Security Patch Creation at Microsoft
devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."
Next week's headline: (Score:5, Funny)
IE is the internet? (Score:5, Funny)
Pick me, pick me! (Score:5, Funny)
1. Identify holes in current software
2. Release patches that only fix some of the holes
3. Start charging for tools to take care of the rest of the holes
4. Profit!
(If you're from Indonesia, no problem, the software will only cost $1 anyways)
Re:From the article: (Score:5, Funny)
This is exactly why it can take a long time to ship an IE patch. [snip] We have to make sure it doesn't break the Internet.
So, the next time someone tells you, "The Internet is broken," you can just blame Microsoft for putting out an IE patch too quickly.
I'm Confused (Score:3, Funny)
Real world equivalent (Score:4, Funny)
The reason (Score:2, Funny)
Re:IE is the internet? (Score:2, Funny)
Hahaha. (Score:3, Funny)
Don't worry, guys, no matter how badly you screw up it won't hurt the Internet - because the Internet doesn't run on Microsoft boxes. Hard to imagine, I know, but true.
The Big Blue E (Score:5, Funny)
Sometime a joke doesn't need a punch line.
Ha! (Score:5, Funny)
Here I fixed it for you.
"It's not easy to test an IE update"
Better
Re:Pick me, pick me!...Alternate Patch Process (Score:5, Funny)
1. First, blame the customers' other software packages for the insecurity.
2. Then, blame the customers for failing to apply services and hot fixes in a timely fashion.
3. Security Focus (or another of the Sec/Priv sites) calls up and threatens to "out" the hole if it isn't fixed.
4. Accuse the complaining entity of having a "partisan" agenda against your company, initiate "Four Corners" Stall -- while you try to figure out if you actually CAN patch the damn thing
5. As the news of the new exploit makes it into IRC and the UGs' Forums you issue an indignant press release stating that it has never been proven that the new exploit has even been used and is principally "theoretical".
6. As your Patch Team frantically works to get the patch out, explain that even though the chances of this exploit being used WERE previously slender or non-existent, now that some details of the exploit have been maliciously leaked, HEAVY SIGH, you'll now go ahead and fix it.
7. Issue the patch, take credit for being "Right on Top" of security issues, explain how much money and time you are spending to counter the effects of the "Few Bad People" on the Internet.
8. News starts to come in that your patch has broken a number of somewhat older apps -- explain that Users have a responsibility to use "current" software products and refer them to Sales.
9. News of another exploit comes in --GOTO 1
BTW, this is pretty much AN INDUSTRY STANDARD APPROACH
In Commercial Software, it's the FEW companies that DON'T do some version of this that are the (delightful) and unfortunately RARE exception.
LOLZERS! (Score:1, Funny)
Re:Testing is only a priority on closed source app (Score:3, Funny)
I'm just so good (Score:4, Funny)
Yes (Score:3, Funny)
For 88% of them, the internet is IE.
Which means that 79.2% of people think that the internet is IE.
Do you think if Bill Gates... (Score:4, Funny)
Of course not.
You got to spend a long time stuffed in your own locker with your underwear wedged up your ass before you start thinkin "I'm going to take over the world with computers! You'll see, I'll show them."
Re:Testing is only a priority on closed source app (Score:2, Funny)
Really? That's great news! I'll just go and tell my boss that none of our web based apps are "mission critical". He'll be thrilled that we don't have to worry about them anymore.
Obligatory Dilbert quote (Score:4, Funny)
Elbonian Balmer: We hold a village meeting where we boast of skill and curse the devil spawned end user.
Elbonian Gates: Sometimes we Juggle.
Elbonian Balmer: Then at the last second we slam out some code and go roller skating.
What always cracked me up about that joke is that it is a defined process and therefore meets the requirements of ISO 9000 certification.