That is where the free WSUS 3.0 product is targeted. One server to do all
the downloads and then you approve the ones you want to deploy and then your
client PCs just get them under their normal Windows Automatic Update process
(but this time they point to your WSUS server internally instead of going
external).
Sounds good - by "one server", do you mean a server dedicated to this
task alone, or can that be the only server you have? Will it run on
SBS, or is there a different solution for that?
This is good, but it's still not scaling all the way down to a single
PC that has everything important on it. Those users have no choice
but to trsut patches not to mess up.
Windows *almost* offers a mitigation, but screws it up (or rather,
doesn't see the need to work the way I'd hoped it would).
There's an Automatic Updates option to "download now, but let me
decide when to install them". When I read that, I thought it would
put me in full control over such updates (e.g. "...when or IF to
install them") but it does not. If I click "no, don't install these",
it will stealth them in via the next shutdown.
This is a pity, because otherwise it would facilitate this policy:
- download patches as soon as available but DO NOT INSTALL
- watch for reports of problems with patches
- watch for reports of exploits
- if exploits, get offline and install already-downloaded patches
- else if no "dead bodies" reported from patch bugs, install patches
- but if reports of "dead bodies", can avoid the relevant patches
As it is, if I don't want MS ramming "code of the day" when my back is
turned, I have to disable downloading updates altogether, so...
- do NOT download patches as soon as available
- watch for reports of problems with patches
- watch for reports of exploits
- if exploits, have to stay online to download patches -> exploited
- if no "dead bodies" from patch bugs, downloads and install patches
- but if reports of "dead bodies", can avoid the relevant patches
There is almost no such thing as flawless software and particularly when
you are talking about tens of millions of lines of code in an OS.
Sure, and the lesson is to design and code with this in mind, reducing
automatic exposure of surfaces to arbitrary material, and ensuring
that any code can be amputated immediately, pending patch.
If all non-trivial code has bugs, and you need bug-free code, then the
solution is to keep that code trivial ;-)
I see this as akin to hi-wear surfaces within mechanical systems.
You'd nearly always design such systems so that hi-wear parts are
cheap and detatchable for field replacement, e.g. pressed steel bore
within an aluminium block, piston rings that are not built permanently
into the piston, removable crank bearings rather than ball bearings
running directly on crank and case surfaces, etc.
I don't see enough of that awareness in modern Windows. If anything,
the trend is in the other direction; more automated and complex
handling of material that the user has indicated no intention to
"open", poor or absent file type discipline, subsystems that cannot be
excluded from installation or uninstalled, etc.
Every major OS vendor on the planet regularly ships patches and updates for
their products.
They do indeed, yes, and many vendors are lagging behind MS in
sensible practice. For example, Sun were still allowing Java applets
to "ask" the JRE to pass them through to older versions "for backward
compatibility", and installing new JRE versions did not get rid of old
ones, allowing these to remain a threat.
But the bottom line is, it's a suspension of disbelief to trust patch
code (that may be hastily developed under present exploits) to work
when slid under installed applications that could not possibly have
been written for such code, especially when the reason to swallow such
code is because the same vendor messed up when writing the same code
under less-rushed pre-release circumstances.
What should have happened, is that the first time some unforgivable
code defect allowed widespread exploitation (say, the failure to check
MIME type against file name extension and actual material type when
processing in-line files in HTML "message text"), the vendor should
have been stomped so hard that they'd dare not make the same sort of
mistake again.
Instead, the norm is for swave vendors to fail so regularly that we
have to automate the process of "patching". Vendors can do this by
making the patch material available on a server, leaving it to the
user to cover the cost of obtaining it. Meanwhile, stocks of
defective product are not recalled, nor are replacement disks added to
these packages, so what you buy after the fact is still defective, and
still have to be patched at your expense.
Couple that with the common advice to "just" wipe and re-install, and
you will be constantly falling back to unpatched status, and having to
pull down massive wads of "repair" material - something that just is
not possible to do via pay-per-second dial-up.
I was impressed when MS shipped XP SP2 CDs to end users, as well as
the security roll-up CDs for Windows all the way back to Win98. But
we still need the ability to regenerate a fully-functional and
fully-patched OS installation and maintenance disk - something that
"royalty" OEMs don't provide their victims even at purchase time.
Then that is their problem
Not really, no. The problem arises from a bug rate within exposed
surfaces that is unsustainable for the extent of those surfaces,
forcing too many patches to manage manually. Yes, it becomes our
problem, but we didn't cause it other than by choosing to use a
platform that is so widely used that it is immediately attacked.
That equation not only favors minority platforms such as Mac OS and
Linux, it also favors an abandonment of personal computing for SaaS,
for which the risks are currently way under-estimated.
Note that I don't see the need to patch as an MS issue, given that (as
you mention) all equally-complex systems have similar needs to patch.
What puts MS on the sharp end, is the degree of exposure - like the
difference between the bearing on your boot hinge, and the bearing
that holds the crankshaft in the engine block.
It's been amusing to see how well (or rather, how poorly) Apple's
Safari browser has fared, when exposed to the same "wear".
A trend I really don't like, is where relatively trivial software
vendors jump on the "update" bandwagon, leveraging this to re-assert
thier choice of settings or "call home". It's bad enough that buggy
code quality is rewarded with tighter vendor dependency, as it is.
I have worked with enterprise across this whole spectrum from full dedicated
patch management teams that perform full and complete regression testing for
all patches they need to roll out internally to extremely poor ad hoc
solutions and minimal testing,.
I'm not talking entrerprises, here. They are well-positioned to
manage the problem; it's the "free" end-users with thier single PCs or
small peer-to-peer LANs I'm thinking about.
Collectively, all those loose systems can act as very large botnets.
------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
