Folly of Patching - MS Style
From: Mark Deason (mdeason_at_SILVERSIDE.NET)
Date: Tue, 12 Aug 2003 17:05:46 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
After seeing some of the many posts regarding the DCOM exploit and its
inevitable worm now in the wild, I wanted to say that MS practices regarding
patching still leave me scratching my head. There are semi-humorous
articles like this one discussing some of the initiatives regarding the role of
MS to "step up user education":
I don't really think it's a lack of education and complexity so much as
*inconsistency* and here's where:
- Inconsistency in results
Read previous threads: MS03-026 - are you patched? Windows Update isn't
sure! Between MBSA and Windows Update and others, you've got to watch the
file's version for yourself, it seems...
- Inconsistency in format
Not all people have the resources to run SUS. Let's take a brief look at the
output from a sample Windows Update Catalog download with the directories
and executable structure that MS is using for the common man:
Note: All of the following subdirectories and patches exist within the
\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft directory:
811493_XP_5951_Rec\Q811493_WXP_SP2_x86_ENU.exe -u -z -q
811630_XP_SP1_5915\Q811630_WXP_SP2_EN.exe -u -z -q
817606_XPSP2_WinSE_43844_Critical\Q817606_WXP_SP2_x86_ENU.exe -u -z -q
818043_Recommended_XPSP2_WinSE_35746\WindowsXP-KB818043-x86-ENU.exe -u -z -q
821557_WXP_SP2_WinSE_46728\WindowsXP-KB821557-x86-ENU.exe -u -z -q
823559_WXP_WinSE_48629\WindowsXP-KB823559-x86-ENU.exe -u -z -q
And my personal favorite - two flavors of the DirectX v9 patch...
819696_XPSP2_WinSE_45821_Crit_ehome\Q819696_WXP_SP2_x86_ENU.exe -u -z -q
How refreshing - we have platform, processor base and nature of update all
rolled into a distinct, easy to understand matrix of patches. ;) Didn't the
directory hierarchy give me a majority, if not all, of the necessary
information? I'm pretty simple - just the facts like the KB article as the
executable; they can't even settle on that as it's referred to as Q for some
and KB for others.
Those who use this recognize the /Q for quiet, or the -u -z -q notation for
the same thing minus pesky tasks like rebooting a system. But wait, there's
more! Not only do you have to traverse the above, you have to run a /? to
determine which package uses what switches. Simply put, if I let my people
put out this type of trash, I'd get canned.
- Inconsistency in application
Do I need to say anything more about those poor folks as of late that used the
Q823803 patch (read thread: MS03-029 Q823803 RAS services no longer
starting)? Regression testing is more important than wasting your
customers' time by removing and reapplying patches. Note to MS: The idea
here is to get NT4 customers confident in your ability so they're willing to
move legacy apps to Windows Server 2003...
I thought it would be a great time to get a discussion going again to let MS
know the term "Trustworthy" needs to be just that.
Director of IT
Silverside Equipment Inc.
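The naming "matrix" the post complains about can be made concrete by parsing the catalog listing itself. The Python below is an added example written for this page, not code from the post or from Microsoft: it recognises both package-name schemes (the older Q<kb>_<platform>_SP<n>[_<arch>]_<lang>.exe and the newer <platform>-KB<kb>-<arch>-<lang>.exe), normalises them to a bare KB number, checks that the directory and package agree on that number, translates the -u -z -q switches, and then summarises every variation a deployer would have to cope with (mixed schemes, mixed platform tokens, missing architecture field, four spellings of two severity labels). The sample listing is the one quoted in the post, constructed here as an inline string; the switch meanings and the reading of the SP field in the old scheme (the service pack the fix was slated to roll into, not a prerequisite) are taken from the old hotfix installer's documentation as I recall it and should be checked against the package's own /? output before being relied on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the catalog entries quoted in the post, one per line,
# as <directory>\<package>.exe followed by the installer switches.
SAMPLE_LISTING = r"""
811493_XP_5951_Rec\Q811493_WXP_SP2_x86_ENU.exe -u -z -q
811630_XP_SP1_5915\Q811630_WXP_SP2_EN.exe -u -z -q
817606_XPSP2_WinSE_43844_Critical\Q817606_WXP_SP2_x86_ENU.exe -u -z -q
818043_Recommended_XPSP2_WinSE_35746\WindowsXP-KB818043-x86-ENU.exe -u -z -q
821557_WXP_SP2_WinSE_46728\WindowsXP-KB821557-x86-ENU.exe -u -z -q
823559_WXP_WinSE_48629\WindowsXP-KB823559-x86-ENU.exe -u -z -q
819696_XPSP2_WinSE_45821_Crit_ehome\Q819696_WXP_SP2_x86_ENU.exe -u -z -q
"""

# Old scheme: Q<kb>_<platform>_SP<n>[_<arch>]_<lang>.exe.  Assumption from the
# old hotfix documentation: the SP field names the service pack the fix was
# slated to roll into, so it is not a prerequisite to filter on.
OLD_STYLE = re.compile(
    r"^Q(?P<kb>\d+)_(?P<platform>W\w+?)_(?P<sp>SP\d)"
    r"(?:_(?P<arch>x86|ia64))?_(?P<lang>[A-Z]{2,3})\.exe$")
# New scheme: <platform>-KB<kb>-<arch>-<lang>.exe
NEW_STYLE = re.compile(
    r"^(?P<platform>Windows\w+?)-KB(?P<kb>\d+)-(?P<arch>x86|ia64)"
    r"-(?P<lang>[A-Z]{3})\.exe$")

# Old hotfix-installer switches (assumed meanings; confirm with /? per package).
HOTFIX_SWITCHES = {
    "-u": "unattended", "-q": "quiet (no UI)", "-z": "do not restart",
    "-f": "force apps closed", "-n": "no uninstall backup",
    "-o": "overwrite OEM files", "-l": "list installed hotfixes",
    "-x": "extract only",
}

# Four spellings for two severity labels seen in the directory names.
SEVERITY_TOKENS = {"critical": "Critical", "crit": "Critical",
                   "recommended": "Recommended", "rec": "Recommended"}


@dataclass
class Patch:
    kb: str                         # bare KB number, whichever scheme named it
    scheme: str                     # "Q" or "KB"
    platform: str
    arch: Optional[str]             # None when the package name omits it
    lang: str
    sp: Optional[str]               # only the Q scheme carries this
    severity: Optional[str]
    severity_token: Optional[str]   # spelling used in the directory name
    switches: List[str]
    filename: str

    def switch_meanings(self) -> List[str]:
        """Translate switches; unknown ones are kept verbatim with a '?'."""
        return [HOTFIX_SWITCHES.get(s, s + "?") for s in self.switches]


def parse_line(line: str) -> Patch:
    path, *switches = line.split()
    dirname, filename = path.rsplit("\\", 1)
    m, scheme = OLD_STYLE.match(filename), "Q"
    if m is None:
        m, scheme = NEW_STYLE.match(filename), "KB"
    if m is None:
        raise ValueError(f"unrecognised package name: {filename}")
    # The directory is named after the same KB number; refuse silent mismatches.
    if m["kb"] != dirname.split("_", 1)[0]:
        raise ValueError(f"directory/package KB mismatch: {path}")
    severity = severity_token = None
    for tok in dirname.split("_"):
        if tok.lower() in SEVERITY_TOKENS:
            severity, severity_token = SEVERITY_TOKENS[tok.lower()], tok
    return Patch(kb=m["kb"], scheme=scheme, platform=m["platform"],
                 arch=m["arch"], lang=m["lang"], sp=m.groupdict().get("sp"),
                 severity=severity, severity_token=severity_token,
                 switches=switches, filename=filename)


def parse_listing(text: str) -> List[Patch]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(patches: List[Patch]) -> Dict[str, object]:
    """Collect the variations a deployer has to cope with in one listing."""
    return {
        "schemes": sorted({p.scheme for p in patches}),
        "platform_spellings": sorted({p.platform for p in patches}),
        "missing_arch": [p.kb for p in patches if p.arch is None],
        "severity_spellings": sorted({p.severity_token for p in patches
                                      if p.severity_token}),
        "unlabelled": [p.kb for p in patches if p.severity is None],
        "switch_sets": sorted({" ".join(p.switches) for p in patches}),
    }


if __name__ == "__main__":
    ps = parse_listing(SAMPLE_LISTING)
    for p in ps:
        print(f"KB{p.kb:<7} {p.scheme:<2} {p.platform:<10} {p.arch or '?':<4} "
              f"{p.lang:<3} {p.severity or '-':<11} "
              f"{', '.join(p.switch_meanings())}")
    for k, v in summarize(ps).items():
        print(f"{k}: {v}")
```

Run as-is it prints one normalised row per package followed by the summary; the KB-mismatch check is the part worth keeping if you script deployments from a catalog download, since a directory whose number disagrees with the package inside it is exactly the kind of thing that lets the wrong fix get applied quietly under -u -z -q.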