Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Microsoft Bug Operating Systems Windows IT

Tuesday Was Microsoft's Last Non-Cumulative Patch (helpnetsecurity.com) 222

There was something unique about this week's Patch Tuesday. An anonymous Slashdot reader quotes HelpNetSecurity: It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new 'monthly update packs' will be combined, so for instance, the November update will include all the patches from October as well.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."
This discussion has been archived. No new comments can be posted.

Tuesday Was Microsoft's Last Non-Cumulative Patch

Comments Filter:
  • by King_TJ ( 85913 ) on Saturday September 24, 2016 @11:43PM (#52955885) Journal

    I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

    IMO, Microsoft's Windows Updates have been a huge, overly confusing mess for a long time anyway. I used to use WSUS to centrally administer them and for our small to mid-sized company, it became more trouble than it was worth. I like the advantage that you only have to download the patches once to the central WSUS server and then all the clients grab copies from there to save your Internet bandwidth. But in practice, our workforce is mobile enough that it's almost better we just let their laptops grab updates over the net from wherever they're at so they get patched more quickly.

    Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been. So often, you have slews of patches that wind up marked "superseded" by other patches, and there are weird dependencies too. Can't do certain patches unless you've done others first. (Why not automate all of that so any patch dependent on another one just auto-applies the required one as part of its installation?)

    If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)

    • good to fix the 2-3 reboot passes to get systems up today + all of the optional stuff that does not auto install.

      Also all of the hot fixes as well.

    • by dbIII ( 701233 )

      If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious

      On the most recent one I did updating was completely broken. For days. Even printer drivers were unavailable. It turned that that turning updates off - rebooting - then turning them on again allowed that 8-10 hours or more.
      The way it behaves changes frequently.

      • by Zocalo ( 252965 )
        Then you're doing it wrong. You need to either, 1) slipsteam your install media with all the patches and do your build(s) that way, or 2) disconnect the network, install from SP1 media, reboot, then install the "Convenience Update" (KB3125574) (AKA SP2, released in April), reboot again, then connect it up and let it get the remaining post-April updates. Both approaches are far from perfect, and still have the odd glitch, but they are a lot more efficient than letting an new SP1 install try to patch itself
        • by dbIII ( 701233 )

          and still have the odd glitch

          Indeed, which is why I had to do it the way I said in the end after an offline WSUS tool and other attempts did not work.
          The way it behaves changes frequently, which is very annoying and means that what is good advice a month ago is often not relevant today.

    • by Anonymous Brave Guy ( 457657 ) on Sunday September 25, 2016 @01:26AM (#52956115)

      For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.

      Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.

      Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.

      Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.

      • The Convenience Rollup is kept on my keyring USB stick as its just soooo much easier than dealing with a system that may not have had a patch on it in years.

        And as far as these new crap "mega updates"? Just turn off Windows Update and use WSUS Offline [wsusoffline.net] which last I checked is doing just as you described and grabbing the manual security updates, only you get them nicely bundled with a script that will install them all (and do any reboots required) and shut down the system, hassle free. I highly recommend it.

        • Totally second WSUS offline, it's a life saver for those systems that just refuse to update.
        • by lgw ( 121541 )

          So how do we know WSUS Offline isn't primarily a malware vector? This seems like the very best way to build a botnet: hijack Windows Update. Or, even if they're honest, what a target!

          MS has clearly lost its way when 3rd-party Windows distros start looking like the best security practice.

          • Uhhhh...can you read? Because that is really all you have to be able to do to check WSUS Offline since the GUI is really just a front end for some scripts which are in a folder appropriately labeled "cmd" so you can just open them in the text editor of your choice and see what its doing.

            It also doesn't try to obfuscate in ANY way what it is doing or who it is calling if you are using the Offline Generator to generate an Offline Update client (it currently supports Vista-10 including the server variants, VER

      • Have a few Win7 installs that I use rarely, so I tried to download it on Linux.

        https://support.microsoft.com/... [microsoft.com]

        sends you to

        http://catalog.update.microsof... [microsoft.com]

        which says

        This website does not offer updates for the operating system on this computer. [no shit, Sherlock]
        This website only provides updates for computers running Windows 2000 Sp3, Windows XP or Windows Server 2003 and later. If you prefer to use a different Windows operating system, you can obtain updates from the Microsoft Download Center."

        So I

        • I mean, it would be absolute madness to download a patch on one machine to use on another (or several others).

          Well, this IS Microsoft, after all. Not only designing for the lowest common denominator, but effectively mandating that anyone who actually has a clue constrain himself to that level, regardless. They've only been doing this for about 20 years now.

          I put up with it for 10 of them.

          • Thinking about this, I had similar problems when XP SP2 or 3 came out. My home connection was slow and flaky so I tried to download it at work, except my work machine was on W2K...

            IIRC I eventually found some masonic sysadmin page with direct ftp:// [ftp] links. Anybody remember those?

      • by King_TJ ( 85913 )

        Yes, it's good advice to try to install the "Convenience Rollup" on a fresh Win 7 SP1 install before trying to update the rest of the OS.
        But from my experience with that? You absolutely *do* have to install the prerequisite KB30203369 first, or else it won't do a thing. And when you download and run that prerequisite, it still has to go through some type of "searching for updates" process which seems to involve communicating with the Windows Update servers Microsoft hosts. I had a lot of problems with THAT

        • by lgw ( 121541 )

          Yes - IME you're totally screwed if your network stack is hosed, or you accidentally have the same IP address or hostname as another machine. What a mess.

    • I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

      To a certain degree, it's already that way.

      This month, I have a customer with a Hyper-V cluster which one of the six patches screwed up iSCSI while backing up. And a customer with a Terminal Server which one of the six patches screwed up Terminal Services. And a customer with Exchange that one of the six patches broke Backup Exec being able to see inside the database to restore individual files.

      Only in the case of the TS problem has it been tracked down to a single patch - by Microsoft. The other two

      • VSS is your friend; or should be your customer's friend. We have it on a nightly scheduled on all our servers on top of Back Up Exec. They could roll-back to the previous night on a System State restore, disable auto-updates, at least until you had the time to do troubleshooting on the patches.
    • by ddtmm ( 549094 )

      If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

      I think that was the intent.

    • I did recently install a Win7 machine from scratch. After the install I installed the August rollup, and then ran windows update. That thing must have run for a full day before it concluded that there were only 24 updates that were required (half of which were .NYET).

      Microsoft announced that they are going to do similar rollups for .NYET.

    • by ncc74656 ( 45571 ) *

      If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

      That's why you slipstream updates into your installation image. Slipstreaming the various post-SP1 patch rollups as they're released will slash your installation time significantly, and there are only a relative handful of them at this point.

      The only thing slipstreaming doesn't cover is upd

    • by Wolfrider ( 856 )

      --You can speed up Win7 updates A LOT just by using WSUS Offline Update. Download once, burn to DVD and update the client PC with that.

      --Win7 "official" update process is horribly broken and CPU intensive, to the point where the CPU fan on a laptop I inherited had basically failed due to 100% continuous use.

      http://www.wsusoffline.net/doc... [wsusoffline.net]

      --Note that you may have to run the WSUS updater on the client multiple times and reboot/repeat, but this is still *much* better than doing it the traditional way. Afte

  • In other words.. (Score:2, Insightful)

    by Anonymous Coward

    "You want security patches? Welp, you're gonna have to accept Telemetry too."

    • by Z00L00K ( 682162 ) on Sunday September 25, 2016 @12:18AM (#52955977) Homepage

      And this is what's most worrying, we don't really know what's in "Telemetry", and I have a feeling that it's going to be a problem.

      And we can't figure out which part of a future monolithic patch that actually causes the system to behave bad, some patches aren't even possible to uninstall without a lot of hard work.

  • response (Score:5, Insightful)

    by markdavis ( 642305 ) on Sunday September 25, 2016 @12:09AM (#52955947)

    >"Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux.""

    Yep, still run Linux...
    I install whatever I want, whenever I want, however I want, on what I want. My machine belongs to me.

    • Yes, running Linux is still the best option, for most Windows users.

      Obviously if you are required to use software that only runs on Windows --perhaps you are a photographer who has to submit his finals in Photoshop format-- then you are stuck in the Microsoft microbiome. Too bad.

      But most Windows users are not being coerced into that submissive role; they could switch to something like an Ubuntu LTS and be happy --and more productive at lower long term cost-- than if they continue to pay to be a commodity

  • Will there still be zero day fixes?

    As in small updates for just that one fix mid mouth? and then for full one at the end of mouth?

  • Can we get something like windows 10.01 10.02?

    Or Windows 7 sp2 or SP1.5

    Windows 8.2 or 8.1.5?

    • by sexconker ( 1179573 ) on Sunday September 25, 2016 @12:40AM (#52956023)

      MS won't release SPs anymore because all of their shit in place says SPs add to the support length of the OS.
      That's why Windows 8.1 happened instead of Windows 8 SP 1.
      That's why 7 had only 1 SP despite desperately needing another. It's so bad Windows Update doesn't work on a fresh Windows 7 install until it crashes twice over 36 hours. The third time usually works after another 8-12 hours.

      • by Anonymous Coward

        actually, it's because "service packs" require testing and they don't employ patch testers anymore.

    • What is effectively Windows 7 SP2 is called the Convenience Rollup instead, probably because it avoids complications about extending support dates if a new Service Pack is released, and it's found as KB3125574. See my first post to this discussion [slashdot.org] for more about how to use it, including installing it without waiting an eternity for Windows Update to get its act together.

    • Can we get something like windows 10.01 10.02?

      Or Windows 7 sp2 or SP1.5

      Windows 8.2 or 8.1.5?

      Sure. It's already there. Just gotta understand how Microsoft versions Windows now.

      • - Think of "Windows 10" as a brand name, like "Mac OS X", instead of "the tenth version of Windows".
      • - Run this from Powershell: get-item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' and you will see values like CurrentVersion (6.3), ReleaseId (1507, 1511 or 1607), CurrentBuild (10240, 10586 or 14393), and UBR (17113, 589 or 189 if you're fully patched)
      • - You can also see those numbers by typing "winver".
      • - Release
  • by Calydor ( 739835 ) on Sunday September 25, 2016 @02:39AM (#52956191)

    So what exactly are they going to do? Are we going to download the entirety of updates that have ever been released for Windows every month? That seems like a crazy waste of bandwidth, especially for people with slow or capped connections.

    • Well, hopefully that will end the "system being at updates n-10, have to patch n-9, then n-8, then n-7 ....."
    • Microsoft has shown, via the 6.5gb Windows 10 "upgrade", they care little about anyone's slow or capped connections.
    • by denbesten ( 63853 ) on Sunday September 25, 2016 @01:09PM (#52957871)

      ...Are we going to download the entirety of updates that have ever been released for Windows every month? ...

      If you update online you get just the changes. If you download and install you get the whole thing.

      Microsoft answered this and many other concerns on their blog [microsoft.com] last month. Your particular answer can be found in the comments.....

      Nathan Mercer
      September 15, 2016 at 8:37 am

      ... Monthly rollup will grow to be about the same size as Convenience rollup update. If you install via WU or WSUS you can take advantage of the Express feature to just have deltas going across the network. Security-only update will obviously be much smaller.

      • In addition, from the same blog [microsoft.com] post:

        Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past.

        Probably meaning telemetry and all the other things people have explicitly not installed (like Silverlight - for which "patches" appear in WU, even though I don't have it installed).

        • Damn. Missed this bit of good news in the blog [microsoft.com] in my previous post:

          Microsoft Update Catalog
          The Microsoft Update Catalog website is being updated to remove the ActiveX requirement so it can work with any browser. Currently, Microsoft Update Catalog still requires that you use Internet Explorer. We are working to remove the ActiveX control requirement, and expect to launch the updated site soon.

  • Does anyone know what will happen to those of us deferring upgrades? I got weird errors and lost my HFS partition last time it happened. Do we get a separate set of updates, or will we be forced to grab the anniversary update despite the bugs?
  • Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

    • Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

      No they won't die. Have you never seen The Terminator, Westworld or similar films and stories about The Thing That Won't Die ?

      Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

      • Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

        (cough) SCO Group [wikipedia.org] (cough)

    • by gweihir ( 88907 )

      So far it works for them. There are enough people that think Win10 is great. Of course, the corporate market is another story.

  • by ErichTheRed ( 39327 ) on Sunday September 25, 2016 @07:44AM (#52956643)

    Having done the end user computing engineering thing for quite some time, I've had to deal with Windows Update in places as large as 40,000+ PCs. There's a conundrum in the cumulative patching model -- it's super-easy for IT, but could leave some places more vulnerable.

    The problem is that the more diverse a company's IT needs are, and the more proprietary software they rely on, the less able they are to just roll out a bundle of fixes to everyone and call it a day. I think Microsoft is forgetting how much some companies are relying on desktop Windows for line of business applications...it's almost like everyone there has drunk deep of the Cloud/Surface/Phone/Tablet/Web Services kool aid, and just assumed those crappy 20 year old applications have disappeared along with desktop/laptop use cases. In their minds, the only thing they have to make sure works correctly on site is Internet Explorer/Edge and Office.

    Admittedly, updates are a confusing mess of semi-circular dependencies and it is very difficult for Microsoft to test even common combinations. But, making them all cumulative means this...Assume you have 10 updates in a bundle, 6 work fine everywhere, 1 breaks 40 PCs in Department A, 1 breaks the LOB app running on all 18,000 PCs you run, 1 breaks a behavior in IE some junky internal web app running on 2,300 PCs and 1 breaks the CEO's computer. All those computers have to wait until the problem is solved to get the protection for the 6 vulnerabilities, and they will continue to be unpatched since the bundle is cumulative.

    The other thing I'm not a fan of is the removal of any sort of information about what gets patched. There used to be comprehensive descriptions of what was patched, and companies who knew what they were doing could direct testing to the right application groups. That's the other thing that's going away this month. We're a big Microsoft shop so we're pretty much resigned to upgrading to Windows 10...I guess we'll see what happens. Microsoft's been trying to cremate Windows 7 ever since early this year, messing with support dates and not backporting features. We'll see if Microsoft's "update rings" strategy that they're recommending everyone migrate to is workable.

    • I did a factory reset on a laptop to get back to 8. It started out with 181 updates and took over 8 hours to accomplish this. I turned it on the next day only to discover there were 21 more updates. I do not know if it is windows 10 or slashdot software but to type in this comment I attach a external keyboard since if I type on the laptop keyboard it goes crazy on me making it most difficult to type. Microsoft's games are the worst. I was playing Treasure Hunter and all at once it quit on me I restar

  • Apart from the obvious-but-snarky ("Install Linux! hoho I'm so clever!"), you can indefinitely postpone all Windows updates on all versions of Windows 10 by stopping (and disabling if you find a way) the Windows Update service.

    Of course, you lose the security updates if you do that too. Whether that's massively important to you depends on how often you run executables downloaded from the Internet, and what TCP/IP services you run on your computer.

    Obviously "No security updates" is a bad thing, but if W

    • by gweihir ( 88907 )

      That we even have to consider such "solutions" shows how fundamentally broken both Windows and the relevant consumer-protection laws are.

    • by lgw ( 121541 )

      Of course, you lose the security updates if you do that too. Whether that's massively important to you depends on how often you run executables downloaded from the Internet, and what TCP/IP services you run on your computer.

      Your security beliefs are about 10 years out of date, unless you consider JS to be an "executable downloaded from the Internet". Almost all malware targeted at home computers is "no click required": mostly malicious JS, but occasionally PDF, or even jpg (remember what that was a joke?), served via ad networks.

      So "whether that's massively important to you" depends on whether the machine is used to visit any web sites that serve ads, unless you completely disable JS.

      no security updates might be the better of two evils, especially if you don't use IE or Edge

      Is MS combining OS and browser updates (an

  • This is the correct answer.

    • by gweihir ( 88907 )

      Unfortunately, I am also a gamer, so that does not (yet) work well. But I am strongly thinking about a gaming-only PC and a separate one for working on things, surfing, email, etc. with Linux.

  • I really see no other purpose to this than bundling spyware with security-updates. Seems running Windows securely and reliably is going to get even more difficult than, for example, Linux. (Although systemd is trying to change that...)

  • Finally! This is the way Apple has done it forever and it is sooo much nicer from a user experience perspective. Some may whine about having to accept everything MS wants to push at them, but it's time for them to deal with it and move on. The Windows update process has been essentially broken for the past two decades (>5 hour patch installs on a freshly Windows is *not* acceptable), and it's finally getting fixed. A momentous day.
    • by Ash-Fox ( 726320 )

      Finally! This is the way Apple has done it forever and it is sooo much nicer from a user experience perspective.

      From a user perspective, it's awful when you just want something that works and nobody can help you.

      I still haven't figured out why Sierra users get "Authentication failed" when I see "opendirectoryd: ODNodeCreateWithNameAndOptions completed" in the logs and get errors like "opendirectoryd: ODNodeCustomCall failed with error 'Invalid credentials' (5000)" with no actual logging of the event happeni

Most people will listen to your unreasonable demands, if you'll consider their unacceptable offer.

Working...