Re: Microsoft finally acknowledges the security drumbeats

From: Philip J. Koenig (See_email_@ddress_below.This_one_is.invalid)
Date: 01/29/02

From: Philip J. Koenig <See_email_@ddress_below.This_one_is.invalid>
Date: Tue, 29 Jan 2002 13:28:51 -0800

In article <>, spam@is.invalid
(John R Pierce) writes...
> On Tue, 29 Jan 2002 11:37:13 -0800, Philip J. Koenig
> <See_email_@ddress_below.This_one_is.invalid> wrote:
> >Another are the "security rollup" patches. This nonsense of
> >having to wade through piles of poorly-organized junk in
> >order to figure out what to patch, and do every one of them
> >separately (rebooting the #*(%&#*$#$ machine after every one)
> >is ridiculous.
> I haven't seen that scenario since the debacle of NT4 post service pack
> fixes when there was a *long* interval between SP4 and SP5/6, and each
> post-sp4 fix was a separate install.

Well MS has a nasty habit of obfuscating what patches were released
when, playing with the file names and dates, etc.

It was only pretty recently (late last year as I recall) that they
put together this "security rollup" thing for NT, prior to that
any post-SP security patches had to be found/installed separately.

> >Like various other vendors, MS apparently
> >figures if they make it hard to ascertain how many patches
> >they've released, dummies will be fooled into thinking the OS
> >is more bug-free than it really is. If they are really "getting"
> >it, they will dump this nonsense, and stop doing things like
> >constantly screwing around with file versions and dates to
> >keep people confused, etc.
> actually, for win2000 at least, their new 'corporate update' site can
> generate rollups of user selected patches... you decide, ok, I need patch
> X, Y, and Z here, it generates a single executable that installs those 3
> in one pass, this can in turn be mass deployed on an intranet using
> standard corporate software distribution systems such as SMS, Zenworks,
> etc.

Well they've had a "corporate update" site for quite a while (at
least since Win98 came out), I haven't seen the stuff you mention
yet, sounds like a big improvement.

As recently as 3-6 months ago they were still suggesting that
you manually use this separate tool (Qchain) to install multiple
hotfixes at the same time. Quoting from Q296861 ("last reviewed
June 13, 2001"):

> Microsoft has released a command-line tool named QChain.exe
> that gives system administrators the ability to safely chain
> hotfixes together. Hotfix chaining involves installing multiple
> hotfixes without rebooting between each installation. Without
> this tool, the only supported method is to reboot after each
> hotfix installation. The QChain.exe tool has the following
> benefits:
> * It increases uptime for servers because computers are not
> being rebooted between each hotfix installation.
> * It allows faster installations of multiple hotfixes on a
> single computer.
> * It is a solution that works on both Windows 2000 and Windows
> NT 4.0.

Philip J. Koenig         The Electric Kahuna Organization       [anti-spammed]
----------------Computers & Communications for the New Millennium-------------
* To send email, remove numbers and spaces:  pjkunet64 @  ekahuna27 . com    *
*           Email Blacklists: stop using innocent users as pawns.            *
* Simple answers are for simple minds.  Try a new way of looking at things.  *