By Susan Bradley
Microsoft may call it Patch Tuesday, but I call it the day that I start watching for the "dead bodies." You know what I mean, don’t you? The anxiety you feel when you press the button to reboot your computer after the security patches are applied? Will the system arise from the reboot to compute again? Will your data survive another trip through the patch process?
Whether you’re patching a workstation, a standalone computer, or a fleet of servers, there are tips and tricks to help you make the journey through Patch Tuesday easier.
I’ll first bring you up to date on issues I’ve seen regarding the patches Microsoft released in January. Following that, please see my Special Report on how to cope when you have a "dead computer" thanks to a patch (and how to keep it from keeling over in the first place).
January patches included Internet Explorer patches. Not!
Microsoft’s January 11 patches caused some confusion as to whether or not they included needed fixes for Internet Explorer. As was previously reported, in the last Windows Patch Watch, they did not.
The only patch that had an impact on Internet Explorer was the MS05-001 HTML patch. However, this is not a cumulative Internet Explorer patch to fix reported vulnerabilities. There are still several issues that leave Internet Explorer vulnerable and subject to security issues.
I still recommend that you disable ActiveX scripting, run with Internet Explorer in high security, and/or use an alternative browser that you configure as defensively as possible. Always "think before you click" before visiting any Web site.
There is a documented issue with MS05-001 causing problems with HTML-based help files and Web-based applications. This can cause these to fail if the patch is installed before a separate workaround is applied. There’s guidance on how to fix the issue in Knowledge Base article 892675.
Windows AntiSpyware beta hoses Media Center Extender
Microsoft’s "Media Center Extender" can’t establish a remote connection after you install the Windows AntiSpyware beta on a computer running Windows Media Center Edition 2005. There’s no fix yet, except to uninstall the AntiSpyware software, according to Microsoft KB article 892374.
SPECIAL REPORT: The best way to patch without fatalities
The best way to ensure that you’ll have a successful patching process is to make sure your system is healthy to begin with.
Ask yourself, does it reboot without any issues on a regular basis? Do you have protection against malware, viruses, and have a firewall? Do you not accept patches for drivers?
I have personally seen Windows Update offer me driver patches in the Critical Security Patch window on Dell workstations. Each Original Equipment Vendor apparently has the right to offer updates in this section, which I expect to be restricted to security updates only.
As a rule, I never apply driver patches from Windows Update. If I feel a driver patch is warranted, I’ll visit the hardware vendor’s Web site to find the appropriate patch.
Next come some basic rules of applying patches. While I turn on automatic patching on my workstations, I don’t do it on any of my servers and certainly don’t allow any systems to automatically reboot.
I would much rather reboot when I decide, ensuring that all other programs are closed before rebooting. Furthermore, I don’t personally say "Yes, please reboot" when a patch session prompts me. I’ll manually click on Start, Shut down to ensure that the system properly closes down.
In reviewing the listserves and newsgroups, I haven’t noticed any major issues with the January patches that would cause me to hold off patching machines. In fact, I patched all of my workstations and servers on the Friday after Patch Tuesday. I personally wait until Friday to fully roll out all patches, just in case I run into any issues. I then have the weekend to recover, should something bad occur.
While I can say that I honestly have not had a bad patch experience in a long time, as a general rule I don’t patch before a crucial business deadline. I always wait for a time when I can deal with unexpected issues, should any arise. I always assure myself that the machine reboots without any issues before applying patches.
The bad reboot
I’ve been there. You reboot your system and it just does not come back to life. Rats! Now what do you do?
For Windows XP, there are several options, including the option of booting into the "Last Known Good Configuration." I personally have been able to insert the Microsoft Windows XP CD-ROM, allow the computer to boot from the CD, and then perform a "repair install" of XP. This resulted in no loss of data when I was faced with a particularly unsuccessful update.
Remember that if all else fails, you can always call the technical support line of Microsoft. Any issue with a security patch is a free call, but that still means you have to deal with the after-effects. In the U.S., you can call Microsoft at 866-727-2338 if you have any issue with a patch. In other countries, check Microsoft’s support page to look up the correct local number.
As cheap as USB pen drives are these days, I recommend that you save any critical documents to external devices and drives. From a 1 gig USB drive to a Mirra Personal Server, all of us need to make sure that we have backup devices for our critical information. It’s critical with today’s large hard drives that we have backups.
Finally, in many cases your system will give you hints as to what is wrong with it.
If you have Windows XP or 2000, start the Control Panel, open Administrative Tools, then Event Viewer, and view the "log" files. Inside the viewer are two logs that I review: application and system. If you see any "red stop signs," double-click these entries and write down the error codes. Then visit Eventid.net, which can give you helpful hints on corrective actions.
It takes a community
Microsoft has a bimonthly newsletter for home users that you can subscribe to, along with a series of videos on the Protect Your PC site. Also, the Microsoft Security Community for Home Users and a brand new antispyware forum for administrators were recently opened. The antispyware service was launched with the sponsorship of Shavlik, a patch management vendor.
Additionally, a new independent forum and listserve called SpywareManagement.org has been set up. These resources are intended to help system administrators and security professionals stay current with the latest industry trends, tips, tricks and techniques for managing spyware in the enterprise.
A trend in retail computers and external testing
I recently purchased a computer from a retail computer store and was annoyed at the number of third-party applications that were loaded up.
I’ve found that computer vendors may be including their own update engines, such as Big Fix Consumer Edition, to assist in applying updates from the vendor. This may cause confusion as to what application is updating and whether it is a security update.
As a general rule, security patches from Microsoft only come out on the second Tuesday of each month, unless the security issue is highly, highly critical. Microsoft tests patches both internally and externally to ensure their reliability with real-world systems, but only tests Microsoft patches. If you apply patches with OEM patch mechanisms, you may have to contact the computer manufacturer to get support.
A healthy system makes for an easier patching experience. As I stated earlier, ensure your system is operating properly before patching to have the best patching experience.