Bugtraq mailing list archives

Re: Microsoft Security Bulletin (MS00-005)


From: secure () MICROSOFT COM (Microsoft Product Security Response Team)
Date: Fri, 21 Jan 2000 15:23:41 -0800


Hi Matt -

Our ultimate goal is to deliver all security patches through two
mechanisms:
* WindowsUpdate for customers who would like to have all needed
  patches automatically installed on their machines with a minimum of
  effort.
* The Download Center for customers who want to download patches
  and install them manually, or who want to deploy patches throughout a
  network.  The DC eventually will replace ftp.microsoft.com.

Right now, we're in transition.  We are no longer deploying patches to
the FTP site, and will soon start migrating older patches from the FTP
site to the DC.  All new patches are being deployed to the DC.  In some
cases, they're also being deployed to the WindowsUpdate site.  Whether
or not a patch goes to WindowsUpdate depends on what platform it's
intended for -- Windows 95, 98 and 2000 support WindowsUpdate, but
Windows NT 4.0 does not.

There's usually a lag between when we deploy a patch via the DC, and
when it's available via WindowsUpdate.  As you can imagine, it's a
mammoth job to set up and test the scripts to sniff every possible
combination of machines, OSes, and applications, and apply the right
version of the patch to each one.  As a result, WindowsUpdate is
refreshed according to a predefined schedule.  When a patch is ready for
release, we deploy it to the DC, and then put it into the queue for the
next WindowsUpdate refresh.  That way, customers can assess the tradeoff
between the urgency of the patch and the ease of installation, and
choose whether to get it immediately from the DC or wait until it's
available from WindowsUpdate.

Hope that helps explain what we're doing.  Regards,

Secure () microsoft com

Microsoft has a new acknowledgment policy for security bulletins.
http://www.microsoft.com/security/bulletins/policy.asp

-----Original Message-----
From: Matt Davis [mailto:bigdog () DOGPOUND VNET NET]
Sent: Wednesday, January 19, 2000 2:01 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Microsoft Security Bulletin (MS00-005)

Which brings up a good question..  What makes a vulnerability
WindowsUpdate material?

Why does Microsoft not put all security/bug fixes on the Windows Update
site as recommended updates?

On Wed, 19 Jan 2000 bugtraq () NS DOOMSDAY COM wrote:

      Interesting that this is not a part of Windows 98's Windows
Update.  If it was a serious enough vulnerability to fix you would think
that it would also be easy to download and install without subscribing to
any security related lists.  :>

      _John

---
Matt Davis - ICQ# 934680
http://dogpound.vnet.net/~bigdog/
NoWonder UNIX Tech - http://www.nowonder.com

I think someone should have had the decency to tell me the luncheon was
free. To make someone run out with potato salad in his hand, pretending
he's throwing up, is not what I call hospitality.

