July 30, 2010

Nearly half of Microsoft 2010 security patches have known problems

Last month's fix of a broken Windows Server patch got me thinking -- just how often does Microsoft release a patch that it knows has problems? The answer: nearly half the time. How often are those problems so severe they fry your system? That's less clear, but it seems as if the answer is, "not all that often."

Microsoft has so far released 45 updates in 2010, some fixing multiple vulnerabilities. Of them, 20 were released with a known problem (see list below), but of those only two had issues severe enough to warrant a fix and re-release of the patch altogether. Those two patches were MS10-024 and MS10-025. Both were originally released during April's patch cycle. MS10-024 was re-released in July after users began reporting that the patch hosed their systems and that Microsoft's workarounds didn't work. MS10-025, also originally released on the April Patch Tuesday, was re-released two weeks later.

"The [025] bulletin was rated critical and affected Windows Media Services. On April 21st, Microsoft pulled the bulletin from their webpage as they found the patch did not fully fix the vulnerability as intended. On April 27th, Microsoft re-released the bulletin as it addressed the vulnerability as originally intended. With this bulletin, this had a pretty low impact on administrators as it only affected Windows 2000 SP4 with Windows Media Services installed. This service is not installed by default, so this type of software scenario is typically quite rare," explains Jason Miller, data and security team manager for patch management vendor, Shavlik Technologies, Minneapolis.

The number of re-releases isn't a good indicator of how many bulletins hose a user's systems. As Miller notes, each bulletin may fix multiple vulnerabilities, and if Microsoft changes one patch, it may not re-release the whole bulletin. Users might instead get a cumulative patch bulletin for the product (common for Internet Explorer, for instance). One would assume that these new fixes are rolled into the next service pack, too.

Additionally, Microsoft will sometimes re-release a bulletin not because the patch is faulty but because it is updating the list of software known to be affected (usually adding, not subtracting) or because Windows Update is just plain confused. "There are cases where a patch will be detected as missing when it is actually installed. Microsoft has made changes to patches addressing these detection and deployment issues. If the patch has already been applied, no action is required by the administrator as the vulnerability has been fixed," Miller adds.

Still, I wanted some measure of how many patches cause problems, so I counted the number of bulletins released in 2010 with stated known issues. This count doesn't indicate how badly those issues might affect the performance of the machine the patch was meant to fix. For instance, below is the known issue and its fix for MS10-040, a June patch rated "important" that fixes a hole in IIS.