Microsoft to set record with next Patch Tuesday

Microsoft's security patch release scheduled for next week will include a record number of bulletins that fix dozens of vulnerabilities in several of its products, the company said on Thursday. The next Patch Tuesday, scheduled for August 10, will include 14 bulletins, eight of which are rated critical, Microsoft's highest …

COMMENTS

This topic is closed for new posts.
  1. heyrick Silver badge

    Reboot?

    "Yes, a reboot is required for many of the patches."

    Does this mean apply patch, reboot, apply another patch, reboot, apply yet another patch, reboot, repeat until false...? If so, is it not possible to do all that's necessary and then reboot only the one time?

    1. Anonymous Coward
      Anonymous Coward

      Typical

      You must realize the constant rebooting is the microsoft way.

    2. JP19

      Re: Reboot?

      I imagine it'll be reboot once after all the patches are installed, as has been the procedure for every Patch Tuesday I can ever remember.

    3. Anonymous Coward
      Anonymous Coward

      Have you never used Windows?

      Usually only one reboot is needed for all the patches. No one would have patience for that many reboots!

      1. anarchic-teapot

        Oh, I've used Windows

        And while I'll concede that Patch Tuesday rarely, if ever, requires more than one reboot, if you're patching a newly installed system after the OS has been around for at least 6 months you *will* have to reboot several times.

      2. Lance 3

        BSOD

        That is why they invented the BSOD.

    4. xenny

      Reboot? - once

      install all the patches, bounce the machine - once.

    5. Anonymous Coward
      Anonymous Coward

      One reboot normally enough

      With XP you can choose "install and shut down", which is good for an office situation. It's a natural reboot.

    6. Version 1.0 Silver badge
      Joke

      It's a Wonderful Life

      Every time you reboot, an angel gets an upgrade...

      1. Anonymous Coward
        Coat

        or orgasm

        press that button

  2. Robert Brandon

    Apple's Better

    Why not do it the Apple way? Instead of having a dozen different downloads to download, why not package them in one big file? Maybe separate Windows & Office updates, but that's still 2 down from 14!

    1. anarchic-teapot

      All-or-nothing megapatches are a Bad Idea

      The patches come in several small(ish) packages so that the IT department can test individual patches to make sure they won't crash any sensitive applications in use in that company.

      If it's all or nothing, there would be even more vulnerable, unpatched PCs out there.

      Bear in mind also that Apple make it well-nigh impossible to roll back to the previous version if a patch/update causes unexpected problems.

    2. Jordan Davenport

      Service Packs and Update Rollups

      And then you would inevitably get a giant update to download which contains patches that don't even apply to you, not to mention Apple almost always seem to botch *something* when they release their system updates.

      Though that's why Microsoft releases service packs periodically. They contain all updates from the past plus a few extra things never released to the general public before. Perhaps it would be a better idea to release them or their "update rollups" more frequently for the purpose of speeding up clean installs, I'll agree, but for monthly updates, I prefer them all to be separate so I can select what I want and not install what might cause problems.

      1. Mark 65

        On similar lines

        It's always bemused me as to why it is that when I download an Ubuntu LiveCD there's a metric shiteload (not to be confused with the smaller imperial one) of updates that need downloading/installing. Is it too much to ask for another download to be available which has these rolled-up already? Sure, power-users etc can download the original and add what they want but surely your average home user would want all this already included in the disk?

        I think roll-ups for MS bug fixes isn't a bad idea.

        1. heyrick Silver badge

          @ Mark 65

          Indeed, re. Ubuntu. It is a pain "playing" with the OS on an SD card with a 1Gb persistence file when all the many updates are nearly as big as the .iso file and fill up all the space you've allocated. Surely to god they can figure out a way to build weekly, if not nightly, .iso files from all the bits?

    3. heyrick Silver badge

      @ Robert Brandon

      Do you remember when Windows Genuine Advantage was pushed out in the patch cycle? Or that one that bluescreened on all the rootkitted machines? If it were an all-in-one file, this stuff would be easy to install, causing all sorts of consternation.

      At least with the current system, you can pick and choose what you want updated, read security bulletins (like http://go.microsoft.com/fwlink/?LinkID=197393 ) for each one, and make informed decisions as to whether the update needs to be done, can be done later, or can be deferred indefinitely.

  3. Gary F
    Gates Horns

    Oh not again

    Be pleased you don't have to schedule when each of 13 servers can be rebooted after applying the patches, and I have to monitor them to make sure they come back up okay. Why can't MS just get it right so they don't have to keep patching things so often. It's ridiculous.

    1. Lance 3

      Simple

      That is not the Microsoft way.

    2. Anonymous Coward
      FAIL

      Why not...

      ...just switch to a bug-free operating system. Failing that, try one that never needs re-booting.

    3. Shannon Jacobs
      Pint

      Why Microsoft design is flawed

      That last one's easy to answer. The design philosophy of Microsoft is badly flawed. When you perceive the OS as a weapon against your competitors, of course you make it as big and hairy as possible. There are many problems with this approach, but I think the worst one is when you have a child or a little old granny who gets completely pwned. The victim had no idea how to use the trench mortar provided by Microsoft, but the black-hat hackers have plenty of use for evil zombots that are among the world's most powerful supercomputers. (I hope BOINC is still ahead of them, but I'm not sure these days...)

      As proof of the brokenness of the current economic game (as codified into law), even though Microsoft's design philosophy is bad, their economic model is still #1. (Linux has the better OS, but I think it will never become a mainstream OS for the average users--unless maybe Chrome uses a very different economic model.)

    4. Anonymous Coward
      Flame

      Reality check

      Quit your whinging, it's what you get paid to do. If you don't like, get a different job.

    5. Anonymous Coward
      Anonymous Coward

      Err

      The whole point of patch tuesday is to help you schedule patching.

      1. Anonymous Coward
        Anonymous Coward

        Re : Err

        "The whole point of patch tuesday is to help you schedule patching."

        Suppose it does help if you are stuck with the sort of OS that needs rebooting just to install a few bibs & bobs

        1. Anonymous Coward
          Anonymous Coward

          Which OS would you suggest?

          I find a fair proportion of the updates on my Ubuntu setup require a restart too.

          1. Anomalous Cowturd
            Troll

            Re: Which OS would you suggest?

            Only kernel updates need a reboot, muppet.

            Back to your cave.

            1. JP19
              Grenade

              Re: Which OS would you suggest? {Anomalous Cowturd}

              >Only kernel updates need a reboot, muppet.

              >Back to your cave.

              Talk about rabid fanboyism!

              On my Ubuntu system when I run Update Manager a fair number of times I get prompted to reboot. So they're kernel or X server updates. Does that change the fact I need to reboot, or in the latter case suffer almost the equal inconvenience of logging out and back in again? No it doesn't! Muppet.

          2. Chemist

            Re : Which OS would you suggest?

            What ?

            I've used Linux ( 6 machines currently) since ~1996 and NEVER had to reboot except for kernel updates. Indeed several of my machines are set to update automatically including my ultra low power fileserver which has been up for ~75 days since the last kernel update.

            Currently OpenSUSE 11.2 or 11.0

            Suggest you read

            http://it.toolbox.com/blogs/locutus/why-linux-can-be-updated-without-rebooting-12826

  4. Ol'Peculier
    Thumb Down

    Proud?

    It sounds like they are boasting: 14 patches, yay!

    14 holes that shouldn't have had to be filled in the first place...

  5. Totty
    FAIL

    > Though that's why Microsoft releases service packs periodically.

    Really? How many ServicePacks for XP did Microsoft release in the years 2005, 2006 and 2007?

  6. BillboBaggins
    Alert

    @ Gary F & Apple whiners

    They can't get it right as they don't know what security professionals or hackers are going to find and exploit. Just think of the number of lines of code that there are in Windows and tell me you would never make a mistake in that number of lines of anything?!

    As for the Apple debate...At least MS don't charge for service packs. Oh sorry that's right Apple call them new versions of the OS!

  7. Anonymous Coward
    Pint

    Re: Oh not again

    13?? 13!!! Ahem, there might be more than a few people who read this website who will have to be organising the patching and rebooting of a hell of a lot more than that! ;-)

    I'll start the bidding at about 5500, in Europe alone... Which is not a huge number compared to some...

    Perhaps you missed a few zeros from the end of your figure? ;-)

    Beer, because I'll need a few afterwards...

    1. Anonymous Coward
      Alert

      Oh yes again

      I can sympathise, having some 6 machines that all do critical work for a small outfit where there is only my humbleness dealing with Windows, BSD and Debian units.

      You, I am surmising, work for an ISP which, unless you are complete planks, has your webbiness spread over at least three servers per 10 virtual sites. Therefore you have the luxury of patching bit by bit without downtime to your users, with a nice large, super knowledgeable staff level. Sometimes dealing with more of the same is not necessarily any harder (though I am sure you will say different) than a one man band running less. You will argue I have never been in your shoes and I may retort the same.

  8. General Pance
    Thumb Up

    See You Next Tuesday

    I can't wait.

    1. Anonymous Coward
      Anonymous Coward

      Wrong Language -

      You should have used 'C', silly bunt.

  9. Anonymous Coward
    Anonymous Coward

    But....

    I thought coders were supposed to be clever?

  10. Rob 101

    Ahh, here we go again.

    Comments about MS patches do make me laugh.

    Trolls and self important people who fall for it and think they know what they are on about...

    Think of it this way. 14 patches, 8 critical. None yet being exploited. Should they wait then?

    And I agree. Patch Tuesday does make it very easy to schedule server downtime, read up in advance on the coming patches and so on.

    OK so MS are not perfect but neither are any of the others and they have come a long way.

    You can also slipstream service packs and any updates from each patch tuesday into a windows install image if you can be bothered each month.

    1. phoenix
      Pint

      Ah the voice of calm reason again

      Thank you for bringing this mess to order.

  11. heyrick Silver badge

    People, time for some perspective...

    It is well known in geek circles that we all get a nice warm glow inside when our projects compile without errors, especially if it's a first-time compile of a major chunk of code. And if it happens without errors AND without warnings, well hell, it's beer time!

    This, I should point out, is evidence that our code is acceptable to the compiler and can be translated into a workable executable and that we've not mistyped any variables. And, with some better compilers, we've not done idiot mistakes like "if (blah = 1)" (instead of ==). But it is no guarantee that the code actually works correctly, or that it doesn't splatter crap to 0x0 thanks to an inadvertent use of an uninitialised pointer. Oh, and don't moan that it is a problem with C, you can make even more majestic cock-ups in assembler!

    We really should expect reliable code from the likes of Microsoft given their resources, but ultimately we have to accept that a modern operating system is so big one single person simply cannot understand it all, line by line. So we have people who will have their own little specialties, like the ethernet stack or the GPU driver or the pagetable/MMU blatter. But then we come to asking how well does this person know their bit of the equation. Not specifically in providing the features, but also in isolating from things that could go wrong. Take for example the various ports (Firewire etc) which would allow DMA to system memory to relieve the processor from a lot of the interfacing issues. For most hardware on the market, this is just fine. However once somebody devises a way to create a special bit of hardware to pwn a computer by spitting data directly into system memory, bypassing all of the driver's security and the OS's security, suddenly it is a problem - and who is to blame? As a coder or designer you now have to consider not just all of the things your project CAN do, but also all of the stuff it shouldn't. Miss one, there's a potential hole waiting to be exploited.

    Don't mistake a genuine bug or sloppy code for vulnerabilities specifically exploited, for today's exploits are akin to saying your car is insecure and worthy of theft because the windscreen did not prevent a sledgehammer... This cycle of patch/attack will never go away. It will just be that, as systems get more solidly built, the attacks will become ever more ingenious. The concept of a totally secure no-patch-necessary cannot-be-hacked operating system is a dream, only really possible if a system is installed, has NO connection to the outside world, and never takes a program or data from an external source. For the rest of us...

    1. preppy

      "a modern operating system is so big one single person ... cannot understand it all"

      Well, that may be true. But it's beside the point. Professional shops do lots of things both before and after compiling code to make sure that the code is sound. Two examples:

      - [Before] Code walkthroughs (so that bugs like SQL injection are not written into the code)

      - [After] Using LARGE suites of test cases which can be run automatically....it's called .... err ... testing.

    2. Anonymous Coward
      Stop

      RE: People, time for some perspective...

      That's all well and good but think on this:

      Why does MS software have more vulnerabilities than anyone else's? Why is it so insecure and exploitable? Do they test it properly? Doesn't seem like it!

      1. Mark 65

        @AC, regarding MS testing

        The reason for so many vulnerabilities comes down to 2 words

        Legacy code.

  12. andy gibson

    Why is it

    that the patches apply to XP, but also Vista and 7 - operating systems supposedly better and more secure than XP?

    1. Anonymous Coward
      Flame

      Simplez

      Vista and 7 only have a subset of the problems and insecurities that XP has. I know it's Friday but please try engaging your brain a little.

  13. Anonymous Coward
    Pirate

    "supposedly better and more secure than XP?"

    "Why is it that the patches apply to XP, but also Vista and 7 - operating systems supposedly better and more secure than XP?"

    I'm afraid you've misunderstood. The "better and more secure" doesn't mean for the users, it means "better and more secure" for the content providers and their high value high definition digital bitstreams. Can't be having punters copying DRM-protected HD content now, can we.

  14. Anonymous Coward
    Thumb Up

    "Vista and 7 only have a subset of the problems"

    "Vista and 7 only have a subset of the problems and insecurities that XP has. "

    Easy to say, but worthless on its own. How about some compelling evidence to back it up, ideally from somewhere other than MS, otherwise why should anyone take the claim seriously?

  15. Mark A
    FAIL

    Linux fantasies...

    The article on why Linux apparently doesn't need to be rebooted to apply patches is interesting... since Unix effectively reference counts files, you can replace something and the old one just hangs around while one or more processes have it open.

    This presents two obvious problems:

    1. Different processes can be running different versions of a device driver for the same physical hardware - this seems like a recipe for interesting stability problems.

    2. More seriously, you haven't applied the patches for real at all. Any running processes (drivers, server processes, daemons) are still running the old unpatched code, until you do the reboot anyway.

    It's hard to see how this can be considered to be better than the Windows model, except to lull sysadmins into a false sense of security...

    1. Wortel
      Grenade

      @Mark A re: Linux fantasies...

      Updated code (with the obvious exception of kernel, as stated by others already) in *nix systems is engaged directly after updating, as during the process of updating the relevant daemons are restarted while the system remains online.

      Pay attention in the back of class please.
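The two checks the thread argues over (Anomalous Cowturd and Chemist's "only kernel updates need a reboot", and Mark A's point that a replaced library is still the old code inside any process that mapped it before the update) can both be made concrete. The script below is an added example, not code from the thread or from any distribution's tooling: it reads `/proc/<pid>/maps` entries whose backing file the kernel reports as `(deleted)`, which is exactly the reference-counted "old file hangs around" case Mark A describes, and it compares the running kernel release with the newest `/boot/vmlinuz-*` on disk. The nginx/libssl maps dump and the kernel file list embedded in it are constructed sample data.

```python
"""Post-update restart advisor for a Linux host (added example, not from the
forum thread or any distribution's own tooling).

Two questions a sysadmin wants answered after installing updates without
rebooting:
  1. Which processes still map a library or binary that was replaced on disk?
     The kernel appends " (deleted)" to such paths in /proc/<pid>/maps, and
     those processes keep executing the old, unpatched code until restarted.
  2. Is the running kernel older than the newest installed one? That is the
     one case that genuinely needs a reboot (absent live patching).
The maps text and /boot listing below are constructed sample data.
"""
import os
import re
from glob import glob
from typing import Dict, List, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Deleted files under these prefixes are scratch space (memfd, shm, tmpfs),
# not replaced program code, so they are not a restart signal.
_IGNORED_PREFIXES = ("/memfd:", "/dev/", "/SYSV", "/run/", "/tmp/", "/var/tmp/", "/proc/")


def stale_mappings(maps_text: str) -> List[str]:
    """Return the distinct on-disk paths in one maps dump whose backing file
    was unlinked or replaced after the process mapped it."""
    stale: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/") or not path.endswith(" (deleted)"):
            continue  # anonymous, [heap]/[stack], or a still-current file
        path = path[: -len(" (deleted)")]
        if path.startswith(_IGNORED_PREFIXES) or path in stale:
            continue
        stale.append(path)
    return stale


def scan_live_host() -> Dict[int, List[str]]:
    """Scan every readable /proc/<pid>/maps on this host. Unprivileged users
    only see their own processes; run as root for a full picture."""
    result: Dict[int, List[str]] = {}
    for maps_path in glob("/proc/[0-9]*/maps"):
        pid = int(maps_path.split("/")[2])
        try:
            with open(maps_path) as fh:
                stale = stale_mappings(fh.read())
        except OSError:
            continue  # process exited, or no permission to read it
        if stale:
            result[pid] = stale
    return result


def _kernel_key(release: str) -> Tuple[int, ...]:
    """Compare kernel releases like '5.15.0-94-generic' by their numeric
    fields in order, so 5.15.0-94 > 5.15.0-91 > 5.9.0-1."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def newest_installed_kernel(vmlinuz_paths: List[str]) -> str:
    """From /boot/vmlinuz-<release> paths, return the newest <release>."""
    releases = [os.path.basename(p)[len("vmlinuz-"):]
                for p in vmlinuz_paths if os.path.basename(p).startswith("vmlinuz-")]
    return max(releases, key=_kernel_key) if releases else ""


def kernel_reboot_needed(running_release: str, vmlinuz_paths: List[str]) -> bool:
    """True when a newer kernel is installed than the one currently running."""
    newest = newest_installed_kernel(vmlinuz_paths)
    return bool(newest) and _kernel_key(newest) > _kernel_key(running_release)


# Constructed sample: a web server that mapped libssl before the package
# update replaced the file on disk. The memfd/dev entries are normal noise.
SAMPLE_MAPS = """\
55d1c0400000-55d1c0401000 r--p 00000000 fd:01 1310721  /usr/sbin/nginx
55d1c0401000-55d1c0402000 r-xp 00001000 fd:01 1310721  /usr/sbin/nginx
7f0a1c000000-7f0a1c021000 rw-p 00000000 00:00 0
7f0a1c200000-7f0a1c2a0000 r--p 00000000 fd:01 262164   /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a1c2a0000-7f0a1c3f0000 r-xp 000a0000 fd:01 262164   /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a1c400000-7f0a1c401000 rw-s 00000000 00:01 2049     /memfd:doublemapper (deleted)
7f0a1c500000-7f0a1c501000 rw-s 00000000 00:01 2050     /dev/zero (deleted)
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0        [stack]
"""

# Constructed sample /boot listing: 5.15.0-94 is installed but not yet running.
SAMPLE_VMLINUZ = [
    "/boot/vmlinuz-5.15.0-91-generic",
    "/boot/vmlinuz-5.15.0-94-generic",
    "/boot/vmlinuz-5.9.0-1-generic",
]

if __name__ == "__main__":
    print("sample stale libs:", stale_mappings(SAMPLE_MAPS))
    print("sample reboot needed:", kernel_reboot_needed("5.15.0-91-generic", SAMPLE_VMLINUZ))
    if os.path.isdir("/proc"):
        for pid, libs in sorted(scan_live_host().items()):
            print(f"pid {pid} still runs replaced code: {', '.join(libs)}")
        print("host reboot needed:", kernel_reboot_needed(os.uname().release, glob("/boot/vmlinuz-*")))
```

Two caveats a practitioner should keep in mind. A process that loaded a library with `dlopen` and later unloaded it leaves no trace here, so a clean scan is evidence of "nothing still mapped", not proof that no old code ran. And a live-patched kernel (the Ksplice approach raised further down the thread) changes running code without changing `uname -r`, so the version comparison alone can report a reboot as needed when the fix is already applied, or miss a patch that was never live-applied; treat it as a hint to check the distribution's own reboot-required marker, not as the final word.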

  16. Anonymous Coward
    Linux

    @wortel

    Ksplice - patch the K on the fly without reboot.

    Pay double attention you MCSE's at the back.

    1. Wortel
      Thumb Up

      @A.C. @wortel

      Excellent point, thank you.

  17. Mark A

    @Wortel

    Restarting every major daemon on the system sounds like a long-winded equivalent to a reboot to me.

    You could argue that restarting a process is quicker, but not by much (the OS reboot should be what, 60 seconds at most), and conversely if several patches affect the same process it could need multiple restarts rather than just one.

    Overall in terms of availability it seems like a wafer-thin distinction.

    1. Wortel

      @Mark A. @Wortel

      Taking an entire system off-line to initialize a handful of patches, just to sit through the initialization processes of BIOS, one or more RAID controllers and attached devices before the OS gets stage time is long-winded to me. Those 60 seconds are easily lost.

      Even if you meant OS-only boot times, for Windows' post-install routines to be content another 60 seconds is easily lost too before the rest of the system, and its user (or users), is given stage time.

      I'd say it is 60+ seconds unnecessarily wasted with the added risk of the OS not coming back up (either properly or at all).

      So yes, I will argue that restarting a daemon (or two, or ten) is by far the quickest route from A to B when it comes to availability.

      The machine and its OS can still do meaningful service while parts of it are under maintenance.
