 Tablet Premium join:2003-01-15 Czech
| I do not understand one thing. If it is so hard to fix and test security vulnerabilities, why doesn't Microsoft hire more staff to catch up? If a thousand people are not enough, then hire ten thousand. I think money is not a problem in this case. It's not that there is nothing to fix, it's just it appears MS doesn't care.  | |
|
 |   AthlGrond Premium,MVM join:2002-04-25 Aurora, CO
·Comcast
| Re: Microsoft Security Bulletins for 12/9/2003 said by Tablet : I do not understand one thing. If it is so hard to fix and test security vulnerabilities, why doesn't Microsoft hire more staff to catch up? If a thousand people are not enough, then hire ten thousand.
My guess would be that too many cooks spoil the broth. | |
|
 dave Premium,MVM join:2000-05-04 not in ohio | Brooks's law: adding manpower to a late project makes it later.
Gordon Bell also said something to the effect of 'doubling the manpower doubles the schedule'. | |
|
  Skipdawg The Original Premium,ExMod 2001-03 join:2001-04-19 The Void | jbMSFT thanks for the heads up. I was going to go look after surfing BBR  -- arf, bow wow, woof! | |
|
 miketavares
join:2000-12-10 North Dighton, MA
| What would be really helpful would be a timeframe when you suspect these patches will be released. This is a month in which many IT departments are short staffed due to the holidays and, as in our case, had arranged coverage to have the people here to do our testing and applying of the patches. Now that all goes by the wayside. -- I was here | |
|
  Alwill Lost time is never found again. Premium join:2002-09-25 Sydney, OZ | And there's still the Outlook Express address book tilde (~) file problem to be fixed. | |
|
  antdude A Ninja Ant Premium,VIP join:2001-03-25
| said by JmanB : As you may know, today is our scheduled day for the monthly security bulletin release. I'm just posting to clarify that we are NOT releasing any bulletins today.
Rats! I miss them. Just kidding. Thanks for the heads up.
Will there be one next week due to delays (assuming no emergency bulletins) or next month's second Tuesday? -- -- Ant @ The Ant Farm: »antfarm.ma.cx | |
|
  JmanB Premium,VIP join:2003-08-27 Redmond, WA
·Vonage
| Here's some Q&A that might help answer some questions:
Q: So, Microsoft is not releasing any patches today. Does this mean that there aren't any known vulnerabilities that need patching?
A: Microsoft is committed to delivering security bulletins on the second Tuesday of each month and there are no bulletins ready for distribution at this time. Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating patches that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. Microsoft works to ensure the quality of all products, and a patch release is treated much like a small scale product release in terms of quality control. Microsoft would not release a product until it was tested and proven reliable, and patch releases are no different.
Q: If you don't have any patches to release today, then what has the Microsoft Security Response Center been working on for the last month?
A: Microsoft is almost always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating patches that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a patch, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop a patch for every supported version affected. Once the patch is built, it must be tested with the different operating systems and applications it affects, then localized for all markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release. Microsoft works to ensure the quality of all products, and a patch release is treated much like a small scale product release in terms of quality control. Microsoft would not release a product until it was tested and proven reliable, and patch releases are no different.
Q: Several critical Internet Explorer vulnerabilities were released two weeks ago. Why aren't you issuing patches to fix these vulnerabilities?
A: Microsoft is investigating public reports of possible vulnerabilities in Internet Explorer. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs. Currently we have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports. Security response requires a balance between time and testing, but Microsoft will only release a patch - when warranted that is as well engineered and thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue.
Bottom line: we care enough to make sure that our patches are tested as much as possible. We will only release a patch out of the monthly cycle if the situation requires it. Since we are not releasing any patches for the official December release date, the next scheduled patch release will be the second Tuesday in January 2004 (1/13/2004).
I would like to invite you to attend the following events where you can ask questions of Mike Nash, who is the Vice President of the Microsoft Security Business Unit (SBU):
1. Web Chat: Trustworthy Computing with Mike Nash Thursday December 11, 2003 - 9:00 - 10:00 A.M. Pacific Time Link to chat: »communities2.microsoft.com/home/···34000081
2. Web Cast: Microsoft Executive Circle Webcast: Monthly Update from Microsoft's VP for Security: Securing the Perimeter through Best Practices and Increasing System Resiliency in Windows XP SP2 Tuesday, December 16, 2003 - 8:30 - 9:30 A.M. Pacific Time Link to webcast: »msevents.microsoft.com/CUI/Event···re=en-US -- Jerry Bryant - Microsoft IT Communities. This posting is provided "AS IS" with no warranties, and confers no rights. | |
|
 |   antiserious The Future ain't what it used to be Premium join:2001-12-12 Scranton, PA
| Re: Microsoft Security Bulletins for 12/9/2003 said by JmanB : Security response requires a balance between time and testing, but Microsoft will only release a patch - when warranted that is as well engineered and thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete patch can be worse than no patch at all if it only serves to alert malicious hackers to a new issue.
... good one! ... ...
... I feel any additional comment is unnecessary ... -- ... "Sometimes you're the Bird ... sometimes you're the Windshield" ... | |
|
 |  |  |  |   Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
| Re: Microsoft Security Bulletins for 12/9/2003 said by JmanB : Our engineering team is aware of this issue. I don't have a status on a fix but a bug has been entered.
Thanks Jerry and I have to believe what you share until I see otherwise that they are indeed working this issue and not yanking my chain.
Thanks as always for the info. -- "I R 1" | |
|
 mrgeek Premium join:2002-12-13 Dundee, IL clubs: | Windows update is giving me a security update, KB810217. -- A wise man is nothing more than an old fool | |
|
 |  |
 |   antdude A Ninja Ant Premium,VIP join:2001-03-25
| I noticed my office machine with Windows XP Home SP1 (Dell OEM; all updates except yesterday's update that is mentioned) showed this update. I cannot find this FrontPage Server Extensions package in Windows' Add/Remove Components list. I don't think XP Home even has this feature.
I am not going to get it until I hear words from Microsoft.  -- -- Ant @ The Ant Farm: »antfarm.ma.cx | |
|
 |
 |  anthrorules Premium join:2003-09-14 Rollinsville, CO | Re: Microsoft Security Bulletins for 12/9/2003 I just installed...haven't re-booted yet, but soon will. | |
|
 |  |  |
 |  |  |  anthrorules Premium join:2003-09-14 Rollinsville, CO
·Qwest.net
·IonSKY
| Re: Microsoft Security Bulletins for 12/9/2003 Okay, re-booted (sorry, it took me awhile, I was installing an external hard drive) and haven't noticed anything out of the ordinary, I did install both updates that appeared in my updates list:
Update for Microsoft Windows XP (KB826942) Security Update for Windows XP (KB810217)
I don't know if this makes any difference, but I've not noticed any crazy textbox scrolling since I updated, but that doesn't imply that either of the above updates fixed the hellacious update on November 11, 2003 that raved havoc on most people's computers running Windows. -- Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 970 | Dell Dimension 4550 - WinXP Pro SP1 - 256MB Ram |ZA+ 4.5 | AVG 7.0 - Resident | BitDefender 7.1 Free - On-Demand |TDS3 | Ad-Aware | SpyBot S&D | MailWasher Pro | |
|
 GuruGuy
join:2002-12-16 Atlanta, GA
| Yep, I had 3 machines that had the KB810217 available. Installed 2 of them, one failed. After rebooting the failed machine and reattempting, it was no longer available for download, even though the history shows the failed install, I can't download it and it's not available........way to go MS$. Technet says nothing released on Dec 9, yet you have this listed as being a critical update on the Windows Update site, and on one machine with Auto Update turned on, the notification popped up stating that KB810217 was available.......after researching this, it appears that KB810217 was released in November! So what gives....is it a re-release or did someone screwup? -- GuruGuy | |
|
 |   antdude A Ninja Ant Premium,VIP join:2001-03-25
| Re: Microsoft Security Bulletins for 12/9/2003
FYI! Two informative newsgroup replies from MS:
-------- Original Message -------- Subject: Re: KB810217 - MS03-051 - Appreared today via Windows Automatic Update - Why? Date: Wed, 10 Dec 2003 11:55:29 -0800 From: Lucy [MS] Newsgroups: microsoft.public.windowsupdate References:
Hi Joe,
This was an issue on our end. Yesterday we made changes to the detection for this update and that's why Windows Update is offering the update today.
Thanks, Lucy [MS]
--
For those who use Windows XP Home SP1 and do not have FrontPage Server Extensions installed in Windows' Add/Remove Components.
-------- Original Message -------- Subject: Re: KB810217 - MS03-051 - Appreared today via Windows Automatic Update - Why? Date: Wed, 10 Dec 2003 11:59:42 -0800 From: Lucy [MS] Newsgroups: microsoft.public.windowsupdate References:
Hi Ant,
Do you have the web server extensions?
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
fp4autl.dll
Thanks, Lucy [MS] -- -- Ant @ The Ant Farm: »antfarm.ma.cx | |
|
 |
  MrFixIT Premium join:2002-04-12 here
| Thanks for the updates JmanB !
BTW - did anyone else notice the cut and paste job at the end of first two answers?
quote: Microsoft works to ensure the quality of all products, and a patch release is treated much like a small scale product release in terms of quality control. Microsoft would not release a product until it was tested and proven reliable, and patch releases are no different.
-- You are depriving some poor village of its idiot. | |
|
 GuruGuy
join:2002-12-16 Atlanta, GA
| This was an issue on our end. Yesterday we made changes to the detection for this update and that's why Windows Update is offering the update today. ----------------
What does she mean that's why they are offering it today? I haven't seen it since it appeared last night and then disappeared.......... -- GuruGuy | |
|
 |   antdude A Ninja Ant Premium,VIP join:2001-03-25
| Re: Microsoft Security Bulletins for 12/9/2003 Very confusing! Even on a clean XP Professional!
I asked Lucy if this update was an error to show up: "No, it's not an error. This is a valid update. If you have the web server extensions then Windows Update will offer the update to install."
Anyways, share your finds on msnews.microsoft.com newsgroup server in microsoft.public.windowsupdate newsgroup. -- -- Ant @ The Ant Farm: »antfarm.ma.cx | |
|
 |
 GuruGuy
join:2002-12-16 Atlanta, GA | Well now it's back again! Wish the hell they'd make up their mind...it's here, it's gone, it's here, it's gone..... -- GuruGuy | |
|
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA | When you click on "read more..." for the update it takes you to a page which states: " No Security Bulletins for December Monthly Release (December 9, 2003) " A bit confusing to say the least. | |
|
 |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Microsoft Security Bulletins for 12/9/2003 >When you click on "read more..." for the update it takes you to a page which states: " No Security Bulletins for December Monthly Release (December 9, 2003)
I just ran Windows Update and the critical patch is shown, but I have no "read more" place to click! I have never, ever before seen a critical patch on Windows Update site where I could not learn more about the patch! If I hadn't just read the Cnet article and what Lucy had to say via antdude's post, I would be wondering if someone had hacked into Windows Update and was spoofing us! I'd say Cnet's characterization of Microsoft confusing itself is a bit mild!
I checked and I do have the web server extensions that Lucy mentions located where she indicates. I guess I am one of those to whom the update was supposed to be offered in November but was not. However, I do NOT have XP home edition. I have XP Pro version SP1a. Lucy says this fix is for those with XP HOME SP1 who don't have FrontPage Server Extension in Add/remove. Well I have XP PRO and I don't have this extension in Add/remove but I have it nonetheless. So, where do I fit in this scenario?
To confuse matters further, where is the Microsoft Security Bulletin for this? I received nothing in my email yesterday or today. I do not have automatic update turned on. I rely on the Security Bulletin List serve and this site for notifications. So where is the security bulletin for this? Even if this patch is just a reissue for those who were not offered the patch last month for some strange reason, then why is there not a Bulletin explaining this and why have I not received this Bulletin in my email? -- "Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
 mrgeek Premium join:2002-12-13 Dundee, IL clubs: 1 edit | I wish jbMSFT would stop by and clear this up for us. -- A wise man is nothing more than an old fool | |
|