Microsoft's Patching System Needs Patching
from the whoops dept
Apparently, it’s Microsoft’s patching system that needs patching. Yesterday, we noted that Microsoft had decided to skip their monthly patching plans. However, imagine the surprise of the Microsoft people who made this decision to find out that a patch came out anyway. The company is apparently “investigating” how this rogue patch came out. In the meantime, I’m sure we can expect the patch patch sometime soon (probably not on the non-existent monthly schedule).
Comments on “Microsoft's Patching System Needs Patching”
Microsoft doesn't seem to want you to patch your s
Some days I don’t think that Microsoft wants you to be able to patch your systems. At least not without going through Windows Update, and we can see how well that is working….
Recently I tried to download all of the patches/service packs needed to bring a virgin install of SQL Server 2000 current. Now this is for a machine that I’m not physically in possession of, we need to collect all of the media/patches/etc. for a disconnected remote installation.
Guess what, there is no easy, or even straightforward way to accomplish this seemingly simple task. Go to MS site, get a list of all of the service packs/ updates for SQL Server 2000, MDAC, or any other component that may adversely affect a SQL installation, write those Q and MS numbers down (you’ll see why in a moment). Click on each of the links and read up on each of the dozen or more releases. Try to figure out which ones have been superseded by more recent ones. When you have figured out which ones you actually need, don’t bother to click the additional link it presents to go to yet another page to actually download it. That’s right, you can’t download the patch or update you are reading about from this page, you have to go to another page. The link provided will either take you to a nonexistent page or to the start page for Microsoft Download.
You still have those numbers I suggested you write down earlier; use either the MS number (ex: MSxx-xxx) or the Q number (Qxxxxxxxxx) to look up the update. Sometimes the MS number works, sometimes the Q number works; reread what’s there, it may not be the same as the Technet version. If you still think you need it, download it. Oh, since the text here is different than the page that the engine telling you which patches were available returned, you have to scrap that list of numbers you recorded earlier, and double check ALL of the available patches to make sure you didn’t miss any. Did you manage to get all of that? I hope so, because otherwise there is probably some MSBlaster level vulnerability still open on your machine.
The preferred Microsoft way is to let your server connect to MSUpdate and it will automagically update your machine. Of course the fact that you have to allow Internet access to your servers doesn’t seem to bother MS too much, why should it bother you?
Did I hear someone say just use SUS (Software Update Service)? That wouldn’t help. All SUS does is let you create a mirror of Microsoft’s Update Server in house. A computer that needs to be updated would still have to use the modified Windows Update to connect to that server. So instead of drop shipping a server to a remote office with a few CD-ROMs of media and updates, we would have to send the original server, the software for the SUS client, and another server with the SUS server that we had already configured with the current set of patches; after the remote IT staff had set up the server, they could update it against the second SUS server that we had sent. Since they don’t have Internet access there, they could either send us back the SUS server so that we could update it, or we could keep a third SUS server and send periodic images of our SUS server to them; I don’t even know if that’s possible. I can see why so many Microsoft machines are not current with patches and updates.
Here’s a thought: Microsoft should provide an FTP site (I believe they used to) where you could download every security patch they have released for all of their products, organized by product name. Next Microsoft should release a simple tool, command line or GUI, either would be ok (perhaps they already have), that would check all Microsoft products installed on a machine and install the needed patches from any available medium. A signature file describing the available patches would be on the FTP site. If you have all of the files on a CD-ROM or your local hard drive, it will install from there, or a network server, or even Microsoft’s Windows Update site.
Recap: Set patch paths for the Microsoft updater. It could default to the Windows Update website and not save patches for most installations; in this way it would act functionally just like the current Windows Update. If you need to update many machines, or machines without connectivity, log on to Microsoft’s patches and updates FTP site. Download the signature file(s) and all of the available patches. Write this to a CD/DVD or put it on some centrally located server in your organization. Run the updater against whichever repository you have defined. Repeat on a regular basis, and you have a simple, straightforward method of keeping all of your machines patched, updated and current.
I guess that would make too much sense.
Just my $0.02 (Canadian, before taxes)
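The commenter's proposal above (a signature file describing the available patches, and an updater that works from any local repository) can be sketched in code. This is an added illustration, not the commenter's or Microsoft's tool; the manifest format, the Q numbers and the file names are all constructed for the example, and the one non-trivial step, resolving which patches have been superseded, is done transitively so that only the newest patch of each chain is installed.

```python
"""Offline patch-repository check, in the spirit of the comment above.

The '|'-separated manifest format and every Q number and file name
below are constructed for this example; nothing here is a real
Microsoft signature file or patch identifier.
"""
from dataclasses import dataclass


@dataclass
class Patch:
    qnum: str         # Q / Knowledge Base style number used as the patch id
    product: str      # product the patch applies to
    file: str         # file name inside the local repository (CD, share, ...)
    supersedes: tuple # Q numbers this patch replaces


# Constructed sample manifest: qnum | product | file | supersedes (comma list)
SAMPLE_MANIFEST = """
# qnum    | product         | file                | supersedes
Q100001   | SQL Server 2000 | sql2000-sp1.exe     |
Q100002   | SQL Server 2000 | sql2000-sp3.exe     | Q100001
Q100003   | SQL Server 2000 | sql2000-hotfix.exe  | Q100002
Q200001   | MDAC            | mdac-2.7.exe        |
Q300001   | Exchange 2000   | exchange-sp.exe     |
"""


def parse_manifest(text):
    """Parse the constructed signature file into {qnum: Patch}."""
    patches = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        qnum, product, file, sup = (f.strip() for f in line.split("|"))
        patches[qnum] = Patch(qnum, product, file,
                              tuple(s.strip() for s in sup.split(",") if s.strip()))
    return patches


def needed_patches(manifest, installed_products, installed_patches):
    """Q numbers still to install, skipping patches for absent products,
    patches already installed, and patches (transitively) superseded."""
    superseded = set()
    for p in manifest.values():
        stack = list(p.supersedes)
        while stack:                       # walk the whole supersession chain
            s = stack.pop()
            if s not in superseded:
                superseded.add(s)
                if s in manifest:
                    stack.extend(manifest[s].supersedes)
    return sorted(p.qnum for p in manifest.values()
                  if p.product in installed_products
                  and p.qnum not in installed_patches
                  and p.qnum not in superseded)
```

Point the returned file names at whatever repository holds the patches (CD, file share or download site) and the same check works disconnected, which is the whole point of the proposal.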
Re: Microsoft doesn't seem to want you to patch yo
But making it easy for legitimate users to update makes it easy for the illegitimate users to update as well (as if that would stop them).
As if it wasn’t already outrageous enough that m$ releases a ‘final’ product that is actually beta software, but they actually charge a home user $250 cdn for the privilege of testing it for them. Also, charge them for tech support when the OS commits suicide. Also, invent some proprietary network protocols, then charge extra for a NIX compatibility package. Also, give out free training material and software to the education system so that nobody learns anything (useful). WOW what a deal – Sign me up!@!@!