Windows 7 Forums

Windows 7: Microsoft Explains Unusual Approach To Recent Security Update

03 Oct 2010   #1

Windows 7 Pro & Vista Home Premium
Microsoft Explains Unusual Approach To Recent Security Update

Microsoft has this week issued a patch for a bug in the system used to develop active web pages. In a change from the company's normal procedures, the update had already been made available for manual downloading before testing was complete.

The bug affected ASP.NET (Active Server Pages), a Microsoft system for creating dynamic rather than static web pages. That could cover a journey planner site that created custom results for the reader, as opposed to a page simply listing bus timetables.

Passwords Exposed by Flaw

The security flaw meant hackers could bypass encryption and see information about the page that was stored on the website server. In some circumstances, the hacker could even tamper with the data, which in some cases included user names and passwords.

Two independent researchers discovered the bug in September and presented their findings at a security conference. Microsoft then issued a temporary workaround and began working on a more permanent fix.

Manual First, Automatic Later

The company did issue an update this past Tuesday but, surprisingly, given that it was a security fix, only made it available for manual download from its security site. At the time, it promised a full automatic update would soon follow.

Microsoft's reasoning for this move was that it had evidence the security flaw was being actively exploited by hackers. However, by Tuesday it hadn't yet fully completed its standard testing program for patches sent out to every Windows computer. It decided that in the meantime it should make the patch available to those who most needed it, specifically people running ASP.NET-based sites.

Administrators Agitated

Despite the logic of such a move, the situation has not been ideal for tech administrators. Many have a carefully designed policy for installing patches from the automatic update system across their entire network, a policy that doesn't cover manually visiting Microsoft's site and actively downloading patches. There have been reports of numerous enquiries to Microsoft from administrators uncertain whether they need to get patches and, if so, exactly which to get.

Microsoft then sent out the patches through Automatic Updates on Thursday. To some that's a good sign, showing the Redmond firm rapidly responding to the problem. To others, it's a sign that the company could probably have got away with waiting a couple of extra days, using only the Automatic Updates, and avoiding any confusion.

As always, it comes down to the balance between security and convenience, a balance that may always prove a point of contention.

Source: cent_security_update.htm

03 Oct 2010   #2

Windows 7 & Windows Vista Ultimate

IMO, the reasoning for handling the release was clearly explained in the MSDN Blog post, Out of Band Release to Address Microsoft Security Advisory 2416728.

"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately."
Emphasis: "The security update is fully tested and ready for release"

Placing the update on the Microsoft Download Center for system administrators to easily access and test within their environments was a fast way to make the update available in environments that were most vulnerable. As was clearly stated:

"Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer."
Thus, there was not the same urgency to push to Automatic Updates as getting it to the corporate environment.