• Patch Tuesday needs to be reviewed

    #2471018

    Dear AskWoody readers and contributors.
    I think it would be very nice to review the fatal concept of Microsoft’s Patch Tuesday. I think the main goal to amaze the public users is fulfilled.

    We can’t believe what we are seeing every month. Computers slowed down, broken printing, non-responsive systems, infinite boot loops, re-setting your default apps, more commercials (paid promotion), …

    Whoever thought it would be a good idea to roll updates periodically, even when no vulnerability is discovered, should be fired. Out of the cannon. Into the sun.

    Can I also mention energy consumption just because it needs to be downloaded (sometimes multiple attempts are required) and installed? The computing time needed to do this * 1 000 000 000 computers is a hell of a lot of energy! Add 30% because it’s buggy and needs to be done repeatedly.

    Who cares about shiny new buttons and brand new commercials? We want a reliable system that will reflect the actual situation. Is there a threat? Adapt! Create a patch and roll it out! Apart from the goal of a large amount of money, Microsoft (and its management) should also think about the social responsibility they have! To me, it seems more like slavery than providing software. And they should also accept the truth that their product, service or whatever Windows is, sucks. No matter how much “lipstick on a pig” they put on.

    Welcome to the world of tomorrow! Where your computer is not your computer anymore! It belongs to the company which you paid money to for the operating system, which controls your PC now, which collects your data (anonymised, they say) and which puts adware into another paid product – ad for O365 inside O2019.
    LINK HERE


    @Susan Bradley, as a “frontliner” can you refer to higher places in Microsoft that this concept of patching needs to be revised? Or at least to hire the testing dept again? Quality of patches is really really low. I would like to tell them my opinion personally, but I’m nobody, nobody would listen. My voice would disappear in myriads of other voices calling for change.

    Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

    HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

    PRUSA i3 MK3S+

    3 users thanked author for this post.
    • #2471020

      Or at least to hire the testing dept again?

      Why hire when Microsoft has 10M unpaid Insider testers and more beta testers, and that in addition to a billion beta customers running telemetry?
      Why pay for something you get for free?

      You haven’t suggested a better security, bugs, features.. update system.

      1 user thanked author for this post.
      • #2471022

        Thanks, Alex. I understand your point. But the functionality and millions of bugs every month/week prove my statement.

        It’s not my duty to beta-test something I bought for 100 EUR approximately.

        Why pay for something that I can delegate to unaware users? Sad thought. Also don’t forget to make all those features opt-out, so users will send telemetry unintentionally.

        I respect your opinion, but my experience is different.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        2 users thanked author for this post.
    • #2471036

      Thanks, Alex. I understand your point. But the functionality and millions of bugs every month/week prove my statement.

      It’s not my duty to beta-test something I bought for 100 EUR approximately.

      Why pay for something that I can delegate to unaware users? Sad thought. Also don’t forget to make all those features opt-out, so users will send telemetry unintentionally.

      I respect your opinion, but my experience is different.

      Well Doriel, you do not offer some better update product, that’s just the responsibility of Windows. In the old days it used to be much better, though the revenues were bad for dividend. Your voice is heard here, but if it will be brought deeper into Redmond, I doubt it. There is too much at stake for all the so-called caretakers earning bucks on this.
      Hopefully Linux Mint or Ubuntu will fill in the needs.

      * _ ... _ *
      2 users thanked author for this post.
    • #2471040

      Sorry, but I’m not sure what you’re getting at here. This seems like it better belongs in the Rants forum because it reads more like a rant.

      You start off by criticizing Patch Tuesday but then go on to criticize Microsoft 365 and its subscription-model… Not to mention that you seem to fundamentally misunderstand the primary purpose of Patch Tuesday, which is when monthly security updates are released. It’s been that way since the days of Windows XP.

      Are you to expect Microsoft to just stop releasing updates altogether?

      Firstly, focus. Patch Tuesday, like it or hate it, is absolutely essential for the security of Windows. Every good software developer must have a plan for releasing security updates. For software that is very widely used, it must be a regular occurrence. New vulnerabilities are discovered all the time, and they must be patched in a timely manner. A security patch a month is fairly common across the tech world and there is no reason why Microsoft should abandon this.

      I don’t know what makes you think Microsoft releases updates “even when no vulnerability is discovered”. That’s ridiculous and incorrect. Vulnerabilities are discovered all the time.

      Your paragraph about “lipstick on a pig” is so incoherent that I’m not even going to try to address it.

      But, on the principle of good faith, I will presume that what you are actually asking for is for Microsoft to do better QA testing for their patches. Patches remain necessary for ensuring the security of Windows, but they should install easily and be thoroughly tested for any bugs or issues. That way, installing patches is painless and won’t result in functionality being inexplicably broken.

      This is what I would prefer. The concept of Patch Tuesday is fine; it’s the buggy patches themselves that are the problem. Make it so that patches install cleanly and smoothly with fewer hiccups, and then I’ll be comfortable with installing updates overnight and being able to log on in the morning knowing that my computer has been patched and that I’ll be able to do work on my computer that day, rather than working on my computer.

      • #2471049

        I think the patches seeming to cause problems more often than they used to is due to the vast increase in the number of different systems (installed software and devices) out there and the impossibility of testing all of them in the time frame for the next patch release (including beta testers). Rarely the patch will have a negative effect on a lot of systems, but most often the negative effect of a patch is seen only in specific uncommon setups (which the QA never tested).

        Advancements mean the updates are not just about a single device (the PC), but about all the devices you can connect to the PC as well as the PC causing a lot more to be affected by an update.

        I read about users unhappy about Windows when a patch causes them a problem and I understand. I consider such occurrences a necessary “cost” to enjoy the advances in technology safely and consider that “cost” less than the “cost” without the new security protection.

        Dana:))

        HTH, Dana:))

        1 user thanked author for this post.
      • #2471051

        Agreed, the topic should be moved to rant, because that is what it really is. I do not criticise the subscription Office model here. I criticise the adware built into paid software.

        But, on the principle of good faith, I will presume that what you are actually asking for is for Microsoft to do better QA testing for their patches. Patches remain necessary for ensuring the security of Windows, but they should install easily and be thoroughly tested for any bugs or issues. That way, installing patches is painless and won’t result in functionality being inexplicably broken.

        I’m thinking about your post and it makes good points. Even criticising my post, which I humbly accept. I’ll try to explain more what makes me crazy.

        A promise to make our computers safer shouldn’t bring the risk of breaking my computer. Yes, many vulnerabilities are discovered and repaired with each patch, but do you also look at whether those vulnerabilities are exploited in the wild? Or is it just a hypothetical situation? Not all of them can be exploited.
        I also think that some vulnerabilities can be introduced with new functions, because they bring new attack vectors and IT’S NOT PROPERLY tested.

        I understand the fundament of making the system safer. But most PC infections come from malicious links, adult movie sites and opening fake attachments. It’s user behavior that determines the risk of an “unsecure system”.
        If we invest more in user education, it could lower the number of risks. If you mindlessly put your credit card number on a random webpage, of course you will lose your money. Why should other users suffer then? Is this what a “secure system” is all about? Keeping our money safe? Keeping our data safe?

        Lipstick on a pig is a good comparison. Look at Windows 11. It’s good old Windows that can be sold as a new OS.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        • #2471061

          Yes, many vulnerabilities are discovered and repaired with each patch, but do you also look at whether those vulnerabilities are exploited in the wild? Or is it just a hypothetical situation? Not all of them can be exploited.

          So only bugs already being used by bad guys should be patched?

          It makes more sense to be proactive and prevent malicious use.

          If a flaw can’t be exploited it’s not fixed by a security patch.

          • #2472329

            So only bugs already being used by bad guys should be patched?
            It makes more sense to be proactive and prevent malicious use.

            It’s hard to create a meaningful answer when replying to such knowledgeable people as you are. You know way more than I do, which I value very much. Thank you for the ZDI articles, I didn’t know the exact process and timelines of fixing bugs.

            Now I can understand that Microsoft is “pushed” into fixing those bugs due to some given timeline. Some are easy to fix, some are very complex to fix (print nightmare). We can’t use “one size fits all” here. Should only exploited vulnerabilities be fixed? Maybe, but maybe some require a proactive attitude, because they are more likely to be exploited. But the amount of updates is excessive (not only in Microsoft products) and not properly tested, and I stand by my opinion. And it can break a lot of systems, change settings people did, …

            From my angle of view (and experience), the successful way is not to complete a task just because you need to do a “check” in your monthly checklist. And I bet this happens a lot, not only in Microsoft.

            A healthy attitude, when somebody is complaining, is to take a step back and ask yourself: “is it really the way I see it, or may it be otherwise?”

            I did this with my post here. And I listen to what you say, but I still believe that you can see what I’m talking about.

            Releasing patches for the OS and for Office this often may not be sustainable.

            Interesting is that Apple and its closed ecosystem is much much safer. Linux may be the most dangerous of all three platforms here. Windows is trying to emulate and promise something that is simply not achievable, in my opinion.

            At home I am happy with my GNU/Linux distro, nothing disturbs me, forces me to restarts, slows down my computer nor uses 70% of download bandwidth to download another update.

            Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

            HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

            PRUSA i3 MK3S+

            2 users thanked author for this post.
        • #2471091

          https://www.zerodayinitiative.com/blog/2022/8/11/new-disclosure-timelines-for-bugs-from-faulty-patches

          More folks in the industry are complaining. And it’s not just Microsoft btw.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
    • #2472332

      At home I am happy with my GNU/Linux distro

      … with monthly updates for even unexploited security flaws?

      • #2472338

        Maybe sometimes, not sure. I don’t install updates immediately after they are released. With the simple dnfdragora tool, I can install the updates which I need, and install them when I need.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        • This reply was modified 2 years, 9 months ago by doriel. Reason: answers
        1 user thanked author for this post.
    • #2472339

      doriel wrote: At home I am happy with my GNU/Linux distro

      And so it is.

      * _ ... _ *