Re: Securing a Windows 2003 server
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: Sun, 16 May 2004 14:02:23 GMT
On Sun, 16 May 2004 09:59:51 +0000 (UTC), firstname.lastname@example.org
>In article <#1rjsAtOEHA.3044@TK2MSFTNGP10.phx.gbl>, <Karl> writes:
>>In regards to the fact the windows takes forever for a patch to get
>>released, you are forgetting the trials and tests they have to perform to
>>make sure it works. Just cause it fixes the issue doesn't mean that it
>>won't break something else. They have to perform tests internally as well as
>>with other software companies to determine if they will have an issue. And
>>don't forget the 1 million lines of code that they have to work with :)
>You are joking, aren't you? The number of inadequately tested Microsoft patches
>released is legendary - they either don't fix the problem or break something
>else. One of the main holdups for businesses is that they need to fully test
>all the patches on their systems before pushing them out having been bit in
>the past by patches which broke other applications. Microsoft's philosophy is
>the customer tests the products and the customer tests the patches.
>OK maybe I'm exaggerating a bit but putting all the delays down to testing isn't
Well, actually, it is. There are actually very few Microsoft patches
released that cause issues in the field, and many of those are
attributable to oddball combinations of software, outdated hardware
drivers and third-party products.
Keep in mind that thousands of systems that crash on a patch is a
minuscule percentage of the Microsoft operating systems in use. And
it really does take a long time to test these patches on as many
combinations as possible, plus make sure they integrate with code
that hasn't even been released yet so more patches don't need to be
done to undo previous patches.
Most Microsoft patches are out before the exploit is tracked in the
wild, yet still many admins and most home users get compromised
because they haven't installed the patch. Even with all the
automation available for updating the systems.
In comparison, many other OS patches take as long or longer. Just
count the number of Linux distros for which patches are unavailable
even after they appear for other distros. Sun is notorious for slowly
patching their operating systems, and most OS/400 and SystemXXX
patches from IBM never go to end users, they go to vendors who may or
may not release them.
There is no perfect method yet, and it's doubtful there ever can be
for patching and updating systems. Just the fact that the millions of
pirated Windows systems can't be patched leaves plenty of compromised
systems out there to attack the rest of us.