Microsoft Explains Unusual Approach To Recent Security Update

Microsoft has this week issued a patch for a bug in the system used to develop active web pages. In a change from the company's normal procedures, the update had already been made available for manual downloading before testing was complete.

The bug affected ASP.NET (Active Server Pages), a Microsoft system for creating dynamic rather than static web pages. That could cover a journey planner site that created custom results for the reader, as opposed to a page simply listing bus timetables.

Passwords Exposed by Flaw

The security flaw meant hackers could bypass encryption and see information about the page that was stored on the website server. In some circumstances, the hacker could even tamper
with the data, which in some cases included user names and passwords.

Two independent researchers discovered the bug in September and presented their findings at a security conference. Microsoft then issued a temporary workaround and began working on a more permanent fix.

Manual First, Automatic Later

The company did issue an update this past Tuesday but, surprisingly, given that it was a security fix, only made it available for manual download from its security site. At the time, it promised a full automatic update would soon follow. (Source:eweek.com)

Microsoft's reasoning for this move was that it had evidence the security flaw was being actively exploited by hackers. However, by Tuesday it hadn't yet fully completed its standard testing program for patches sent out to every Windows computer. It decided that in the meantime it should make the patch available to those who most needed it, specifically people running ASP.NET-based sites.

Administrators Agitated

Despite the logic of such a move, the situation has not been ideal for tech administrators.
Many have a carefully designed policy for installing patches from the automatic update system across their entire network, a policy that doesn't cover manually visiting Microsoft's site and actively downloading patches. There have been reports of numerous enquiries to

Microsoft from administrators uncertain whether they need to get patches and, if so, exactly which to get. (Source:computerworld.com)

Microsoft then sent out the patches through Automatic Updates on Thursday. To some that's a good sign, showing the Redmond firm rapidly responding to the problem. To others, it's a sign that the company could probably have got away with waiting a couple of extra days, using only the Automatic Updates, and avoiding any confusion.

As always, it comes down to the balance between security and convenience, a balance that may always prove a point of contention.

Source: http://www.infopackets.com/news/security/2010/20101001_microsoft_explains_unusual_approach_to_re cent_security_update.htm

IMO, the reasoning for handling the release was clearly explained in the MSDN Blog post, Out of Band Release to Address Microsoft Security Advisory 2416728.

The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately.

Emphasis: "The security update is fully tested and ready for release"

Placing the update on the the Microsoft Download Center for system administrators to easily access and test within their environments was a fast way to make the update available in environments that were most vulnerable. As was clearly stated:

Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Thus, there was not the same urgency to push to Automatic Updates as getting it to the corporate environment.