Microsoft cancels February 2017 security update release (microsoft.com)
26 points by amitmittal1993 1 hour ago | 13 comments





Also see https://bugs.chromium.org/p/project-zero/issues/detail?id=99...

Wow. That is a BIG screw up if they're having to push an entire month's security updates across the board.

If anyone from Microsoft reads this: This is why cumulative updates suck, and you shouldn't force them on everyone. :)

It has nothing to do with cumulative updates.

They push once a month because back in the day they pushed whenever they had an update, and enterprises really hated that because it meant that sometimes 1000s of computers were all out of commission running updates at the same time.

So MS and the enterprises agreed on a specific day of the month that updates would get pushed, so that the enterprises could plan accordingly as best fit their needs.

Some enterprises just run the updates that night and let everyone know to expect some slowness or downtime, and some of them only let the update run on their testing machines so they can validate the update in their environment before allowing it out to all the other machines.

But the main point is that the updates are predictable because that is what the customers asked for.

enterprises really hated that because it meant that sometimes 1000s of computers were all out of commission running updates at the same time.

If a computer has to go out of commission for a security update, you are doing it wrong (as an OS vendor). Doing cumulative updates is only band-aid. The real solution is make the OS modular and reliable enough to replace/restart components while it is running.

To the downvoters: Red Hat, et al. can roll out security updates on running systems. Except for kernel updates, though kexec avoids long restarts.

This is a somewhat unpleasant semi-misconception. You can, indeed, update everything but the kernel without rebooting. In fact, I suspect you could even replace the kernel image and the modules while they're running (but this will certainly break any attempt to load modules at a later point without rebooting first). (Edit: most distributions choose to keep the old image along in case the new one breaks. It's relatively unfrequent now, but back in 2003...)

Generally, however, processes don't get restarted after updates and libraries don't get reloaded, so without rebooting, you're still running the unpatched versions.

I don't know if RHEL has a clever way to figure out what needs to be restarted (it's not entirely impossible, thanks to systemd), but pretty much everyone under "et al." has this problem.

See Peter Larsen's comment here: https://lwn.net/Articles/702664/ for a more authoritative take on this, I deserted to BSD land long ago...

tl;dr Rolling out the updates without restarting is one thing, and it's done, and Microsoft could do it too, they just take the easy route. Applying them without restarting is a very different and far murkier story.

An important part to me is that usual linux updates don't cause the next reboot to take longer, or require multiple reboots. You can install the update without rebooting; it only applies on the next reboot.


Even if that were the case, many enterprises would still want to perform testing before deployment or require updates to be part change management.

> It has nothing to do with cumulative updates.

well. Let's say you have 10 security flaws to patch. 9 patches are fine, but in 1 you have detected a show-stopping issue.

If all you can deploy is one cumulative update, then that one issue is stopping the whole update. If you can deploy patches one-by-one (all on the same patch day, yes, but still separate from each other), then you can ship 9 patches for 9 holes and hold the one patch back until next month.

Of course you could also create a new cumulative update containing only 9 patches, but I assume that's more difficult to do and will require more testing.

If anything the cumulative patch is better, not worse. It's much harder to validate nine individual patches than a single cumulative update.

What happens if patch seven fails? How about six? How about six and seven? There are an exponential number of failure cases with multiple patches vs one.

What are these security fixes that they fail so much? Although there are of course tough bugs with tough fixes, the vast majority presumably consists of off-by-ones, simple buffer overflows, use-after-free, etc.

Because the PC is an open platform, people can modify it in all kind of ways. A patch can for example fail if the user has for one reason or another removed or disabled a system component that is needed to validate or processes that patch.

I think the cumulative patches work fairly well, they install much faster than the old ones. I am however troubled by the amount of security fixes Microsoft has to do every month. This shows that security is mostly an afterthought at Redmond.

Not really. It was in the bad old days, pre-XP SP1. Nowadays it's part of the design process for everything.

I think it's more due to the sheer surface.

And for comparison, I think Ubuntu updates almost as much. It just reboots less due to architectural differences.




