Why does MS have so many fixes to their o/s software?

Now that the end of the world is past tense I wanted to ask you guys some simple questions.

Why is it that MS needs to issue fixes to their o/s software?

They should in my view by now KNOW how to produce one has next to no holes, no flaws in security at all.

I recently restored an image W7 64 bit from 2 years back then updated. I got 260+ fixes. Then it hit me!

As well they invent EMET which has mitigations in it for common hacker and virus methods. Why not build these mitigations into the o/s?

I must be missing something.

 

Quick, name one flawless human on the face of the earth that makes no mistakes. It's impossible to make anything flawless, let alone something as complicated as an OS with millions of lines of code. Believe me, I get frustrated as crap with "Patch Tuesday". I mean, by now it seems like a joke. But I'm not a programmer and never have been. At least they do issue patches, even if I sometimes shake my head at the pace of them. Windows 8 is an example of them trying to go with more native security measures, unfortunately they screwed with the user experience which has made the better security an ignored point. But even it doesn't have flawless security and never will.

 

Programming is difficult. What you're asking for is a team of programmers who can understand every line of the system, millions and millions of lines of code, and then understand the implication of every line of code as it interacts with other code.

This is not practical.

EMET implements some more "experimental" mitigation techniques. The good ones, DEP/ASLR/SEHOP/ForceASLR are part of the OS. The AntiROP mitigations are new, and not tested. They could be added to the OS eventually but they're not particularly powerful on their own and at this point it makes more sense to deploy them through EMET. The others like HeapSpray and EAF are so simple to bypass it's not really worth including outside of EMET.

 

I always found it unusual when people complain about patches, to any kind of software, be it games, programs, OS, kernel, etc. Essentially updates are free improvements (usually) to the software you're using. The more the merrier. Buying an OS from Microsoft and getting free updates for 12 years is insanely good.

It makes me think of how horrible the days used to be in the 90s/early 00s. There was no patching software, or it was buying a floppy disk or CD. When games had bugs, you lived with it.

 

I think one overlooked reason is that Windows updates are mostly incremental, not differential. So you save a bit of bandwidth downloading them if you're mostly up to date; but if you're behind, or installing a new system, you get hit up for hundreds of MB, multiple reboots, and several hours of your time.

 

Also, it's not just MS, linux is the same way.. It's the nature of software. Imagine trying to make something work the same way on all the various hardware configurations available today. No easy task...

 

You're forgetting that MS has to be backward compatible in many aspects. They could abandon all previous versions of MSOffice (for instance), but then they would be faced with hoards of angry users. When MS Excel in 2013 must also be compatible with a spreadsheet created in 1998, of course there are going to be ugly, sloppy security holes.

 

ALL software has bugs, and always will; there's no such thing as completely bug-free software (even if it works perfectly for you). Windows also has to accommodate an almost infinite amount of 3rd party software, and for an almost infinite number of uses -- all the apps that you want to run, and the things you want to do with your computer. This means making it flexible, offering a wide variety of features, and most of all it means balancing usability; if they cripple something too much or make something any more complex for the users then it can upset literally millions of people.

Most of the protections in EMET are built into Windows; not all 3rd party software can or does take advantage of it (some software can't).

MS could make an OS that is 99% secure, but then you'd be complaining about how the evil MS dictates what software you can use and how you use your computer, because it would be heavily crippled compared to the Windows that you know now.

 

There are even more updates on major Linux distros than on Windows, but I find them much less time-consuming to install.

 

Well, in my own opinion, Windows update sucks. It's more often than not slow just simply downloading them, the installation can be slow, especially if you've got to do the inevitable reboot and then wait at the "configuring" screen.

 

No thank you, I'll keep Windows Update I do think that Update has gotten slower than it used to be. Why? Not the slightest clue. Drivers, hmm, the one thing my Windows Update hardly ever shows updates for. I usually have to go hunt them down on my own

@Notok: Though I still believe in a Windows "repository", you have a point. There would be plenty that would not like a forced "one stop shop", secure as that could be if done right. I couldn't judge them, I've gotten used to traveling the web in search of new stuff to play with (how I love thee, Softpedia). Some folks aren't going to be happy no matter what you do *shrug*.

 

Very true. As far as timing goes, if I'm awake I let updates run after I've completed work or whatever I may be doing on the system. If I'm asleep, they'll come along on their own around 3 a.m.

 

Like you say, you're always going to upset folks. The Windows store is a good example, with people railing about how MS is trying to control what software you can use (as if Apple and Google didn't do the same).

I think that the main thing that stands in the way of a 'repository' for desktop apps is the sheer number of them. Download.com and Softpedia (my choice as well) do a good job, though. Maybe they should put something in to encourage users to use trusted download sites like these, without restricting them; maybe extend smartscreen to cover downloads (and not just files after they've been downloaded) and create a program for "trusted download sites."

 

It could be argued you need a more recent image than 2 years ago to restore to then you wouldn't have so many updates to apply.

 

Could not agree more, BBS days were yuck. I don't see the problem with updates, there will always be security holes that need patching.

 

I recently did clean Windows 7 installs on a couple of machines (the first one I ended up doing twice), and it took several hours for them to download and install.

I think the issue is just in how big they are. When you have 100 updates totaling several gigs, it's going to take a while to download and install.

 

Well, MS provides Security Updates on ISO-9660 DVD5 image.

Personally, I prefer to use WSUS Offline Update. It's open-source and licensed under "GNU GPL". This tool can help to save time and bandwidth, especially if you frequently re-install or restore image.

Source: Coverage of WSUS Offline Update

 

Code:

Why does Microsoft have so many fixes to their OS?

Go figure why...

 

Another reason that doesn't get mentioned as often boils down to simple math. At one time, an internet capable OS, fully equipped, used a couple hundred megabytes. Now, just the OS itself is several gigabytes in size. If one assumes the coding quality to be the same, you'll have between 10 and 30 times as many vulnerabilities, flaws, weaknesses, (insert term) as before, just because you have 10 to 30 times as much code.

 

Thanks to everybody for their posts.

Very interesting.

Just a few points as the orginal poster.

I am unconcerned about the method or bandwidth of these updates from MS.

I can grasp why others may be concerned.

My point was perhaps obtuse.

I am suspicious that many of these hundeds of fixes are repeats. The errors in logic occured in windows 95 again in 98 again in xp , vista and windows 7 and will show up again in windows 8. MS repeats errors that should not be repeated OR are we saying that they are all new errors.

Yes it is complex, yes millions of lines of code but do they lack the resources to do better, do they lack a coporate memory

 

Escalader, it's not a matter of resources or will; it's just the reality of software. Everyone makes mistakes, and nobody can foresee every possible problem.

Also keep in mind that new code introduces new issues, but overall Windows has become pretty solid (particularly compared to the pre-XP days). That's no small feat considering how many users there are -- each with unique environments and needs.

The bottom line is that there will always be bugs, no matter how many fixes they make. Continually creating and deploying fixes is the responsible thing to do.

When you only have a suspicion, you should look for evidence before asking for a factual rebuttal. But even if you're right, what difference does it make? What do you hope to accomplish? With all due respect, I can't help but wonder if you may just be looking for a reason to complain.

 

To be honest, 260+ updates/fixes from a 2 year old image restore does sound a bit high. I have reformatted Win 7 x64 many times in the past year or two and didn't have that many, even with an install of the original Win 7 disk.

If you install the original Win 7 disk, there are about 122 or so updates BEFORE you get to SP1, then another 70 or more after that. If you install the official Win 7 SP1 disk, you still get about 90 updates after that, before you're fully up to date. But either way, I don't count 260, so yes, that sounds high.

Sometimes weird things happen with the updates, so the process is occasionally flawed, but I find that in time, observing different reformats and updates, they usually do fix the various issues.

Anyway, for what it's worth, my 2 cents...