Security Patch Creation at Microsoft

devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."
  • by Anonymous Coward on Friday June 10, 2005 @03:22AM (#12777878)
    New Windows worm circumvents Microsoft patching process
  • by gd2shoe ( 747932 ) on Friday June 10, 2005 @03:35AM (#12777921) Journal
    "This is exactly why it can take a long time to ship an IE patch. We're dealing with about 440 different updates that have to be tested [for different versions]. We have to test thoroughly to make sure it doesn't introduce a new problem. We have to make sure it doesn't break the Internet."

    ? ? ? ? ? ?

  • by Infinityis ( 807294 ) on Friday June 10, 2005 @03:37AM (#12777928) Homepage
    I know the process!

    1. Identify holes in current software
    2. Release patches that only fix some of the holes
    3. Start charging for tools to take care of the rest of the holes
    4. Profit!

    (If you're from Indonesia, no problem, the software will only cost $1 anyways)
  • by N3Roaster ( 888781 ) <nealw@a c m .org> on Friday June 10, 2005 @03:38AM (#12777934) Homepage Journal
    You missed the funniest bit:

    This is exactly why it can take a long time to ship an IE patch. [snip] We have to make sure it doesn't break the Internet.

    So, the next time someone tells you, "The Internet is broken," you can just blame Microsoft for putting out an IE patch too quickly.
  • by TheStupidOne ( 872664 ) on Friday June 10, 2005 @03:38AM (#12777937)
    Microsoft makes security patches? And tests them too?
  • by Anonymous Coward on Friday June 10, 2005 @03:38AM (#12777939)
    Microsoft is adding a patch to a pair of jeans, but it's difficult because after all the previous patches the pair of jeans looks like a spherical ball of patches 10 feet in diameter.
  • The reason (Score:2, Funny)

    by CrackedButter ( 646746 ) on Friday June 10, 2005 @03:39AM (#12777940) Homepage Journal
    why it takes so long to issue a patch is because it takes 8 days a week for them to get off their ass.
  • by Infinityis ( 807294 ) on Friday June 10, 2005 @03:39AM (#12777941) Homepage
    They should check with Al Gore before they do anything that could break his internet...
  • Hahaha. (Score:3, Funny)

    by BJH ( 11355 ) on Friday June 10, 2005 @03:42AM (#12777953)
    We have to make sure it doesn't break the Internet.

    Don't worry, guys, no matter how badly you screw up it won't hurt the Internet - because the Internet doesn't run on Microsoft boxes. Hard to imagine, I know, but true.
  • by value_added ( 719364 ) on Friday June 10, 2005 @04:06AM (#12778048)
    "It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

    Sometimes a joke doesn't need a punch line.
  • Ha! (Score:5, Funny)

    by KenFury ( 55827 ) <kenfury@@@hotmail...com> on Friday June 10, 2005 @04:21AM (#12778097) Journal
    "It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

    Here I fixed it for you.

    "It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera."

    Better

  • by darkPHi3er ( 215047 ) on Friday June 10, 2005 @04:24AM (#12778104) Homepage
    Customers Complain About a New Security Hole. The number of complaints reaches Management's "Action Threshold". The Patch Process is started.

    1. First, blame the customers' other software packages for the insecurity.

    2. Then, blame the customers for failing to apply service packs and hot fixes in a timely fashion.

    3. Security Focus (or another of the Sec/Priv sites) calls up and threatens to "out" the hole if it isn't fixed.

    4. Accuse the complaining entity of having a "partisan" agenda against your company, initiate "Four Corners" Stall -- while you try to figure out if you actually CAN patch the damn thing

    5. As the news of the new exploit makes it into IRC and the UGs' forums, you issue an indignant press release stating that it has never been proven that the new exploit has even been used and is principally "theoretical".

    6. As your Patch Team frantically works to get the patch out, explain that even though the chances of this exploit being used WERE previously slender or non-existent, now that some details of the exploit have been maliciously leaked, HEAVY SIGH, you'll now go ahead and fix it.

    7. Issue the patch, take credit for being "Right on Top" of security issues, explain how much money and time you are spending to counter the effects of the "Few Bad People" on the Internet.

    8. News starts to come in that your patch has broken a number of somewhat older apps -- explain that Users have a responsibility to use "current" software products and refer them to Sales.

    9. News of another exploit comes in --GOTO 1

    BTW, this is pretty much AN INDUSTRY STANDARD APPROACH

    In Commercial Software, it's the FEW companies that DON'T do some version of this that are the (delightful) and unfortunately RARE exception.

  • LOLZERS! (Score:1, Funny)

    by Anonymous Coward on Friday June 10, 2005 @04:28AM (#12778117)
    OMG! IE is not teh internet. AOL is!! every1 noes that d00d! ROFL!!!11
  • by cmad_x ( 723313 ) on Friday June 10, 2005 @04:45AM (#12778166)
    You can sell OSS.
  • by Urusai ( 865560 ) on Friday June 10, 2005 @04:57AM (#12778197)
    I write code to accomplish what I intend, and I succeed. I don't need to test. What needs testing is other people's crappy code that my code depends on. I'm looking at you, GW BASIC maintainers!
  • Yes (Score:3, Funny)

    by samael ( 12612 ) <Andrew@Ducker.org.uk> on Friday June 10, 2005 @05:01AM (#12778201) Homepage
    For 90% of people, the web is the internet.

    For 88% of them, the internet is IE.

    Which means that 79.2% of people think that the internet is IE.
  • by Your Average Joe ( 303066 ) on Friday June 10, 2005 @07:33AM (#12778580)
    got laid in high school, do you think there'd be a Microsoft?

    Of course not.

    You got to spend a long time stuffed in your own locker with your underwear wedged up your ass before you start thinkin' "I'm going to take over the world with computers! You'll see, I'll show them."
  • by Toby_Tyke ( 797359 ) on Friday June 10, 2005 @07:59AM (#12778656) Journal
    The fact is that no-one is going to have a critical environment that uses IE

    Really? That's great news! I'll just go and tell my boss that none of our web based apps are "mission critical". He'll be thrilled that we don't have to worry about them anymore.
  • by goombah99 ( 560566 ) on Friday June 10, 2005 @10:10AM (#12779503)
    Dilbert: As part of your ISO 9000 certification, do you have a defined patching process, and what is it?

    Elbonian Balmer: We hold a village meeting where we boast of skill and curse the devil spawned enduser.

    Elbonian Gates: Sometimes we Juggle.

    Elbonian Balmer: Then at the last second we slam out some code and go roller skating.

    What always cracked me up about that joke is that it is a defined process and therefore meets the requirements of ISO 9000 certification.
