
Time to End Microsoft's Patch Tuesday?

Zonk posted more than 6 years ago | from the plenty-of-time-for-trickery dept.


buzzardsbay writes "Techtarget's resident security curmudgeon, Dennis Fisher, is calling for an end to Microsoft's monthly security patching cycle. Fisher points out that 'a hacker only needs one unpatched system, one little crack in the fence in order to launch a major attack on a given network. The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'"


256 comments

I have always wondered... (4, Interesting)

AxemRed (755470) | more than 6 years ago | (#19070863)

Why don't they just release patches as they make them? Is there a specific reason that they hold them all until "Patch Tuesday?"

Re:I have always wondered... (2, Insightful)

Pentavirate (867026) | more than 6 years ago | (#19070913)

So your machine only reboots on you when you're not looking once a month instead of every single day!

Re:I have always wondered... (1)

ben there... (946946) | more than 6 years ago | (#19071215)

So your machine only reboots on you when you're not looking once a month instead of every single day!

That pissed me off a couple days ago. I had stuff downloading overnight and scheduled SageTV recordings that got interrupted. I woke up to my computer at the login screen and thought the power must have gone out. Then the friendly green shield kindly informed me that it rebooted without my permission.

That's the cue for me to disable the Automatic Updates service. The idea is good but the implementation is awful.

Re:I have always wondered... (1)

binner1 (516856) | more than 6 years ago | (#19071491)

Or...you could just tweak the setting so that it applies patches but waits for permission to reboot. Group Policy (gpedit.msc) somewhere...

Not perfect, but it seems a best of breed given the available options.

-Ben

Re:I have always wondered... (1)

Score Whore (32328) | more than 6 years ago | (#19071611)

Hell, I'm running XP Home and only went to the extent of saying "notify me of patches, but don't download or install them." It pops up the balloon saying "we got patches for you" and then I can choose when to download and install. It doesn't take much in the way of rupert science.

Re:I have always wondered... (1)

jimicus (737525) | more than 6 years ago | (#19071639)

Does Windows gracefully handle the situation where a DLL which is currently in use is replaced, or will I wind up with applications calling two different versions of the DLL depending on when they started?

Because if it's the latter, no thanks. I'd rather download the updates so they're quick to apply, then do the actual application on my own terms.

Re:I have always wondered... (1)

binner1 (516856) | more than 6 years ago | (#19071901)

Renaming of replacement files happens at boot... Windows can't delete open files like Unix can, thus the new DLLs can't be put in place until reboot. You should be safe in that regard. If Windows is able to swap the file, then nothing is currently using it.

-Ben

Re:I have always wondered... (1)

ben there... (946946) | more than 6 years ago | (#19072415)

Thanks, but I have XP Home. gpedit.msc and the Security tab on files are all I would need from Pro. Unfortunately, I didn't give MS that much money for all the other stuff I don't need. Sounds like your solution would have worked best though.

I really just want it to install everything. The only thing I don't like is the reboots. It should really be a clearly visible option in the AU panel. Thanks for your help. Can't believe some of the other responses I've gotten though...

Re:I have always wondered... (1)

Feyr (449684) | more than 6 years ago | (#19071625)

At least you were greeted by the login screen. I had one "reboot" for patches, except it didn't reboot, it SHUT DOWN. Very nice when you want to use it remotely.

Re:I have always wondered... (1)

Steendor (917855) | more than 6 years ago | (#19071681)

XP Pro SP2, 2K3, and presumably Vista --- The control panel lets you specify that you don't want it to install until you're ready. No auto-install -> no auto-reboot. Group policy settings go beyond that and let you schedule the auto-reboot, among other things: Computer Configuration\Administrative Templates\Windows Components\Windows Update

Re:I have always wondered... (1)

Joebert (946227) | more than 6 years ago | (#19072199)

You just didn't have it configured the way you needed it to be; your error, not Microsoft's.

Configure it to inform you but not automatically download them & quit blaming your mistakes on Microsoft.

Re:I have always wondered... (1)

BrewedInTexas (971325) | more than 6 years ago | (#19072437)

You just didn't have it configured the way you needed it to be; your error, not Microsoft's.
So it's my fault that Microsoft has a crappy default setting?

Re:I have always wondered... (2, Insightful)

Joebert (946227) | more than 6 years ago | (#19072561)

No, it's your fault that you didn't learn how to configure your system to meet your needs. :)

Re:I have always wondered... (5, Insightful)

kcurtis (311610) | more than 6 years ago | (#19070939)

It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.

That's the Problem (5, Insightful)

bill_mcgonigle (4333) | more than 6 years ago | (#19071467)

It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

Your comment is accurate, and gets to the heart of the problem. The current system minimizes cost, at the expense of security.

The pundit would rather companies get more staff, do rolling testing, etc., whatever it takes - to maximize security.

Now, as a non-user of Microsoft products and a victim of attacks by unpatched machines, some of them corporate, it's clear that the current strategy just shifts the costs off of the companies and onto me. If it just crashed their networks I couldn't care less. But it's more than that.

So I need to side with the proposal - the users need to improve their security. They can do this by having rolling patches from Microsoft or picking a more secure product to use. I don't care how they do it, but they need to stop expecting me to pay for their poor performance.

Unfortunately, liability is poorly defined in this realm, otherwise I could theoretically sue for damages, and their insurance company would make sure they were in good shape or charge them through the roof for being in bad shape.

Makes sense to me! (0)

Anonymous Coward | more than 6 years ago | (#19071703)

I never have anything going on on Tuesdays...

Re:I have always wondered... (4, Insightful)

Matt Perry (793115) | more than 6 years ago | (#19071747)

It allows IT departments to specifically set aside 1 (or more) days a month on a regular schedule to test the updates before rolling them out to the client computers.

If the updates come out on a random schedule, as done before, you cannot plan ahead for the testing required to ensure the updates don't break functionality.
Nonsense. Companies are free to test and upgrade on a given day no matter when updates come out. I test patches and update my Linux servers once a month even though patches for said machines may come out at any point in time between my patch days. I make exceptions to this only for patches that we deem critical enough to apply outside of our schedule.

Re:I have always wondered... (1)

Hatta (162192) | more than 6 years ago | (#19071777)

Obviously you don't have to install the updates as soon as they're posted. Just pick a day a month to do it all. Of course you'll be vulnerable the rest of the month, but that's no worse than it was when Microsoft held the patches.

Re:I have always wondered... (1)

LocoMan (744414) | more than 6 years ago | (#19072207)

To be fair, it is worse because before it was a month where (in the best case) only Microsoft knew of the patches, while then it would be a month that crackers had to reverse engineer the patches, find out what the vulnerability was, and take advantage of yet unpatched computers.

Then again, since most home users don't update their computers as it is, that's what's happening already.

Re:I have always wondered... (1)

AxemRed (755470) | more than 6 years ago | (#19072059)

IT departments could still stick to a schedule though... They could apply all available updates once a month just like they do now. If a vulnerability is fixed a week after they usually do the updates, any IT department that wants to stick to a schedule can always ignore the patch until their next scheduled update.

I have seen one example of how this could work at a university where I used to be employed. They disabled automatic Windows updates by default, and they had some 3rd party software that pushed out the updates instead. After Microsoft released updates, they would evaluate them to make sure they wouldn't break anything. Then they would push out the updates later. It wouldn't have really affected them if the updates were released one at a time as opposed to all at once.

Re:I have always wondered... (1)

kjkeefe (581605) | more than 6 years ago | (#19070947)

Probably just an old hangover from pre-Internet patch distribution methods... There's no excuse for them not to get with the times...

Re:I have always wondered... (0)

Anonymous Coward | more than 6 years ago | (#19070973)

They need this time to develop the next backdoor and slip it into the updates.

Re:I have always wondered... (1)

OECD (639690) | more than 6 years ago | (#19070977)

Why don't they just release patches as they make them? Is there a specific reason that they hold them all until "Patch Tuesday?"

My guess is precisely to keep it a manageable, once a month job. I don't see how a patch-a-day is going to make IT's life any easier (although it would be a good excuse to hire more staff.)

Re:I have always wondered... (0, Flamebait)

Score Whore (32328) | more than 6 years ago | (#19071731)

As long as you don't mind working nights. There's no way an enterprise is going to accept daily, business hours outages.

Re:I have always wondered... (0)

Anonymous Coward | more than 6 years ago | (#19071861)

If they're already a Microsoft shop, they're used to it.

Re:I have always wondered... (1)

ECS_Norway (1100279) | more than 6 years ago | (#19071005)

I believe patches need a little time to be tested. I think it makes it easier for IT departments to get some sort of coherent schedule on patching machines. It also helps give some sort of press to critical patches. It would be hard for the average tech to keep up with a slew of patches at any time. But, as the article points out, there are big problems with the once-a-month system.

Re:I have always wondered... (1)

rob1980 (941751) | more than 6 years ago | (#19071087)

If things are going to blow up, you might as well have it all happen on one day of the week/month/whatever - as every time somebody decides to patch something.

Re:I have always wondered... (1)

Rolgar (556636) | more than 6 years ago | (#19071171)

For system administrators, it allows them to only have to address patching Windows machines once a month. If they can do all of the testing, and roll all of the patches out in one go, then it makes using Windows less of a burden by reducing duplicated effort.

On the other hand, if you're a Microsoft hater, you might think Microsoft is using this to hide how many vulnerabilities Windows has. If users had to reboot 7 times for this week's patches over the course of a month instead of just once a month, they might decide that maybe Windows isn't secure enough and look at alternatives. If you only have to reboot occasionally, it's routine maintenance, but frequent reboots might raise flags in the minds of home users.

Re:I have always wondered... (1, Insightful)

Professor_UNIX (867045) | more than 6 years ago | (#19071403)

For system administrators, it allows them to only have to address patching Windows machines once a month.
This is a stupid idea though. It saves the administrators some hassle, but if Microsoft is putting out a patch for a vulnerability then don't you think that maybe, just maybe, the hackers already know about the vulnerability and are actively exploiting it? Why should I have to wait a month for a patch to a critical vulnerability just because some company's IT department only wants to work one day a month on patching? Patches should be released as soon as possible for anything critical or security-related and you can let companies choose to sit on them for a month if they want.

Re:I have always wondered... (1)

Martin Blank (154261) | more than 6 years ago | (#19071713)

Every company I've been at over the last decade has been stretched on resources, and my current employer much more so than any before. While I have some additional control over systems that are my responsibility, and will apply updates as I find them, we have numerous fragile applications that have to be carefully managed in shutdown and restart, and they can take from five to fifteen minutes per system of engineer time in coaxing through a proper patch, shutdown, and restart. Spread this over several hundred systems, and that's a lot of time that engineers don't often have -- and usually after hours, since most of the systems are not permitted to be shut down during business hours. We're looking at solutions like WSUS, but the ironic twist is that no one has the time to devote to it to ensure that it's properly done.

There are much larger networks than mine, and some of them even more fragile. Microsoft was blasted for releasing scattershot patches before, and since the change, they've been blasted for releasing them once a month (with the occasional super-critical patch released off-schedule). No matter which way they do things, they're going to have half of the industry mad at them. Better to go with the one that makes their lives easier.

Re:I have always wondered... (1)

BrewedInTexas (971325) | more than 6 years ago | (#19072545)

This is radical thinking I know, but check this out. If you like the once a month patches, just apply them once a month. Personally, I'd like to get them as soon as possible. If your financial records are stolen because the patch wasn't released, just remember which side you were on and don't blame me.

Re:I have always wondered... (1)

rblancarte (213492) | more than 6 years ago | (#19071785)

As someone who does regularly patch their windows systems, but pays ZERO attention to the schedule, does MS follow this Patch Tuesday rule for only IT or for EVERYONE?

If this is an everyone issue, then IMHO, Patch Tuesday makes no sense. Because some IT don't want to work (stop me if you've heard that one before), they are halting the deployment of patches to the whole populace? IMHO, not smart.

Of course, I could be wrong about this, if so, please enlighten me.

RonB

Re:I have always wondered... (1)

LocoMan (744414) | more than 6 years ago | (#19072261)

The thing is that sometimes the first time a vulnerability becomes public knowledge is when the patch comes out and it's reverse engineered... so if you release patches first to home users and on Patch Tuesday to corporate ones, you put them more at risk.

Re:I have always wondered... (1)

Score Whore (32328) | more than 6 years ago | (#19071865)

This is a stupid idea though. It saves the administrators some hassle, but if Microsoft is putting out a patch for a vulnerability then don't you think that maybe, just maybe, the hackers already know about the vulnerability and are actively exploiting it?


That's a nonsensical argument. You could make the same argument for any piece of software at anytime. So it's a useless factor in your analysis of the criticality of the particular issues addressed by any particular patch.

Each individual user should be deciding how important a particular patch is. For the vast majority of consumers this is pretty much impossible. For them it makes plenty of sense for Microsoft to establish the patching process and schedule, eg. to provide a service that a business IT department would typically provide.

For businesses, again, it's up to them to determine what their exposure happens to be for each software application and OS. There's no way that a statement can be made that is relevant to industry as a whole.

Re:I have always wondered... (1)

symbolset (646467) | more than 6 years ago | (#19071289)

Because on Black Wednesday, when your clients start complaining about "service failed to start" and intermittent memory errors, you know to look for the toxic patch first rather than the more usual virus. Saves a ton of diagnostic time.

Re:I have always wondered... (4, Insightful)

LurkerXXX (667952) | more than 6 years ago | (#19071945)

You always wondered? You must be fairly new to IT. MS switched to that format well within the past 10 years. I think it was around 5 years ago. Before that they released them as each was finished.

As for why they do them that way now, their large corporate customers asked them to. In large corporate settings there are often lots and lots of in-house-developed applications the company runs. Each time a new patch comes out, the IT dept must go through a lengthy (sometimes several weeks) process of testing the new patch, on test beds of the various models/configurations of computers the company uses, to make sure it doesn't break any of those apps, or any other purchased applications. They often run into many bugs/conflicts that MS doesn't in their testing.

If MS comes out with a patch, the company starts testing it out, then 3 days later MS comes out with another patch, the big corp now has multiple cycles of testing trying to go on at the same time, using up tons of IT resources, backing things up in the pipeline. If their testing cycle is 2 weeks, and MS releases 6 patches during those two weeks, the pipeline is now filled up with 12 weeks worth of throughput. Not fun.

If, on the other hand, MS releases on a regularly scheduled day each month, the company can easily run their test suite just a single time, freeing up IT resources, and also letting them plan for the patches/testing, rather than being surprised and having to pull folks off of other projects to work on testing if MS suddenly goes on a streak of releasing several patches in a row.

Re:I have always wondered... (1)

SeaFox (739806) | more than 6 years ago | (#19072379)

It would be more obvious to Windows users how insecure the product is if they made patches available as soon as they wrote them. Installing 5 patches at once has less negative PR effect than installing a different patch at 5 different times.

I've heard people who say they don't update because they get sick of downloading patches, don't think they are of that much importance, etc. Maybe it's because almost all the patches are for "critical vulnerabilities". It's like crying wolf after a while. The term becomes meaningless because it happens so often. The joke here is it's not crying wolf; all those vulnerabilities really do have security risks.

Otherwise known as... (0, Troll)

ivan256 (17499) | more than 6 years ago | (#19070931)

Patch Tuesday - AKA: The day before the zero-day exploits are released.

Re:Otherwise known as... (2, Informative)

drinkypoo (153816) | more than 6 years ago | (#19070999)

Patch Tuesday - AKA: The day before the zero-day exploits are released.

That's not true. They're released before the patches come out. Microsoft provides vulnerability information through a webpage now.

All the more reason to ditch the patch tuesday, and just release patches when they are ready. As I have repeatedly pointed out otherwhere recently, if you want to install the patches monthly, you can wait for some arbitrary day of the month, and then install the patches.

This is how Microsoft schedules patch releases, so doing this would preserve the existing behavior for those seriously confused people who prefer it. Waiting to release patches is bad for everyone, except the people profiting from exploits.

Re:Otherwise known as... (1)

toleraen (831634) | more than 6 years ago | (#19071261)

I'm guessing the reason they wait for one day is for their own internal QA process (hear me out!). It can be much easier to test and verify 10 patches at once, instead of testing one at a time. I would assume (hope) that they build systems with the new patches, and stress the systems for a certain amount of time to make sure they're compliant with their own internal standards. Testing them all separately as they come out would require a lot more resources, and could end up taking even longer.

Obviously take that with a grain of salt, since we've all seen the 'emergency patch after patch day' deal. Just my take.

Re:Otherwise known as... (0, Troll)

drinkypoo (153816) | more than 6 years ago | (#19071913)

Obviously take that with a grain of salt, since we've all seen the 'emergency patch after patch day' deal. Just my take.

I've had THIS conversation repeatedly, too. My argument against is the same as yours - clearly, the QA is not effective. We've seen that time and time again. They don't even adequately test service packs!

It's a great idea, but the evidence just doesn't support it. I'm not saying they're not doing QA, just that it's not what's stopping the timely releases. Besides, one of two things must be true; either the tests complete at different times, which means that some patches could be released earlier, or that some of the tests are being terminated before they complete, to make them all terminate on time for patch tuesday. I would of course suspect the former before the latter.

Re:Otherwise known as... (0)

Anonymous Coward | more than 6 years ago | (#19071847)

A zero-day exploit is one that has not been patched yet. That's why they are called zero day, because there was no time prior to the exploit to avoid it (except maybe obvious things like closing ports and stuff).

Riiight... (1)

Starteck81 (917280) | more than 6 years ago | (#19070945)

That's like saying there are too many cracks in a large dam so you might as well give up on trying to patch them.

Volume of patches won't get better (2, Interesting)

Dynedain (141758) | more than 6 years ago | (#19070953)

"The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time."

So the sheer volume of daily patches would make this better?

Now, MS should take a clue from Apple and have a lot more "rollup" packages than they currently do.

Re:Volume of patches won't get better (0, Troll)

aichpvee (631243) | more than 6 years ago | (#19071177)

Also wouldn't hurt to take a lesson from Apple and scrap their operating system and start over with a *nix.

Re:Volume of patches won't get better (3, Insightful)

gad_zuki! (70830) | more than 6 years ago | (#19071251)

Patch day was started because administrators didn't want random patches being pushed out at random times. It's supposed to help the process by giving people a schedule, especially for people who aren't using SUS.

The real question is when are they going to patch the patch system. The 100% CPU svchost bug is killing me and KB916089 (and its predecessor) doesn't do squat.

Re:Volume of patches won't get better (1)

Chosen Reject (842143) | more than 6 years ago | (#19071739)

Oh thank you. My wife's laptop has been going crazy with svchost using up insane amounts of CPU and memory. I seriously thought it was a virus for a long time until I ran it through several anti-virus programs, then I noticed it went craziest in conjunction with Yahoo's IM client. But even after removing that it still was weird. I didn't know what else to think. I hadn't thought that it would be a bug (I don't know why not, it's MS after all?). At least now I know who to blame.

Re:Volume of patches won't get better (1)

suv4x4 (956391) | more than 6 years ago | (#19072191)

Oh thank you. My wife's laptop has been going crazy with svchost using up insane amounts of CPU and memory. I seriously thought it was virus for a long time until I ran it through several anti-virus programs, then I noticed it went craziest in conjunction with Yahoo's IM client.

Actually, SVCHOST at 100% doesn't necessarily mean it's the bug this KB article is talking about. SVCHOST, as the name suggests, is a host process for services. Any service that it hosts could cause the CPU utilization.

You need to download proper tools (such as Process Explorer by Sysinternals, a freeware tool owned by Microsoft) and see exactly which service causes the problem.

It *could* be a virus, or a poorly written service, or a service in conflict with some hardware/software piece on your system.

Re:Volume of patches won't get better (0)

Anonymous Coward | more than 6 years ago | (#19072225)

Re:Volume of patches won't get better (2, Funny)

Intron (870560) | more than 6 years ago | (#19071433)

To reduce the problems caused by the volume of daily patches, they could save them until a particular time and refer to that as "patch minute". I propose that they make this 5:35 pm in each local timezone to catch the IT staff who are trying to sneak out and have a home life.

Re:Volume of patches won't get better (1)

jimstapleton (999106) | more than 6 years ago | (#19071481)

I agree, on both counts

The author of the article is an idiot or never administered massively patched software if he thinks that more frequent releases would make things easier.

If there is any testing, the majority of it would be redundant between patch sets, to make sure critical things weren't inadvertently broken. Say that takes 1 day per patch set; now if there are 10 patch sets in a month instead of 1, you just had 10 days spent.

That being said, while release-when-done actually makes an administrator's job harder to keep a system up to date with the current patches, it would improve the security of the OS.

Ideally, I'd say something between that and what we have now would be good: once-a-week patches. Not quite frequent/random dates, but the time between a fix being available and a release would not exceed a week, instead of potentially being up to a month.

I hate "rollups". (1)

khasim (1285) | more than 6 years ago | (#19071851)

At least with "Windows Update" I can, somewhat, limit the amount of crap going onto my systems.

But a far FAR better solution is Debian's approach. I get TINY patches and ONLY for what is specifically running on my system.

It is so much simpler and easier to test with that approach.

Particularly when compared to things like WinXP's sp2 (with firewall) approach.

Re:I hate "rollups". (1)

peragrin (659227) | more than 6 years ago | (#19071995)

While ideal, MSFT couldn't do that.

According to MSFT's own developers the Windows codebase is filled with circular dependencies. Think the backup department of the government department of redundancies.

Until they actually break compatibility, and actually rewrite the codebase instead of just porting Windows XP to the Win2k3 kernel, and make the whole system modular, you're going to get massive patches.

How does this help (1)

Zadaz (950521) | more than 6 years ago | (#19071001)

How does the existence (or not) of Patch Tuesday change the number of patches deployed on your network?

And why are you relying on MS to keep your network secure?

Re:How does this help (0)

Anonymous Coward | more than 6 years ago | (#19072279)

And why are you relying on MS to keep your network secure?

Small businesses don't have the money to pay a network security expert.

SUS (2, Insightful)

u-bend (1095729) | more than 6 years ago | (#19071011)

I'm not a fan of MS, nor am I a network administrator, but if you're running a network large enough for patching to be a big problem, shouldn't you have a PDC or BDC or something like that that runs SUS? Then you can choose which patches get installed to clients, and when, right? Probably an oversimplification, but it helped in management of our M$ boxes at a previous job.

Re:SUS (1)

sanityfeactory (1085371) | more than 6 years ago | (#19071239)

Actually it's not much of a simplification. SUS can deploy patches across M$ networks with little to no impact. The biggest problem most sadmins find in large enterprises is legacy systems that are only patched periodically (once a quarter). Microsoft exposes patches ahead of their automated install date (via Auto-Update) too. So, if you're a good sadmin you're probably waiting for the out-of-cycle release of said fix so that you can smoke it on your enterprise *long before* "patch Tuesday." It's actually kind of funny to read all this bellyaching. Cry me a river, how hard can it really be? Back in the day, we had ~10,000 servers to update and used VBS and batch files to make most of that happen. If you're still deploying .msi by remoting to each and every server in your stable you're making it difficult on yourself.

Re:SUS (1)

LurkerXXX (667952) | more than 6 years ago | (#19072193)

Umm, those large corporate customers that wanted patch Tuesday, so they can test their huge suite of in-house-developed apps against all the patches at once *DO* have machines running WSUS.

Testing is a huge issue. Rolling out the patches isn't. If the testing takes 2 weeks, and MS releases a new patch every other day for 10 days, they don't want to suddenly have 10-weeks worth of testing in the pipeline. They want to do it all at once.

Reality check:

Often hackers do come out with new novel exploits for unknown (to the public) bugs. Most often these days, when a new bug is found either by MS or a responsible security hacker (who tells MS about it and gives them a reasonable amount of time to create/test a patch before releasing details to the public), the hackers leap on the new patch, do a diff on the system between a newly patched and unpatched system, and reverse-engineer a bug to exploit unpatched machines. They then release the exploit to that vulnerability, and make botnets out of unpatched boxes.

By releasing patches as each becomes available, you create that huge ugly pipeline for the corporate folks to deal with, so if they want to wait on testing until a few patches accumulate, some of those exploits have now been released way, way before testing gets done (or even started), and their machines get nailed. By releasing them monthly, you narrow down that time window of exploitable machines to two weeks or less for that company.

And if an in-the-wild exploit is found for something, MS does often release an out-of-cycle patch, so that folks can patch as soon as the patch is available.

In short, having WSUS available is NOT the issue.
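The testing-pipeline argument in this post and its earlier counterpart, together with the "just pick a day a month and apply them all yourself" counter-argument made earlier in the thread, worked through as a small simulation. This is an added example, not code from any poster; the 14-day test cycle, the six fix-ready days (the thread's "6 patches in two weeks") and the day-14 batch day are constructed values.

```python
"""Toy model of the patch-cadence trade-off argued in this thread.

Vendor policies: "as-ready" ships each fix the day it is finished; "monthly"
holds fixes and ships them together on a fixed day of the month.

The customer's IT department runs one regression test cycle per release event,
one cycle at a time, and a cycle takes the same time however many patches it
contains (the "run their test suite just a single time" assumption above).
A fix counts as deployed when its cycle finishes.

Two exposure windows are reported because the thread disputes which matters:
public (release day -> deployment: the patch is out and can be reverse
engineered) and total (fix-ready day -> deployment: the bug exists either way).
All constants and sample fix-ready days are constructed for illustration.
"""
from collections import defaultdict

TEST_CYCLE_DAYS = 14   # length of one regression test cycle (constructed)


def release_schedule(ready_days, policy, batch_day=14, period=30):
    """Map fix index -> day the vendor releases it under POLICY."""
    released = {}
    for i, ready in enumerate(ready_days):
        if policy == "as-ready":
            released[i] = ready
        elif policy == "monthly":
            day = batch_day
            while day < ready:           # first batch day on or after readiness
                day += period
            released[i] = day
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return released


def group_releases(released, test_days=None):
    """Return [(day, [fix ids])]: the groups that each trigger one test cycle.

    Without TEST_DAYS every distinct release day is its own group (IT reacts to
    each release). With TEST_DAYS, IT starts cycles only on those days and each
    cycle covers everything released since the previous test day: the "just
    pick a day a month and apply them all" counter-argument.
    """
    if test_days is None:
        groups = defaultdict(list)
        for i, day in released.items():
            groups[day].append(i)
        return sorted(groups.items())
    groups, prev = [], -1
    for day in test_days:
        ids = [i for i, r in released.items() if prev < r <= day]
        prev = day
        if ids:
            groups.append((day, ids))
    return groups


def run_pipeline(groups):
    """Serial test pipeline: fix index -> deployment day."""
    deployed, pipeline_free = {}, 0
    for day, ids in groups:
        start = max(day, pipeline_free)      # wait for the previous cycle
        pipeline_free = start + TEST_CYCLE_DAYS
        for i in ids:
            deployed[i] = pipeline_free
    return deployed


def exposure(ready_days, policy, company_test_period=None, batch_day=14, period=30):
    """Summarise exposure windows (in days) for one scenario."""
    released = release_schedule(ready_days, policy, batch_day, period)
    test_days = None
    if company_test_period:
        last = max(released.values())
        test_days = range(batch_day, last + company_test_period + 1, company_test_period)
    groups = group_releases(released, test_days)
    deployed = run_pipeline(groups)
    public = [deployed[i] - released[i] for i in released]
    total = [deployed[i] - ready_days[i] for i in released]
    return {
        "release_events": len(set(released.values())),
        "test_cycles": len(groups),
        "public_max": max(public),
        "public_mean": round(sum(public) / len(public), 1),
        "total_max": max(total),
        "total_mean": round(sum(total) / len(total), 1),
    }


if __name__ == "__main__":
    # The thread's own numbers: six fixes ready inside one two-week window.
    six = [2, 4, 6, 8, 10, 12]
    print("as-ready, IT tests each release:", exposure(six, "as-ready"))
    print("vendor batches monthly         :", exposure(six, "monthly"))
    print("as-ready, IT batches monthly   :", exposure(six, "as-ready", 30))
```

With these inputs the per-release pipeline finishes its last cycle on day 86 (the "12 weeks of throughput" figure), vendor batching caps the public window at 14 days, and company-side batching gives the same total window as vendor batching but a public window of up to 26 days, which is the difference LocoMan points to above.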

The Real Reason for Patch Day (3, Insightful)

Gary W. Longsine (124661) | more than 6 years ago | (#19071013)

Dennis Fisher fails to grok. Patch Day was created because Microsoft was getting hammered by the poor press which resulted from releasing many patches in one month. Patch Day, as much as it sucks, is probably here to stay.

Re:The Real Reason for Patch Day (1)

Trailrunner7 (1100399) | more than 6 years ago | (#19071283)

That's not true. MS gets killed no matter whether they release 15 patches in one day or 15 over the course of a month. The question is when they release them in relation to when the vuln is disclosed. Waiting 3 weeks makes no sense.

Re:The Real Reason for Patch Day (2, Funny)

sharkey (16670) | more than 6 years ago | (#19071663)

Dennis Fisher fails to grok.

True. Patch Tuesday will arrive when waiting is filled.

Not MS' problem (1)

l4m3z0r (799504) | more than 6 years ago | (#19071051)

Sounds to me like your IT staff doesn't know how to do their job effectively. Many companies and schools with hundreds or thousands of computers are able to stay patched. It might be more prudent to fire your current IT staff and hire some people that are capable enough to apply patches quickly and remotely without trouble.

Re:Not MS' problem (1)

sqlrob (173498) | more than 6 years ago | (#19071407)

The problem isn't application (or shouldn't be). The problem is testing custom business critical apps, or other third party apps that may break.

Re:Not MS' problem (2, Insightful)

danlor (309557) | more than 6 years ago | (#19071493)

Sounds to me like you are the problem. That's a heinous comment.

Patching is dangerous. It is not for the foolhardy, or ignorant. Your IT department is there to protect you from the "just do it" mentality. Trust them, and when they whine about problems in the process, take heed.

Our systems have been taken down twice this year due to bad patches from good old MS. Patches that we in IT were FORCED to deploy before proper testing. Guess who has control of the process in our organization now?

WSUS (1)

dotegg (553623) | more than 6 years ago | (#19071053)

Ever heard of Microsoft WSUS client? With it you can push out patches to all your MS clients immediately.

Re:WSUS (1)

LurkerXXX (667952) | more than 6 years ago | (#19072257)

Which reduces the time needed to test patches before rolling them out, how?

The corporate folks that wanted Patch Tuesday already have WSUS servers. That's not the issue.

Patch Tuesday (2, Insightful)

Anonymous Coward | more than 6 years ago | (#19071083)

My understanding is that they basically did it to allow IT guys to schedule their downtime and patching, instead of having to scramble every time MS releases a patch in the middle of the week. Which is how it used to work, up until 2003 or so.

Re:Patch Tuesday (1)

guruevi (827432) | more than 6 years ago | (#19072503)

From what I remember (it's only been 4 years, don't you remember anything? Or were you too young?) is that Microsoft started to grow a clue about security and had to bring out a patch to their Operating System as good as every single day (for ME, XP, ...). Of course this was to the great amusement of press, Netcraft and *nix sysadmins that boast 100's of years of uptime and Microsoft's marketing machine decided that: if we bring them out only once a month, we can combine them in a roll-up and it won't look all that bad anymore. They gave it the spin of 'easier for sysadmins' but real sysadmins knew you could schedule them (at least back then, haven't been using Windows lately but I noticed my parents' machine automagically reboots at night - creepy isn't it) either within your organization or locally.

The Problem is Volume (1)

Sean0michael (923458) | more than 6 years ago | (#19071115)

It sounds like the problem is not that they only come out once a month, but that so many are released that it takes a long time to apply the patches. If they released one patch every day, it would still take a while to patch every system, especially for large companies or companies with tons of computers.

It sounds to me like the only real solution is to make better code so that you do not have to release patches as often. It might just be an inevitability that IT must live with.

I call Bullshit on the Red Bull (3, Insightful)

The Media Mechanic (1084283) | more than 6 years ago | (#19071139)

"Known in some circles as Black Tuesday, the second Tuesday of each month in the last few years has become a kind of national day of mourning in the IT industry, as admins call all hands on deck and load up on pizza and Red Bull for the long night ahead."


I call bullshit on this anecdotal bit of trivia. Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit... what places actually force their employees to work ridiculous hours like this just due to an arbitrary vendor schedule! I would not work at such a place, regardless of the amount of free pizza or Red Bull available.

My point is that this bit of exaggeration in the article has no basis in fact and should be supported by quotes from someone who actually enforces this policy at their IT department.

Re:I call Bullshit on the Red Bull (3, Informative)

Zontar_Thing_From_Ve (949321) | more than 6 years ago | (#19071331)

Is the author of the article actually suggesting that some companies rush to test the new Winblows patches all through the night on Tuesday so that the patches are ready to deploy on Wednesday? This sounds like a fresh steaming load of bullshit...

You may be right. My previous job was with a company that did a lot of VAR stuff, including various email systems. It didn't matter to us what you wanted - Notes, Exchange, Unix, anti-virus, anti-spam - we could sell you whatever combinations you wanted. I didn't work with Exchange, but the Exchange guys told me that in the past they used to rush out and patch systems with every "critical" Microsoft patch release and then they applied some patch that totally broke Exchange. The patch had nothing to do with Exchange, but it broke it. It took hours to fix the broken servers. After that fiasco, we regarded all Microsoft patches as suspect and we had a group in another state, one of whose jobs was to test new patches on Exchange servers and see if Exchange still worked. It didn't matter to us how "critical" Microsoft considered a patch. We didn't patch any of our Exchange servers until our test group gave the OK, which was usually a month later.

Re:I call Bullshit on the Red Bull (1)

MSFanBoi2 (930319) | more than 6 years ago | (#19071367)

I totally agree. Patch Tuesday hits, we test in the lab thru Thursday and on Friday push the updates via WSUS 3.0.

I really don't know what the problem is. It only takes about 4 hours of testing and less than an hour to push. No late nights, no impact, it just gets done.

Of course MS can always go the Apple route and wait months to release 100 MB+ patch rollups...

Mod parent up Re:I call Bullshit on the Red Bull (1)

vic-traill (1038742) | more than 6 years ago | (#19071431)

Workstation patches roll in enterprises of any size via WSUS or similar. As far as testing of workstations patches go, that's Microsoft's job. You hold the w/s patches for a few days on your WSUS server, wait to see if there are any issues, and if not, let them roll. If we had to test w/s patches on a per patch basis, we wouldn't be able to run the enterprise. If we were patching w/s's outside of a WSUSish service, w/s's wouldn't get patched.

So, WSUS manages the roll-out of patches to workstations, and you can roll 'em one by one, or in bulk, whichever is your druthers.

The server side is obviously a different kettle of fish. We're not an MS shop in terms of our primary directory (although we sync our directory to an AD instance) or file and print services, so rolling to our MS application servers is a not-so-onerous exercise.

My opinion (1)

t00le (136364) | more than 6 years ago | (#19071169)

I am all for regular patches, whether weekly or daily for that matter.

The majority of home users I hope patch occasionally, which alleviates a fair amount of trojan'able machines. On the corporate side we personally run internal Windows Update Servers where we can auto-schedule approved updates and push them out on a schedule. The whole concern about the corporate side is laughable since most large Windows shops have some form of patch management, (granted my reference is from ten large corporations) whether internal update servers or pushed updates using something else. The bottom line is Microsoft knows they have security problems and they update it on a schedule.

My concern is not the people that have licensed copies of Windows, but the ones that do NOT and are unable to patch their systems. I think a good portion of the machines that are compromised are non-licensed or cracked versions, which is somewhat amusing.

Why would Microsoft keep bootleg copies from being updated? It seems more logical to make them "non-networkable" instead of "non-updateable".

End Patch Tuesday (-1, Flamebait)

It doesn't come easy (695416) | more than 6 years ago | (#19071193)

Switch to Linux.

Re:End Patch Tuesday (4, Insightful)

businessnerd (1009815) | more than 6 years ago | (#19071441)

Except for the fact that Linux also requires patching. Every other day I have a little star on my desktop notifying me of updates to various libraries, applications, and yes the kernel itself. Macs have patches too. This is not necessarily a Windows vs. , this is about what the best way of releasing patches is. It's an Incremental vs. Bulk release debate. MS chose the bulk method. Is that a good decision? Maybe, maybe not. Regardless of the OS, patching is always required. No piece of software is bulletproof.

Re:End Patch Tuesday (1)

fred fleenblat (463628) | more than 6 years ago | (#19071889)

The fine point is that you can get away with not patching desktop linux/unix/macos machines for *years* w/o any problems. Only full internet facing servers really need to be up to date on the patches. In contrast, any windows box that can surf the net or receive email is a sitting duck, whether it's behind a firewall or not.

What makes them sitting ducks? Probably a lot of factors. Throwing patches at machines is a coping strategy, not a solution.

Re:End Patch Tuesday (1)

timbck2 (233967) | more than 6 years ago | (#19072053)

Apple tends to release patches in bulk as well (bundled into a "Security Update"). The only difference between Microsoft's bulk release method and Apple's bulk release method is that Microsoft's is on a schedule.

Re:End Patch Tuesday (1)

blhack (921171) | more than 6 years ago | (#19072075)

I would liken Linux patches to a database app I recently wrote for my company. I work in the automotive industry, and the app was designed to look through a database for a specific set of parameters. Basically it alerted people via email when certain types of vehicles got checked into our inventory. The app was done, it ran smoothly without crashing, but most importantly it ran. That was a couple of weeks ago. Now, I might be driving home from work, or sitting at my desk reading /. and an idea might *POP* into my head for a way to make the app just a SHADE faster, or some very obscure but totally cool other functionality that it could have. THAT is a Linux patch, something that maybe isn't completely necessary, but is pretty darn cool, and might protect against an obscure sort of attack.

A Windows patch would be something much more critical. It would have been if I had released my app onto the webserver a couple of days before it was actually ready, then realized that it had some HUGE flaw (red cars crash the system or something crazy), but that I couldn't recall it, because that would involve re-signing up a few thousand people for alerts...or migrating the data over by hand.

Now pretend that half of these MISSION CRITICAL patches that I release also create other HUGE mission critical problems. Say, I fixed red cars crashing the system by calling them rouge, but now all the old RED cars are still there, now there are TWO of everything....so now if you search through the DB by VIN or something like that....you find two of everything...CRAP!!! BUT OH NO!!! sometimes we actually have the same car checked in twice intentionally!!! SO how do you tell which is which!?!?

SO yes, Linux also releases patches all the time, but they are MUCH less critical.

Re:End Patch Tuesday (1)

businessnerd (1009815) | more than 6 years ago | (#19072427)

While many of the patches in Linux are just as you say, merely enhancements (many OSS apps seem to be a constant WIP), there are still plenty of patches that are bug fixes. I'm pretty sure that when Mozilla releases a patch for Firefox, they are not adding enhancements, or re-writing the code to be faster (unless the way they wrote it caused serious issues). Most Firefox patches are bug fixes. That's why they change my version from 2.0.0.2 to 2.0.0.3 and not to 2.5 or 3.0. That's why you also call it a patch, and not a full release. Patches are critical and done when absolutely necessary. Adding a spellchecker "cause it totally be cool" is not critical or absolutely necessary, and that's why that stuff is reserved for bigger releases.

Re:End Patch Tuesday (1)

suv4x4 (956391) | more than 6 years ago | (#19072267)

It's an Incremental vs. Bulk release debate.

There's of course the option of releasing it both ways and people can click an option in Windows Update which they prefer.

Of course, if you release patches both ways, it leaves the bulk updaters more vulnerable, as hackers would reverse engineer from the earlier release.

So the immediate patches should be only for known exploits already in the wild, and bulk for the rest.

Re:End Patch Tuesday (2, Interesting)

harry666t (1062422) | more than 6 years ago | (#19072297)

Patching MS products is broken...

I haven't patched anything from MS in years, but as far as I recall there was always some downtime due to reboots after applying a patch. I think MS had to release patches monthly, else there would be more downtime. Now that the Patch Tuesday goes to /dev/den it is going to be much harder to schedule the updates. How this could be fixed, dunno. One thing that comes into my mind is that I never had to reboot my Debian box after applying any updates (except after a kernel update). I guess Windows needs to be more modular, so people could swap broken components on the fly. Dunno, apt ftw.

I think the Patch Tuesday is here to stay, at least 'till the end of this year (vista sp1?).

Fix The Real Problem (2, Insightful)

EXTomar (78739) | more than 6 years ago | (#19071257)

The original reason why "Patch Tuesday" was created was because too many were giving feedback to Microsoft that their patching process was far too disruptive to their enterprise. Before "Patch Tuesday", you could check any particular machine, at any time of day or week, and regardless of its role or usage it may have a patch pestering people that it needs to be applied and the machine rebooted. "Patch Tuesday" essentially is a "work around" to condense all of these patches that could be highly disruptive into a smaller, brief time frame.

The real problem is the patching system Microsoft chose is highly disruptive. Too many still demand user attention even if applied remotely by an administrator. Although less often, too many still require a reboot which is a larger disruption to the user's work. Should Microsoft consider changing how patching is done so that it isn't so "hands on" and pesters the users and administrators to take action? Improve patching to the point where patches can be applied painless from the IT Center and "Patch Whateverday" goes away.

My Thoughts (5, Informative)

KenshoDude (1001993) | more than 6 years ago | (#19071265)

I am the Sys Admin for ensuring that our roughly 1800 desktops and notebooks get updated with the latest updates. Microsoft's strategy is the very least of my concerns. The patches show up on WSUS the Wednesday morning after they are released. I read up on them, noting any "caveats" in the KB articles and inform our help desk if I find anything significant. Then, I set my approvals and decline any superseded updates. The clients check in and install the updates over night. I am not sure where all this talk about long nights with Red Bull and whatever come into play. If we have mission critical systems, we withhold approval for that group for a week or so until we are confident that there are no undisclosed "caveats." Super simple.

I like having a regular schedule for updates. But I wouldn't mind a little more frequency. Why not the first and third Tuesday of every month? Sounds reasonable to me.

Now if it were only that easy for all the other software vendors out there like Adobe (Acrobat / Flash), Sun (Java), and so on. Where are their enterprise patch management solutions? Why can't I configure my Java clients to check in to one of my servers to automatically apply security updates? Instead I have to spend more money on a 3rd party patch management solution. And I haven't found one yet that is as reliable and simple as WSUS.
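The approval workflow described above (decline superseded updates, approve for a pilot group right away, hold the mission-critical group for a week, flag KB caveats for the help desk) as an added PowerShell example against the WSUS .NET administration API; this is not KenshoDude's script. It assumes it runs on the WSUS server itself, that target groups named "Pilot" and "Mission Critical" exist, and that the $HoldDays quarantine and the $HoldKBs caveat list are the operator's own choices.

```powershell
# Added example: staged WSUS approvals. Group names, $HoldDays and $HoldKBs are assumptions.
param(
    [int]$HoldDays = 7,            # days a security update bakes on the pilot group first
    [string[]]$HoldKBs = @()       # KB numbers the pilot rollout flagged; never auto-promoted
)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()  # local server

# Resolve the two target groups this workflow uses (names are hypothetical).
$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }
$pilot    = $groups["Pilot"]
$critical = $groups["Mission Critical"]
if (-not $pilot -or -not $critical) { throw "Expected WSUS target groups 'Pilot' and 'Mission Critical' not found" }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$now     = (Get-Date).ToUniversalTime()   # IUpdate.ArrivalDate is UTC

# Is $update already approved for install on $group?
function Test-ApprovedFor($update, $group) {
    foreach ($a in $update.GetUpdateApprovals()) {
        if ($a.ComputerTargetGroupId -eq $group.Id -and $a.Action -eq $install) { return $true }
    }
    return $false
}

# Only look at what arrived in the last 90 days; the full catalogue is large.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.FromArrivalDate = $now.AddDays(-90)

foreach ($u in $wsus.GetUpdates($scope)) {
    if ($u.IsDeclined) { continue }

    # 1. Superseded updates are declined so they never get approved by accident.
    if ($u.IsSuperseded) {
        $u.Decline()
        Write-Host ("Declined superseded: {0}" -f $u.Title)
        continue
    }

    if ($u.UpdateClassificationTitle -ne "Security Updates") { continue }
    $kbs = @($u.KnowledgebaseArticles | ForEach-Object { "$_" })

    # 2. Pilot group gets the update as soon as it arrives; log the KB(s) for the help desk.
    if (-not (Test-ApprovedFor $u $pilot)) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve($install, $pilot)
        Write-Host ("Pilot approved: {0} [{1}] KB{2}" -f $u.Title, $u.MsrcSeverity, ($kbs -join ",KB"))
    }

    # 3. Mission-critical group only after the hold period, and never for a KB with a known caveat.
    $flagged = @($kbs | Where-Object { $HoldKBs -contains $_ }).Count -gt 0
    $ageDays = ($now - $u.ArrivalDate).TotalDays
    if (-not $flagged -and $ageDays -ge $HoldDays -and -not (Test-ApprovedFor $u $critical)) {
        [void]$u.Approve($install, $critical)
        Write-Host ("Critical approved after {0:N0} days: {1}" -f $ageDays, $u.Title)
    }
    elseif ($flagged) {
        Write-Host ("Held (caveat on KB{0}): {1}" -f ($kbs -join ",KB"), $u.Title)
    }
}
```

Run it once the morning after Patch Tuesday and again daily; an update only promotes to the critical group after it has sat on the pilot group for $HoldDays without its KB landing in $HoldKBs.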

Re:My Thoughts (1)

Brad_sk (919670) | more than 6 years ago | (#19071439)

Nice to see some reply giving MS their deserved credit and not just crying like other slashdot posts. I am not saying MS has THE best solution, but I do agree that their solution is better than others in the industry (including Linux) and yes, maybe twice a month is better.

Re:My Thoughts (0)

Anonymous Coward | more than 6 years ago | (#19071949)

Java gave us a problem because it could not be updated automatically. We deployed an image with a broken version of Java across about 1000 workstations, in a several-months-long rollout at our community college.

Any browser loading this Java dies, and we must log into machines to remove the old version ourselves, and then install the new one... we have removed admin rights so our users can't do it alone. Upgrading alone fails because of Java 1.3 runtimes co-inhabiting with old versions (our broken one still crashes things until it is explicitly removed.) In any case, our team lead (the same one who failed to test Java when creating the image) refused to do anything, claiming that Java would update itself [nope, even if set up in the Control Panel, Java needs 1) user intervention 2) admin rights, which ours lack]. He stalled and let the issue die, though I repeatedly mention it. I still find machines that haven't been hand-patched, and the master image STILL hasn't been fixed. Time to quit.


Volume? Where? (0)

Anonymous Coward | more than 6 years ago | (#19071401)

The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.'
http://www.microsoft.com/technet/security/current.aspx

What volume is he referring to? Microsoft released seven (7) patches for the month of May. There were a whopping 6 for April. I am the person doing patches for a Fortune 500 company. More or less, ITMU does it for me. The sky is not falling.

This round broke live update... (0, Troll)

Tmack (593755) | more than 6 years ago | (#19071523)

At least for me, I applied the "IE6 cumulative service pack blah blah blah" update that the Windows Update thingy told me needed updating, rebooted, and about 5 minutes later, it popped up again, asking to install the same thing. Since I don't even use IE, I don't really care, I just wish the updater would quit thinking it needs to update what it just updated!

tm

Really? (0)

Anonymous Coward | more than 6 years ago | (#19071579)

The sheer volume of the patches Microsoft releases each month makes it quite difficult for even the most conscientious IT department to get every patch out to all of the affected systems in a reasonable amount of time.

I have to question this statement. I work (in Engineering, not IT) at a large company with over 100,000 employees. I don't know the details, but the IT department has the patching thing down to a science. Like clockwork, we first get an email when Patch Tuesday rolls around telling us that new patches are coming in the next couple of days and they'll require a reboot. Then by Thursday night, every PC is automatically patched and rebooted. If you shut off your PC every night, the patch simply happens next time you boot up (get some coffee while you wait). Otherwise it happens when you're not there, late at night. If you're actually working during that time, you have the option to delay the reboot. All in all, the process is completely seamless.

Granted, I don't know how much testing they do -- or how much they can do in such a short period of time after initial release. We had one patch a few weeks ago (not a Patch Tuesday patch) that apparently hosed the video drivers of some small percentage of deployed PCs, but the fix was rolled out quickly. Thankfully my PC is so goddamn old that it was unaffected. And of course, I still do my real work on the unix side, so a dead PC would only kill my occasional MS Office stuff. Can't say that about most people, though.

Cmon....the patch management tools are FREE (1)

zerofoo (262795) | more than 6 years ago | (#19071683)

Windows Server Update Services is free and it works like a champ. This free tool has enabled every machine on our networks to remain up to date on patches. It usually takes a couple of days for all of our machines to check-in and install the updates due to roaming users. It only requires a few clicks on my part.

I'll admit that it doesn't make testing any easier, but it does give you the ability to block patches until you have tested them for stability.

I usually test patches for a few days against major apps before approving the updates for installation.

If you have a large number of apps that continually break, then the problem is not patch management, it's vendor management.

-ted

WSUS works well for me (1)

GreenEnvy22 (1046790) | more than 6 years ago | (#19071753)

WSUS combined with good AD group policy rules keeps my 60 or so clients happily updated, I rarely have to manually go download and install a patch.

They should have a patch hour (1)

niceone (992278) | more than 6 years ago | (#19071929)

They should have a patch hour, it would be every day - just like a happy hour, but without the half price drinks. Um, or the happiness.

Leave it! (1)

antdude (79039) | more than 6 years ago | (#19071941)

I actually like this monthly Tuesday schedule (gets me excited ;)). Once in a while for urgent updates.

I do also notice sometimes the fourth Tuesdays of each month might have other non-critical releases.

Billg's Response (2, Funny)

Anonymous Coward | more than 6 years ago | (#19072197)

End patch Tuesday? That's the dumbest fucking idea I've heard since I've been at Microsoft.

Corporations have no one to blame but themselves (1)

realmolo (574068) | more than 6 years ago | (#19072205)

In my experience, the whole reason that you have to "test" patches on corporate machines is that the vast majority of the custom-made and "niche" software that many businesses rely on is HORRIBLE. Bug-ridden, non-standard, breaks every rule. Hell, a lot of it is still 16-bit Windows (and even DOS) software with only minor modifications to keep it working under modern OSs. And so, every update causes problems, because it only barely works anyway.

If corporations were better at updating their software (and determining which software to use in the first place), they wouldn't have to be scared of "Patch Tuesday".

No (2, Insightful)

Kjella (173770) | more than 6 years ago | (#19072569)

A bug might have been there for one year, two years, five years. The chance someone will find it by accident in the next two weeks (average delay to release) is rather slim. On the other hand you know the moment the patch is out, hackers will reverse engineer it within a short period of time. That leads to the following conclusions:

1. You have to patch within a short period of release
2. One patch may break any functionality, so you must test all of it
3. If Microsoft releases patches all the time, you must test all the functionality all the time

In 99% of the companies out there, that's just not going to happen. I love getting daily patches, my desktop or home server isn't a critical business machine. I'm mostly interested in avoiding someone hacking it so I have to set it up again, far more than a broken patch. At the very least that leaves the machine in a "known broken" state that will hopefully be fixed by another patch, whereas a decent virus infection might end in a reinstall. For many a corporate machine down means you're down. Sales lost, salaries roll and nothing gets done. Sometimes data gets stolen but most of the time the cost is downtime - whether it's broken software or infected software. Quite often the solution is the same - rollback to a known good state (after you've figured out how to not get reinfected). Under those conditions I see why they prefer a mad scramble every Patch Tuesday instead of a mad scramble all the time.