Security Microsoft Upgrades Windows Technology

Microsoft To Distribute Third-Party Patches 135

Posted by timothy
from the after-the-after-party dept.
dhiren writes "Secunia on Wednesday announced that their authenticated internal vulnerability scanner, the Corporate Software Inspector (CSI) 4.0, has been integrated with Microsoft Windows Server Update Service (WSUS) and System Center Configuration Manager (SCCM). This will hopefully pave the way for other vendors to also make use of Windows' existing patching infrastructure and eliminate the need for the multitude of custom updater applications and services that clutter most systems today."

  • Oh just call it (Score:5, Insightful)

    by LordKaT (619540) on Wednesday March 24, 2010 @03:07PM (#31601836) Homepage Journal

    Oh, just call it a package manager and get over it. Your fancy words don't make it better.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Aww but then those guys in marketing would be all bored with nothing to do...

    • Re:Oh just call it (Score:5, Insightful)

      by 140Mandak262Jamuna (970587) on Wednesday March 24, 2010 @03:30PM (#31602188) Journal
      No way buddy. It is going to come in so many editions:
      • Absolutely Basic Package Manager
      • Expanded Basic Package Manager
      • Funeral Director Edition Package Manager (third from the bottom of pricelist!)
      • Anything Less Would not work Manager
      • Ultimate Home Edition Package Manager (clueless user Special)
      • Professional Ultimate Package Manager
      • Ultimate Professional Package Manager with Downgrade to Upgrade Option Bundled
      • Super Ultimate Professional with Multimedia Expansion Package Gamer special Package Manager
      • Absolutely Super Ultimate, this time really really Ultimate Gamer Professional Home Maker Special Edition Package Manager
    • Re: (Score:3, Informative)

      by Anonymous Coward
      You really can't call it a package manager because it doesn't do dependency and it doesn't do upgrades. It just does patches - which is why it is not called a package manager.
    • by dkleinsc (563838) on Wednesday March 24, 2010 @03:33PM (#31602244) Homepage

      But see, a "package manager" is the result of careful research and experience by a bunch of long-haired university-bound communist hippies, so it could never have any usefulness in the real world. Plus it's not a register-able trademark, so customers might realize that there are other better package managers out there. And once they get hooked on apt-get, they'll turn immediately into a clone of RMS and start helping the FSF.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Except you cannot install or remove programs from this. So it's not a package manager.

      • Re: (Score:2, Insightful)

        by anshulajain (1359933)
        Probably just an update manager then, if not a package manager, right? Linux-based systems have had this for ages. Microshaft now rolls out some fancy, business-jargon pimped up SCCM, Linux vendors should hit M$ over the head with this in the press and trade journals.
        • by Anpheus (908711)

          These features have existed for years, the news is that Secunia is participating in the program and may package patches for third party programs that have not opted in to participate with Microsoft's solution.

          I can deploy, for example, Dell patches and drivers specific to Dell machines using System Center / WSUS. I think the only news here is that now I can keep Java or Adobe Reader or whatever up to date too.

    • Re: (Score:3, Interesting)

      by nine-times (778537)

      I've been thinking for quite a long time that Apple and Microsoft need to come up with package managers for their operating systems. It's ironic because after all the talk of it being hard to install things in Linux, it's much easier to keep a Linux system up to date. In most cases, you can upgrade every application on your computer with a single line in the command line.

      Microsoft has "Microsoft Update" and Apple has "System Update", so they basically have the system in place already for their own software, b

      • by Korin43 (881732)
        Yes if there was a decent package manager for Windows, it would be far less painful to use. Coming back to Windows after a month and having every program complain about updates is incredibly annoying, especially when they're all updates you have to apply manually, one at a time.
        • On OSX, a lot of applications have been using Sparkle [andymatuschak.org]. Programs check for updates when they launch, and if an update is available, it throws up a window notifying that an update is available. If you choose to "Update and relaunch", it will automatically update the program, install the update, and relaunch the program.

          All in all, it's not bad. On the other hand, it means every application pops up with its own update notifications. If I haven't used a system for a while or I reinstall from an image, I ge

          • MacUpdate Desktop [macupdate.com] sounds like what you're looking for.

            It would be nice if it was free, but $20 annually for up to five computers shouldn't break the bank.

            • Thanks. That seems like it's not bad. Still, it's not free, it requires you to have an account.

              Also it gets some things wrong. For example, it tells me there are updates to my Adobe applications because I'm running CS3 and CS4 is available. It'd be nice if there were a common infrastructure where Adobe could support their own application and decide what updates were sensible instead of relying on someone else to guess.

              I'd maintain it's still something that should be done by the OS.

          • by hairyfeet (841228)

            Actually Windows is nearly as simple, just use Update Checker [filehippo.com] from FileHippo and there you are. It barely uses any RAM; if you absolutely must have the latest updates you can have it run at startup and check whenever you like, and it will notify you when updates are available and can take you straight to a links page on FileHippo for the updates you need.

            Pretty simple really, and if my nearly 70 year old dad can use it to keep his machine up to date then anybody can.

      • Re: (Score:3, Insightful)

        by Runaway1956 (1322357)

        "you can upgrade every application on your computer with a single line in the command line."

        Even better:

        aptitude safe-upgrade

        Because, sometimes, upgrading EVERYTHING breaks obscure dependencies. ;^)

      • by RMH101 (636144)
        ...and next the app store. Think about it, if you buy your apps from your OS vendor's walled garden, then it acts very similarly - e.g. on the iPhone, you get push notifications for any new updates and an "update all" button.
  • Misreading (Score:5, Funny)

    by AnonGCB (1398517) <(7spams) (at) (gmail.com)> on Wednesday March 24, 2010 @03:08PM (#31601856)
    For a minute I read the headline as "Microsoft to Distribute Eye Patches". With the rate of piracy Microsoft has going on, I wouldn't be surprised.
  • by Animats (122034)

    Now we just have to break into one of the machines allowed to submit updates to be pushed, and we can rule the world!

  • Misleading article (Score:3, Interesting)

    by djben (785600) on Wednesday March 24, 2010 @03:18PM (#31602014)
    Correct me if I am wrong, but Secunia is announcing that they are going to piggy-back on an existing WSUS server, and not that WSUS is going to start shipping with and deploying Secunia's updates for everyone who uses WSUS? I'm not sure why this is anything special at all. I help people replace WSUS all the time and they want to use less of it, not more. Perhaps I'm not understanding something here...
    • Re: (Score:2, Interesting)

      by bangwhistle (971272)
      A lot of us use WSUS and SCCM because they do a good job of managing MS patches AND the cost (for WSUS) is right. This announcement is interesting but raises questions: how much will it cost; who will support it and how much work will it be to import third party updates? We can currently build packages for SCCM for any product, so not much gain there. But WSUS... Maybe it's time for the free trial...
      • Re: (Score:3, Interesting)

        by afidel (530433)
        I use WSUS on the server side because it doesn't require yet another freaking agent on my servers. In my experience the reliability of a windows server is inversely proportional to the number of third party packages running on it. I run AV because it's required by policy, I run a backup agent if the server has a large number of small files, other than that I avoid them like the plague. I do monitoring using WMI and SNMP, do patching via WSUS, etc.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      What WSUS are you using? And what the hell are you replacing it with for patch management across a few hundred windows PCs? It takes me only a matter of a half hour a week to handle and check up on patches and updates.

      WSUS is a free application for deploying and controlling patches that would normally be handled via automatic updates. Automatic updates still downloads and installs but it pulls from WSUS instead of directly from MS. You can deny patches when there are issues or conflicts and you can see w

  • Really? (Score:2, Insightful)

    by KGBear (71109)
    This will hopefully pave the way for other vendors to also make use of Windows' existing patching infrastructure and eliminate the need for the multitude of custom updater applications and services that clutter most systems today.

    Or just go to Linux, where most distributions have had something like this for over a decade now. The worst part is, I'm sure I will start hearing from Windows people how fantastic the new "innovation" is...
    • by RAMMS+EIN (578166)

      Well, it is a great step forward. And making a system like this work for software that isn't freely redistributable is quite a bit trickier than for open source software. I hope more vendors get with the programme. Even though I don't maintain any Windows systems, I still welcome any development that makes their maintenance less of a burden.

    • by Prefader (1072814)

      The worst part is, I'm sure I will start hearing from Windows people how fantastic the new "innovation" is...

      Of course they will! It was their idea!(copyright 2009 Microsoft Corp.)

    • Re: (Score:3, Interesting)

      by Voyager529 (1363959)

      Oh I'm fully aware of how awesome Synaptic/Yum/$PACKAGE_MANAGER is, but unfortunately I doubt that a full-blown software repo will ever happen on Windows, because ultimately, it will end up as one of two scenarios:

      1.) Microsoft requires all software added to the repo to have a specific digital certificate, and/or additional repos themselves will have to be signed and secured. These certificates will cost $$$$. Some indie dev will want to get their software in the repo, won't be able to afford it, and Microso

    • by robot256 (1635039)
      Or you will start hearing from Windows people how terrible the feature is because MS implemented it poorly, and they will ask how you could possibly put up with such a crappy feature in Linux all these years.
  • It's just a small piece of the pie. When they open it up to some other major players I'll be impressed.

    It's not like this is a new concept, get with the times; it is for the security of your OS for christ sakes. Maybe cut down on why OSX or whichever OTHER OS anyone can name has such a virus advantage on you, if even slightly.


    Oh and Yes I understand what Secunia entails, but it's still small.
  • Is this going to push updates via Windows Update to Windows 7 and other home versions as well, or just Win Server? Or is it even using Windows Update? Is that different from the "Windows Server Update Service?" I don't have anything to do with servers, so I'm honestly confused.

    • by Jazz-Masta (240659) on Wednesday March 24, 2010 @04:11PM (#31602804)

      WSUS is what server admins use to push patches to machines connected to a particular server.

      Most machines that are part of a domain or network that utilizes WSUS have Windows Update disabled. The server admin goes through the patches and selects the ones he/she wants to push out to each of the computers.

      It's quick and simple...but has nothing to do with the end user.

      • WSUS is what server admins use to push patches to machines connected to a particular server.

        Most machines that are part of a domain or network that utilizes WSUS have Windows Update disabled.

        Ah, okay. I get it. I knew at work we were pointed to an internal update server so that we'd only get patches after they were approved as stable, but I never knew the name of the tool, or the process behind it. Thank you muchly!
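
The WSUS client setup described in the subthread above, where machines pull approved patches from an internal server instead of from Microsoft, as an added example that is not part of any comment: a PowerShell audit of the Windows Update policy values on a client. The function names, host name and sample policy are constructed for illustration; `AcceptTrustedPublisherCerts` is the policy value that lets a client accept locally published third-party updates.

```powershell
# Added example. The registry value names are the standard Windows Update
# policy values; function names and sample data are constructed.

function Get-WsusClientPolicy {
    # Read the policy values that redirect Automatic Updates to a WSUS server.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    return @{
        WUServer                    = $wu.WUServer
        WUStatusServer              = $wu.WUStatusServer
        AcceptTrustedPublisherCerts = $wu.AcceptTrustedPublisherCerts
        UseWUServer                 = $au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        # Set when third-party updates are published into WSUS (assumption).
        [switch] $ExpectThirdParty
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Without UseWUServer = 1 the client ignores WUServer entirely.
    if ($Policy['UseWUServer'] -ne 1) {
        $findings.Add('UseWUServer is not 1: client talks to Microsoft Update, not WSUS')
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy[$name]
        if ([string]::IsNullOrWhiteSpace($url)) {
            $findings.Add("$name is not set")
            continue
        }
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("$name is not a valid URL: $url")
        } elseif ($uri.Scheme -ne 'https') {
            $findings.Add("$name uses $($uri.Scheme): update metadata is fetched without TLS")
        }
    }

    # Locally published (third-party) updates are only installed when this is 1
    # and the signing certificate is in the client's Trusted Publishers store.
    $accept = $Policy['AcceptTrustedPublisherCerts']
    if ($ExpectThirdParty -and $accept -ne 1) {
        $findings.Add('AcceptTrustedPublisherCerts is not 1: third-party updates will be rejected')
    } elseif (-not $ExpectThirdParty -and $accept -eq 1) {
        $findings.Add('AcceptTrustedPublisherCerts is 1 but no third-party publishing is expected: review Trusted Publishers')
    }

    return $findings.ToArray()
}

# Constructed sample: a client pointed at WSUS over plain HTTP (default port 8530).
$sample = @{
    WUServer                    = 'http://wsus.example.internal:8530'
    WUStatusServer              = 'http://wsus.example.internal:8530'
    UseWUServer                 = 1
    AcceptTrustedPublisherCerts = 0
}
@(Test-WsusClientPolicy -Policy $sample -ExpectThirdParty) |
    ForEach-Object { "FINDING: $_" }

# On a live client:
#   @(Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectThirdParty)
```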

  • by Animaether (411575) on Wednesday March 24, 2010 @03:30PM (#31602206) Journal

    CNet used to have a similar service... only for the software that they themselves offered to users, of course. Then they discontinued it, re-launched as CatchUp, discontinued it again.. now it's some weird newsletter thing you can subscribe to.

    Worked fairly well, though - was just a small utility that I guess checked for installed apps, checked the version info (from registry / files) for those it knew, and checked if there were any newer versions offered off of CNet.

    Sucked when they discontinued it.. meant you had to check the pages / author sites manually all the time.. or subscribe to their RSS feeds (which only became popular later on), etc. In addition, half the apps I run now have their own update checking stuff.. some check on startup, some check every day, some check once a week... finding the settings for this (if the settings are even exposed) can be a ton of fun too.. etc.

    So hooray for Microsoft looking into this... looooong overdue. I do hope they allow -any- developer/application to take part, though.

    • CNet TechTracker (Score:3, Informative)

      by Animaether (411575)

      reply to self - go figure.. I tried to dig up some more information on the old service.. and somewhere buried among the google hits:
      http://www.cnet.com/techtracker/ [cnet.com]

      Which sounds like it does what the old app did... except you now need a CNet account to see the results? *sigh*
      Some posts in the forum for it ( http://forums.cnet.com/techtracker-forum/ [cnet.com] ) seem to indicate some possible issues as well.

    • by natehoy (1608657)

      I remember a program about the same time as CatchUp called OilChange that worked in a similar fashion - scanned the registry and hard drive for known files from common applications, determined the current version, and allowed you to at least tell what of your software was out of date. A few programs could be updated from right in the tool, most just sent you to the vendor's home page so you could download the updates.

      In addition, half the apps I run now have their own update checking stuff.. some check on startup, some check every day, some check once a week... finding the settings for this (if the settings are even exposed) can be a ton of fun too.. etc.

      I think my favorites used to be the ones that checked when the app started up. Adobe Acro

      • Re: (Score:2, Informative)

        by matang (731781)
        filehippo has an update checker. i've used it for a while and it works well: http://www.filehippo.com/updatechecker/ [filehippo.com]
        • Cool - thanks for pointing that one out as well, I'll have to give it a run and see what it (and that TechTracker thing) come up with on the other machine. I know all the software I use regularly on it is up-to-date, but it's seen so many crap installs that it'll be fun to see what they find :)

      • Re: (Score:3, Interesting)

        by TClevenger (252206)

        I think my favorites used to be the ones that checked when the app started up. Adobe Acrobat Reader was really bad about this. "Would you like to take 30 minutes out of your day to load an Adobe Downloader so you can load the latest version of Adobe Reader so you can reboot and then have to come back to this page so you can read this one-page document, or ignore this and I'll pester you the next time you try to open a document?"

        You forgot the second half of that story.

        (30 minutes later) "Oh, sorry, you have to be an administrator to install that." (Then after the next reboot) "Would you like to take 30 minutes out of your day to load an Adobe Downloader so you can load the latest version of Adobe Reader so you can reboot and then have to come back to this page so you can read this one-page document, or ignore this and I'll pester you the next time you try to open a document?"

        • by natehoy (1608657)

          Assuming you were (a) smart enough to be running your Windows user as non-admin, and (b) inattentive enough to be unaware that you needed those rights you set yourself up not to have in order to install software. :)

          mintUpdate just ROCKS.

  • by arhhook (995275)

    What could possibly go wrong!

  • I don't think the editor of that piece had enough comprehensiveness as the second and third paragraphs are practically identical swatches of marketing vomit.
  • The only reason we keep using Internet Explorer at work is because we can patch it with WSUS. So if we could patch firefox with WSUS, it will be the end of IE in our environment! Can't wait for that day to come....
    • by cmuench (878624)
      And if it can do Flash and PDF Reader I can use this at work. Oh what a joyous day that would be. Assuming it's free of course...
    • by Spad (470073)

      Just as soon as Firefox comes with support for configuration & control via GPO (Frankly, even if I have to write the templates myself, just *something* would be nice).

      • by deniable (76198)
        We use Frontmotion's version [frontmotion.com] and deploy through GPO. We supersede to upgrade rather than patching with WSUS. Works well for us. If Mozilla did this in-house they'd get more corporate uptake.
    • ... if you can afford it. I don't think it's overpriced per se, but the minimum purchase may put it out of reach of many small organisations. (And perhaps large organisations with tight IT budgets!)

  • I use PSI (Personal Software Inspector) http://secunia.com/vulnerability_scanning/personal/ [secunia.com]

  • Compare? (Score:4, Interesting)

    by vlm (69642) on Wednesday March 24, 2010 @03:52PM (#31602516)

    I don't do windows. Mac and Linux only.

    Could someone compare and contrast with apt-get and security.debian.org, which I am very familiar with?

    I'm not trying to ignite a flamewar, I'm just curious about the feature set. What one side would have to add to reach the other side's level, etc.

    • by vlm (69642)

      Mystified how this ends up modded troll.

      • Re: (Score:3, Funny)

        by metrix007 (200091)

        Because when someone says they "don't do windows" it says a lot about that person.

        Someone has to be amazingly closeminded and fundamentalist, and go out of their way to avoid the most prevalent consumer OS for the last 10 years.

        • Re: (Score:3, Interesting)

          by the_womble (580291)

          Someone has to be amazingly closeminded and fundamentalist, and go out of their way to avoid the most prevalent consumer OS for the last 10 years.

          It is fundamentalist and closed minded to not buy a product because you do not like it?

          Coca-cola is the most popular soft drink, if someone said that they had not drunk it for a few years because they never liked it, but they could not remember exactly what it tasted like, would that be "fundamentalist and closed minded"?

          go out of their way to avoid the most prevalent consumer OS for the last 10 years.

          I have hardly touched Windows in the last six years. I have not gone out of my way: I would have to go out of

        • Recently there was a time (about a year) when I could do that too. Only Linux then and it was wonderful!

          Now times change, new place and stuff, Windows shop. So I give it a chance again. Here was the timeline how I did:

          Day 1: Well, can't be so bad. Worst that can happen is, that I get to know my foe better.
          Day 2: Install gVim for windows. Getting more familiar with the environment. Something is still not quite right..
          Day 3: Not very productive so far, but new place and all.. Anyway, let's get something done.

    • Re: (Score:3, Informative)

      by radish (98371)

      Broadly speaking they're very similar. With Windows Update it's normally limited to stuff which MS publish, in much the same way as (say) apt-get on Ubuntu is limited to things in the Ubuntu repos by default. Obviously that's a lot more software there as it's freely distributable, but you still get packages sometimes which aren't included in the distro's repos and you have to add another source to your packages list (or even worse, download a tarball and maintain it manually). This change is to allow third

      • This change is to allow third party code to come down through Windows Update, in essence adding more package sources.

        So in essence, they did what I can do with vi /etc/apt/sources.list? Or they replaced a hardcoded "deb http://http.microsoft.com/windows/ [microsoft.com] valuable_vista main contrib non-free" with the same information but now in C:\windows\etc\apt\sources.list, and now I (and my programs) can edit it?

        It's not new or unique

        True, that :)

    • by tehcyder (746570)

      I'm not trying to ignite a flamewar

      No, because to start a flamewar here you'd have to say "I don't do Apple because it is teh gay" or "I don't do Linux because I'm not a hippy communist."

  • by trifish (826353) on Wednesday March 24, 2010 @03:54PM (#31602550)

    Does anyone have any link that would confirm that Microsoft actually did anything besides allowing a third party to use an API? The summary tries to make it sound like Microsoft uses (integrates) some Secunia stuff now.

    The article certainly does read like a Secunia ad.

    • Microsoft didn't do anything. This is a Secunia product, using a documented MS API.

      It's still quite an exciting product for those of us who do have lots of Windows PCs to patch, except that (in my case) we probably won't be able to afford it.

  • OSS Alternative (Score:5, Interesting)

    by bdam (1774922) on Wednesday March 24, 2010 @03:55PM (#31602582)
    The current version of WSUS includes an API that allows, among other things, anyone to publish third party updates through the WSUS system. I've been working on a project for a few months that does just that: https://sourceforge.net/projects/localupdatepubl [sourceforge.net]
    • by zero0ne (1309517)

      Good stuff, will be taking a look at this.

    • That looks like it's great -if- and only if you only have your own intranet to worry about?

      I.e. a system administrator for a local network suggesting that users should install Update X for Application Y, and having that served up to -those- machines through windows updates.

      It doesn't do anything for a software publisher wanting their clients to know about updates. For that, you'd still need your own update checker?

      Maybe I'm mis-reading that mechanism, though.

      • Re: (Score:2, Informative)

        by bdam (1774922)
        You are mostly correct. In my project, there's no support for automatically importing or being alerted about new updates from vendors. I'm not aware of any centralized source for that sort of data. If such a thing exists, I'd be interested to know about it. So, to be clear, Secunia has a definite edge there that I can't conceive of matching without some freely available repository. However there is some value for the software publisher. One of the reasons that Microsoft released the API was in the hope
  • Reading the Secunia website, it seems like this is just a new feature in their 4.0 product, which has been in beta up until today. If the way I read things is correct, it's not like WSUS will be shipping with CSI technology built in; rather, if you purchase CSI 4.0, you'll have the ability to (hopefully, presumably) roll up 3rd party patches so that WSUS will recognize them, and spit them out to clients.

    Which is great, not "Wow I just pissed my pants" great like I originally thought, but still. Can anyone c

    • by jpcarter (1098791)

      Agreed. The press release [secunia.com] states that Secunia "...announced that their renowned authenticated internal vulnerability scanner ... has been integrated with ... WSUS..."

      Is this third party patch management or just a vulnerability scanner built in to WSUS?

      Scanning is neat, but it would be one hell of a lot nicer if I could make sure Flash & Java are updated as easily as the latest Windows updates.

    • by Kaboom13 (235759)

      I was part of the beta test. CSI 3.0 is a vulnerability scanner similar to their PSI software for home users. The difference being it remotely scans hosts over the network. It compares applications it finds on the PCs to a database, and lets you know if any one of them have security updates available, existing unpatched security flaws, or are end of lifed/discontinued. The results include links to download the appropriate patches when available. The 4.0 version adds integration with WSUS A little used

      • by jayhawk88 (160512)

        Thanks for the info. Price would be the big thing for us; this definitely falls under the "yeah it's nice but why don't we just use Altiris" as you imply. And yet we just heard the other day that Adobe has overtaken Windows/IE/whatever it was as the most vulnerable app. If they're reasonable on price you could perhaps justify it to the boss, but $30 a station seems a bit steep.

  • yes (Score:3, Insightful)

    by fulldecent (598482) on Wednesday March 24, 2010 @04:33PM (#31603136) Homepage

    This is a good thing, if done properly.

    It's also part of why people generally smile when they use their phones and frown when they use their computers.

  • This is nothing new. MS has a tool called System Center Custom Update Publisher (or SCUP). Dell, Citrix, and Adobe Flash all have had catalogs to publish into WSUS/SCCM since 2007. Shavlik put out a custom catalog last week.

  • I've long wondered why Microsoft doesn't use their Windows Update/Microsoft Update infrastructure to offer updates for things like Windows Live Essentials, Sync, Mesh, any other technologies. Microsoft needs to institute a rule that every group at the company *must* use existing API's before inventing their own system... no duplicate functionality.
  • Dang! I was excited, but alas WSUS isn't distributing the third-party patches, other software "Secunia CSI" is, which is not a free Microsoft download like WSUS is. You still need two different pieces of software (even if they ARE integrated) to accomplish this. Doesn't seem like big news.
