Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Microsoft Explains Unusual Approach To Recent Security Update


03 Oct 2010   #1

Windows 7 Pro & Vista Home Premium
 
 
Microsoft Explains Unusual Approach To Recent Security Update

Microsoft has this week issued a patch for a bug in the system used to develop active web pages. In a change from the company's normal procedures, the update had already been made available for manual downloading before testing was complete.

The bug affected ASP.NET (Active Server Pages), a Microsoft system for creating dynamic rather than static web pages. That could cover a journey planner site that created custom results for the reader, as opposed to a page simply listing bus timetables.

Passwords Exposed by Flaw

The security flaw meant hackers could bypass encryption and see information about the page that was stored on the website server. In some circumstances, the hacker could even tamper
with the data, which in some cases included user names and passwords.

Two independent researchers discovered the bug in September and presented their findings at a security conference. Microsoft then issued a temporary workaround and began working on a more permanent fix.

Manual First, Automatic Later

The company did issue an update this past Tuesday but, surprisingly, given that it was a security fix, only made it available for manual download from its security site. At the time, it promised a full automatic update would soon follow. (Source:eweek.com)

Microsoft's reasoning for this move was that it had evidence the security flaw was being actively exploited by hackers. However, by Tuesday it hadn't yet fully completed its standard testing program for patches sent out to every Windows computer. It decided that in the meantime it should make the patch available to those who most needed it, specifically people running ASP.NET-based sites.

Administrators Agitated

Despite the logic of such a move, the situation has not been ideal for tech administrators.
Many have a carefully designed policy for installing patches from the automatic update system across their entire network, a policy that doesn't cover manually visiting Microsoft's site and actively downloading patches. There have been reports of numerous enquiries to

Microsoft from administrators uncertain whether they need to get patches and, if so, exactly which to get. (Source:computerworld.com)

Microsoft then sent out the patches through Automatic Updates on Thursday. To some that's a good sign, showing the Redmond firm rapidly responding to the problem. To others, it's a sign that the company could probably have got away with waiting a couple of extra days, using only the Automatic Updates, and avoiding any confusion.

As always, it comes down to the balance between security and convenience, a balance that may always prove a point of contention.

Source: http://www.infopackets.com/news/security/2010/20101001_microsoft_explains_unusual_approach_to_re cent_security_update.htm


My System SpecsSystem Spec
.

03 Oct 2010   #2

Windows 7 & Windows Vista Ultimate
 
 

IMO, the reasoning for handling the release was clearly explained in the MSDN Blog post, Out of Band Release to Address Microsoft Security Advisory 2416728.

Quote:
The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately.
Emphasis: "The security update is fully tested and ready for release"

Placing the update on the the Microsoft Download Center for system administrators to easily access and test within their environments was a fast way to make the update available in environments that were most vulnerable. As was clearly stated:

Quote:
Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.
Thus, there was not the same urgency to push to Automatic Updates as getting it to the corporate environment.
My System SpecsSystem Spec
Reply

 Microsoft Explains Unusual Approach To Recent Security Update




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 07:06 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33