Wednesday, November 14, 2007

Silent cure, spreads disease (WSUS and Microsoft)

It's amazing, every few months it seems Microsoft gets called out on something that you just look and say... why? For example, today all across the US, WSUS servers began breaking with the dreaded "unknown error" problem. I'm not going to beat a dead horse since you can read about the issue in depth here, on SearchSecurity.com, but rather I think I'll once again take a slightly different angle.

Here's the short and ugly of it...

The problem was that on Sunday evening, Microsoft renamed a product category entry for Forefront to clarify the scope of updates that will be included in the future. Unfortunately, the company said, the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console.

This isn't the first time WSUS users have run into trouble. After Microsoft's May 2007 security updates, several users reported WSUS malfunctions.
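The excerpt above describes the failure mechanism: a category title containing a character WSUS treats as restricted reaches the server through a normal sync and breaks the administration console. The script below is an added example, not code from the original post or from Microsoft: it is a pre-flight check an admin could run after each sync to catch exactly this condition, and to surface category renames that arrived silently. It assumes the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly) is installed on the machine it runs on. The double quote is the only restricted character the post documents; the $RestrictedChars parameter is an assumption that can be extended, as is the snapshot path.

```powershell
# Added example (not from the original post): flag WSUS update categories whose
# titles contain a restricted character, and report categories whose Id/Title
# pair changed since the last run (a silent rename shows up as one removed and
# one added entry with the same Id). Requires the WSUS administration API.
param(
    # Assumption: where the previous run's category list is kept.
    [string]$SnapshotPath = "$env:ProgramData\wsus-categories.xml",
    # Assumption: only the double quote is documented as restricted; extend as needed.
    [string[]]$RestrictedChars = @('"')
)

# Returns $true when a title contains none of the restricted characters.
function Test-WsusCategoryTitle {
    param([string]$Title, [string[]]$Restricted)
    foreach ($c in $Restricted) {
        if ($Title.Contains($c)) { return $false }
    }
    return $true
}

# Reads every update category (company, product family, product) from the
# local WSUS server through the administration API.
function Get-WsusCategorySnapshot {
    [void][System.Reflection.Assembly]::LoadWithPartialName(
        'Microsoft.UpdateServices.Administration')
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    foreach ($cat in $wsus.GetUpdateCategories()) {
        New-Object PSObject -Property @{
            Id    = $cat.Id.ToString()
            Title = $cat.Title
            Type  = $cat.Type.ToString()
        }
    }
}

$current = @(Get-WsusCategorySnapshot)

# 1. Any title that would trip the console's restricted-character check.
$bad = @($current | Where-Object { -not (Test-WsusCategoryTitle $_.Title $RestrictedChars) })
foreach ($b in $bad) {
    Write-Warning ("Category {0} ({1}) contains a restricted character: {2}" -f
        $b.Id, $b.Type, $b.Title)
}

# 2. Anything that changed since the previous snapshot, so a category rename
#    pushed by the catalog does not go unnoticed.
if (Test-Path $SnapshotPath) {
    $previous = @(Import-Clixml $SnapshotPath)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Id, Title
    foreach ($d in $diff) {
        $label = if ($d.SideIndicator -eq '=>') { 'added/new title' } else { 'removed/old title' }
        Write-Output ("{0}: {1} {2}" -f $label, $d.Id, $d.Title)
    }
}

# Persist the current list for the next comparison and fail the run if a
# restricted title was found, so a scheduled task can alert on the exit code.
$current | Export-Clixml $SnapshotPath
if ($bad.Count -gt 0) { exit 1 }
```

Scheduling this right after the WSUS synchronization task turns the post's scenario into an alert before anyone opens the console; the non-zero exit code is what a monitoring job should key on.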
Put yourself in the following situation, and then ask yourself what your answer would be to my hypothetical question.

You're running a very large enterprise, 200+ servers, 1,000+ workstations all spread about in different locations. You depend on Microsoft to patch their software and you're using the native WSUS software to keep your systems up-to-date.

Given the above, what's worse... an unreliable patching tool, or no patching tool at all? The reason I pose this question to you, my readers, is because it's appalling what system admins have to put up with. We're almost a decade into the patching circus and still the cure is often the cause of the disease. What's worse, now the "cure" is often a silent update that breaks several major components in key systems. This presents a different security challenge than people normally see. Let's assume that on a good day, WSUS patches 100% of your systems in record time, delivering peace of mind to your organization in a matter of minutes. Let's also say that on a critical day, WSUS breaks, and some super-critical patch that's coming out today cannot go out. Does it even matter that you have the patch in hand when your delivery mechanism is busted?

I would argue that once again, this is a clear case where separate tools must be decoupled. You can't have the company that builds the software also writing the software that patches that buggy software. That's a case of the fox guarding the henhouse in the worst way.

To Microsoft I say "Shame on you!" for at least three reasons.

  1. First, you've clearly managed to have poor Quality Control (really? this many years later?) and you've introduced a bug in a major, mission-critical piece of software which manages our Microsoft infrastructure
  2. Second, you've obviously managed to send out this magical update without alerting anyone, or even hinting that a new update to the updater is up and on your systems
  3. Third... you still haven't learned.

That's really all there is - just another blunder. Maybe we're hearing about things like this because MS is such a big target, but isn't that the bane of being the biggest? You should by now know you have the biggest target painted on your forehead, and every spotlight is on you waiting for you to screw up. Well, Microsoft, thank you for not letting me down, once again.

To be fair, I run Gentoo Linux, which over the years that I've updated my systems, has never broken itself...
