Microsoft plans biggest ever Patch Tuesday Microsoft plans to push out a bumper crop of 16 bulletins - four critical - as part of the October edition of Patch Tuesday next week. The updates represent Microsoft's largest ever Patch Tuesday. The patches will collectively grapple with 49 vulnerabilities. The four critical bulletins impact all supported versions of Windows …
I've just applied the openssl updates on my Ubuntu workstation. A popup window, a description of the problem, and a password prompt because I had to authorise the fix before it applied. No reboot needed on this one, as it wasn't a kernel update so I just kept on working. Come to think about it it's a month or so since I did reboot it.
Any useful desktop operating system contains so many million lines of code (MLOC) that at any given time some of these will be risky, and the rate of discovery of faults and fixes in these seems to increase in proportion to the MLOC count. Alas a proportion of these faults will be zero day vulnerabilities which are not widely known about or patched yet, but your computer is vulnerable to a much greater number of attackers the longer you delay patching after these faults are discovered and published and fixes made available.
So go elsewhere by all means as I have, and you may find things less bad as I have, but don't expect to find perfection elsewhere because you won't, and whichever system you use you do need to keep up with the patches. But you are likely to find things better than what you are used to. Much of the trouble on the Net comes from compromised computers belonging to people using cracked and unlicensed versions of Windows, for which Microsoft has no obligation or incentive to provide patches and updates. That and the fact that most Windows users need to obtain software from 3rd party sites to get basic stuff done, where there is no integrated supply-chain quality-assurance and integrity verification of the kind you get with an open-source/free software Linux distribution repository and package management system.
"I've just applied the openssl updates on my Ubuntu workstation. A popup window, a description of the problem, and a password prompt because I had to authorise the fix before it applied. No reboot needed on this one, as it wasn't a kernel update so I just kept on working. Come to think about it it's a month or so since I did reboot it."
This comment is interesting to me because I received the same prompt to update openssl, yet after installing it Ubuntu asked for a reboot. Should I have ignored this request? If so, I have to say this kind of behaviour is not very helpful for someone unfamiliar with Linux.
Incidentally, it's the second time *this month* I've installed Ubuntu updates that have requested a reboot.
"Incidentally, it's the second time *this month* I've installed Ubuntu updates that have requested a reboot"
We are likely to be on different Ubuntu versions or variants running different kernels. The openssl bugs would have applied across various security-supported versions, and these of themselves shouldn't require a reboot. But maybe your kernel updated as well at the same time and mine didn't. You'll probably find that Ubuntu needs to reboot fewer times than Windows for automated security related patches. Also depending upon the kernel problems fixed, the extent to which you understand these and your relative degree of firewalling and the services you are running and providing, not all kernel updates require an immediate reboot. But if you don't understand what a kernel fix was for, you are better off rebooting than not when the update system suggests this course of action. If you daily shutdown and restart your system there is probably no need to worry about this, as your kernel patches will be effective within 24 hours anyway.
It might be more worthwhile if Microsoft did, as a public service, release security updates to all. That way compromised botnets could be reduced as vulnerabilities are patched. Think of it as vaccination to improve herd immunity.
Trouble is its a bit of an arms race out there, so ultimately all bets are off
downloading update installers from microsoft, writing a simple batch script running these in quiet unattended mode logging successes/failures to a text file, using psexec to run it on all computers and then perhaps manually updating those where your log file indicates any failures. Should be quicker if you got more than 5-6 computers to update.
This post has been deleted by its author
Dear El Reg....
Next time you post a story regarding Microsoft (tm) windows (tm) updates, do you think it would be possible to copy and paste the comments from previous stories regarding Microsoft (tm) windows (tm) updates to save everyone the effort of posting the exact same posts time and time again.
Its getting silly now...
yes, windows gets a new batch of updates....
"I just appreciate the fact software can never be perfect and value the effort MS etc go to in providing us with the ongoing support and patches. Thanks,"
I just ran software update on a customers Mac mini and really appreciate the effort Apple went to in providing the 900Mb update that has left the machine unable to boot!!!!!!!!!!!!!!!!!!!!!!!!
/sarcasm, no offence to OP
"I just appreciate the fact software can never be perfect and value the effort MS etc go to in providing us with the ongoing support and patches. Thanks,"
I just ran software update on a customers Mac mini and really appreciate the effort Apple went to in providing the 900Mb update that has left both my machines working perfectly.
/sarcasm, no offence to OP
You don't have much experience with a mac....900mb update. Never encountered one that size so what exactly were you updating.
The largest combo updater I've encountered on OSX was less than half that size. I bet your customer has never, repaired permissions, which do change through everyday use.
As any fool knows, don't use software update to update software. Manually dl and install locally, making sure you have a bootable back up, just in case. IT!!
So, are Microstuffed themselves now trying to gloss over the turd that was 'Vista' by referring to it as"2008R2"
Almost as big a joke as one of the world's biggest petrochemical companies opting for Vista globally.
Mind you, up until this, they were still using NT/2000...
2008R2 is shorthand for Windows Server 2008R2 (Release 2, presumably, but I CBF to check).
Which, as I understand the roadmap, is the server version of Windows 7. Although the server version of Vista, Server 2008, was pretty good anyway, as the real cock-up in Vista was the front end, not the kernel, as such.
GJC
Do you know if any of those 49 vulns is .Net related? In my box the number of pending .NET updates from v2.0 to v4.0 that can't install properly is constantly increasing - presently there are 10 (ten!) of them in the list... I did spend one full day reading authoritative MS forums and trying various magic solutions to no avail. In the beginning I thought this must be MS's way to convince me I need to move on from XP, but from what I've read the issue gracefully plagues all versions of Windows. Since there are only a handful of .NET apps available and I'm not running any of them, I don't intend spending more time to address the issue until I migrate to Windows 8 in 2013 (provided I survive the 2012 doom). Fortunately, until then MS will surely stop issuing patches for XP and then I'll feel safe at last...
Ah, that'll be the magic of .net. 7 different versions, all DLL hell on overload.
To fix, largely ignore MS's KB articles about small in place tweaks and uninstall the lot. Reboot. Install them again from fresh (new download versions). That should fix the .not mess for a bit until the next screw themselves up.
Mr Bill did some enormous talk about a so-called "Security Development Lifecycle" in 2006. You have to admit then man does indeed have some humor. Especially when MS recently had to fix holes which were present already in Windows 3.1, ca 1994 or so. Or their various crypto snafus like the latest with the unprotected cookie.
Read on you own:
http://www.microsoft.com/presspass/exec/billg/speeches/2006/02-14RSA06.mspx
Engineering for Security
BILL GATES: Well, now let's talk about progress in the second area, engineering for security. I mentioned an overall process that we've created, working with others, called the Security Development Lifecycle, and that's exactly this idea of going through, thinking about the threat models, understanding what code to run at what privilege level. Some of this involves the creation of new tools, tools that do extremely deep static analysis of our code, and for the first time we're actually able to prove properties of the code, understand does it ever get into certain states or not, and if it does, be able to show exactly the path that would create those states.
A lot of this is really going to the developers, getting them to write the security architecture as one of the very first things they do. We've documented this and we're sharing that, lots of good feedback, and active community involvement, so you can scope it so it works for projects of different types. Obviously, the ones we do are very large scale, but these principles actually can be applied even for doing simple Web sites, simple applications, it's still very, very important.
We have the tools built in to the Visual Studio compiler. These are the tools that we built ourselves to do these analyses, and so, for example, catching a memory overrun or looking at an API, we're actually not passing in the right kind of information, those will get flagged, and these tools run fast enough that you don't wait and have it be part of some fancy build process, literally this runs on every developers workstation before they can do any code check in. So making that quick, getting it upfront, we've found that that works extremely well.
Haaaa Big Knobs from Microsoft saying PEOPLE USING THEIR SOFTWARE, their pox infested software, their buggy, easy to hack, insecure, their technological "dumbarse" software... should be blocked if their FUNDAMENTALLY INSECURE Microsoft Operating system is hacked and or infested; and they should be licensed to use the web.
Prompting the next question: "By Whom?", Become a Microsoft Certified Web User - after paying a heap to Microsoft - to sit their shitty tests, for their shitty software.
More trips to the psych ward for overdosing on corporate moron bullshit?
No thanks.
OK. I confess - Microsoft gave me every good reason I needed to move to Linux, and Linux gave me every reason I needed to keep using it.
Microsofts patches are essentially worthless.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
