Jumping the Shark

On December 10, 2008, in Security, by

Have we gotten to the point where blogs have “jumped the shark“?

Tuesday was Patch Tuesday.  And these days when I step back and realize all of the resources and links and blogs and urls that I go to, to get patching information, one has to step back and say “okay, gang, I think we need to get this a bit more under control”.

Let’s use December’s patches as an example of the process I go through.

Step one I’m signed up for the Microsoft security bulletins to know what security patches are expected. 
Type of communication — email http://www.microsoft.com/technet/security/bulletin/notify.mspx always sign up for the Comprehensive alerts.  Once I receive that I dig into each bulletin checking the sections on the bulletin for “known” issues.

This month on one bulletin you had to click on the known issues link and then drill into each Office patch to find the ONE patch that had post install issues (http://support.microsoft.com/kb/956329/ you may have to accept the license terms after the install on Word 2002).  But make no mistake, any issues that Microsoft knows about patch deployment at the time of release they DO INDEED disclose them. The issue with this past patch Tuesday is that they had several ‘composite’ patches that had multiple parts and was patching multiple products.

I also watch http://isc.sans.org/diary.html?storyid=5449 site for their recap and risk analysis of the patches.

Then I also watch the RSS feed of the Microsoft download site. Many times there are patches and documents that are of interest that hit there first:  http://www.thundermain.com/rss

Next I go to the MSRC blog http://blogs.technetc.com/msrc , the Security Vulnerability Research and Defense blog at http://blogs.technet.com/swi/ and lately I keep an eye on the Malware blog – http://blogs.technet.com/mmpc/ and the SDL blog as sometimes they explain issues there as well — http://blogs.msdn.com/sdl/

But given that Patch Tuesday many times isn’t just about security patches, I also review KB894199 http://support.microsoft.com/kb/894199 as that’s “supposed” to be a definitive listing of patches on Microsoft update.

But sometimes it’s not and teams will place their patches on Patch Tuesday so as to minimize rebooting.  The idea being if a patch may reboot a box they want it on a day that you don’t mind if there’s already a reboot that you have to do. 

Currently I have to watch the EHLO blog for it’s patching information for Exchange.  Normally I will have a pre-clue as I’ll notice that a Exchange rollup update will hit the download site and then it will be placed on Microsoft update later.

http://msexchangeteam.com/archive/2008/11/21/450151.aspx Currently there is an issue where if you have not installed Update rollup 4, you will be offered via MU Update rollup 5 and then because of a detection issue you’ll get Update rollup 4 offered.  It won’t cause any issues but you may see this building a new box nonetheless where you will get 5 offered, you’ll install it and then when you MU again, 4 will be reoffered even though you have 5.  The good news is that it won’t cause any issues.  And I DO recommmend that you install these Updates for Exchange as Update Rollup 4 gets rid of that annoyance of all the failed security logins on your security event logs.  The reason I know that little tidbit of information about the detection is that it’s buried in comment number 23 on that blog page:  http://msexchangeteam.com/archive/2008/11/21/450151.aspx

**cue shark jumping**

It’s at that moment when I found detection information buried in a comment on the blog was when I really started to think we’ve gone too far making blogs distributed technical information.

Now I’ve been close to yelling Uncle on following patch deploying and issues prior to this when it came to Vista SP1 issues.  For a while there, the only definitive place to know what was happening with the release and re-release of Service Pack 1 and the patching issues it had was on the Vista team blog — http://windowsteamblog.com/blogs/windowsvista/default.aspx

Oh and I better not forget the other blogs that are specifically related to MU, WSUS and WSUS issues.  The Microsoft update blog is here — http://blogs.technet.com/mu/ but it’s not the definitive place per se to know what patches are on MU, it’s merely an alert of update changes, category additions and what not.  Then there’s the WSUS blog http://blogs.technet.com/wsus/ also more geared to categories but there are times the do discuss issues going on with WSUS.  Now this one — http://blogs.technet.com/sus is a definite keeper.  But don’t let the name fool you.  It’s not the precursor to WSUS the old Software Update Services, no this one is the Support team blog and is indeed VERY helpful if you are a WSUS admin.  It’s the one that links to that Driver clearing out tool for WSUS.

Now fortunately I do not have to deal with SMS and MOM.  If I did the blog to watch is http://blogs.technet.com/smsandmom/.  Nor do I have to deal with TMG server or SCE (those that are EBS server folks need to watch the ISA/TMG blog at http://blogs.technet.com/isablog/ and the System Center Essentials blog at http://blogs.technet.com/systemcenteressentials/)

For Office I like to keep an eye on David LeBlanc’s blog http://blogs.msdn.com/david_leblanc/ as he’ll have Office security changes that he discusses, and then to keep an eye on the news, Ryan Naraine’s twitter feed (yeah I know twitter… http://twitter.com/ryanaraine) will sometimes point me to some late breaking stuff.  Don’t forget the gang at Websense for great alerts http://securitylabs.websense.com/, as well as sign up for the ISC notifications from here http://isc.sans.org/notify.html.

Oh but you want to watch if there’s any trending issues with patches do you?  Well then we go over to www.patchmanagement.org and sign up for the PatchManagement listserve and the WSUS listserve over there where admins ask questions, and comment about issues.  Another resource to go through is the http://mspatchwatch.com/ Patch Watch web site.  And last but not least you can wait until I sift through all that and write up a recap for www.windowssecrets.com

Don’t get the wrong idea here.  I LOVE blogs.  I don’t for one moment want to change the ability to get late breaking information out  in a manner and communicate effectively.  I love the communication and interaction and feel that they have vastly helped in many many cases.  But it’s on structured days like Patch Tuesday that one starts to wonder if there is a better way for the more “normal” admin and not the news patching junkie that I am.  If I’m ready to yell “Uncle” here, what is everyone else thinking?

I honestly don’t think I’m asking too much for there to be a place that I can tell people to go to be ‘the’ launch place for the patches that may hit a server or workstation.  Now I’m not asking to include such corner apps as like Biztalk server or Performance server so that I know when their products get service packs, I’m just wanting one place for Microsoft update and WSUS content.  A launching off pad so that I don’t have to tell people all the blogs, urls and places I hang out on Patch Tuesday.

I still think we need a definitely spot.  Linkable KB.  Building off the foundation of this document — http://support.microsoft.com/kb/894199 but making it “the” source for information.

What do you think?  Am I asking too much? 

P.S. I almost forgot.  When I start to look for information to proactively block things like ActiveX controls and what not, I’ll dig up this post – http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx for guidance.  I’m thinking some of those ActiveX controls flagged in http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx may need to be proactively blocked if the risk and threats start looking like that.  For the risk of attack I look to my own environment.  The surfing habits of my users.  What rights they have (the more you have non admins, the better off you are), what applications they use.  Some of our folks do Internet research for issues and topics and thus you never know what a link might do.  Bottom line I will deploy all of the patches, but it’s a matter of timing in the office and you always want to build in time.

Stay tuned for another post about the risk of patching in general and how to mitigate that.

P.P.S.  I must have gone off the deep end not to remind you of the blog you need to have tattooed on your forehead if you touch Small Business Server boxes — http://blogs.technet.com/sbs


3 Responses to Jumping the Shark

  1. indy says:

    Not sure you have the right term “jumping the shark,” yet your post is spot on and there are too many sources of information STILL, in 2008, for my comfort. There needs to be better communication from Microsoft about these patches, I’m still not sure why I have to sign up for a to see a webcast about patches being released, video is a horrible format for information about patches. I can’t skim or search the parts I need.

    This patch cycle I had something strange happen on my home box. 5 of the patches didn’t install, the machine reboot, then those 5 installed fine, then machine reboot again. The troubleshooting for why the patches didn’t install the first time were generic patching issues and didn’t address my issues.

    The reboot for Vista for a patch seems to take a good 2x as long as even my much older XP boxes. This applies to machines both on and off domains. Downright frustrating. Someone should benchmark the application of patches, because I feel like Vista is dog slow in this area compared to previous OS’s.

    But I digress. Thanks for posting some new resources. We still shouldn’t have to go to so many sources for this type of information…

    Oh we also had a few Office XP weirdness. People that attempted to load say a Word document via explorer this a.m. instead of Word, received a weird error message about not having a printer installed. closing word and reopening resolved. I didn’t look into, was far too limited in scope.

  2. Joe_Raby says:

    Honestly, with all the research and reading, how do you get enough time to actually deploy those updates??! (I mean, it’ll take nearly a month to get through all that!) 😉

  3. David Moisan says:

    Susan, did you see this during December’s Patch Tuesday? At both my sites (SATV and my personal box) I saw the December 2008 Malicious Software Removal Tool listed under “Expired” early Wednesday morning (when both sites get synced.) Today’s sync had the December MSRT come up as expected and the tool is on at least my Vista box.

    No word of this so far on the WSUS blog.