Re: Critical Update Cumulative Patch (KB826939)


From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 04/12/04


Date: Mon, 12 Apr 2004 08:58:23 +0200

On Fri, 9 Apr 2004 23:38:23 -0700, "JD" <Erehwon@Example.com> wrote:

>An interesting question. The download manually option offers a file that is
>9MB, whereas the same cumulative patch from Windows Update is 282 KB.
>How is this difference explained?

The small one is prolly one of those awful "live" installers that
ASSume you are online when you run them, being incomplete.

You know the drill; you pull down a patch from one PC, plonk it on
CDR, take it to another PC, try to install it, and watch it groping
for the Internet all the time. So you initiate a DUN connection
(which over here, costs money per second) and it starts to pull, and
goes on and on for hours, and you have no idea when or if it will ever
finish. And even if it does finish properly (i.e. the line doesn't
drop) you have to repeat the whole mess on the next PC. YUKK!!

OTOH, not every "call home" goes about pulling extra stuff the
wretched download left out. Sometimes you'd be watching the progress
report text and notice this happens during "checking signatures
for..." steps. In that case, you can cancel the DUN popups and it
will carry on OK. But the DUN popups repeat the number of times as
set for DUN dial retries (can be 5, can be 10) and are NOT all grouped
at the start of the process... so you have to hang around for the
entire installation procedure to click away these things, sometimes
taking an hour and requiring over 50 click-aways. One too many Esc
keypresses and you abort the whole installation, of course.

I usually try to avoid writing long paragraphs such as the above,
because they are tedious to read. But not this time - maybe
subliminally it will drive home the message to any MS readers, the
message being: We want self-contained self-documenting re-usable patch
downloads that do NOT call home for any reasons whatsoever, please!!

;-)

>"Jason Tsang" <jason-onlineDEL@ETEmvps.org> wrote in message

>> Download the patch manually here

>http://www.microsoft.com/downloads/details.aspx?FamilyId=D531BF00-D7BE-48E3-ABCC-961602BD72C2&displaylang=en

>> "JD" <Erehwon@Example.com> wrote in message

>> > The only critical update still being offered me, yet I'm confused as to
>> > why. If it only repeats all the previous critical updates, does it make
>> > sense to install it on top?

If it's a recent cumulative, then yes - there'd be value in installing
it, as it sets a new baseline that's easier to build from than an
ad-hoc collection of loose patches.

If it's an old cumulative, then one would be more worried about it
rolling back newer patches you'd applied earlier.

Even with loose patches, there's always the risk that mis-sequenced
patching can cause older patches to undo newer ones. I'm not sure if
Windows' patch tracking is smart enough to spot this and reset the
"patch xxxx is already installed" value when older patch yyyy
overwrites a fix applied by patch xxxx.

Often you will find multiple holes within the same .DLL, for example
in common suspects such as MSHTML.DLL (the HTML renderer used whenever
OE, Outlook, IE and anything else asks the OS to render HTML) or
WSCRIPT.EXE (the interpretation engine for stand-alone script files).

Let's say there's a patch for a MIME type checking defect (or rather,
absence of type checking) that an old patch fixes, and a later patch
for (say) a failure to check what security zone content is in. If
these both involve MSHTML.DLL and the older one is applied after the
newer one, the result will be a re-opened risk from zone leakage.

>> >What are savvy XP users doing with regard to this "patch"?

Well, in addition to the above concerns, there's always the worry that
a new patch may break things.

Combine that with doubts as to whether the patch can be cleanly
uninstalled, and you can see why some of us are (or, pre-Lovesan,
were) reluctant to apply all patches as soon as they appear!

Too many patches don't even try to maintain an uninstall path, relying
on System Restore rollback instead - and that REALLY sucks, given that
SR is a safety net for BAD installers that fail to maintain expected
standards for uninstallation (as well as other crunches unrelated to
installs, such as bad settings, user failure, bad exits that leave
files damaged after ChkDsk "fix" etc.)

For me, an index case is that of the ~ file bug that an OE patch
caused. This is still unfixed a year later, and the way it's
typically described as "harmless" makes me fear that MS still suffers
implication blindness.

Before the new patch, the address book resided in an unguessable
location with arbitrary name, meaning you'd need to query the registry
to locate it. After the patch, these ~ copies have known name and are
in guessable locations - requiring a much smaller beach-head to access
them. IOW, any of several "Mitigation: The attacker would have to
know the path and name of the file" holes can now be used to harvest
email addresses, either to spam or to send malware to/"from".

Even if a patch does uninstall properly, there's still the problem of
effects on later patches that share the same atoms. Going back to the
earlier example, if you were to uninstall the MIME-fixing patch, it
would also revert the zone leakage patch when it restores the
pre-existing MSHTML.DLL file (assuming this time the two patches had
been installed in the correct order, that is - else it would restore
the fixing of zone leakage that applying the older patch had broken).

These are not trivial issues for MS to address - i.e. think of it as a
"mission impossible" problem, rather than a poor attempt to do
something that should be possible to do with 100% reliability.

It's far easier to apply fixes during product development, when the
order of fixes is controlled by the developer and the code is in place
before the new installation diverges from the known initial state (as
system-specific drivers, software and settings accumulate).

The lesson: Try *really* hard not to ship broken code :-)

>-------------------- ----- ---- --- -- - - - -
  Running Windows-based av to kill active malware is like striking
  a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -
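The sequencing hazard the post describes (an older patch's MSHTML.DLL landing on top of a newer one, and an uninstall restoring the pre-existing file and taking a later fix with it) can be modelled as a version-aware patch tracker. This is an added example, not code from the post or from Microsoft; the file versions, patch names and fix labels are made up, and the model assumes every patched file already exists on the system.

```python
# Added model (not from the post): two patches replace the same MSHTML.DLL, and
# install order or a later uninstall can silently undo fixes. Names are made up.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FileImage:
    version: tuple      # version stamped in the binary, e.g. (6, 0, 2800, 1100)
    fixes: frozenset    # defects this image closes

@dataclass
class System:
    files: dict                                  # path -> FileImage on disk (all pre-exist)
    backups: dict = field(default_factory=dict)  # patch name -> {path: image before install}

    def apply(self, name, patch_files, refuse_downgrade=False):
        """Install a patch; return the fixes it removes by overwriting newer files."""
        lost = set()
        for path, image in patch_files.items():
            cur = self.files[path]
            if cur.version > image.version:          # older binary over a newer one
                lost |= cur.fixes - image.fixes
        if lost and refuse_downgrade:
            return lost      # a tracker that spots the regression stops here
        self.backups[name] = {p: self.files[p] for p in patch_files}
        self.files.update(patch_files)
        return lost

    def uninstall(self, name):
        """Restore the pre-install files; return fixes that restoration removes."""
        reverted = set()
        for path, old in self.backups.pop(name).items():
            reverted |= self.files[path].fixes - old.fixes
            self.files[path] = old
        return reverted

    def fixes(self, path):
        return set(self.files[path].fixes)

# Constructed data: illustrative versions, not real patch identifiers.
DLL = "MSHTML.DLL"
BASE = {DLL: FileImage((6, 0, 2800, 1000), frozenset())}
OLD_MIME = {DLL: FileImage((6, 0, 2800, 1100), frozenset({"mime-check"}))}
NEW_ZONE = {DLL: FileImage((6, 0, 2800, 1200), frozenset({"mime-check", "zone-check"}))}

def wrong_order(refuse_downgrade=False):
    """Newer zone patch first, then the older MIME patch on top of it."""
    s = System(dict(BASE)); s.apply("zone", NEW_ZONE)
    return s.apply("mime", OLD_MIME, refuse_downgrade), s.fixes(DLL)

def uninstall_older_after_correct_order():
    """Correct order, then the older patch is uninstalled and restores the base DLL."""
    s = System(dict(BASE)); s.apply("mime", OLD_MIME); s.apply("zone", NEW_ZONE)
    return s.uninstall("mime"), s.fixes(DLL)
```

With `refuse_downgrade=False` the tracker behaves like the naive installer the post worries about and the zone fix is lost; with it set, the downgrade is reported and the newer file stays in place.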


