The reality of patching

On December 4, 2009, in Rants, by


Remember that skit with Lily Tomlin where she represented the phone company?

“We are omnipotent”.  There are times I think people think that Microsoft’s patching department thinks like this.

There are folks out there who think there are divisions in Redmond tasked with writing spyware, better known as Windows Genuine Advantage and Office Genuine Advantage.

There are folks out there who think there are engineers in Redmond with remote control buttons that reboot computers at night for patching, timed just right so the person loses data.

The reality is vastly different.

Fact 1:  Windows update settings never spontaneously change.  Ever.  If you think your settings changed, look in the windowsupdate.log file in the c:\windows directory.  You will probably find that either something got installed that changed the settings, or that you forgot that you set them that way. 

Fact 2:  Periodically the AU engine underneath Windows Update gets updated.  This engine update occurs even if you have it set to ‘notify only’.  This is updating the underlying plumbing of the AU engine.  It’s happened several times in the past, and it has always silently updated just fine.  They do blog and warn people it’s coming (see the blog for details).

Fact 3:  Security patches get deployed on the second Tuesday of the month.  Then there are non-security updates that get released at the end of the month on the 4th Tuesday.  You can track these releases by looking at this.  There is a set release schedule. 

Fact 4:  Not all patches are security patches.  Thus there are times you don’t NEED to get patches on ASAP.  Conversely there are times you want to push up the deployment of a service pack that you’d otherwise hold back on.  Windows 2008 SP2 is one of these “you want it on the box” service packs.

Fact 5:  The people who code up Windows genuine advantage and Office genuine advantage do not secretly work for Apple, nor do they code spyware into the software.  While some argue that the WGA and now OGA should only do the test for validation once, the argument from the Redmond camp is that you need to protect yourself and retest the validity of software to ensure that you didn’t get ripped off from a repair person.  I say they need to make the replacement media easier to get.  I’m still not sure if I should be more mad at OEMs or more mad at Microsoft for how hard it is to get repair media but that’s another rant blog post for another day.

Fact 6:  Microsoft documents what each patch does and what the known issues are in each security bulletin, at the top of each section.  You think I magically know the side effects?  I read the bulletins.  I also look at the patches being installed, and unlike some vendors and journalists who were taken to task by Ed Bott, the goal for each Tuesday’s patching is to first step back and ask yourself whether it makes any sense that the patch is doing what you think it’s doing.  Prevx’s claims that the updates were hardening registry keys didn’t make sense.  Microsoft would have documented these changes.  They don’t randomly throw out code.  And for all of the Patch Tuesday pain you think you see, there are gazillions of folks that get through Patch Tuesday just fine.

Fact 7:  Microsoft never blocks your Windows update settings.  If they are blocked you are either in a domain and the group policy on the server is controlling it, you have had a malware infection and the malware mangled the registry keys, or you’ve installed some lovely security software that decided that their security center was so vastly better than Microsoft’s that they’ve taken it over.
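As an added diagnostic that is not from the original post, the PowerShell below checks the points raised in Fact 1 and Fact 7: whether the Automatic Updates setting is being imposed by a policy key (domain Group Policy, or something else writing policy values on a machine that is not even in a domain) or is simply the local setting, and pulls the recent policy-related AU lines from WindowsUpdate.log. It assumes a pre-Windows 10 system where that log is a plain text file in %windir%, and uses the documented AU registry paths and AUOptions meanings.

```powershell
# Added diagnostic (not from the original post). Reports where the Automatic
# Updates setting really comes from: a policy key or the plain local setting.
# Assumes PowerShell 2.0+ and rights to read HKLM and %windir%\WindowsUpdate.log.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Documented meanings of the AUOptions value.
$auOptionText = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download, scheduled install'
    5 = 'Let local admin choose (policy only)'
}

function Get-AUValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$Name            # $null when the value is absent
}

$partOfDomain = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
Write-Host ("Domain joined: {0}" -f $partOfDomain)

$policyNoAU = Get-AUValue $policyKey 'NoAutoUpdate'
$policyOpt  = Get-AUValue $policyKey 'AUOptions'
$localOpt   = Get-AUValue $localKey  'AUOptions'

if ($policyNoAU -eq 1) {
    Write-Host 'Effective: Automatic Updates DISABLED by policy key (NoAutoUpdate=1).'
} elseif ($policyOpt -ne $null) {
    Write-Host ("Effective: policy key sets AUOptions={0} ({1})." -f $policyOpt, $auOptionText[[int]$policyOpt])
} elseif ($localOpt -ne $null) {
    Write-Host ("Effective: local AUOptions={0} ({1}); no policy in force." -f $localOpt, $auOptionText[[int]$localOpt])
} else {
    Write-Host 'No AU setting found in either key.'
}

# A populated policy key on a machine that is NOT domain joined means something
# other than Group Policy wrote it: third-party security software or malware.
if (($policyOpt -ne $null -or $policyNoAU -ne $null) -and -not $partOfDomain) {
    Write-Warning 'Policy key present but machine is not in a domain: check installed security software and scan for malware.'
}

# Last AU lines in the legacy log that mention policy (tab-separated format).
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) {
    Get-Content $log | Where-Object { $_ -match "`tAU`t" -and $_ -match 'Policy' } | Select-Object -Last 10
}
```

Run it from an elevated prompt; if the policy key is populated, `gpresult /r` on a domain machine shows which GPO is responsible.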

Fact 8:  That warning the installer gives you at the beginning of setup, telling you to choose to install updates during the installation because otherwise the install could fail and you could be left insecure, is false.  At the present time, there are no installer-only patches that fix things during the install.  Furthermore, installing security updates during the initial install places the system more at risk, as I guarantee that the Server teams and the Win7 teams are not testing build installs every time a patch comes out.  When the system is built, the firewall is enabled on the NIC anyway, so exactly how they think you are more at risk from attack is beyond me.  Not to mention most of us build servers and workstations behind firewalls anyway.

At the end of the day, if you really think the operating system you use is that out to get you, maybe you need to find another operating system.  Because there is an element of trust that must be extended to every software vendor.

To the folks at Prevx who just damaged the trust of patching just a little bit more due to the “black screen of death” story fiasco … way to go, guys, and thanks for the help in destroying it more.
