6307521
story
Comments: 341 +- IT: Microsoft Plans Largest-Ever Patch Tuesday on Thursday October 08, @06:49PM
background: url(//a.fsdn.com/sd/topics/topicbug.gif); width:80px; height:62px;
bug
background: url(//a.fsdn.com/sd/topics/topicupgrades.gif); width:70px; height:58px;
upgrades
background: url(//a.fsdn.com/sd/topics/topicms.gif); width:75px; height:55px;
microsoft
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicit.gif); width:75px; height:61px;
it
CWmike writes "Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008." Update Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."
Related Stories
: by
Executive ability is prominent in your make-up.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
But will it let me buy stuff using paypal? (Score:4, Interesting)
EVERY version of Windows? (Score:5, Funny)
Does this mean that my Windows 3.1 box will finally get the DST update?
Re:EVERY version of Windows? (Score:5, Funny)
No, you'll have to move to Arizona. Sorry.
I'd rather use Windows 3.1 than live in Arizona.
Parent
Re:EVERY version of Windows? (Score:5, Funny)
Coming from someone whose ID is Tumbleweed?
You bet. Arizona's so bad the plants evolved to get outta there!
Parent
...Patch Tuesday (Score:4, Insightful)
Re:...Patch Tuesday (Score:5, Interesting)
Yes, I think there is something in that for all of us, don't you? *puffs pipe*
Parent
Re:...Patch Tuesday (Score:4, Insightful)
It's a very good security strategy to piss off all your customers with WGA and Windows Media bullshit until they all turn off automatic updates.
Parent
Re:...Patch Tuesday (Score:5, Insightful)
MS requires customers to install the new WGA on a regular basis. That is also nagging.
Parent
Re:...Patch Tuesday (Score:5, Interesting)
I built my system myself which means that I'm more than capable of grabbing a bootleg copy of Windows online. Instead I chose to pay for a copy of WinXP because the OS is a MAJOR part of my system and as such was worth the asking price. (And also because I'm not a thieving schmuck. If you don't want to pay use Linux.)
Ever since I've been hounded by WGA. I just want my system patched. Microsoft wants to verify "something", god knows what, every time I try to access patches. Their checker needs updating quite often. I don't know what it does. I don't know what info it sends them. I just know it's an annoyance, maybe a personal security risk. I can't patch without it. (Officially that is. I'm aware of "alternate" patch sources but how secure is that? Seriously now, come on...)
This is the thanks I get for dropping money on their product. I passed on Vista. I'll pass on Win7. Once this system has aged to the point of uselessness (translation: can't game any more) I'm going to Linux full time. Why? BECAUSE THEY ACT AS IF THEY OWN MY MACHINE, NOT ME. THAT pisses me off.
So f--- them. I'm done.
Parent
Re: (Score:3)
Aside from that, you CAN patch from MS themselves without WGA, using Offline Update [h-online.com]. You can even burn the resulting files to disk and take it with you for patching friends/families machines.
Re:...Patch Tuesday (Score:4, Informative)
Parent
Re: (Score:3, Insightful)
Lessee...domain is h-online.com, refers you to patch files hosted at heise.de--yep, that's direct from Microsoft, all right!
Long Weekend (Score:4, Insightful)
Re:Long Weekend (Score:5, Insightful)
How do people forget a password in three days?
Because people are stupid. A person is smart, but people are stupid.
One of the most strangely insightful comments in Men in Black from memory.
Parent
Re: (Score:3, Insightful)
How do people forget a password in three days?
Duh, the janitor who comes in on holidays keeps throwing out the post-its taped to the monitors!
Re: (Score:3, Informative)
That would be Thanksgiving.
Bad luck (Score:5, Funny)
Wring. 13 advisories with 34 issues. RTFM (Score:5, Informative)
http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx [technet.com]
For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.
Re: (Score:3, Funny)
So you are going to have to reboot more than thirty times to install this?
Re: (Score:3, Informative)
Fortunately just the once. You can thank Windows insane file locking (easy to establish a lock
To clarify what this means, Win32 API function CreateFile, which opens files, locks them for exclusive access if the argument in which lock flags are passed is set to 0. In other words, the default is "lock for everything", and you explicitly have to opt out of that by specifying things like (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE).
This has a minor advantage in that stupid people often forget to lock their files properly, and then applications crash (or silently corrupt data) because they do
Kudos (Score:5, Interesting)
Look, I know it's fashionable to make negative remarks about MS round here, but it's only fair to say 'well done' to them for bettering their previous high count. Hopefully they haven't run out of bugs to fix and they'll work hard to find and fix even more next time. Who knows, this time next year they could be fixing hundreds of bugs every month - and if we're lucky, some of them could be quite serious or critical - wouldn't that be just awesome!
Go MS!
13 Patches != 13 Flaws (Score:5, Informative)
I was about to bitch about the submitter/moderator not RTFA, but it turns out, the article doesn't mention it either, so I'll clarify instead: thirteen updates are being released which together address thirty-four security vulnerabilities of varying severity across varying products (ten of which are targetted at Windows). So, that's NOT thirteen flaws (plenty more actually), just thirteen updates, some of which (all?) address multiple flaws in the particular system they are targetted at. Of course, this is just the advance notification, so full details about how many vulnerabilities each update addresses and the general information on them won't be released until the patches are next Tuesday. I think it's also worth nothing (although the summary of course neglects to mention it) that the good aspect of these updates are both major zero-day exploits (targetting IIS & SMB 2.0) are patched with these updates.
And while I'm posting, why does Slashdot insist on linking to shitty tech magazine articles (poorly) summarising the raw and accurate data straight from Microsoft? Seriously, I'm not sure if it's some sort of aversion to linking to MS, but they're the ones doing the patching, so it follows that they have the best, newest, most accurate data on them, and they'll likely be the first to provide updates on their content. These articles are just summarising what Microsoft has published on their various web-sites, and being a summary, they provide a lot more information and raw data:
Microsoft Security Bulletin Advance Notification for October 2009 [microsoft.com]
October 2009 Bulletin Release Advance Notification [technet.com]
Does it fix Windows 7's problems? (Score:5, Funny)
Nice! (Score:5, Funny)
So where are the instructions for the patch party?
So? (Score:3, Interesting)
So what?
My Ubunutu Jaunty desktop downloaded 130mb of updates last night. And this isnt the first time either.
I didnt see the /. community getting their nickers in a knot about it
Re:So? (Score:4, Insightful)
And you didn't have to wait for the magical Patch Day for Ubuntu to share them with you.
Parent
Re: (Score:3, Funny)
So it installs linux?
Yes, and kills problem users.
Re:It fixes EVERY bug? (Score:5, Funny)
Parent
Re:The more crap you add... (Score:4, Insightful)
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
Which do I think is a better OS in terms of security and stability? Linux. But I tend to get tired of the "Microsoft releases so many patches, their OS is obviously bad" argument when the it seems the whole development model of open source software (e.g., Linux distros) is that anyone can develop both features and patches, thus improving the software.
Parent
Re:The more crap you add... (Score:5, Insightful)
I'd like to see a comparison between the number of patches to Linux vs. Windows. :)
For just the kernel, or for a whole average distro? Which distro's kernel and which variant (e.g. SMP vs. uniprocessor) and which arch? (x86 vs. say, PPC or ARM)? Do we count all the optional modules, and what about the stuff that is out there which could be compiled-in, but usually isn't (e.g. Win4Lin extensions)? Are patches counted as individual diffs checked in to a CVS/SVN/BK repo source tree, or counted only if distributed .rpm/.apt packages by a vendor?
Otherwise, yeah, I can see your POV. :)
Parent
Re:The more crap you add... (Score:5, Insightful)
Fair questions, but easily answered: for whatever is being compared to in a Windows OS. Windows, as I recall, has a kernel, has components that are necessary, has components that are unnecessary, etc. It seems Linux fans easily lapse into thinking that Windows is one complete mess all bound into one, whereas Linux has messy parts but the core is great... but who installs "Linux" and doesn't install a "Linux distro." To be fair to Windows. I'd have to say you'd have to compare an entire Linux distro default installation to an entire Windows default installation... all software included in the iso, not the latest-updated-version-of-Amarok or whatever comes with it by default. Getting the latest Amarok version is just like getting the latest patch for Windows Media Player...
As for CVS/SVN/BK diff's and whatnot, that's hard to come up with... I have no clue how much code differences there are in a given Windows patch. For all I know, it's one single typo, but since it's a binary, the entire thing is built and sent over in the patch, right? So who knows? I would think, from an end-user perspective, it only counts as a patch if it's distributed in an easily installed format; e.g., as an update or as an rpm or included in the distro, etc.
Thanks for seeing my POV. :) hehe. I'm in an unfortunate position for my life on slashdot; I actually enjoy Windows OS's. And Linux distros. Awful, I know.
I don't like AIX though...
Parent
Re:The more crap you add... (Score:5, Insightful)
Parent
Re: (Score:3)
Re: (Score:3, Informative)
The number of patches and whether or not Windows or *nix requires more is pretty much a moot point. Both systems need to be updated regularly and both are vulnerable to automated vulnerability scanners that are being run 24/7 on compromised boxes. I won't re-tell the tale here, but you can check my journal if you want to read about the most recent tale of an Ubuntu box that I setup getting owned in under a month. Any OS that falls behind on patches becomes an exploitable target.
Re: (Score:3, Insightful)
Don't get me wrong, I'd not put a Windows machine directly facing the internet - but I wouldn't do that with an un-firewalled desktop Linux box either.
Linux doesn't have OLE, but they're still messing with implementing Bonobo, kpart, etc to re-create basically the
Re: (Score:3, Interesting)
Plus, OpenOffice.org has it's own component system (UNO) which is very similar to OLE/COM, Mozilla has XUL which is also the same thing and you also have CORBA which is akin to DCOM (which is distributed OLE/COM). Components are not inherently less secure than normal applications... and even better, you have more granular control over their use (separate permissions for use, activatio
Re: (Score:3, Informative)
Erk, there is nothing inherently wrong with OLE, ActiveX or anything else in COM. At the end of the day they're just a means to embed or utilise one program from another. And yes GNOME/KDE have their equivalents. The problem has nothing to do with the OS but in the way IE promoted ActiveX, including automatic installation and the broken as
Re: (Score:3, Insightful)
That said, I've had no issues with five different webcams functioning properly under Ubuntu, without having to compile anything. I believe this is commonly referred to as "It Just Works(TM)".
Additionally, I'll take "knowing about vulnerabilities quickly" over "having somewhat fewer vulnerabilities that are publicly disclosed, leaving out problems Microsoft doesn't feel like informing the admin community of until exploits are
Re: (Score:3, Funny)
Nope, that doesn't require a patch; it was built into the original release ...
Re:Autodestruct? (Score:5, Funny)
Nope, that doesn't require a patch; it was built into the original release ...
Yup. The hard drive with ME installation will jump out from the chasis, climb the refrigerator and rub itself all over the magnets.
Parent
Re:Autodestruct? (Score:4, Funny)
Will it make every PC that uses windows ME self-destruct?
Not likely, PC's running Windows ME probably don't have the power to do more than to self fizzle at most. I would personally be impressed if they let out the smallest little puff of smoke. I think the reality would be that they just refuse to power up due to shame.
Parent
Re: (Score:3)
I wish they'd patch my work computer to do that, and in such a way that the IT department can't fix it. I hate Outlook, and I'd love a good excuse to not use it any more.
Re: (Score:3, Informative)
I used to say that. Then we got forced onto Lotus Notes.
and when I get to Heaven To St. Peter I will tell: "One more Notes user reporting, Sir -- I've served my time in Hell."
Re: (Score:3, Insightful)
Well stop pirating office and you won't have those kinds of problems.
Re: (Score:3)
Re: (Score:3, Informative)
Please patch ALL versions of Windows! (Score:4, Funny)
Or at least patches to Win2K would be nice, maybe some working timezone data.
I also would highly recommend Microsoft release patches for Windows 3.11 to fix flaws in Win32s, and perhaps add IPv6 to Wolverine (winsock 1.1 for Windows for Workgroups)
Parent
Re:Typical Bullshit (Score:5, Insightful)
Kernel issues still require a reboot.
I run both Linux and FreeBSD in the server room, and have for about 15 years - but in terms of managing, reporting on, and distributing updates to hundreds of desktops, there's nothing off the shelf for *nix that comes close.
Parent
Re:Typical Bullshit (Score:5, Informative)
We use it to manage several thousand linux servers that store and process the data that's about to come from one of the LHC detectors. Handles provisioning, RPM updates, etc. And yeah, it'll work with Linux desktops.
Parent
Re: (Score:3, Interesting)
Kernel issues still require a reboot.
Have a look at KSplice. It allows the kernel to be patched dynamically, with no reboot. It's also free to users of Ubuntu 9.04 and 9.10 but I'm not sure about others. It works nicely from what I've seen so far, and the company was nice enough to answer a few of the questions I had about it. It's great if you really want to avoid reboots.