Slow == Better, ask Microsoft!

Zaelath
Way too much time!
Posts: 4621
Joined: April 11, 2003, 5:53 am
Location: Canberra

Post by Zaelath »

Unfuckingbelievable, well.. if it wasn't MS. Here's a quote from an MS whitepaper explaining how they update on a scheduled basis, whereas their Linux competitors release patches as soon as possible (only they try to make out that delaying patches is better for you, umm somehow):
Automatic updates
The Microsoft Update process, which leverages Microsoft’s Windows Update Service, has
received acknowledgement from the software industry as being a model process: “This is one
of those instances, and they happen more often than you’d think, where Microsoft sets the
tone for the rest of industry. They didn’t invent the security advisory, and heaven knows they
wish they didn’t have to be so expert in it, but they listened to their customers and they have
the process down”4. Much like its Linux competitors, Microsoft offers software patches for both
security and feature enhancement.
Unlike its Linux competitors Red Hat and Novell, Microsoft releases monthly, scheduled,
cumulative updates ensuring all customers who update are fully up to date even if they’ve
missed an update in the past. For enterprise customers, Microsoft offers the Advanced
Notification Program, which alerts your system administrators about what updates are included
and what issues are addressed three days before we release each update. For critical
security updates, Microsoft proactively contacts customers to ensure they are aware of the
availability of the update and the nature of the fix and to encourage responsible updating and
secure computing.
In addition to the scheduled, cumulative updates, Microsoft provides hotfixes on an ongoing
basis for specific issues that we identify internally or that result from customer requests. These
hotfixes are then also included as part of the monthly patch. As necessary, Microsoft also
releases critical security updates as they are available.
With Novell’s SUSE Linux, Novell rolls out updates as they approve them; the updates are not
tied to a standard release schedule. Novell notifies administrators through their update tool,
YaST, as updates are released. Administrators can pick and choose which updates to install.
In the Red Hat update model, if you do not automatically update your system with the Red Hat
Up2Date tool, you receive errata update notices from the RHEL mailer, which outlines new,
approved open source community and Red Hat–developed patches. As with Novell’s SUSE
Linux, Red Hat does not release updates on a fixed schedule. Instead they release them on an
“as available” basis.
Never mind that scheduled updates for high impact vulnerabilities have seen the community release their own unapproved patches; a really bad precedent which will likely lead to backdoored patches from unknown vendors eventually.

Slow == Better. It's right there in black and white :)

Oh yeah, extra points to them for trying to make people think that if you miss an up2date/yum update you won't get it next month (or whatever day you decide to patch).
May 2003 - "Mission Accomplished"
June 2005 - "The mission isn't easy, and it will not be accomplished overnight"
-- G W Bush, freelance writer for The Daily Show.
Aruman
Almost 1337
Posts: 683
Joined: July 3, 2002, 8:53 pm

Post by Aruman »

I don't see anything in there where they state Slow==Better
In addition to the scheduled, cumulative updates, Microsoft provides hotfixes on an ongoing
basis for specific issues that we identify internally or that result from customer requests. These
hotfixes are then also included as part of the monthly patch. As necessary, Microsoft also
releases critical security updates as they are available.
What this tells me is they have a specific date each month where updates (if any) are posted. In between those dates hotfixes can be posted, which are then put into the monthly update.

I think those responsible probably appreciate having a specific date to do non-critical updates. Isn't it more efficient to apply all non-critical updates once a month, instead of x times a month. The fewer interruptions the better? Of course the critical updates should be applied ASAP.

I suppose it is more dependent on how important the uninterrupted use of workstations or servers is. Am I wrong in thinking that way?
"Or else... what?"

"Or else, We will be very, very angry with you, and we will write you a letter telling you how angry we are..."


Numb Nuts: How is 2300 > 23000?

kyoukan: It's not?
Zaelath
Way too much time!
Posts: 4621
Joined: April 11, 2003, 5:53 am
Location: Canberra

Post by Zaelath »

So it says yes, but in reality? Have there not been two critical issues in the last few months for which there was going to be no patch until patch Tuesday, so people rolled their own?

Here's the thing; if you want Linux updates on the second Tuesday each month, run the updater on the second Tuesday each month. If you want updates applied daily, run it daily. And what have you in between. There is nothing forcing you to spend more precious administrator time (most of whom seem to be about 20% utilized) doing patching all the time, and delaying them artificially doesn't reduce your TCO, it just increases your exposure/risk.

MS then proceed (in the paper http://download.microsoft.com/download/ ... dology.pdf) to rabbit on about CAN-2004-1234 taking a long time to be fixed; well yes, there was a community fix within a couple days for those that needed it, and it was a "local user" DOS bug, about as low down on the priority list as possible. If a local user wants to DOS a machine, there's far, far, easier ways than exploiting this bug.

I don't think Linux is the best server for all applications, and it's rubbish as a desktop at the moment, but the propaganda MS produces is only exceeded by that from the War on Terror for incredulous hilarity.
Aruman
Almost 1337
Posts: 683
Joined: July 3, 2002, 8:53 pm

Post by Aruman »

Zaelath wrote:... but the propaganda MS produces is only exceeded by that from the War on Terror for incredulous hilarity.
I see rubbish from a lot of different companies... MS isn't the only guilty party, but one of the more visible ones.
Animalor
Super Poster!
Posts: 5902
Joined: July 8, 2002, 12:03 pm
Gender: Male
XBL Gamertag: Anirask
PSN ID: Anirask
Location: Canada

Post by Animalor »

http://www.neowin.net/index.php?act=view&id=33220

Apple ain't any better waiting for the next release (in this case 7.1) of Quicktime/iTunes to fix 31 security vulnerabilities that could cause a PC or a Mac to be compromised.
Kelshara
Way too much time!
Posts: 4176
Joined: November 18, 2002, 10:44 am
Location: Norway

Post by Kelshara »

Aruman wrote: I think those responsible probably appreciate having a specific date to do non-critical updates. Isn't it more efficient to apply all non-critical updates once a month, instead of x times a month. The fewer interruptions the better? Of course the critical updates should be applied ASAP.

I suppose it is more dependent on how important the uninterrupted use of workstations or servers is. Am I wrong in thinking that way?
Yes and no. Any admin with some self-respect will not patch from Microsoft Update anyway. We push it out from our own server and there is really no downtime on our workstations for it. The servers I refuse to patch without having tested it myself on a test server first (no I don't trust MS patches, have had severe issues with them in the past) so these I am fine with having on a schedule.

That said, Microsoft is extremely slow to respond to hotfixes and exploits. There have been several times where third parties have released patches days before MS does, and a few times when MS has not even acknowledged the problem until a third party patch was released. That, imo, is simply unacceptable.
Aruman
Almost 1337
Posts: 683
Joined: July 3, 2002, 8:53 pm

Post by Aruman »

Kelshara wrote: That said, Microsoft is extremely slow to respond to hotfixes and exploits. There have been several times where third parties have released patches days before MS does, and a few times when MS has not even acknowledged the problem until a third party patch was released. That, imo, is simply unacceptable.
I'd agree with that... but what benchmark are you using for 'slow' other than what 3rd parties accomplish it in. Faster isn't always better.

MS should be faster than a 3rd party though, considering the resources MS has.