
Do Emergency Microsoft, Oracle Patches Point to Wider Issues? (computerweekly.com) 49

"Emergency out-of-band fixes issued by enterprise IT giants Microsoft and Oracle have shone a spotlight on issues around both update cycles and patching," reports Computer Weekly: Microsoft's emergency update, KB5085516, addresses an issue that arose after installing the mandatory cumulative updates pushed live on Patch Tuesday earlier this month. According to Microsoft, it has since emerged that many users experienced problems signing into applications with a Microsoft account, seeing a "no internet" error message even though the device had a working connection. This had the effect of preventing access to multiple services and applications. It should be noted that organisations using Entra ID did not experience the issue.

But Microsoft's emergency patch comes just days after it doubled down on a commitment to software quality, reliability and stability. In a blog post published just 24 hours prior to the latest update, Pavan Davuluri of Microsoft's Windows Insider Program Team said updates should be "predictable and easy to plan around".

Michael Bell, founder/CEO of Suzu Labs tells Computer Weekly that Microsoft's patch for the sign-in bug follows "separate hotpatches for RRAS remote code execution flaws and a Bluetooth visibility bug. Three emergency fixes in eight days does not shout reliability era." Oracle's patch, meanwhile, addresses CVE-2026-21992, a remote code execution flaw in the REST:WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager in Oracle Fusion Middleware. It carries a CVSS score of 9.8 and can be exploited by an unauthenticated attacker with network access over HTTP.

  • by Mr. Dollar Ton ( 5495648 ) on Saturday March 28, 2026 @11:59PM (#66067056)

    Vibe-coding?

    • by znrt ( 2424692 )

      oracle's critical remote execution vulnerability over unauthenticated http in their 12.2 identity manager and web services manager seems to be about 7 years old so, no. or, not yet. the best is still to come!

    • by Gilmoure ( 18428 )

      More likely Vibe-hacking.

  • by oldgraybeard ( 2939809 ) on Sunday March 29, 2026 @12:54AM (#66067066)
    "Three emergency fixes in eight days does not shout reliability era." Just Microsoft being Microsoft, consumer quality for consumer tasks.
  • Depends (Score:5, Insightful)

    by The MAZZTer ( 911996 ) <megazzt AT gmail DOT com> on Sunday March 29, 2026 @12:57AM (#66067068) Homepage

    I think Microsoft in general does a great job considering they test numerous software packages going back decades, as I understand it.

    The real question is, each time this happens, do they sit down and have a meeting and discuss why the problem happened, what they can do to keep it from happening again, and then implement a solution in their testing? If so then it's fine. It's only if they fail to learn from each emergency that we have a problem.

    Same should apply to Oracle.

    Also not sure why we're discussing these specific Microsoft and Oracle bugs. The bugs are not similar at all. Microsoft's isn't even a security issue like Oracle's is.

    • Re:Depends (Score:5, Informative)

      by mikeymikec ( 8253876 ) on Sunday March 29, 2026 @04:21AM (#66067150)
      Microsoft gutted their QA: https://www.ghacks.net/2019/09... [ghacks.net]
    • The problem with the vast amount of hardware turf that Microsoft covers is different from say, Apple's, because Apple highly controls their hardware platforms, and Microsoft by its nature, cannot.

      Add in driver components, software legacies, and Microsoft users continue to pay this tax, generation after generation. So indeed these issues ARE similar.

      When Oracle updates key functionality, they risk a domino effect, just as Microsoft does. The QA feedback loop can help, but all old code must become crusty becau

    • Microsoft Windows (just Windows, not all the other stuff) is a massive bloat-fest. It's a whole load of interconnected mess, so it's likely impossible to fully test one bit without also testing a load of other stuff too. Then Microsoft also has to test their stuff on a whole room full of different hardware, just to cover their partners, never mind all the other vendors that matter.

      There's no way Microsoft can test everything, all the time. It's likely just too big a problem for anything other than maybe a b

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Sunday March 29, 2026 @01:07AM (#66067072) Journal

    And the law of large numbers. Statistically, there will be patch clusters, the same way there are clusters of every other random-ish event. The fact that one happens to occur right after Microsoft promises a commitment to predictable patch schedules means not just nothing but the opposite. Any commitment to doing better means that they recognize they haven't been doing well enough, and obviously it's not possible to do significantly better immediately; changing processes takes time, and observing the effects of those changes takes even longer.

    So, no, this cluster of patches doesn't tell us anything in particular beyond what we already knew: That emergency patches are relatively common.

    • So, no, this cluster of patches doesn't tell us anything in particular beyond what we already knew: That emergency patches are relatively common.

      Considering that Microsoft has been promising this exact same type of improvement since the release of XP Service Pack 3, the words spoken now are worthless platitudes provided to ensure the smoothness of the theft of your money. There is zero reality behind any of their promises.

      • So, no, this cluster of patches doesn't tell us anything in particular beyond what we already knew: That emergency patches are relatively common.

        Considering that Microsoft has been promising this exact same type of improvement since the release of XP Service Pack 3, the words spoken now are worthless platitudes provided to ensure the smoothness of the theft of your money. There is zero reality behind any of their promises.

        I'm just talking about statistical patterns. I know little about Microsoft patches. I abandoned Windows in 2001, right around the time XP was released, and have never looked back.

  • GitHub apparently has dropped below 90% uptime and it's very likely because they are using AI slop to write important code and it doesn't work.

    It's a huge problem but there isn't really a solution.
    • Re: (Score:2, Interesting)

      by gweihir ( 88907 )

      There is a solution to the AI slop problem: Hire competent, experienced engineers and let them make the tech decisions. That is just not a solution Microsoft can implement, because they do not have the understanding what it takes to make solid products. They would have the money and if they offer enough, they would even get some of the really good engineers that have turned away from Microsoft in disgust a long time ago.

      What likely does not have a solution is the sheer mountain of technological debt they ha

      • by gtall ( 79522 )

        Even re-architecting might not fix their problem. It depends upon how much their software people are relying upon bot generated code. Given their famous attention to detail, what's the likelihood that they are pushing out code they do not understand because "it worked"? The hardest bugs do not show up in test harnesses. So if they have built up a giant sticky wad of code they do not understand, there's no going through it all quickly if that is even possible. If they re-architect with the same software dep

        • by gweihir ( 88907 )

          That is why I wrote "And it needs to be done by the right people" ...

        • Even re-architecting might not fix their problem. It depends upon how much their software people are relying upon bot generated code. Given their famous attention to detail, what's the likelihood that they are pushing out code they do not understand because "it worked"? The hardest bugs do not show up in test harnesses. So if they have built up a giant sticky wad of code they do not understand, there's no going through it all quickly if that is even possible. If they re-architect with the same software dependence on bots, they haven't really solved the underlying issue which is the way they build stuff.

          Imagine though, if you have a system where you have no idea what is in the software, and the number of actual thinking people is dropping to a negligible number.

          There may be a tipping point where the proverbial shit hits the fan, and there is no competent person to look at it, analyze it, or fix it. What now, Saint Peter?

          Sounds like Windows 11.

          • by jezwel ( 2451108 )

            There may be a tipping point where the proverbial shit hits the fan, and there is no competent person to look at it, analyze it, or fix it. What now, Saint Peter?

            I believe there was a documentary predicting this exact scenario?
            Stupido, Dumb and Dumber, Idiocracy? Something like that.

            What we need are the programmers from the 70s, 80s and 90s that went into those cryo-sleep chambers to wake up and rearchitect these codebases from scratch in Assembly and C.

            • There may be a tipping point where the proverbial shit hits the fan, and there is no competent person to look at it, analyze it, or fix it. What now, Saint Peter?

              I believe there was a documentary predicting this exact scenario? Stupido, Dumb and Dumber, Idiocracy? Something like that.

              What we need are the programmers from the 70s, 80s and 90s that went into those cryo-sleep chambers to wake up and rearchitect these codebases from scratch in Assembly and C.

              I'm in a similar field. RF. We are in a time where the RF spectrum is about as clogged as it can get, teetering on the edge of becoming a train wreck. Yet people who know the nuances of keeping signals away from each other are becoming rare.

              We had this weird dichotomy of people thinking "Radio is obsolete - if you are technical minded, go for digital technology and science!" while forgetting that a cellular phone is a little walkie-talkie, bluetooth is GHz band transmission, and so on. And we forget that o

              • by gweihir ( 88907 )

                No surprise this idiocy is happening in other areas too. There is a special kind of mental disability you need to have (or acquire) to be an economics graduate: A total inability to see more than a few months into the future and a total inability to do any kind of risk management. It worked? Everything must be more than fine and surely we can do it cheaper, right?

                That is why people with critical institutional and technological skills are not treated even remotely at their value, let alone critical for organ

                • No surprise this idiocy is happening in other areas too. There is a special kind of mental disability you need to have (or acquire) to be an economics graduate: A total inability to see more than a few months into the future and a total inability to do any kind of risk management. It worked? Everything must be more than fine and surely we can do it cheaper, right?

                  That is why people with critical institutional and technological skills are not treated even remotely at their value, let alone critical for organizational survival. Tech history is full of big names that are not around anymore or only in massively reduced forms. And in most cases, it is because some "managers" did not manage to think.

                  Beancounter think. Yes, you can increase profits for the quarter if you gut the place. We were taken over by the bean counters where I retired from.

                  What was once an accounting office with 3 people, ended up becoming the largest group in the place. They gutted overhead, sucking it all up to pay themselves. I was mandated to travel to conferences at least once every other year. I couldn't perform the mandate, because there was no more overhead money.

                  Crazy thing was, my mandate didn't go away. I asked h

      • Stagnation for Microsoft is basically them shoveling money into their coffers. Innovation is where they fuck up.

        • by gweihir ( 88907 )

          The problem with that is that external pressure to get better is rising, both from reliability requirements and from security requirements. In this case, stagnation means getting worse and worse.

    • GitHub apparently has dropped below 90% uptime and it's very likely because they are using AI slop to write important code and it doesn't work.

      For companies needing uptime measured somewhere above 99%, that kind of downtime will force them to question why GitHub is anywhere near a DR plan.

      It's a huge problem but there isn't really a solution.

      Uh, that’s a rather odd response. Cause? Check. Effect? Check. Solution? Stop the cause or accept the effect; an 80% uptime rate within 6 months. IF the other half of the users left still give a shit about a solution by then.

      * Gives GitHub the Private Equity side-eye *

      Heeeey. Wait a minute. Did someone..

      • Issue is overblown. It's essentially limited to things like Actions that aren't their core offering, but a way to drive Azure revenue. If your automated code checks and PR notifications are delayed by a couple hours, it's rarely that big of an impact. In addition, finding a slice of time with 90% uptime is not the same as operating with 90% uptime.

  • by gweihir ( 88907 ) on Sunday March 29, 2026 @02:26AM (#66067094)

    It is called a mountain of technological debt. The whole thing is a fragile mess and cannot be fixed anymore, but any changes come with huge risks. Essentially, fixing one thing breaks three others in surprising and unexpected places. Which is pretty much the pattern we are seeing.

    As to that "commitment to software quality, reliability and stability", that is just them acknowledging there is a serious issue because they understand they cannot hide it. So they decided to at least get some fake appearance of honesty out of it. Of course, the commitment is not real. Same as "Security is our highest priority" stated by MS twice now after massive screw-ups. The screw-ups simply continued after that.

    Hence MS will just continue to slowly make things worse, because the mess they made cannot be fixed and their business model requires constant changes in functionality, which is the most effective enemy of "quality, reliability and stability". In a sense, MS products are low key "constant delivery scams", where the next version or the one after is promised to finally be the one that is great and will make it all worthwhile. They would actually need to throw it (Windows, Office, Azure, etc.) away and start over and they would need to get actually competent and experienced engineers to make the decisions. People which they probably do not even employ anymore and whose value MS management never understood.

    Well, guess what, if you massively prioritize revenue over engineering quality, you can, in an over-hyped and immature field, make stellar profits for a while. What you cannot do is deliver a good product. And at some time (and MS is there already), you cannot even deliver a mediocre product anymore.

    • Simplify. The best part is no part. The parts omitted never fail. They don't require maintenance, supply chains, continuous improvement.

      • by gweihir ( 88907 )

        Indeed.

        • Imagine this: Microsoft could re-write Windows using a system of modular components, each highly specialised. Each component would do one thing and do it well, each with a well understood boundary.

          Wait ... what? What do you mean it's been done before?

          (Those that do not understand Unix are bound to re-implement it, badly).

          • by gweihir ( 88907 )

            I do not think Microsoft is capable of that. Solid engineering? Depending on and trusting in what others have found to work well? Admitting they have a severe problem? I do not think they can do any of those.

  • by Vomitgod ( 6659552 ) on Sunday March 29, 2026 @02:42AM (#66067110)

    Microsoft's emergency patch comes just days after it doubled down on a commitment to software quality, reliability and stability.

    Yet still released Windows 11.....

    • Microsoft's emergency patch comes just days after it doubled down on a commitment to software quality, reliability and stability.

      Yet still released Windows 11.....

      And W11 is getting worse. That is disturbing, because Windows versions generally improved over time, not regressed.

      I guess the point is that while these emergency patches may or may not point to a wider issue, that however does not mean there is no wider issue. I'm not involved with anything Oracle, so can't comment knowledgeably on that, but Microsoft and Windows? Oh hell yeah.

  • > Do Emergency Microsoft, Oracle Patches Point to Wider Issues?

    Yes, the issues are the underlying technology is defective.

    Security controls such as MFA, endpoint protection, and deep packet inspection are compensating layers added atop an inherently unsafe computing substrate. Their very existence shows that the underlying architecture fails to provide strong isolation, integrity, or trust guarantees by default.

    Modern systems still rely on large, complex TCBs (Trusted Computing Base), expansive
  • by UnknowingFool ( 672806 ) on Sunday March 29, 2026 @10:51AM (#66067434)
    Oracle issued an out of band patch to fix a CVE. Nothing about that points to wider issues. Microsoft issued a patch to fix a buggy patch which followed another buggy patch. It has the marking of Monty Python's "We have sacked those responsible for the sacking."
  • It points to crappy code, minimal testing and better hackers...
  • by sound+vision ( 884283 ) on Sunday March 29, 2026 @11:53AM (#66067474) Journal

    So that's why my Windows PIN shat itself a few days ago.

    Luckily my internet was working, so Windows was at least able to send a ping out to Microsoft Authenticator to approve my sign-in. Last time Windows Hello shat itself, Xfinity was having an outage, and that left me with no way to log into my computer until the internet came back.

    For those of you still grandfathered in with local accounts, this will be your future too, before long.

  • by MpVpRb ( 1423381 )

    They are continuing to follow fads and introduce new "features" that nobody wants, and that can't easily be uninstalled
    They need to stop adding this crap, and provide easy ways to uninstall it
    They need to use every tool they have, including AI, to find bugs and security weaknesses
    If something is good, people will choose it voluntarily and even pay for it
    If something is installed by default and can't be removed, it's likely not good
    We need a reliable OS

  • If you do it several times a week.
