Here we go Again! :-(


Nick FitzGerald

Robert R Kircher said:
> I assume you can point to non-biased documentation of these flaws?

Ongoing discussions (some lasting more than two years) in various security
mailing lists have documented repeated failures of WU "technology". It turns
out that WU was yet another Microsoft-special -- a cheap'n'cheerful "let's
make it look like we're doing something useful" project glued on the end of
Windows 98 (originally) that was not designed for serious patch management
and distribution.

For example, until _very_ recently, WU would not do anything other than check
for registry values created by patch installers despite the fact that most of
those installers (also written by MS remember!) would set those values _when
they started_ rather than after installing the patch and checking that the
right files had actually become active (and, in fact, very few of the patch
installers performed the latter step anyway, as was discovered for many
failed patch installations when folk started using tools designed to make
sure specific patches were installed rather than using MS' WU toy).

> It works well for me. ...

And you know this because you have independently verified the proper
installation of all your WU-deployed patches on all 600 machines, right?

Or do you know this because the patch logs say that all those machines have
been patched and none require current patches?

> ... And it sure as shit is better than hand patching 600
> PCs.

In that case I'm guessing that you chose the second option above, which means
there are very good odds that you have something in the range of 60 - 300 PCs
that WU/SUS reports as patched to MS03-026 ("the Blaster patch") that are, in
fact not patched to MS03-026 at all (this is based on published claims of
researched WU/SUS failure rates for this patch ranging from 10% to 50%).

If you _think_ WU/SUS is doing your patching for you, then you shouldn't be
using it as it is known to fail far too often to support such confidence.

For home users and very small businesses WU is the best we can hope for, but
at 600 PCs you should be doing something competent.
 

Robert R Kircher, Jr.

<snipped the soapbox>

Ya know it's a real shame that a simple conversation about how to patch
systems has to turn into a pissing match. I know of horror stories from
people that use/used Zen but I'm not going around pissing on that, and I
personally hate Novell. The OP asked for suggestions and I posted what works
for me. And yes I have tested it and still periodically pick out PCs on the
LAN to evaluate. So far so good. And no these are not 600 PC networks, they
are 4 separate smaller networks. I wouldn't suggest using a single SUS
server for 600 clients anyway.

And on top of all that Nick I don't see one single suggestion from you for
the OP so I have to believe that you're just another one of those MS haters
that happened to hop on to my, god forbid, successful MS story so you could
voice your personal platform.

At least Jeffery posted an article in answer to my request.
 

Bill

> Ya know it's a real shame that a simple conversation about how to patch
> systems has to turn into a pissing match.


Hey, pissing matches is what we do...and we do it well. You apparently
stumbled into alt.comp.virus.pissing-match where Nick reigns supreme.
If you don't like it go somewhere else. We like it here. That being
said, I'm going to go have another beer.
 

»Q«

> And yes I have tested it and still periodically pick out PCs on
> the LAN to evaluate.

Got an estimated sample size for the spot-checking you have done?

> And on top of all that Nick I don't see one single suggestion from
> you for the OP

Nick is not required to answer any question here. He's not even
required to post the accurate information he does, but I for one am
glad that he chooses to. For example, I don't check the primary
sources for info and would not know about the 10-50% failure rate of
the MS03-026 "Blaster" patch had Nick, who reads the sources as part
of making his living, not posted that info here.

> so I have to believe that you're just another one of
> those MS haters that happened to hop on to my, god forbid,
> successful MS story so you could voice your personal platform.

Nick has legit concerns about WU and SUS - he posted opinions and
information to back up his opinions. Not a bad use of the
noosegroups IMO. OTOH, failing to address his specific concerns but
merely labeling him an MS hater, well, you know.
 

Robert R Kircher, Jr.

Bill said:
> Hey, pissing matches is what we do...and we do it well. You apparently
> stumbled into alt.comp.virus.pissing-match where Nick reigns supreme.
> If you don't like it go somewhere else. We like it here.


LOL... I can piss with the best of them, and I don't know of a NG out there
that doesn't have its own set of professional pissers.

In this case however someone asked for some help and pissing on one post
while offering nothing in the way of help to the OP is a complete waste of
time. If Nick wants to get into a MS haters pissing match then he should
have the balls to start his own post and take on all comers. In the meantime
offer up some help to the OP and don't get your panties all in a wad.

> That being
> said, I'm going to go have another beer

A beer sounds good.
 

Sugien

Bill said:
> Hey, pissing matches is what we do...and we do it well. You apparently
> stumbled into alt.comp.virus.pissing-match where Nick reigns supreme.
> If you don't like it go somewhere else. We like it here. That being
> said, I'm going to go have another beer.

IMNSHO, the only thing Nick Fitgarbled reigns supreme at is being an arse
wipe and at that he has no equal. He is supreme at quite a few other things
however like, having the smallest IQ and still having enough gray cells to be
able to comprehend how to post to Usenet, accusing new users of not having
enough intelligence to buy a computer let alone use one, accusing people of
stealing source code that is given away, telling users that if they are
stupid enough to not be able to use an AV product and keep it up to date
then they deserve to get infected, etc. etc. etc. However if I were to list
all his faults I doubt if my server would allow me to post it, because the
size of the post would vastly exceed the size of what my ISP allows an email
or Usenet post to be.
 

FromTheRafters

»Q« said:
> Got an estimated sample size for the spot-checking you have done?


> Nick is not required to answer any question here. He's not even
> required to post the accurate information he does, but I for one am
> glad that he chooses to. For example, I don't check the primary
> sources for info and would not know about the 10-50% failure rate of
> the MS03-026 "Blaster" patch had Nick, who reads the sources as part
> of making his living, not posted that info here.


> Nick has legit concerns about WU and SUS - he posted opinions and
> information to back up his opinions. Not a bad use of the
> noosegroups IMO. OTOH, failing to address his specific concerns but
> merely labeling him an MS hater, well, you know.

I wholeheartedly agree with this post!

If I am enjoying a Sunday drive, and my passenger points
out that the bridge up ahead washed out in the last rain, I
don't fault them for spoiling my leisurely drive.
 

Bill

> I wholeheartedly agree with this post!
>
> If I am enjoying a Sunday drive, and my passenger points
> out that the bridge up ahead washed out in the last rain, I
> don't fault them for spoiling my leisurely drive.


However, there is nothing quite as exhilarating as telling someone that
the bridge washed out when it didn't and watching them drive 10 miles
out of their way. ;)
 

Robert R Kircher, Jr.

»Q« said:
> Nick has legit concerns about WU and SUS - he posted opinions and
> information to back up his opinions.

Backed his opinions with what? A gathering of other people's opinions from
other news groups? Hell I can go to a NFL related news group and find
plenty of people who are more than happy to piss on MS. That's not facts.
Oh and these so-called facts have their basis on Windows 98? That's funny
all by itself.

Jeffery pointed to an article that provided more facts than Nick

The only *fact* that Nick points out is the reg check file check issues and
even he states that the issue has been corrected.

I've read the same posts and I've read the same articles... I've also used
the software, which I suspect is a step further than Nick.

Examine Nick's language. He uses phrases like:
> cheap'n'cheerful "let's make it look like we're doing something useful"
> also written by MS remember!
> MS' WU toy
> If you _think_ WU/SUS is doing your patching

He obviously holds no affection for MS (his right) and he obviously feels
people who do like MS are fools (also his right). Does that make him right?
No. It makes him biased.

Has he used it? Has he tested it himself? Can he point out issues that he's
seen directly? Most likely not, but if so let's hear about it. I have used
it and so far it has worked fine. Might it fail in the future? Well sure,
just like Zen fails from time to time. Just like any software fails from
time to time.

Here are my facts to back my opinion. I have 4 networks ranging from 10 PCs
to 50 PCs. Each network has one server dedicated to SUS services (and other
light services). SUS checks for patches every night at midnight, clients
check the SUS repository at 3 am. When initially deployed on each LAN, I
physically checked all the PCs to make sure patching was occurring properly.
Since then, I've made it a habit to check any PC that I have to "visit" to
ensure that they are actually patched. I may visit 1 a day, I may visit 20
a day. So far they have all been patched successfully. Luckily, the LANs' env
is purely Win2K and Win XP. I won't deal with Win 9x at all. I have that
luxury.

In about 8+ months of using SUS in production the only problems I've had are
the quirkiness of the web based management tool and a problem with getting
one LAN to update, which was traced down to a mistake I made in the GPO
configuration.

These aren't just other people's opinions to back up my opinions, they are
real world experiences. You and Nick and others can take it for what it is
worth (basically nothing until you do your own work with SUS) but it
doesn't change the fact that SUS has worked for me to date.
 

David H. Lipman

10 - 50% failure rate ?

I had a 100% success rate on hundreds of desktops and notebooks.
It wasn't a "blaster patch" - it was an RPC Buffer Overflow Vulnerability patch.
The latest is an RPC Server Service (RPCSS) Buffer Overflow Vulnerability patch.

Dave


| > And yes I have tested it and still periodically pick out PCs on
| > the LAN to evaluate.
|
| Got an estimated sample size for the spot-checking you have done?
|
| > And on top of all that Nick I don't see one single suggestion from
| > you for the OP
|
| Nick is not required to answer any question here. He's not even
| required to post the accurate information he does, but I for one am
| glad that he chooses to. For example, I don't check the primary
| sources for info and would not know about the 10-50% failure rate of
| the MS03-026 "Blaster" patch had Nick, who reads the sources as part
| of making his living, not posted that info here.
|
| > so I have to believe that you're just another one of
| > those MS haters that happened to hop on to my, god forbid,
| > successful MS story so you could voice your personal platform.
|
| Nick has legit concerns about WU and SUS - he posted opinions and
| information to back up his opinions. Not a bad use of the
| noosegroups IMO. OTOH, failing to address his specific concerns but
| merely labeling him an MS hater, well, you know.
|
| --
| »Q«
| "KEEP BIG BROTHER'S HANDS OFF THE INTERNET"
| By Senator John Ashcroft
| <http://usinfo.state.gov/journals/itgic/1097/ijge/gj-7.htm>
 

David

MS provides about a half dozen ways to do this and there are a number of
third party solutions. So maybe the solution is to use one product to deploy
fixes and another to verify them. Just make sure that the verification
software uses a different method of checking for the patches than the
deploying application uses.

SMS is a fairly good tool. You can add SUS to SMS to help deploy updates if
you prefer. SMS is highly configurable so you can set it up to track all
program files not just MS's. There are probably better alternatives that
will track this, particularly for those in mixed OS environments. Anyone?
In any case SMS will collect the file names, version info, file size etc.
of whatever files one wishes on systems at regular scheduled intervals and
you can tailor your collection of data and queries to look for specific
things. Patches, upgrades, malware, unauthorized applications... whatever.

> Ongoing discussions (some lasting more than two years) in various security
> mailing lists have documented repeated failures of WU "technology". It turns
> out that WU was yet another Microsoft-special -- a cheap'n'cheerful "let's
> make it look like we're doing something useful" project glued on the end of
> Windows 98 (originally) that was not designed for serious patch management
> and distribution.

10% to 50%? That is quite a wide range. Would that be 10% that actually fail
and 40% making that claim so they don't lose their jobs because they
themselves failed to update the systems they were responsible for :) Or
maybe an MS funded consultant claiming 10% and an Apple funded one claiming
50% :)

> In that case I'm guessing that you chose the second option above, which means
> there are very good odds that you have something in the range of 60 - 300 PCs
> that WU/SUS reports as patched to MS03-026 ("the Blaster patch") that are, in
> fact not patched to MS03-026 at all (this is based on published claims of
> researched WU/SUS failure rates for this patch ranging from 10% to 50%).

It is great to bring to others attention where the bugs and problems lie in
certain applications, but how about also suggesting another product that
appropriately deals with these issues?

> If you _think_ WU/SUS is doing your patching for you, then you shouldn't be
> using it as it is known to fail far too often to support such confidence.

Double check things using different technologies where possible.
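The cross-check David describes (deploy with one tool, verify with another that uses a different method), as an added example that is not code from the thread or from any of the tools named in it. It assumes the deployment tool's report is keyed by hostname and was derived from the installer's registry marker, that rpcss.dll is the file the patch replaces, and a placeholder version threshold; every record below is constructed.

```python
"""Added example, not from the thread: cross-check a deployment tool's
registry-marker-based "patched" status against an inventory of the file the
patch actually replaces. File name, versions, hosts and records are constructed."""
from collections import Counter

PATCH = "MS03-026"
PATCHED_FILE = "rpcss.dll"     # assumption: file the patch replaces
MIN_VERSION = "5.0.2195.9999"  # placeholder threshold, not the bulletin's real number

# Constructed deployment-tool report: registry marker present => reported "patched"
TOOL_REPORT = {"ws01": True, "ws02": True, "ws03": False, "ws04": True, "ws05": True}

# Constructed SMS-style inventory: (file name, file version, size) collected per host
INVENTORY = {
    "ws01": [("rpcss.dll", "5.0.2195.9999", 212992)],
    "ws02": [("rpcss.dll", "5.0.2195.6000", 211456)],   # marker set, file still old
    "ws03": [("rpcss.dll", "5.0.2195.6000", 211456)],
    "ws04": [("RPCSS.DLL", "5.0.2195.10001", 213504)],  # case differs, newer build
    # ws05 has no inventory record at all
}

def parse_version(text):
    """'5.0.2195.6000' -> (5, 0, 2195, 6000); tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))

def file_is_patched(records, fname=PATCHED_FILE, min_version=MIN_VERSION):
    """True/False from the inventoried file version; None when the file is absent."""
    for name, version, _size in records:
        if name.lower() == fname.lower():
            return parse_version(version) >= parse_version(min_version)
    return None

def reconcile(report, inventory):
    """Map each host to 'ok', 'silent-failure', 'unpatched',
    'patched-unreported' or 'unverified' by comparing both sources."""
    status = {}
    for host, tool_says_patched in report.items():
        actual = file_is_patched(inventory.get(host, []))
        if actual is None:
            status[host] = "unverified"        # nothing to compare against yet
        elif tool_says_patched and actual:
            status[host] = "ok"
        elif tool_says_patched and not actual:
            status[host] = "silent-failure"    # the case the thread warns about
        elif actual:
            status[host] = "patched-unreported"
        else:
            status[host] = "unpatched"
    return status

def summarize(status):
    """Counts per status; silent failures are what needs chasing first."""
    return Counter(status.values())

if __name__ == "__main__":
    result = reconcile(TOOL_REPORT, INVENTORY)
    print(result, dict(summarize(result)))
```

Hosts marked "silent-failure" are exactly the ones a marker-only check would report as done; "unverified" hosts need an inventory record before they can be counted either way.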
 

»Q«

> 10 - 50% failure rate ?
>
> I had a 100% success rate on hundreds of desktops and notebooks.

You read Nick's post, right?

> It wasn't a "blaster patch" - it was an RPC Buffer Overflow
> Vulnerability patch. The latest is an RPC Server Service (RPCSS)
> Buffer Overflow Vulnerability patch.

Yeah, I know. The MS03-026 patch was released before Blaster, which
exploited the vulnerability addressed by that patch. Pardon my
terribly terribly sloppy use of the language.
 

James Egan

> glad that he chooses to. For example, I don't check the primary
> sources for info and would not know about the 10-50% failure rate of
> the MS03-026 "Blaster" patch had Nick, who reads the sources as part
> of making his living, not posted that info here.

You forgot to mention the "silent" which is quite important in this
regard.


Jim.
 

Nick FitzGerald

David said:
> MS provides about a half dozen ways to do this and there are a number of
> third party solutions. So maybe the solution is to use one product to deploy
> fixes and another to verify them. ...

Yeah, but if you're going to go to that trouble for nothing better than the
detect and patch level of one of two tools, why not just decide to use one
or the other?

I doubt any professional system admin would ever find good grounds for using
WU-based update technology over (almost) any of the others...

> ... Just make sure that the verification
> software uses a different method of checking for the patches than the
> deploying application uses.

Or just use the update method that uses those better methods for detecting
what needs patching in the first place...

> SMS is a fairly good tool. You can add SUS to SMS to help deploy updates if
> you prefer. SMS is highly configurable so you can set it up to track all
> program files not just MS's. There are probably better alternatives that
> will track this, particularly for those in mixed OS environments. Anyone?
> In any case SMS will collect the file names, version info, file size etc.
> of whatever files one wishes on systems at regular scheduled intervals and
> you can tailor your collection of data and queries to look for specific
> things. Patches, upgrades, malware, unauthorized applications... whatever.

Yeah -- SMS is a pretty high overhead for anything under a medium-large
corporate to use though (yeah -- there'll be "odd" places where an admin has
good SMS skills and can use it, but if you have to train someone up and
design and roll it out on top of an existing implementation it will be a
pretty daunting task...).

> 10% to 50%? That is quite a wide range. Would that be 10% that actually fail
> and 40% making that claim so they don't lose their jobs because they
> themselves failed to update the systems they were responsible for :) Or
> maybe an MS funded consultant claiming 10% and an Apple funded one claiming
> 50% :)

No. "At least 10%" was told to me personally by a senior and very experienced
sys-admin in a large multi-national who has over 10,000 machines under his
purview (though I'm not sure what proportion of those the 10% failure rate
applied to, it is likely it was a goodly percentage). Up to 50% failure has
been cited by similarly experienced admins on lists such as NTBugtraq. Russ
Cooper (NTBugtraq moderator) has described all manner of braindead WU
stupidity over the last few years.

> It is great to bring to others attention where the bugs and problems lie in
> certain applications, but how about also suggesting another product that
> appropriately deals with these issues?

I'm not sure enough of the grounds for recommending other "solutions" but it
is clear to me that there are better Windows patch management products than
WU and SUS.

> Double check things using different technologies where possible.

Or just use them instead... :cool:
 

David

It's not that much trouble. Many of these tools run automatically.

> Yeah, but if you're going to go to that trouble for nothing better than the
> detect and patch level of one of two tools, why not just decide to use one
> or the other?

Because what is best for detecting what needs updating in the first place is
not always best for determining if a patch installation was 100% successful.
It may be for some simply because of IT staff limitations, budget or
whatever else, but there are good reasons for making the initial detection
engine more efficient with resource use, since it is a relatively repetitive
task.

> Or just use the update method that uses those better methods for detecting
> what needs patching in the first place...

Seems the discussion stems from someone who mentioned 600 systems.
Potentially appropriate for a network that size.

It certainly isn't appropriate for many and probably not for most networks
but nothing is "just right" for everybody. And it is certainly more
appropriate for some than any solution you seem to not want to suggest.

It isn't all that daunting. Easy to install and configure. Just takes some
basic knowledge of SQL queries to put it to better use than what the default
installation allows for. In any case a lot of enterprise solutions have
associated training and implementation costs. You simply have to look past
your own two feet to see if there is a longer term benefit for the
organization in which it is installed.

> Yeah -- SMS is a pretty high overhead for anything under a medium-large
> corporate to use though (yeah -- there'll be "odd" places where an admin has
> good SMS skills and can use it, but if you have to train someone up and
> design and roll it out on top of an existing implementation it will be a
> pretty daunting task...).

If you actually took a look at some of the solutions, you might have
realized that SUS uses someone else's detection engine. One that has been
highly recommended by some of the WU critics by the way. So you might think
twice next time before you put SUS in the same boat as WU.
 
