Microsoft Plans Largest-Ever Patch Tuesday

CWmike writes "Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008." Update Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."

Wring. 13 advisories with 34 issues. RTFM

[seifried]

http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx [technet.com]

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

Re:Windows 2000?

[Opyros]

Extended support hasn't ended just yet [microsoft.com].

Re:in the last patch supertuesday

[Darth_brooks]

I used to say that. Then we got forced onto Lotus Notes.

and when I get to Heaven To St. Peter I will tell: "One more Notes user reporting, Sir -- I've served my time in Hell."

13 Patches != 13 Flaws

[Ralish]

I was about to bitch about the submitter/moderator not RTFA, but it turns out, the article doesn't mention it either, so I'll clarify instead: thirteen updates are being released which together address thirty-four security vulnerabilities of varying severity across varying products (ten of which are targetted at Windows). So, that's NOT thirteen flaws (plenty more actually), just thirteen updates, some of which (all?) address multiple flaws in the particular system they are targetted at. Of course, this is just the advance notification, so full details about how many vulnerabilities each update addresses and the general information on them won't be released until the patches are next Tuesday. I think it's also worth nothing (although the summary of course neglects to mention it) that the good aspect of these updates are both major zero-day exploits (targetting IIS & SMB 2.0) are patched with these updates.

And while I'm posting, why does Slashdot insist on linking to shitty tech magazine articles (poorly) summarising the raw and accurate data straight from Microsoft? Seriously, I'm not sure if it's some sort of aversion to linking to MS, but they're the ones doing the patching, so it follows that they have the best, newest, most accurate data on them, and they'll likely be the first to provide updates on their content. These articles are just summarising what Microsoft has published on their various web-sites, and being a summary, they provide a lot more information and raw data:

Microsoft Security Bulletin Advance Notification for October 2009 [microsoft.com]
October 2009 Bulletin Release Advance Notification [technet.com]

Re:The more crap you add...

[dave562]

The number of patches and whether or not Windows or *nix requires more is pretty much a moot point. Both systems need to be updated regularly and both are vulnerable to automated vulnerability scanners that are being run 24/7 on compromised boxes. I won't re-tell the tale here, but you can check my journal if you want to read about the most recent tale of an Ubuntu box that I setup getting owned in under a month. Any OS that falls behind on patches becomes an exploitable target.

Re:...Patch Tuesday

[Mr. Roadkill]

That's now at www.wsusoffline.net

Re:Wring. 13 advisories with 34 issues. RTFM

[shutdown -p now]

Fortunately just the once. You can thank Windows insane file locking (easy to establish a lock

To clarify what this means, Win32 API function CreateFile, which opens files, locks them for exclusive access if the argument in which lock flags are passed is set to 0. In other words, the default is "lock for everything", and you explicitly have to opt out of that by specifying things like (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).

This has a minor advantage in that stupid people often forget to lock their files properly, and then applications crash (or silently corrupt data) because they don't expect someone else to write at the file they've opened, and don't handle it properly. But it also has a major disadvantage in that every lazy bastard just passes 0 there and locks file for exclusive access, rather than for the minimum that he needs.

Re:What's the Canadian holiday?

[camperdave]

"What's the Canadian holiday?"

That would be Thanksgiving.

Re:Security & Stability

[DrXym]

Certain FEATURES touted as a + for Windoze eg OLE never made it into Unix since their design required the OS to be broken by design and the developers declined to do it.

Erk, there is nothing inherently wrong with OLE, ActiveX or anything else in COM. At the end of the day they're just a means to embed or utilise one program from another. And yes GNOME/KDE have their equivalents. The problem has nothing to do with the OS but in the way IE promoted ActiveX, including automatic installation and the broken assumptions underlying its trust model such as the safe for scripting flag. Basically IE let you instantiate any control installed in your system so long as it was tagged safe for scripting. Even inadvertant bugs in the automation interface of a control could be exploited in drive by attacks.

Other browsers such as Mozilla, Opera etc have their own plugin solutions which are conceptually little different from ActiveX controls. Netscape/Mozilla has various used NPAPI combined with LiveConnect/XPConnect for scripting. The big difference historically was it was more of a pain in the ass to install a plugin than a control so the consequence of an exploit was minimized. It still doesn't prevent exploits happening though as the recent vulnerabilities in Flash Player 10 demonstrate.

Re:Typical Bullshit

[TooMuchToDo]

http://www.redhat.com/spacewalk/ [redhat.com]

We use it to manage several thousand linux servers that store and process the data that's about to come from one of the LHC detectors. Handles provisioning, RPM updates, etc. And yeah, it'll work with Linux desktops.

Re:Typical Bullshit

[smash]

Just to elaborate... WSUS, which is free and easy to set up, enables me to push patches to hundreds or thousands of boxes, and report on the status of each box or what machines are missing any or all patches at the click of a button. Downloads will run whenever the machine is online and start/stop as required, using BITS.

Can you do this on Linux? Maybe. Its certainly not standard, and a lot more work. Can you automatically updates unix boxes? Sure - but to set up the monitoring of the process, its a lot more work, and more likely will require an admin to read/interpret logs.

Sure, linux/unix machines are generally a bit less patch dependent to stay secure, but the Windows patching process is relatively painless if you set up a wsus server. All you need is a spare machine (even running XP, from memory) with plenty of disc, and a method of pointing machine's windows update server registry entry at it - eg with group policy or a login script.

If redhat, suse or whoever can offer something similar that is as easy to set up and monitor, they'll certainly help get *nix easier to support as an end user OS.

Re:Wring. 13 advisories with 34 issues. RTFM

[Abcd1234]

To clarify what this means, Win32 API function CreateFile

Actually, the real issue is that OpenFile does the exact same fucking thing. The result is that you can't replace things like existing DLLs on a live system because you can neither delete them nor overwrite them so long as an application has the DLL open (and that includes Windows itself).

Linux, OTOH, thanks to it's Unix underpinnings, will happily let you delete an open file... the inode just goes away once all references to it have been closed. Meanwhile, any new applications which open the file will see the new version (which is attached to a new inode).

Re:Security & Stability

[TheRaven64]

ActiveX wasn't such a horrendous idea. It is basically a fast way of deploying (and keeping updated) native Windows components that you can tie together with HTML and scripts. For a corporate Intranet, that kind of functionality is useful if you're willing to standardise on a single vendor's stack.

The only mistake they made was the dialog box when a non-Intranet site tried to send you an ActiveX control. This shouldn't have caused a dialog box, it should have just been blocked.

Re:Typical Bullshit

[jaavaaguru]

Landscape [canonical.com]