Light patching for Windows tomorrow.....

[Gary]

Microsoft is planning a light Patch Tuesday for November with just three bulletins that collectively address a total of 11 security vulnerabilities.

The trio cover flaws in Office (and Powerpoint) for Windows, Office for Mac 2011 and Forefront Unified Access Gateway. The Office for Windows patch is rated critical while the other two updates are rated as important.

Its amazing how any company can put out a brand new product and a week or so later it needs security patches 

Note that a that a recently discovered zero-day vulnerability in Internet Explorer remains unfixed in this round of patches.

http://www.theregister.co.uk/2010/11/05/ms_november_patch_tuesday/

[Rik]

Well, they can't rush things can they, Gary.

[Gary]

Well, they can't rush things can they, Gary.

Office for Mac 2011 has been out about a week ish (I'm avoiding, its buggy right now) and already it needs patching 

[armadillo]

Its amazing how any company can put out a brand new product and a week or so later it needs security patches 

I think this is easy to understand. How many developers can Microsoft employ on, say, the OS? 100? 200? 50? Out in the wide world, there are perhaps several million clever script kiddies competing for the kudos of breaking it. I million people for one hour is approx the same as 100 people for a whole year if they work 24 hours per day, 3 years if they work a standard pattern.

[Gary]

I think this is easy to understand. How many developers can Microsoft employ on, say, the OS? 100? 200? 50? Out in the wide world, there are perhaps several million clever script kiddies competing for the kudos of breaking it. I million people for one hour is approx the same as 100 people for a whole year if they work 24 hours per day, 3 years if they work a standard pattern.

I see your point, but a week? That still seems a bit of a blunder, if software built from the ground up to be more secure is not in just over seven days, well I do wonder if I will just use a 'Bic" style laptop online and keep my main machine patched but more isolated.

[Lance]

Of course, its more likely that the problem was identified at some point after the software going RTM so it could be at least a week.

[armadillo]

I agree that testing will continue after product release.

I also think that the importance of security patching for clued up home users is very overrated. In a corporate environment, you have to do it because you never know when someone will do something silly.

[Gary]

Of course, its more likely that the problem was identified at some point after the software going RTM so it could be at least a week.

True, Lance. Maybe its just that the drive to find holes is greater now than it ever was, and the Promise find them in the coding stage is harder to achieve than people thought.

[esh]

Of course, its more likely that the problem was identified at some point after the software going RTM so it could be at least a week.

Absolutely. Half the software (games or otherwise) I purchase these days has half a dozen patches immediately after I've installed it. I have no idea why people are flipping out over this at all -- most of the points have already been listed.

• Manpower limit - there is only so much one man can test
• Time limit - Eventually those CDs have got to be pressed
• Hardware limit - some inconvenient berk out there is going to try and run it on a Cyrix 100 or something
• Popularity - it's not only popular software, but it's popular to try and hack it, and popular to bash it when people *do* hack it
• Internet proliferation - pretty much everyone who runs modern software has net access for patching (laziness or convenience? you decide)

The open source motto for product releases is typically 'release early, release often'. Okay, you don't have the source code to hand to fix it yourself, but I suspect hardly anyone bothers to fix Linux/OpenOffice/etc bugs themselves either. As long as Microsoft patch them in reasonable time -- of which yes, they have had a spotty history, but I think a week is good -- then all is fair and well. No bit of software is going to be perfect on release, or probably *ever* be perfect. The best you can do is read the bug reports, prioritise them, and fix as best you can.

[Gary]

Absolutely. Half the software (games or otherwise) I purchase these days has half a dozen patches immediately after I've installed it. I have no idea why people are flipping out over this at all -- most of the points have already been listed.

• Manpower limit - there is only so much one man can test
• Time limit - Eventually those CDs have got to be pressed
• Hardware limit - some inconvenient berk out there is going to try and run it on a Cyrix 100 or something
• Popularity - it's not only popular software, but it's popular to try and hack it, and popular to bash it when people *do* hack it
• Internet proliferation - pretty much everyone who runs modern software has net access for patching (laziness or convenience? you decide)

The open source motto for product releases is typically 'release early, release often'. Okay, you don't have the source code to hand to fix it yourself, but I suspect hardly anyone bothers to fix Linux/OpenOffice/etc bugs themselves either. As long as Microsoft patch them in reasonable time -- of which yes, they have had a spotty history, but I think a week is good -- then all is fair and well. No bit of software is going to be perfect on release, or probably *ever* be perfect. The best you can do is read the bug reports, prioritise them, and fix as best you can.

Its down to cost, holding back costs, they have a known list of bugs but anything they consider not a deal breaker they leave till later versions, which makes sense, it just seems a pity that security is included in that, possibly.