Slow Fixes
Steve Jones
SSC Guru (332K reputation)

Group: Administrators
Points: 332502 Visits: 20119
There's an interesting piece at the Washington Post on Microsoft's delays in releasing patches, with some analysis showing that when the flaw is disclosed to the public, a patch comes out much quicker. It analyzes the last 3 years, comparing the dates Microsoft knew about each issue with the dates that the patches were released.


Surprise, when everyone knows, the patches come out quicker. It seems that the piece is intended to take a shot at Microsoft's patching process, and maybe it is, but there are some interesting things in there to talk about. First of all is the time lag.


Is this any different from any software vendor or even internal corporate software? If your boss knows, or the client knows, don't you work a little harder and a little quicker? Isn't it more critical and don't you rush things in addition to working harder when it's a "public" patch that is needed?


I'm sure we all do. And it's human nature to put more effort into something that's widely perceived as an issue and less effort if you know that you may have more time. We all do that and our work schedules, effort, and productivity change depending on a variety of things, including the importance of the work.


The piece also leaves open a number of questions and mentions this, noting that the analysis might be flawed. There's no mention of whether the rushed (or delayed) patches had to be repatched later. There's concern over patches applying to one area, but other similar flaws found in other parts of the software remaining unpatched. That's something that should certainly be examined when looking for re-patches or asking whether things are rushed. There's also no examination of what else was happening inside Microsoft, and whether people working on other projects had to be pulled off them. We all know that delays things as well. They take time to get their head back into code, they may be annoyed, a critical person could be out, etc.


Not to mention that the statistical methods might not be the best ones. I'll leave that to the mathematicians to figure out.


Patching is hard. As is finding bugs. I think Microsoft has done a much better job over the last 3-4 years and the quality of software, at least SQL Server, has improved. However, there is still definitely room for improvement.


Steve Jones

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

Michael Lysons
Hall of Fame (3.5K reputation)

Group: General Forum Members
Points: 3500 Visits: 1519

From my experience:

If a user reports a bug then the QA time would be right on it. If an in-house tester found a bug after release then we'd probably wait until the next scheduled release to fix it.

Of course, the severity of the bug is always taken into consideration: I assume Microsoft do the same. For example, when writing financial software, if a bug was found that caused figures to be incorrect, we'd patch that straight away. If the GUI was awry then we'd leave it until the next release.

I think severity should be the main consideration, and then you can take into account who knows about it. If it's non-severe and the user doesn't know, then why bother alerting them?


William Plummer
SSC Veteran (265 reputation)

Group: General Forum Members
Points: 265 Visits: 6

I began my software development career using CPM to make machine control systems with the Motorola 6809 processor. I remember it taking 4 to 5 hours after identifying a minor problem in code, such as a timer change, to get the changes made, compiled and burned back into the EPROMs. Today, that kind of change would take minutes or seconds depending on the nature of the control system.

When DOS came along and I discovered how easy it was to write code and use real programs to make my work easier, I became a fan of Mr. Gates. Through the years the Microsoft team has amazed me with how they have met the competition and eventually chosen paths that for the most part, have helped the whole IT industry.

Please don't get me wrong, everyone needs competition to help them rethink bad decisions and I wish all MS competitors success as they help us all see new and better ways to use our computers for greater productivity. But, come on, give the big guy his due... It's a better world with MS than it ever was without it...

Patches, who uses stinking patches anyway???


Alex-217289
Mr or Mrs. 500 (579 reputation)

Group: General Forum Members
Points: 579 Visits: 3
It really comes down to a certain level of integrity. Either you have it or not. Just because the client doesn't know about it doesn't mean that you should lollygag around and wait until the next scheduled release to fix a bug.

In fact, the motivation for working harder and quicker should be to fix the bug before the customer finds out, not solely because they already know and you have to get it out the door. This kind of attitude is exactly why software has become the bloated, inefficient code it has.

I long for the days where your salary is based on the quality and accuracy of your coding. There would be far fewer "engineers" out there to compete with in this market.

Just my 2 pence.


Cheers,

Alex


Rogue DBA
Hugo Kornelis
SSC-Dedicated (34K reputation)

Group: General Forum Members
Points: 34654 Visits: 13127

Hi Steve,

I'm not surprised. When you think about it, it makes sense.

The risk of releasing patches without extensive testing is high. Of course, nobody expects patches and hotfixes to get the same amount of testing service packs do. But I'm sure that the people at Microsoft try to get as much as possible of the more important tests done before releasing anything.

If a potential security hazard has been identified in-house but is not public yet, the risk of customers being exploited by hackers is low. After all, they'll have to find the exploit first.

However, once a security hazard is known to the public, it's also known to the hackers. You can be sure that every hacker will try to use it as much as possible before MS releases a patch. The risk for customers to be exploited gets extremely high.

For patches to secure non-public security problems, the choice MS has is to release before finishing all tests (high risk) or postpone release (low risk). For patches to secure publicly known security problems, the choice MS has is to release before finishing all tests (high risk) or postpone release (extremely high risk). In both cases, MS will choose the option with the lowest possible risk.

Best, Hugo




Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
Visit my SQL Server blog: http://sqlblog.com/blogs/hugo_kornelis
Stewart Rawson
Grasshopper (24 reputation)

Group: General Forum Members
Points: 24 Visits: 20

I think the delay makes plenty of sense - in an ideal world (where the PR guys don't exist), things should be prioritised according to needs, not demands. As an old boss of mine was very fond of saying "You seem to have mistaken this place for a democracy!"


nunYoBidnez
Mr or Mrs. 500 (502 reputation)

Group: General Forum Members
Points: 502 Visits: 132
Don't be naive!


Kindest Regards,

The art of doing mathematics consists in finding that special case which contains all the germs of generality.


Tatsu
Hall of Fame (3.8K reputation)

Group: General Forum Members
Points: 3816 Visits: 307

Here is a key point in the article:

Toulouse pointed to one particularly problematic patch that took the company 200 days to fix: a vulnerability in a component of Windows (and many other networking applications) known as ASN.1, at the time considered the largest vulnerability in the history of the Windows operating system. In the course of testing the patch for that flaw -- reported by security researchers at Aliso Viejo, Calif.-based eEye Digital Security -- Microsoft was forced to reset the process at least twice as internal developers found additional problems that were being masked by previously unknown glitches in the fix.

I would prefer that Microsoft (or any other software vendor) take the time to fully test the patch before releasing it. This can be a lengthy process, but if the vulnerability has not been disclosed to the public then the software vendor is responsible for taking the time to make sure that the patch is not going to cause any problems with the software and, more importantly, not expose any additional vulnerabilities.

I would guess (or at least give the benefit of the doubt) that a good amount of the delay in patches for vulnerabilities that have not received "full disclosure" has to do with testing, and that the other patches pose a bit more risk to the users. Then again, I am fairly optimistic.



Bryant E. Byrd, BSSE MCDBA MCAD
Business Intelligence Administrator
MSBI Administration Blog
Chris-232075
Ten Centuries (1.1K reputation)

Group: General Forum Members
Points: 1118 Visits: 248

I'm sorry, but I'm afraid that I can't buy into the "let he who is without sin cast the first stone" defense. When I slap down my several hundred dollars for a MS product I expect it to be secure and bug free. Of course, it never is. Am I surprised? No. Am I disappointed? Continually.

Continual hot fixes, patches and service packs are a sad testament to the quality of MS products, and delaying any such updates for any reason other than to assure quality is unethical.


K. Brian Kelley
Keeper of the Duck (57K reputation)

Group: Moderators
Points: 57504 Visits: 1917
1) As has been pointed out on numerous security lists, many of the big name vendors have problems with bugs and security. The list of Oracle bugs fixed in this latest release is some 82 in number. Some of those vulnerabilities have existed for years. As a matter of fact, David Litchfield called them out on this fact. Also, he pointed out that one of the fixes they did previously only prevented the sample exploit code he provided them. It didn't actually solve the problem. I'm not saying all this to bash Oracle but to point out as software gets more and more complex, more issues come about.

2) The WMF vulnerability is something left over in the APIs from the 3.1 days. There was a reason for some of it in the 3.1 days, not necessarily all of it, but in those days all code was essentially trusted. Having to be backward compatible in large measure does cause these sorts of things to happen. And not being backward compatible can be a death sentence. Amiga, anyone (though Commodore's poor marketing has a lot of the blame, too).

3) Microsoft was releasing hotfixes as soon as they were ready. And then they started getting complaints from sysadmins. Having to patch systems 5 or 6 times a month when no exploit code was known circulating was killing IT shops. It's one thing to patch a critical vulnerability that's being exploited. It's another thing to have a whole slew of patches to deploy. So Microsoft asked and the responses they got back led them to the once a month release. To which many, many sysadmins thanked them.

K. Brian Kelley
@kbriankelley

