Security Patch Creation at Microsoft

devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."

Next week's headline:

[Anonymous Coward]

New Windows worm circumvents Microsoft patching process

IE is the internet?

[gd2shoe]

"This is exactly why it can take a long time to ship an IE patch. We're dealing with about 440 different updates that have to be tested [for different versions]. We have to test thoroughly to make sure it doesn't introduce a new problem. We have to make sure it doesn't break the Internet."

? ? ? ? ? ?

Pick me, pick me!

[Infinityis]

I know the process!

1. Identify holes in current software
2. Release patches that only fix some of the holes
3. Start charging for tools to take care of the rest of the holes
4. Profit!

(If you're from Indonesia, no problem, the software will only cost $1 anyways)

Re:From the article:

[N3Roaster]

You missed the funniest bit:

This is exactly why it can take a long time to ship an IE patch. [snip] We have to make sure it doesn't break the Internet.

So, the next time someone tells you, "The Internet is broken," you can just blame Microsoft for putting out an IE patch too quickly.

I'm Confused

[TheStupidOne]

Microsoft makes security patches? And tests them too?

Real world equivalent

[Anonymous Coward]

Microsoft is adding a patch to a pair of jeans, but it's difficult because after all the previous patches the pair of jeans looks like a spherical ball of patches 10 feet in diameter.

The reason

[CrackedButter]

why it takes so long to issue a patch is because it takes 8 days a week for them to get off their ass .

Re:IE is the internet?

[Infinityis]

They should check with Al Gore before they do anything that could break his internet...

Hahaha.

[BJH]

We have to make sure it doesn't break the Internet.

Don't worry, guys, no matter how badly you screw up it won't hurt the Internet - because the Internet doesn't run on Microsoft boxes. Hard to imagine, I know, but true.

The Big Blue E

[value_added]

"It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

Sometime a joke doesn't need a punch line.

Ha!

[KenFury]

"It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

Here I fixed it for you.

"It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera."

Better

Re:Pick me, pick me!...Alternate Patch Process

[darkPHi3er]

Customers Complain About a New Security Hole. The number of complaints reaches Management's "Action Threshold". The Patch Process is started.

1. First, blame the customers' other software packages for the insecurity.

2. Then, blame the customers' for failing to apply services and hot fixes in a timely fashion.

3. Security Focus (or another of the Sec/Priv sites) calls up and threatens to "out" the hole if it isn't fixed.

4. Accuse the complaining entity of having a "partisan" agenda against your company, initiate "Four Corners" Stall -- while you try to figure out if you actually CAN patch the damn thing

5. As the news of the new exploit makes it into IRC and the UGs' Forums you issue an indignant press release stating that it has never been proven that the new exploit has even been used and is principly "theoretical".

6. As your Patch Team frantically works to get the patch out, explain that even though the chances of this exploit being used WERE previously slender or non-existent, now that some details of the exploit have been malicously leaked, HEAVY SIGH, you'll now go ahead and fix it.

7. Issue the patch, take credit for being "Right on Top" of security issues, explain how much money and time you are spending to counter the effects of the "Few Bad People" on the Internet.

8. News start to come in that your patch has broken a number of somewhat older apps -- explain that Users have a responsiblity to use "current" software products and refer them to Sales.

9. News of another exploit comes in --GOTO 1

BTW, this is pretty much AN INDUSTRY STANDARD APPROACH

In Commerical Software, it's the FEW companies that DON'T do some version of this that are the (delightful) and unfortunately RARE exception.

LOLZERS!

[Anonymous Coward]

OMG! IE is not teh internet. AOL is!! every1 noes that d00d! ROFL!!!11

Re:Testing is only a priority on closed source app

[cmad_x]

You can sell OSS.

I'm just so good

[Urusai]

I write code to accomplish what I intend, and I succeed. I don't need to test. What needs testing is other peoples' crappy code that my code depends on. I'm looking at you, GW BASIC maintainers!

Yes

[samael]

For 90% of people, the web is the internet.

For 88% of them, the internet is IE.

Which means that 79.2% of people think that the internet is IE.

Do you think if Bill Gates...

[Your Average Joe]

got laid in high school, do you think there'd be a Microsoft?

Of course not.

You got to spend a long time stuffed in your own locker with your underwear wedged up your ass before you start thinkin "I'm going to take of the world with computers! you'll see, I'll show them."

Re:Testing is only a priority on closed source app

[Toby_Tyke]

The fact is that no-one is going to have a critical environment that uses IE

Really? Thats great news! I'll just go and tell my boss that none of our web based apps are "mission critical". He'll be thrilled that we don't have to worry about them anymore.

Obligatory Dilbert quote

[goombah99]

Dilbert: As part of your ISO 9000 certification do you have a defined pathing process and what is it?

Elbonian Balmer: We hold a village meeting where we boast of skill and curse the devil spawned enduser.

Elbonian Gates: Sometimes we Juggle.

Elbonian Balmer: The at the last second we slam out some code and go roller skating.

What always cracked me up about that joke is that it is defined process and therefor meets the requirements of iso 9000 certification.