test against app 2 ...) OK, now deploy and hope it does not break too many one-offs.
