
Microsoft’s February security update release delayed to March - amitmittal1993
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/
======
namtrac
Since Flash update is now bundled with Windows Updates it means that Edge
users will be using vulnerable Flash for one more month, wow :/

~~~
billpg
The "Disable Flash" button is under Advanced Settings on Edge. Switched it off
and I barely notice anything is missing these days.

~~~
popey456963
True, but for the 90% of users of Edge that aren't technical, going into
advanced settings and disabling flash is probably beyond their abilities.

------
yuhong
Also see [https://bugs.chromium.org/p/project-zero/issues/detail?id=99...](https://bugs.chromium.org/p/project-zero/issues/detail?id=992)

~~~
acqq
I'd like to know if the "project zero" publishes to everybody the security
issues discovered in Google products before Google has a chance to update the
software? Or does this policy exist only for the other companies? Can we even
know?

~~~
yuhong
[https://bugs.chromium.org/p/project-zero/issues/detail?id=86...](https://bugs.chromium.org/p/project-zero/issues/detail?id=860)

------
mtgx
I don't get it. So because of one issue, they're not going to deliver any
other security patch either?

~~~
noinsight
Microsoft stopped distributing individual patches, all updates are now rolled
up into one package. Therefore, if one patch causes issues, none of them can
be released.

Windows 10 already worked like that, last fall they started doing the same for
older OS'es.

See:
[https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/...](https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/)

~~~
mtgx
More of a reason to call that bundling "dumb".

Seriously, think about all the different issues Windows 10 has caused to
people's computers. So if one issue damages a computer, they can't send any of
the other updates to that model of laptop?

They should be striving towards higher modularity, not a lower one.

------
akerro
One foreign government organisation must be hacked this month, but NSA doesn't
have enough time, so they asked MS to delay patches.

~~~
DCKing
I wish people thought a bit more critically when invoking NSA conspiracies in
these matters. If the NSA was the primary cause, wouldn't it be _much_ easier
to simply silently exclude those specific unwanted updates from an otherwise
regular Patch Tuesday, instead of having Microsoft announce very publicly and
vocally that something is 'off' in this patching round?

Not saying the NSA doesn't influence Microsoft or others to withhold patches,
but seeing the invisible hand of the NSA everywhere is not helpful for
determining and criticizing when they do influence things. People seem to be
able to suspend their critical thinking too easily whenever the NSA can be
invoked.

~~~
akerro
It was a joke.

~~~
DCKing
Poe's law I guess then, sorry about that. You didn't make it easy to see,
judging by the serious responses you got!

~~~
akerro
>judging by the serious responses you got!

Yup, I'm surprised too ;) At least it shows how much respect MS and NSA have
now.

------
ocdtrekkie
Wow. That is a BIG screw up if they're having to push an entire month's
security updates across the board.

If anyone from Microsoft reads this: This is why cumulative updates suck, and
you shouldn't force them on everyone. :)

~~~
jedberg
It has nothing to do with cumulative updates.

They push once a month because back in the day they pushed whenever they had
an update, and enterprises really hated that because it meant that sometimes
1000s of computers were all out of commission running updates at the same
time.

So MS and the enterprises agreed on a specific day of the month that updates
would get pushed, so that the enterprises could plan accordingly as best fit
their needs.

Some enterprises just run the updates that night and let everyone know to
expect some slowness or downtime, and some of them only let the update run on
their testing machines so they can validate the update in their environment
before allowing it out to all the other machines.

But the main point is that the updates are predictable because that is what
the customers asked for.

~~~
danieldk
_enterprises really hated that because it meant that sometimes 1000s of
computers were all out of commission running updates at the same time._

If a computer has to go out of commission for a security update, you are doing
it wrong (as an OS vendor). Doing cumulative updates is only band-aid. The
real solution is make the OS modular and reliable enough to replace/restart
components while it is running.

~~~
danieldk
To the downvoters: Red Hat, et al. can roll out security updates on running
systems. Except for kernel updates, though kexec avoids long restarts.

~~~
notalaser
This is a somewhat unpleasant semi-misconception. You _can_, indeed, update
everything but the kernel without rebooting. In fact, I suspect you could even
replace the kernel image and the modules while they're running (but this will
certainly break any attempt to load modules at a later point without rebooting
first). (Edit: most distributions choose to keep the old image along in case
the new one breaks. It's relatively infrequent now, but back in 2003...)

_Generally_, however, processes don't get restarted after updates and
libraries don't get reloaded, so without rebooting, you're still running the
unpatched versions.

I don't know if RHEL has a clever way to figure out what needs to be restarted
(it's not _entirely_ impossible, thanks to systemd), but pretty much everyone
under "et al." has this problem.

See Peter Larsen's comment here:
[https://lwn.net/Articles/702664/](https://lwn.net/Articles/702664/) for a
more authoritative take on this, I deserted to BSD land long ago...

tl;dr Rolling out the updates without restarting is one thing, and it's done,
and Microsoft could do it too, they just take the easy route. _Applying_ them
without restarting is a very different and far murkier story.

~~~
IsmaOlvey
If memory serves, Microsoft cannot actually do it, due to differences in file
system semantics. In Windows, it's not possible to replace a file that's in
use.

~~~
throwawayish
DLLs and other components installed system-wide are almost never the same
file: Updates install new versions of most DLLs into the SxS system and
compatible applications load newer versions when they are restarted.

~~~
digi_owl
Unless they bring their own version, something that has been an issue at least
once.

