It was a relief to see such a relatively short list, especially since I need to install them tonight in preparation for taking off for the rest of the year this weekend!
J.Ja
I get a total of 3 work weeks' worth of time off each year. Since I work from home, sick days simply do not exist. I took a few days off here and there, so yeah, I have a massive store of days off. Since I'm getting married this Sunday, I needed the time off for the honeymoon, then the holiday season silliness (I've got to drive 4 hours round trip to the wife's family at some point, and the 8 hour each way drive to my grandmother's too), then I have some time to relax, and back to work!
The way I did it though, was to break my back in October and December. I have my TR blogs all written through most of January at this point. All of my work projects for the year have been done, and the last 2 weeks have been doing small tasks like documentation, tightening up the firewall a bit, etc. So my time off was gained at the expense of squeezing 12 months of major projects into 11 months (including an NT 4 -> 2008 migration, Exchange install, major shift to Hyper-V and VMs, etc.).
J.Ja
...Time to think bigger.
Next year, save the mileage on car/butt/soul and invite everybody to your place for the holidays! Then the only problem you have is getting them all out the door before New Year...
tom
I really wish I could try the "come to my house" trick... but my family in Florida and my wife's family in Charleston do not travel well, unfortunately. So I get to do the drive. 
It's not so bad, it's a nice way to get a huge block of time with my family, even if it involves a sore back and gas station restrooms. The little one travels well (at least in a car, I am concerned that he may not sit still through the plane ride to CA next week), and gives us no grief either.
J.Ja
I believe I have 7 more daze left this year..... 
Going away for the holiday season?
More of it is for my honeymoon than anything else... getting married this Sunday, then off to San Diego for a week.
Then we get back, and get to bounce all over SC and then FL visiting family.
J.Ja
I have a great deal of respect for Eric Shultz and he has this to say about 076:
"This new flaw enables attackers to gain access to your computer password and allows them to remotely access your system without your knowledge. This can happen if you click on an evil URL related to Windows Media items (typically audio and/or video clips). In this scenario, when a user clicks on an evil link, their password, or representations of their password, are sent to an evil server where the attacker can replay these credentials to log back on to the user's computer. It's similar to the 08-068 attack (credential reply), but uses different communication mechanisms to logon to the computers. Microsoft says that windows media player doesn't play by the same rules as the Operating System, and that's why this issue wasn't fixed in the November patch release. This issue could become very serious if attackers figure out how to create the evil URLs. I'd get this one patched right away (even though Microsoft only rates this as Important)."
Good to know, thanks! At the end of the day, yeah, it is less than "Critical" if you have truly locked down your users to not be admins, but still really "Important" (my unprovable opinion). But I do know that far too many users who have dangerous computing habits are running around with local admin rights, and that is provable fact.
J.Ja
What do you mean, "relatively small?" With 28 total patches, this is the largest Patch Tuesday ever! (http://blogs.zdnet.com/security/?p=2284)
While the bug count being fixed is high, the patch count is low. Also note that Ryan counts a huge Office patch which addresses 8 bugs. This article doesn't handle Office bugs. Even still, I would count it as 1 patch, not 8 bugs. There's a cumulative IE patch, of course that is going to fix lots of things. And there is another patch which addresses 2 bugs. And then you have 1 bulletin with 3 KB attached to it, depending on which OS you have and services are installed. So yes, while this round may address a large number of bugs, the reality is, no system will be getting 28 patches, they'll be getting a much smaller number. For example, my servers last night ended up with 4 - 6 patches each, which isn't too bad, especially since some of those patches were the mid-month stuff.
At the end of the day, for the system administrator stuck in the office installing (or worse, troubleshooting) the patches, it's the number of patches, not the bug count resolved, that makes a Patch Tuesday "light" or "heavy".
J.Ja
I wish your post would have pointed out that the patch comes with an update to the Active-X control. I'm always suspicious that someone could have hijacked the Microsoft site and is installing something malicious.
Especially since the installer wasn't signed by "Microsoft Corp." It appeared to be signed by some Microsoft department that had its own signature. That scared me, since it could have been fraudulent.
Unfortunately, the new installer was not mentioned in any of the bulletins that I read. I didn't even find out about it myself until I tried to install these patches after this "went to press". 
I think it's rather silly for the patch mechanism to not be included in the patches, frankly. But that's how they do it...
J.Ja
The new control manages the download. To install as part of the download, they would have to install it, reboot, and then install the rest and reboot again. People got tired of that.
I was surprised that you would write the report before trying the install. Kind of like the astronauts reporting what it is like on the moon's surface and then going there.
When we decided on the timing on the report, we made the decision to try it with the current timing first (publishing as soon as details are available), rather than waiting a bit later and discovering things like the new installer, or a few other items that on previous months have become obvious after we published. Since this is a feature we've only been running for a few months, we are still adjusting "the formula" of it, based in large part on the feedback that we receive. There is definitely the possibility that we may delay publishing for a day until we have tried the patches ourselves and hopefully found the "gotchas". At the same time, the feedback that we have already gotten (all subjective, not objective) leans towards a quicker publishing, combined with this forum for people who've had issues to post about it.
Part of the conundrum is that many sys admins have taken to patching on Tuesday. So many hackers look at the patch list, see what it changes, and target their efforts on what it fixes, hoping to deploy an exploit and hit the systems that are unpatched. So it's a toss up... do we publish sooner, to help those who will be patching that night? Or do we wait a day or two until we (hopefully) find out every detail? So far, the stuff we miss has been relatively minor, but that doesn't mean we'll never miss something major, like a patch that completely breaks stuff.
J.Ja
In Vista Home Premium, KB951338 update prevents opening PowerPoint (Office 2007) from within MS Mail. Work around?? Not yet.
Anyone encounter USB issues after the patches on Vista X64?
My Canon scanner stopped working, that is until I removed my USB flash key and rebooted. The scanner vanishes again after I plug it in (I hear 20 connect/disconnects in the process). Weird.
Too late, I installed only the critical patches to my WinXP Pro SP3 w/IE7 -- had to undo everything via Norton GoBack. One or more of the patches caused me to have no internet access. I don't have time to debug every darn patch so I threw them all out. I'm sick and tired of MS patches causing some kind of system or networking problem. Bah. This has happened so many times that I now have a new philosophy. I have a Checkpoint firewall that includes firmware updates, I use Online Armor (paid version), WinPatrol Plus, F-PROT Antivirus, SiteHound for safe surfing, and I don't go to "questionable" web sites nor do I download unknown e-mail or spam, because I use Mailwasher Pro. (Finally had to dump SpySweeper because they stuck in their new antivirus without any prior notification.) Yes, I'm paranoid, but so far I've never had a virus, spyware, rootkit, or any of the other nasties out there, and believe me, I check all the time. So why do I need any of MS's trash ruining my humble home/office network of five computers? I don't! Woo hoo, I'm free at last!
You have given yourself a false sense of security here. Why? Because all of your protections will work, until someone exploits a known security problem using a new piece of code that these systems don't know to look for. It's like avoiding the flu by staying away from everyone you know has the flu, instead of getting a flu shot. It will probably work for a really long time, but you're still playing the odds that you never meet someone with a disease and no symptoms.
I don't run *any* anti-spam, anti-virus, or anti-malware, and the only two viruses I've gotten in 20 or so years of computing, were a Word macro virus in 1999, and a dinky virus ages back, that I knew was a virus before I got it. Having safe computing practices, and putting your PC behind a router with no ports open, does as much, if not more, than any amount of software based protection, IMHO.
J.Ja
I'm behind a Checkpoint firewall that has embedded code, updated constantly, that addresses all the current exploits, and all ports are stealth. I also enable customized rules, not only in the hardware but also in Online Armor. Checkpoint is an industry standard and having been an IT/IS director in the past 15 years, as well as mainframe "big iron" and HP/UX and IBM AIX tech support earlier (dating back to IBM mainframes in 1969) I have a pretty high degree of confidence I'm safe. I didn't mention HostsMan and HostsServer which constantly update bad web sites and blocks them. SiteHound does the same thing. I also haven't had reason to use IE for at least two years. I've locked down every PC on my network by stripping out WinXP's questionable services. As I've stated previously, I have *never* had a virus, spyware, malware, rootkit or other nasty. Perhaps I've been lucky, or perhaps it's because I'm paranoid and quite vigilant. The worst thing that's happened, constantly, is the MS updates and their mischief, an ongoing aggravation. I have been director of desktop, network and server support for 8000 PCs and about 100 servers of various flavors, just one of several positions as director. I believe that puts me in the category of somewhat able to protect myself. But I believe we are saying the same thing, both of us behind a good firewall that's stealthed and both very careful, practicing safe computing practices. I simply don't click on unknown sites and never go to questionable ones, ever. However, as I used to tell my staff at every company I worked for, the only safe computer is one that's turned off. Thanks for your comments!
You can put up all of the shields you want, leaving the base OS itself unpatched is still risky business. Again, all it takes is for something to go through that exploits a well known hole, using code that does not match known profiles, and all of those security measures are for naught... yet the problem could have been prevented by simply patching the base OS. If you feel comfortable with that setup, you feel comfortable with it, but I would believe that your overall level of knowledge has kept you a heck of a lot safer than the average user to begin with.
J.Ja
Oh, Mr. Garlic, that's a good idea! Maybe string around my DSL router and my Checkpoint firewall as well as my PC. Did I mention I also use FlashBlock and NoScript in FF? I finally dropped PreEmpt because I don't use IE any longer.
=;o)
Well Justin James, if you're comfortable relying on MS to come out with patches to your OS once a month and thus feeling secure about it, but chancing thrashing your PC(s), then that's fine for you. But I refuse to unwisely turn over security to MS and suffer from the belief they are doing so in a timely and effective manner. I didn't say I have unpatched OSes, I have five of them, all with XP SP3, all have IE7, although we don't use it.
I'm just not going to keep continuing this exercise in frustration on my two main working PCs -- Einstein says that's the definition of insanity. My two laptops and one netbook are kept current with critical updates. The *only* exception I make now is if and when I get an urgent update message from Windows Secrets, telling me about a critical patch that simply *must* be installed. That's why such newsletters exist, that's why AskWoody exists, because MS cannot perform 100% all the time to protect us. MS may or may not do a good job (which is why we're going back and forth on this), but if you're one of the unfortunate small percentage of users whose system becomes unusable because of a patch, or several patches, then you are 100% down. I cannot even count the number of times I've waited to patch an OS with those so-called critical updates, then done so, got burned and had to undo everything by way of GoBack. I view MS as way behind in acknowledging and fixing exploits and many security vendors are doing a much better job. Just MHO.
I prefer to rely on those vendors and their software who update every day, or even every few days. That, to me, is more timely protection than MS's once a month Patch Tuesday. I don't fault MS, it's impossible to test every permutation of hardware and software on earth before rolling out their patches. And of course every bad guy out there wants to bring down the 900 pound gorilla so the fun never ends.
There's an amazing freebie out there for those of us who are super paranoid (I'll admit to that, it's an ugly world with lotsa bad guys doing mischief and worse). When in doubt, I run anything questionable, including FF if necessary, using SandboxIE. You can isolate any application -- WMP, RealPlayer, MS Word, Excel, you name it, you can sandbox it. Let's face it, you know the ways someone can compromise your system, there are only so many entry points. SandboxIE is one of those "can't live without" and it's free!
=;o)
When you said that you "threw the whole darned thing out", I was under the impression that you were no longer performing patching.
Do I count on patches alone to provide protection? Heck no, that's suicide! But at the same time, I have not had the problems that you've seen, either. Over the last few years, Windows patches have not caused me any issues. Honestly, I don't lock down my network nearly as tightly as I prefer, due to business reasons. We made the choice to not be quite so tight, knowing the risks, in favor of having a network that is convenient to use. I think there is a fine balance between security and ease of use. When you really lock it down, users get frustrated and angry. And at the end of the day, the folks who sign my paychecks are users too.
J.Ja
Something in this bunch of patches repeatably gives me BSOD on boot in Vista Ult. 64. If I install them I can't boot. If I uninstall them from Safe Mode I can.
Come on Microsoft, I thought I was using Vista instead of Linux because I could trust that NOT to happen any more!
Since downloading the Windows updates from last week my Vista machine is now completely knackered. I'm not sure what it is, but it is now stuck in a loop installing part 3 of 3 0%, which then results in an automatic reboot, only to appear back on the same screen.
I have to do a system restore every morning to log in, then it automatically updates and breaks