"Banker's dozen"
Does that mean that the patches take your data, charge you for the privilege of stealing it, pretend that they didn't do anything wrong and when caught run away with all the goodies anyway?
Another month, another Patch Tuesday from Microsoft, but this month's bundle has come up one short from the 14 promised patches last week. "We are committed to delivering high-quality security updates for our customers and extensively test each bulletin prior to release," Dustin Childs, group manager at Microsoft Trustworthy …
I very rarely have problems, I look after about 25 PCs and a few servers with updates from a local WSUS server. I've had this problem today where two or three patches keep trying to install again and I have one machine that stubbornly refuses an SQL patch, that's it I think. You must be very unlucky.
Think about it. If only 1% of machines suffer a problem / incompatibility, but you only manage 25 PCs, that's a risk worth taking. Chances are you can get through four such updates clean-as-a-whistle before you hit a problem.
But scale up. A typical secondary school has between 100 machines MINIMUM. That means that every update, at least one goes titsup. Multiply that out to several sites that you're in charge of, several customers that you support, and the billion PCs out there that just autoupdate and you're in for a world of hurt almost every month.
Same thing with hard drives. Someone once asked me why our server hard drives fail "so often" (two single failures in four years). Because we have 100+ machines. The servers have 4 disks minimum. We cycle machines every two years, but still, even just "out of the box" defects, you're bound to hit problems on drives before long. Take into account the MTBF of a working drive and it soon comes down to the point where a drive fails every month, even with the best-known brands in the world.
The problem is: Microsoft has the biggest customer base of all of us. And they don't test enough to spot these 1% issues. And then if 1% of the PCs in the world switch off, that's MORE than enough to make the whole problem globally critical and we'll all start patching and blocking the update to prevent it.
Some of the patches only replace one file though, and it will force a reboot if that file's in use. The only way of finding out which file it's talking about is to dig through the KB article.
It would be a lot nicer for the patch to say "I want to replace this file, which is in use by this application/service. Why not close this application/service for me and I'll try again, without having to reboot?" Of course, for desktop roll-outs it's probably simpler just to reboot, but for servers, forcing a reboot to patch a non-essential service, or bloody Internet Explorer is just a pain.
What would be better still is for MS to actually allow you to install just the applications you need, rather than forcing you to install GB worth of shite you never use.
"If you have a system providing a service and can't schedule one node enough downtime to reboot once a month or so, it's a badly designed system. I always reboot after updates, even on linux/unix, so I know it will reboot."
Ah, the old "well if you don't run a cluster" fcukwit.
How many single dedicated servers do you think there are on the Internet providing services?
The first service to stop during an update is IIS, followed by compiling the latest .Net patch and there's usually more than one. Then wait while your server stops everything to install some other patches as it shuts down, followed by another wait while it installs patches on the way back up!!!! You can't have a single server with a 99.9% uptime because Windows takes too long to patch.
On the Linux servers I manage the updates don't stop the server functioning and the reboot is so much shorter, if it's even required. You reboot when not required? Do you also throw up after you eat, it's not required but does reduce the need for a sh...
So, to your surprise there is some action outside of the enterprise. If you use Windows in the enterprise, you should be fired for exposing your clients' data on the platform with the world's largest attack surface and one that is the world's largest attack target. I'd go as far as to say you are negligent.
If you run a service that's essential, can't tolerate downtime and it's on a single server not in a cluster or some sort of system which allows failover, who is the fuckwit? It's certainly not me. This goes for Windows, Linux, UNIX, z, everything.
You may not have a server with 99.99% although uptime is usually measured in terms of unscheduled downtime, but you can easily have a service with that level or better of availability.
Yes, I reboot my Linux servers when they've carried out an update. It's a sensible idea, if you've made changes to a system, reboot it during scheduled downtime, in order that you can make sure the boot process hasn't been damaged in some way, you also know that all the files you had open and were replaced are no longer in use and the new versions are being used. That is, of course, unless you want to find out that your boot process doesn't work as it used to, or someone made changes they didn't record during non-scheduled downtime.
Anyway, if you think that using Windows in the enterprise is negligent, can you point me to a single enterprise who don't use any Windows. I'm pretty sure you won't be able to, but let's say that 0.1% of enterprises don't use Windows, are 99.9% of enterprises wrong and you're right, or maybe you're wrong?
Yes, they are negligent.
Like most, they probably started when security and MS's security were not on the radar. Windows installs were not connected to the Internet and more likely not connected to anything.
As it became increasingly clear with win2000 and problems due to security with downloads from the Internet and then self spreading threats windows was not secure, but it's easier to think AV/AM and the ecosystem will get you out of having to think for yourselves. It's easy to go with the flow, only that's not the job of those in charge of security.
Rely on others is the windows problem, step up and take responsibility. 70% of the planet is covered in water, do you live in the seas and swim everywhere because it's so, no; same with the 99% use windows argument, use an OS that is a smaller target or carry on and be a 'Lemming', jump over the cliff.
If AV/AM vendors' solutions worked, there would be no need for hundreds of updates a year, it doesn't, stop denying everything that's wrong with the windows ecosystem.
>>you also know that all the files you had open and were replaced are no longer in use and the new versions are being used.
# lsof | grep 'DEL.*lib' | cut -f 1 -d ' ' | sort -u
Get to know lsof - it's really handy. Don't know if there's a similar thingie in Windows. Linux really does handle files rather differently than Windows, so get to know how. Try this little game:
* Run up two root sessions to a Linux box (use screen, ssh in twice, two local consoles or a couple of {x,g,k}{term,onsole}s)
* Run "top" in one session
* Switch to the other session
* Find top's PID eg ps ax | grep top and its location (which top) probably /usr/bin/top
* Make a backup of the top binary (cp /usr/bin/top /tmp/top) and delete it (rm /usr/bin/top)
* Verify that top is still running despite the fact you have deleted its binary
* Now restore the binary directly from RAM: cp /proc/<PID>/exe /usr/bin/top (obvious replacement for <PID>)
Yes it is a silly trick but it clearly illustrates a clear difference with Windows. Let's face it why should you not be able to delete an executable file once it's loaded in RAM? Using /proc is just a good way to reinforce the lesson.
Cheers
Jon
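The check in the comment above, done without lsof by reading /proc/<PID>/maps directly, so that after patching you can see which processes still run the old library code and need a restart. This is an added example, not part of the original post; the function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# Added example: find shared libraries that are still mapped by a running
# process although the file was deleted or replaced on disk (e.g. by an update).

# stale_libs: read /proc/<PID>/maps-format text on stdin and print, once each,
# every deleted .so file that is mapped executable.
stale_libs() {
    awk '$2 ~ /x/ && $NF == "(deleted)" && $6 ~ /\.so/ { print $6 }' | sort -u
}

# scan_proc: apply stale_libs to every process we may read (run as root for
# full coverage). Output: PID <tab> command name <tab> stale library.
scan_proc() {
    for d in /proc/[0-9]*; do
        [ -r "$d/maps" ] || continue
        libs=$(cat "$d/maps" 2>/dev/null | stale_libs)
        [ -n "$libs" ] || continue
        name=$(cat "$d/comm" 2>/dev/null)
        printf '%s\n' "$libs" | while read -r lib; do
            printf '%s\t%s\t%s\n' "${d#/proc/}" "$name" "$lib"
        done
    done
}

# Constructed sample in /proc/<PID>/maps layout: two replaced libraries, one
# untouched library, a deleted binary (the "top" game) and a deleted temp file.
sample_maps() {
cat <<'EOF'
55d0a1c00000-55d0a1c1a000 r-xp 00000000 08:01 131101 /usr/bin/top (deleted)
7f1c2a400000-7f1c2a5b5000 r-xp 00000000 08:01 131210 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2a5b5000-7f1c2a5c0000 rw-p 001b5000 08:01 131210 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2a000000-7f1c2a2d0000 r-xp 00000000 08:01 131211 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f1c29c00000-7f1c29db0000 r-xp 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c29a00000-7f1c29a01000 r--p 00000000 08:01 140001 /tmp/scratch.dat (deleted)
7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Default: demonstrate on the constructed sample. Pass --live to scan this host.
if [ "${1:-}" = "--live" ]; then
    scan_proc
else
    sample_maps | stale_libs
fi
```

Paths containing spaces are not handled by the awk field split; the sample deliberately includes a deleted binary and a deleted data file to show that only library code mappings are reported.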
It's always bugged me that they don't fix the 40MB installer, but tack on that load of patches after install.
Each new patch reveals a new set of patches. A clean install from W7 sp1 needs a few hours of updates and reboots before being fully roadworthy. Can they not just release another sp for 7? Pleeeeeeeeeease?
Since I did the update all my Office files have got orange icons and when I double click them I now get a dialog box telling me "The MS Office product necessary to open this file is not installed on your computer". I can run Excel Starter itself and then open those same files within it though. Just a pain to do it that way now :(
At some point Windows Live Movie Maker has decided it can't run on my laptop anymore. Not sure if it's from this update or a previous one.
You have to reset the defaults to point to the "Microsoft Office Client Virtualization Handler"
or
If you're using Starter and can't find winwordc.exe, and also don't have an active link to Word Starter or Excel Starter on the desktop, right-click on the desktop and create new shortcuts with the following paths:
For Word: "C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" "Microsoft Word Starter 2010 9014006604090000"
For Excel: "C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" "Microsoft Excel Starter 2010 9014006604090000".
Then right-click on the file you want to associate, and Open With > Choose Default Program. Select one of those new desktop shortcuts and it should be linked up again.
Another one (of the very many) with the recurring three Office updates (kb2760411, kb2760588 and kb2760583).
Microsoft are looking into it, and will update here:
https://support.microsoft.com/kb/2760411
Testing methodology suspect?
Here's a potential fix in the meantime...
https://www.libreoffice.org