Comments on: Microsoft's patchwork mess

ZDNet's David Berlind explains why a sometimes infuriatingly complicated patch process reveals both timing flaws and potential vulnerabilities in Microsoft's thinking.

I Agree, but...

I'm Reading your article just a few hours after release. My PC automaticly downloaded the update your complaining about yesterday.

My concern is for the large corporation. They disable windows automatic update, and replace it with somthing far less efficent. A normal Large Corporate system is usually weeks/months behind on updates.

Faster than you could write/publish a complaint My Personal PC has already updated itself. What's the glitch in CNET's processes.

[Dachi]

I have to agree

I thought that was pretty well said, I have always believed Microsoft?s patch descriptions to be vague at best. I am hardly a new computer user, and I usually know exactly what it is that I need to download. Even then I find Microsofts descriptions impossible to decyper.

"This critical patch is for a security hole that allows remote compromise of Microsoft windwos" KB # 987359-825872135

I remember having a Difficult I had trying to find the patch for the RPC/DCOM (MS03-026) vuln (Blaster/Nachi)

You could not even put a new machine online for 6 seconds without getting infected, and there was no big red flashing download link on the front page of Microsoft.com?

No, windows update did not even contain the term RPC in the patch description. ***??

Sure it was marked "Critical" but so was the update for the offenive symbol fix in the bookshelf font.

How is is that those two problems can possibly be given the same level of severity??

They need to include actual descriptions for people looking for them, and create another seperate severity level reserverd only for high thread remotely exploitable security problems, not changes to 1 font symbol in a font not more than 3 people have ever used.

[wrwjpn]

They should, but?

Yes, they should label their updates accordingly for the average
user. But if they list the real danger, what will most users think
of?

They would probably consider moving to another platform or
actually request that they fix the problems. MS hasn't been able
to fix the problems because the OS is so bloated and they have
so many pieces tied into the system that to fix the problem is to
open it to another hack.

Basically they have to keep patching or they have to admit their
OS is useless. As I use Linux (Red Hat) Mac OS X , and Windows
2000. Of the 3, I spend the most time updating, patching, and /
or scanning for virus, worms, or other malicious problems, you
can take an educated guess as to which I am referring to.

Longhorn, which is still at least 2 years away, will most likely be
more of the same. MS says they have made gains in their
security, but why have they allowed old holes to seep back into
their software?

I await a reply form MS on this dropping of the ball.

[John Kuzak]

getting infected

http://www.analogstereo.com/mini_cooper_owners_manual.htm

microsoft mess

unless we want perpetual fixes, security messes, and crashes we must abandon microsoft windows!

[wrwjpn]

Why?

What I think most users want to know is "Why?".

What makes their OS so full of holes that other OSes don't have? Some have said it is DOS, others says it is just sloppy programming. Which is correct or what is the real reason?

I don't want to hear somebody say because MS has the largest share. That can't be the only reason.

Bill

[dhk]

MS programmed the holes themselves

From the beginning, MS wanted to use its OS to retrieve information about PC users and what they were buying. This information is used to determine which companies MS will go after (either to buy outright or to buy stock in -- for incorporating into its own stuff, for investment purposes, or to undermine the product because they fear it as a rival).

To do the above, they placed a large number of backdoors and tunnels into their software (and engaged in illegal monopolistic practices to ensure MS Windows would be on all PCs and in that way they would have access to everyone's PC).

Hackers simply use the backdoors and tunnels that are already there for MS's use. It is one of the reasons that MS patches are usually incomplete or partial patches -- MS has no intention of actually closing off access.

These are not programming flaws, but flaws of judgement (and development).

I've seen nothing posted anywhere that says the IE patch for this particular problem actually works, or even that the MS patch for the web servers works. The reason this hack has been contained is simple. The Russian authorities closed down the web server that was receiving the information.