  JmanB Premium,VIP join:2003-08-27 Redmond, WA
·Vonage
| Microsoft Security Bulletins for 12/9/2003
As you may know, today is our scheduled day for the monthly security bulletin release. I'm just posting to clarify that we are NOT releasing any bulletins today.
Thanks! -- Jerry Bryant - Microsoft IT Communities. This posting is provided "AS IS" with no warranties, and confers no rights. |
|
  R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs: | Waah!!! Can't they at least fix my Scroll bar and my TechNet Deeptree bar???  |
|
 Tablet Premium join:2003-01-15 Czech
| reply to JmanB I do not understand one thing. If it is so hard to fix and test security vulnerabilities, why doesn't Microsoft hire more staff to catch up? If a thousand people are not enough, then hire ten thousand. I think money is not a problem in this case. It's not that there is nothing to fix, it's just it appears MS doesn't care.  |
|
  Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
| reply to R2 said by R2 : Waah!!! Can't they at least fix my Scroll bar and my TechNet Deeptree bar??? 
My chosen words have escalated every time I attempt to use the scroll bar and thu dang thing dances around out of control....Grrrrrrrrrrr  -- "I R 1" |
|
  AthlGrond Premium,MVM join:2002-04-25 Aurora, CO
·Comcast
| reply to Tablet said by Tablet : I do not understand one thing. If it is so hard to fix and test security vulnerabilities, why doesn't Microsoft hire more staff to catch up? If a thousand people are not enough, then hire ten thousand.
My guess would be that too many cooks spoil the broth. |
|
 dave Premium,MVM join:2000-05-04 not in ohio | reply to JmanB Brooks's law: adding manpower to a late project makes it later.
Gordon Bell also said something to the effect of 'doubling the manpower doubles the schedule'. |
|
  Skipdawg The Original Premium,ExMod 2001-03 join:2001-04-19 The Void | reply to JmanB jbMSFT thanks for the heads up. I was going to go look after surfing BBR  -- arf, bow wow, woof! |
|
 miketavares
join:2000-12-10 North Dighton, MA
| reply to JmanB What would be really helpful would be a timeframe when you suspect these patches will be released. This is a month in which many IT departments are short staffed due to the holidays and as in our case had arranged coverage to have the people here to do our testing and applying of the patches. Now that all goes by the wayside. -- I was here |
|
  Alwill Lost time is never found again. Premium join:2002-09-25 Sydney, OZ | reply to JmanB And there's still the Outlook Express address book tilde (~) file problem to be fixed. |
|
  antdude A Ninja Ant Premium,VIP join:2001-03-25
| reply to JmanB said by JmanB : As you may know, today is our scheduled day for the monthly security bulletin release. I'm just posting to clarify that we are NOT releasing any bulletins today.
Rats! I miss them. Just kidding. Thanks for the heads up.
Will there be one next week due to delays (assuming no emergency bulletins) or next month's second Tuesday? -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|
  JmanB Premium,VIP join:2003-08-27 Redmond, WA
·Vonage
| reply to JmanB Here's some Q&A that might help answer some questions:
Q: So, Microsoft is not releasing any patches today. Does this mean that there aren't any known vulnerabilities that need patching?
A: Microsoft is committed to delivering security bulletins on the second Tuesday of each month and there are no bulletins ready for distribution at this time. Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating patches that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. Microsoft works to ensure the quality of all products, and a patch release is treated much like a small scale product release in terms of quality control. Microsoft would not release a product until it was tested and proven reliable, and patch releases are no different.
Q: If you don't have any patches to release today, then what has the Microsoft Security Response Center been working on for the last month?
A: Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating patches that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a patch, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop a patch for every supported version affected. Once the patch is built, it must be tested with the different operating systems and applications it affects, then localized for all markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release. Microsoft works to ensure the quality of all products, and a patch release is treated much like a small scale product release in terms of quality control. Microsoft would not release a product until it was tested and proven reliable, and patch releases are no different.
Q: Several critical Internet Explorer vulnerabilities were released two weeks ago. Why aren't you issuing patches to fix these vulnerabilities?
A: Microsoft is investigating public reports of possible vulnerabilities in Internet Explorer. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs. Currently we have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports. Security response requires a balance between time and testing, but Microsoft will only release a patch - when warranted that is as well engineered and thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue.
Bottom line: we care enough to make sure that our patches are tested as much as possible. We will only release a patch out of the monthly cycle if the situation requires it. Since we are not releasing any patches for the official December release date, the next scheduled patch release will be the second Tuesday in January 2004 (1/13/2004).
I would like to invite you to attend the following events where you can ask questions of Mike Nash who is the Vice President of the Microsoft Security Business Unit (SBU):
1. Web Chat: Trustworthy Computing with Mike Nash Thursday December 11, 2003 - 9:00 - 10:00 A.M. Pacific Time Link to chat: »communities2.microsoft.com/home/···34000081
2. Web Cast: Microsoft Executive Circle Webcast: Monthly Update from Microsoft's VP for Security: Securing the Perimeter through Best Practices and Increasing System Resiliency in Windows XP SP2 Tuesday, December 16, 2003 - 8:30 - 9:30 A.M. Pacific Time Link to webcast: »msevents.microsoft.com/CUI/Event···re=en-US -- Jerry Bryant - Microsoft IT Communities. This posting is provided "AS IS" with no warranties, and confers no rights. |
|
  antiserious The Future ain't what it used to be Premium join:2001-12-12 Scranton, PA
| said by JmanB : Security response requires a balance between time and testing, but Microsoft will only release a patch - when warranted that is as well engineered and thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue.
... good one! ... ...
... I feel any additional comment is unnecessary ... -- ... "Sometimes you're the Bird ... sometimes you're the Windshield" ... |
|
  Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
| said by antiserious : I feel any additional comment is unnecessary ...
Disagree....I want my scroll bar back before they issue anymore updates  -- "I R 1" |
|
  antiserious The Future ain't what it used to be Premium join:2001-12-12 Scranton, PA
| ... good luck with that, Bubba ... ...
... if they fix it enough, we'll be back to pencil and paper ... then I can use up all those yellow legal pads that followed me home from work ...
... ...
-- ... "Sometimes you're the Bird ... sometimes you're the Windshield" ... |
|
  JmanB Premium,VIP join:2003-08-27 Redmond, WA
·Vonage
| reply to Bubba said by Bubba : Disagree....I want my scroll bar back before they issue anymore updates 
Our engineering team is aware of this issue. I don't have a status on a fix but a bug has been entered. -- Jerry Bryant - Microsoft IT Communities. This posting is provided "AS IS" with no warranties, and confers no rights. |
|
  Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
| said by JmanB : Our engineering team is aware of this issue. I don't have a status on a fix but a bug has been entered.
Thanks Jerry and I have to believe what you share until I see otherwise that they are indeed working this issue and not yanking my chain.
Thanks as always for the info. -- "I R 1" |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| reply to JmanB Thanks for the info, JmanB , and to the rest of you.. you are all nuts!!!  |
|
  R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs: | reply to JmanB How about my TechNet and MSDN Deeptree bar?? Are they working on that yet??  |
|
  antdude A Ninja Ant Premium,VIP join:2001-03-25
| reply to JmanB CNET mentioned this...
»news.com.com/2100-7355_3-5118292···nefd_top
FYI. -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|
  Michael Premium join:2001-05-06 Canada
| reply to JmanB Re: Microsoft Security Bulletins for 12/9/2003
said by JmanB : Our engineering team is aware of this issue. I don't have a status on a fix but a bug has been entered.
Thanks for the update JmanB  -- For Optimized |
|