Fog Creek Software
Discussion Board

Microsoft Security patch MS04-011

Did anyone install this and then wish they hadn't? Try to uninstall with the System process running at almost 100%...

JFC, how much testing does Microsoft do before releasing these things?

Interaction Architect
Saturday, May 1, 2004

Interaction Architect
Saturday, May 1, 2004

Look at the drivers that this thing fails with.  One of them is Dlttape.sys.  Gee could that likely be on any servers?  How nice.  Way to go you enterprise computing midgets.  That will be a nice surprise for the admin that has Windows update itself automatically.  So all you people here that say it's not hard to patch.  It doesn't take time.  Just automate it.  Well some customers just got f'd over for about the 37,000th time.  When will we learn.  If you depend on a computer don't load Windows on it.  Simple, really. 

Microsoft makes nice desktops, but they are a joke when it comes to enterprise computing.

Saturday, May 1, 2004

"Microsoft makes nice desktops, but they are a joke when it comes to enterprise computing. "

Yeah, nobody runs Windows on the enterprise because of this. Everyone knows Windows won't run the enterprise.  That's why you don't see any large companies with Windows servers. None. None whatsoever.

Here's your sign
Saturday, May 1, 2004

I don't mean ignorant people don't use them for enterprise computing, they surely do.  I just meant Microsoft doesn't understand enterprise computing.  Giving people patches that cause servers to go to 100% cpu usage is stupid, AND preventable.

Saturday, May 1, 2004

And the fact that the unix core has had 30 years to evolve doesn't mean shit.

By the way, I know of atleast one major cluster that use Windows NT, so there you go..

Saturday, May 1, 2004

I remember hearing this sort of stuff in the early 90's.

"windows is a toy and there's no way we're replacing our Unix machines with THAT."

"Macs are far superior to anything else and that's KPMG has committed to using Macintoshes throughout the world."

"OS/2 is a much better operating system and that's why we've committed the bank to an OS/2 strategy."

"Command lines are much better. That's why Windows will never replace DOS."

Saturday, May 1, 2004

Not sure about the OS/2 one, but in the early 90's, those would surely all be comments about windows *desktops*.

I don't really understand how this kind of problem gets through. IPsec is set to Auto by default - in this case it is almost as if they really didn't install it themselves to see if it worked, something I have thought was ridiculous to suggest in the past.

Sunday, May 2, 2004

Maybe this is their subtle way to encouraging people to upgrade to Windows Server 2003. :-D

Brad Wilson (
Sunday, May 2, 2004

"Maybe this is their subtle way to encouraging people to upgrade to Windows Server 2003. :-D"

Still, it looks like they tested it on one or two machines and threw it out for public consumption

Sunday, May 2, 2004

Security patches are always a compromise between a quick fix and rigorous testing.  You are complaining about how you feel that Microsoft didn't test MS04-011 well enough.  However, MANY people complain that Microsoft doesn't patch vulnerabilities quick enough.

First, people complained the patches weren't tested enough.  Then people complain that they aren't patched fast enough.  Damned if they do, and damned if they don't.

To be fiar, given how many patches come out for all of the different Microsoft products, I think the frequency from problematic patches is actually quite low.

Myron A. Semack
Sunday, May 2, 2004

in general microsoft patches are pretty good.
but they do seem to occasionally miss the 'common case'. is that what people are saying happened here? a default machine setup + patch = unusable machine?

Monday, May 3, 2004

No, it doesn't sound like a default machine will have a problem, but a large number might (IPSec and DLT tapes are pretty popular things to have running on your server).

Brad Wilson (
Monday, May 3, 2004

I had done a Windows update on my wife's PC running W2K. It identified the security patches needed and I installed them. It then took _hours_ to uninstall the offending patch.

Interaction Architect
Monday, May 3, 2004

I installed it as part of windows update process this morning (Dell C600 laptop).  First boot seemed OK, then the slowness hit...
I've used "OS cd boot - repair console" method to disable every user-installed service and also disabled any system-type service that could be without trashing the system.  Still the slowness.  (The examples in the issues statement were just that - examples of specific files that are proven to cause the problem.  Implicit in that is that there are who knows how many other drivers involved....)  I can't wait for updates to the item  - I mean I really can't wait, so
I'm about to uninstall it BUT our IT dept just sent out the approved fix for the sasser worm, which is of course ms04-11!
Fortunately I'm on the list for a new laptop in next couple weeks.  But I'm dreading the calls from my relatives whom I've pushed to auto-updates, and whom I will have to assist with this issue.

Chuck Zearfoss
Monday, May 3, 2004

-----Original Message-----
From:    Name (Softlab) [SMTP:Name@SOFTLAB.CO.UK]
Sent:    Tuesday, May 04, 2004 9:03 AM
Subject:    Re: ISA questions

> And, if I've missed something, I'm sure Ian will point it out.  ;)

lol! Right now, Ian is too busy watching MS04-011 kill Dell/EMC SANS,
and having Dell Gold Support run round trying to fix it.

Gah. That patch is pure evil, still. At least we're protected by other
actions (my wings are like a shield of steel).

On topic, your reply seems right. Although I think I missed the
original mail.


Enterprise computing
Tuesday, May 4, 2004

*  Recent Topics

*  Fog Creek Home