Microsoft Plans Largest-Ever Patch Tuesday
CWmike writes "Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008." Update: Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."
But will it let me buy stuff using paypal? (Score:4, Interesting)
EVERY version of Windows? (Score:5, Funny)
Does this mean that my Windows 3.1 box will finally get the DST update?
Re:EVERY version of Windows? (Score:5, Funny)
No, you'll have to move to Arizona. Sorry.
I'd rather use Windows 3.1 than live in Arizona.
Re:EVERY version of Windows? (Score:5, Funny)
Coming from someone whose ID is Tumbleweed?
You bet. Arizona's so bad the plants evolved to get outta there!
...Patch Tuesday (Score:4, Insightful)
Re:...Patch Tuesday (Score:5, Interesting)
Yes, I think there is something in that for all of us, don't you? *puffs pipe*
Re:...Patch Tuesday (Score:4, Insightful)
It's a very good security strategy to piss off all your customers with WGA and Windows Media bullshit until they all turn off automatic updates.
Re:...Patch Tuesday (Score:5, Insightful)
MS requires customers to install the new WGA on a regular basis. That is also nagging.
Re:...Patch Tuesday (Score:5, Interesting)
I built my system myself which means that I'm more than capable of grabbing a bootleg copy of Windows online. Instead I chose to pay for a copy of WinXP because the OS is a MAJOR part of my system and as such was worth the asking price. (And also because I'm not a thieving schmuck. If you don't want to pay use Linux.)
Ever since I've been hounded by WGA. I just want my system patched. Microsoft wants to verify "something", god knows what, every time I try to access patches. Their checker needs updating quite often. I don't know what it does. I don't know what info it sends them. I just know it's an annoyance, maybe a personal security risk. I can't patch without it. (Officially that is. I'm aware of "alternate" patch sources but how secure is that? Seriously now, come on...)
This is the thanks I get for dropping money on their product. I passed on Vista. I'll pass on Win7. Once this system has aged to the point of uselessness (translation: can't game any more) I'm going to Linux full time. Why? BECAUSE THEY ACT AS IF THEY OWN MY MACHINE, NOT ME. THAT pisses me off.
So f--- them. I'm done.
Re: (Score:3)
Aside from that, you CAN patch from MS themselves without WGA, using Offline Update [h-online.com]. You can even burn the resulting files to disk and take it with you for patching friends/families machines.
Re: (Score:3, Insightful)
Lessee...domain is h-online.com, refers you to patch files hosted at heise.de--yep, that's direct from Microsoft, all right!
Re: (Score:3, Insightful)
I am a legit user and I get burned burned by WGA all of the time. Ever try explaining to a customer why replacing the motherboard on their Acer means buying a new copy of windows?
You don't need to. It may be a pain in the ass, but you can call Microsoft and they will give you a new code. It even gives you the number when you try to activate it.
Re: (Score:2)
The geek is pissed off by what to anyone else is over and done with one or two clicks of the mouse.
Or quite often turned off and never used again.
Re: (Score:2)
You forgot Office Genuine Annoyance, too.
Why is it critical?
Long Weekend (Score:4, Insightful)
Re:Long Weekend (Score:5, Insightful)
How do people forget a password in three days?
Because people are stupid. A person is smart, but people are stupid.
One of the most strangely insightful comments in Men in Black from memory.
Re: (Score:2, Insightful)
Because people are required to memorize multiple passwords across many different systems, each with different password construction requirements and different expiration periods. Not to mention each system has a different login username and sequence. Then you wonder why people write their login information down on a post-it note on their desk. Too many passwords and usernames lead to greater insecurity. Don't blame them for forgetting a password among so many.
Re: (Score:3, Insightful)
How do people forget a password in three days?
Duh, the janitor who comes in on holidays keeps throwing out the post-its taped to the monitors!
What's the Canadian holiday? (Score:2)
Here in the US it'll be Columbus Day. ...you nitwit.
Re: (Score:3, Informative)
That would be Thanksgiving.
Re: (Score:3, Funny)
You just remember that next time you come asking for clean water to drink, my friend.
Heard this one from a buddy of mine who lived in Minnesota for a few years: "How do you find a Canadian in a room full of Americans? A: Start stepping on toes. Whoever says 'sorry' is the Canadian." It's funny because it's true.
Windows 2000? (Score:2, Interesting)
I couldn't find details in the article, but since extended support has ended... RIP win2k
P.S. unless it's not affected by this? but I think there are previous vulnerabilities which haven't been patched too so maybe win2k is already dead and I missed the boat.
Re: (Score:2)
so maybe win2k is already dead and I missed the boat
so maybe win2k is already dead and I missed the decade
There, fixed that for you.
Why is there never a link to a primary source? (Score:2)
I'm guessing windows 2000 isn't one of the operating systems that will be patched?
You're guessing wrong.
For details and a full listing of the affected software:
Microsoft Security Bulletin Advance Notification for October 2009 [microsoft.com] [Oct 8]
Re: (Score:2)
I remember them saying backporting some of the fixes from last month wasn't even doable to the W2K codebase. You're already obsolete.
in the last patch supertuesday (Score:2, Interesting)
i got this awesome bug fix such that Outlook now says "This copy of Office is not genuine. Click here to learn more online." in an unremovable toolbar
can't wait to see what gets patched next!
Re: (Score:3)
I wish they'd patch my work computer to do that, and in such a way that the IT department can't fix it. I hate Outlook, and I'd love a good excuse to not use it any more.
Re: (Score:3, Informative)
I used to say that. Then we got forced onto Lotus Notes.
and when I get to Heaven To St. Peter I will tell: "One more Notes user reporting, Sir -- I've served my time in Hell."
Re: (Score:2)
That's funny, because we're in the process of being switched from Notes to Outlook and I miss Notes terribly.
Come on, I can't even make the folder name font bigger without increasing the drop-down menu size for all of the programs?
Re: (Score:2)
Thankfully Office is considered quaint where I work. Anybody who wants to be taken seriously uses vi/emacs/kwrite/textpad and LaTeX.
Re: (Score:3, Insightful)
Well stop pirating office and you won't have those kinds of problems.
Re: (Score:2)
The extent of your vocabulary cannot conceal the fact that you're a cheapskate and probably a pirate. Microsoft software isn't digital content. It is content creation software. Tools are not free unless you want to write your own, or use tools that others provide you for free. There are plenty of them out there and you can feel free to use them. If you find a feature that your free tools don't have, pay for a tool that has the feature you want.
Bad luck (Score:5, Funny)
Wrong. 13 advisories with 34 issues. RTFM (Score:5, Informative)
http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx [technet.com]
For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.
Re: (Score:3, Funny)
So you are going to have to reboot more than thirty times to install this?
Re: (Score:3, Informative)
Fortunately just the once. You can thank Windows insane file locking (easy to establish a lock
To clarify what this means, Win32 API function CreateFile, which opens files, locks them for exclusive access if the argument in which lock flags are passed is set to 0. In other words, the default is "lock for everything", and you explicitly have to opt out of that by specifying things like (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).
This has a minor advantage in that stupid people often forget to lock their files properly, and then applications crash (or silently corrupt data) because they do
Re: (Score:3, Informative)
To clarify what this means, Win32 API function CreateFile
Actually, the real issue is that OpenFile does the exact same fucking thing. The result is that you can't replace things like existing DLLs on a live system because you can neither delete them nor overwrite them so long as an application has the DLL open (and that includes Windows itself).
Linux, OTOH, thanks to its Unix underpinnings, will happily let you delete an open file... the inode just goes away once all references to it have been closed. Me
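As an added example (not code from anyone in this thread), here is the Unix side of the comparison above, written in C for a POSIX system: an "updater" writes a new version of a library file and renames it over the old one while a "running program" still holds the old file open. The old descriptor keeps reading the now-unlinked inode (link count 0) until it is closed, which is why such a replacement needs no reboot. The function names `replace_file_atomically` and `run_replace_demo`, the `/tmp` directory and the `libdemo.so` file name are assumptions of the example; the Windows `CreateFile` behaviour (share mode 0 refusing the delete or overwrite) is not runnable here and is only mentioned in the comments.

```c
/* Added example: replacing a file that another process holds open.
 * On POSIX the rename succeeds and the old inode survives for the
 * existing descriptor; on Windows, a file opened with the default
 * CreateFile share mode (0) would typically cause the rename/delete to
 * fail with a sharing violation instead. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer, retrying on short writes. */
static int write_all(int fd, const char *buf, size_t n) {
    while (n > 0) {
        ssize_t w = write(fd, buf, n);
        if (w < 0) return -1;
        buf += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Atomically replace `path` with `contents`: write a sibling temp file,
 * fsync it, then rename over the target. Readers holding the old file
 * open keep the old inode; new opens see the new contents. Returns 0 on
 * success, -1 on failure (temp file is cleaned up). */
int replace_file_atomically(const char *path, const char *contents) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    if (write_all(fd, contents, strlen(contents)) < 0 || fsync(fd) < 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    if (rename(tmp, path) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Simulates a running program holding "libdemo.so" open while an updater
 * replaces it. Returns 0 when every expected property holds, otherwise
 * the number of the step that failed. Uses a private temp directory. */
int run_replace_demo(void) {
    char dir[] = "/tmp/unlink-demo.XXXXXX";   /* assumed scratch location */
    if (!mkdtemp(dir)) return 1;
    char path[4096];
    snprintf(path, sizeof path, "%s/libdemo.so", dir);

    if (replace_file_atomically(path, "version 1") != 0) return 2;
    int old_fd = open(path, O_RDONLY);         /* the "running program" */
    if (old_fd < 0) return 3;

    if (replace_file_atomically(path, "version 2") != 0) return 4;  /* the updater */

    int rc = 0;
    char buf[32] = {0};
    /* Old handle still reads the old inode's bytes. */
    if (read(old_fd, buf, sizeof buf - 1) < 0 || strcmp(buf, "version 1") != 0) rc = 5;

    /* The old inode has no directory entry left: link count is 0. */
    struct stat st;
    if (rc == 0 && (fstat(old_fd, &st) != 0 || st.st_nlink != 0)) rc = 6;

    /* A fresh open sees the replacement. */
    int new_fd = open(path, O_RDONLY);
    memset(buf, 0, sizeof buf);
    if (rc == 0 && (new_fd < 0 || read(new_fd, buf, sizeof buf - 1) < 0 ||
                    strcmp(buf, "version 2") != 0)) rc = 7;

    if (new_fd >= 0) close(new_fd);
    close(old_fd);                              /* now the old inode is freed */
    unlink(path);
    rmdir(dir);
    return rc;
}
```

The `st_nlink == 0` check on the old descriptor is the observable difference between the two models: Unix lets the directory entry go while the inode lingers for existing handles, whereas the default Windows sharing mode keeps the name and the data pinned until the handle closes, hence the reboot.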
Kudos (Score:5, Interesting)
Look, I know it's fashionable to make negative remarks about MS round here, but it's only fair to say 'well done' to them for bettering their previous high count. Hopefully they haven't run out of bugs to fix and they'll work hard to find and fix even more next time. Who knows, this time next year they could be fixing hundreds of bugs every month - and if we're lucky, some of them could be quite serious or critical - wouldn't that be just awesome!
Go MS!
13 Patches != 13 Flaws (Score:5, Informative)
I was about to bitch about the submitter/moderator not RTFA, but it turns out, the article doesn't mention it either, so I'll clarify instead: thirteen updates are being released which together address thirty-four security vulnerabilities of varying severity across varying products (ten of which are targeted at Windows). So, that's NOT thirteen flaws (plenty more actually), just thirteen updates, some of which (all?) address multiple flaws in the particular system they are targeted at. Of course, this is just the advance notification, so full details about how many vulnerabilities each update addresses and the general information on them won't be released until the patches are next Tuesday. I think it's also worth noting (although the summary of course neglects to mention it) that the good aspect of these updates is that both major zero-day exploits (targeting IIS & SMB 2.0) are patched with these updates.
And while I'm posting, why does Slashdot insist on linking to shitty tech magazine articles (poorly) summarising the raw and accurate data straight from Microsoft? Seriously, I'm not sure if it's some sort of aversion to linking to MS, but they're the ones doing the patching, so it follows that they have the best, newest, most accurate data on them, and they'll likely be the first to provide updates on their content. These articles are just summarising what Microsoft has published on their various websites, and being a summary, they provide a lot more information and raw data:
Microsoft Security Bulletin Advance Notification for October 2009 [microsoft.com]
October 2009 Bulletin Release Advance Notification [technet.com]
Re: (Score:2)
On some level Slashdot bills itself as a news aggregator. Information taken straight from software vendors isn't necessarily a news article. It often contains the most accurate information. If the editors start posting microsoft.com articles, then they have to post apple.com articles, and adobe.com articles and pretty soon this isn't News for Nerds, it's Corporate PR Central.
I'm of the opinion (how ever little that is truly worth) that articles about patch counts are completely worthless. Anythi
Does it fix Windows 7's problems? (Score:5, Funny)
QUESTION about "critical" software (Score:2, Interesting)
Re: (Score:2)
> Does this make sense?
No. You are mad to agree to take an important exam under such conditions.
Nice! (Score:5, Funny)
So where are the instructions for the patch party?
Biggest patch ever? (Score:2)
Does this mean they're releasing Windows 7 a full 10 days early, then?
Largest ever... (Score:2)
So? (Score:3, Interesting)
So what?
My Ubuntu Jaunty desktop downloaded 130 MB of updates last night. And this isn't the first time either.
I didn't see the /. community getting their knickers in a knot about it
Re:So? (Score:4, Insightful)
And you didn't have to wait for the magical Patch Day for Ubuntu to share them with you.
Good in Microsoft (Score:3, Interesting)
Not to mention, WSUS in the enterprise is an excellent, free tool for centrally managing patch deployment.
Number of patches and vulnerabilities aside, I think MS is a standout leader in this category.
Re: (Score:3, Funny)
So it installs linux?
Yes, and kills problem users.
Re: (Score:2)
So it installs linux?
Yes, and kills problem users.
Those users are not bugs they are a feature
Re: (Score:2)
So it installs linux?
Yes, and kills problem users.
Can't be it says it only fixes 13 flaws. I have more problem users than that.
Re: (Score:2)
The flaw is in the methodology, not in the number of users.
For example, if there's an error in the filesystem driver with corrupt blocks, the fix is just in the drivers behavior, not in the number of blocks that it fixes.
Obviously, one of those fixes is in how you kill your users. While firearms work very efficiently, bullets are expensive. Go for rapid blunt force trauma. Training is mandatory. Too much force, and you get blood splatter. Too little forc
Re: (Score:2)
So it installs linux?
Yes, and it not only provides support for your hardware, but also provides child support and psychiatric support.
Re:The more crap you add... (Score:4, Insightful)
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
Which do I think is a better OS in terms of security and stability? Linux. But I tend to get tired of the "Microsoft releases so many patches, their OS is obviously bad" argument when it seems the whole development model of open source software (e.g., Linux distros) is that anyone can develop both features and patches, thus improving the software.
Re:The more crap you add... (Score:5, Insightful)
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
For just the kernel, or for a whole average distro? Which distro's kernel and which variant (e.g. SMP vs. uniprocessor) and which arch? (x86 vs. say, PPC or ARM)? Do we count all the optional modules, and what about the stuff that is out there which could be compiled-in, but usually isn't (e.g. Win4Lin extensions)? Are patches counted as individual diffs checked in to a CVS/SVN/BK repo source tree, or counted only if distributed .rpm/.apt packages by a vendor?
Otherwise, yeah, I can see your POV. :)
Re: (Score:2)
...and yes, I meant to say git and not BK. Stupid brain farts...
Re: (Score:3, Funny)
Wow, yeah, when you said BK, I thought I would take the initiative and get off your lawn.
Re:The more crap you add... (Score:5, Insightful)
Fair questions, but easily answered: for whatever is being compared to in a Windows OS. Windows, as I recall, has a kernel, has components that are necessary, has components that are unnecessary, etc. It seems Linux fans easily lapse into thinking that Windows is one complete mess all bound into one, whereas Linux has messy parts but the core is great... but who installs "Linux" and doesn't install a "Linux distro"? To be fair to Windows, I'd have to say you'd have to compare an entire Linux distro default installation to an entire Windows default installation... all software included in the iso, not the latest-updated-version-of-Amarok or whatever comes with it by default. Getting the latest Amarok version is just like getting the latest patch for Windows Media Player...
As for CVS/SVN/BK diffs and whatnot, that's hard to come up with... I have no clue how much code differences there are in a given Windows patch. For all I know, it's one single typo, but since it's a binary, the entire thing is built and sent over in the patch, right? So who knows? I would think, from an end-user perspective, it only counts as a patch if it's distributed in an easily installed format; e.g., as an update or as an rpm or included in the distro, etc.
Thanks for seeing my POV. :) hehe. I'm in an unfortunate position for my life on slashdot; I actually enjoy Windows OS's. And Linux distros. Awful, I know.
I don't like AIX though...
Re: (Score:2)
all software included in the iso,
You'd still be making an invalid comparison. The normal linux distribution includes multiple tools to do the same tasks. For example, most come packaged with both Gnome and KDE. It's pretty impossible to compare security by number of patches.
Re: (Score:2, Insightful)
Also, a lot of patches for linux software are adding new functionality. Not just fixing bugs.
Furthermore, what exactly is contained in one Windows "update"? As far as we know one windows update contains as many changes to the system as dozens of smaller patches in a linux distro.
But yeah, the idea that more released patches = less secure system isn't a very good one.
Re: (Score:3, Informative)
The number of patches and whether or not Windows or *nix requires more is pretty much a moot point. Both systems need to be updated regularly and both are vulnerable to automated vulnerability scanners that are being run 24/7 on compromised boxes. I won't re-tell the tale here, but you can check my journal if you want to read about the most recent tale of an Ubuntu box that I set up getting owned in under a month. Any OS that falls behind on patches becomes an exploitable target.
Security & Stability (Score:2)
Bad and sloppy code gets found, fixed quickly, and is met with hoots of derision from other developers.
Certain FEATURES touted as a plus for Windoze, e.g. OLE, never made it into Unix since their design required the OS to be broken by design and the developers declined to do it.
A couple of days reading LKML will show you how much chance a really bad idea, eg filetype
Re: (Score:3, Insightful)
Don't get me wrong, I'd not put a Windows machine directly facing the internet - but I wouldn't do that with an un-firewalled desktop Linux box either.
Linux doesn't have OLE, but they're still messing with implementing Bonobo, kpart, etc to re-create basically the
Re: (Score:3, Interesting)
Plus, OpenOffice.org has its own component system (UNO) which is very similar to OLE/COM, Mozilla has XUL which is also the same thing and you also have CORBA which is akin to DCOM (which is distributed OLE/COM). Components are not inherently less secure than normal applications... and even better, you have more granular control over their use (separate permissions for use, activatio
Re: (Score:3, Informative)
The only mistake they made was the dialog box when a non-Intranet site tried to send you an ActiveX control. This shouldn't have caused a dialog box, it should have just been blocked.
Re: (Score:3, Informative)
Erk, there is nothing inherently wrong with OLE, ActiveX or anything else in COM. At the end of the day they're just a means to embed or utilise one program from another. And yes GNOME/KDE have their equivalents. The problem has nothing to do with the OS but in the way IE promoted ActiveX, including automatic installation and the broken as
Re: (Score:3, Insightful)
That said, I've had no issues with five different webcams functioning properly under Ubuntu, without having to compile anything. I believe this is commonly referred to as "It Just Works(TM)".
Additionally, I'll take "knowing about vulnerabilities quickly" over "having somewhat fewer vulnerabilities that are publicly disclosed, leaving out problems Microsoft doesn't feel like informing the admin community of until exploits are
"About which I know nothing..." (Score:2)
Believe me ... I've sat and recompiled Spca5xx for a roomful of PCs after the monthly Linux updates. Last time I did it was less than a year ago.
Is it in the kernel now? Maybe ... I don't use Linux much these days.
Re: (Score:3, Funny)
Nope, that doesn't require a patch; it was built into the original release ...
Re:Autodestruct? (Score:5, Funny)
Nope, that doesn't require a patch; it was built into the original release ...
Yup. The hard drive with ME installation will jump out from the chassis, climb the refrigerator and rub itself all over the magnets.
Re:Autodestruct? (Score:4, Funny)
Will it make every PC that uses windows ME self-destruct?
Not likely, PCs running Windows ME probably don't have the power to do more than to self fizzle at most. I would personally be impressed if they let out the smallest little puff of smoke. I think the reality would be that they just refuse to power up due to shame.
Re: (Score:2)
Computer will now throw itself out window. Press F1 to continue.
Re: (Score:2)
Yep. Nothing maximises profits like paying people to develop a huge patch, and then providing the bandwidth to distribute that patch free.
Unless, of course, your comment was a subtle parody of anti-MS crowd. ;)
Please patch ALL versions of Windows! (Score:4, Funny)
Or at least patches to Win2K would be nice, maybe some working timezone data.
I also would highly recommend Microsoft release patches for Windows 3.11 to fix flaws in Win32s, and perhaps add IPv6 to Wolverine (winsock 1.1 for Windows for Workgroups)
Re:Typical Bullshit (Score:5, Insightful)
Kernel issues still require a reboot.
I run both Linux and FreeBSD in the server room, and have for about 15 years - but in terms of managing, reporting on, and distributing updates to hundreds of desktops, there's nothing off the shelf for *nix that comes close.
Re:Typical Bullshit (Score:5, Informative)
We use it to manage several thousand linux servers that store and process the data that's about to come from one of the LHC detectors. Handles provisioning, RPM updates, etc. And yeah, it'll work with Linux desktops.
Re: (Score:3, Informative)
Landscape [canonical.com]
Re: (Score:3, Interesting)
Kernel issues still require a reboot.
Have a look at KSplice. It allows the kernel to be patched dynamically, with no reboot. It's also free to users of Ubuntu 9.04 and 9.10 but I'm not sure about others. It works nicely from what I've seen so far, and the company was nice enough to answer a few of the questions I had about it. It's great if you really want to avoid reboots.
Re: (Score:3, Informative)
Can you do this on Linux? Maybe. It's certainly not standard, and a lot more work. Can you automatically update Unix boxes? Sure - but to set up the monitoring of the process, it's a