
Microsoft: No More Pick-and-Choose Patching

[Category: Systems (Windows) | Posted by 店小二04 | 2016 | Author: 红领巾]

Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities ― dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

Zero-day vulnerabilities describe flaws that even the makers of the targeted software don’t know about before they start seeing the flaws exploited in the wild, meaning the vendor has “zero days” to fix the bugs.

According to security vendor Qualys, Patch Tuesday updates fix zero-day bugs in Internet Explorer and Edge ― the default browsers on different versions of Windows. MS16-121 addresses a zero-day in Microsoft Office. Another zero-day flaw affects GDI+ ― a graphics component built into Windows that can be exploitable through the browser. The final zero-day is present in the Internet Messaging component of Windows.

Starting this month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. For example, I’ve often advised home users to hold off on installing .NET updates until all other patches for the month are applied ― reasoning that .NET updates are very large and in my experience have frequently been found to be the source of problems when applying huge numbers of patches simultaneously.

But that cafeteria-style patching goes out the…err…Windows with this month’s release. Microsoft made the announcement in May of this year and revisited the subject again in August to add more detail behind its decision:

“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed,” wrote Nathan Mercer, a senior product marketing manager at Microsoft. “This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems:

Various combinations caused sync and dependency errors and lower update quality

Testing complexity increased for enterprises

Scan times increased

Finding and applying the right patches became challenging

Customers encountered issues where a patch was already released, but because it was in limited distribution it was hard to find and apply proactively

By moving to a rollup model, we bring a more consistent and simplified servicing experience to Windows 7 SP1 and 8.1, so that all supported versions of Windows follow a similar update servicing model. The new rollup model gives you fewer updates to manage, greater predictability, and higher quality updates. The outcome increases Windows operating system reliability, by eliminating update fragmentation and providing more proactive patches for known issues. Getting and staying current will also be easier with only one rollup update required. Rollups enable you to bring your systems up to date with fewer updates, and will minimize administrative overhead to install a large number of updates.”

Microsoft’s patch policy changes are slightly different for home versus business customers. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option ― intended for enterprises and not available via Windows Update ― will only include new security patches that are released for that month.

What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). I have no doubt this simplifies things for Microsoft and likely saves them a ton of money, but my concern is this will leave end-users unable to apply critical patches simply due to a single patch breaking something.

It’s important to note that several update types won’t be included in a rollup, including those for Adobe Flash Player. As it happens, Adobe today issued an update for its Flash Player browser plugin that fixes a dozen security vulnerabilities in the program. The company said it is currently not aware of any attempts to exploit these flaws in the wild (i.e., no zero-days in this month’s Flash patch).

The latest update brings Flash to v. 23.0.0.185 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version).

Finally, Adobe released security updates that correct a whopping 71 flaws in its PDF Reader and Acrobat produc
