
Security Patch Creation at Microsoft

CowboyNeal posted more than 8 years ago | from the inside-looks dept.


devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."


patch info (-1, Troll)

lifo-fifo (880292) | more than 8 years ago | (#12777876)

Ever notice the "beat the rush and see it early" link at the top of slashdot when a new story is about to come out?

Sounds good, doesn't it? To be able to view the pages linked to in the article before the tens of thousands of other slashbots click to view them.

Did it ever occur to you that you're taking part in cyber-terrorism?

That's right: Slashdot's editors are cyber-terrorists. They coordinate a DOS against small websites, and they attempt to collect money from people who wish to be spared the effects of said DOS. Terrorism, plain and simple.

You can fight this and other crimes by slashdot's editors by joining anti-slash [anti-slash.org] . Anti-slash is committed to forcing the editors to own up to their numerous crimes against the geek community. Until our demands are met, we will relentlessly discredit them as a news service through trolling and other means.

Also, props to poopbot and the alan thicke troll. We remember your accomplishments.

In sacred jihad,

jihadi_31337


Re:patch info (0)

Anonymous Coward | more than 8 years ago | (#12778264)

You mod this troll, but it's absolutely correct. The main benefit of subscribing is to view the site mentioned in the article, before it is 'slashdotted'.

Next week's headline: (5, Funny)

Anonymous Coward | more than 8 years ago | (#12777878)

New Windows worm circumvents Microsoft patching process

Testing is only a priority on closed source apps (1, Insightful)

Dancin_Santa (265275) | more than 8 years ago | (#12777887)

Windows and IE being no exception. The very fact that users have neither access to the source code nor the ability to build the application sources means that any testing must be done "in-house". This is going to slow down the release cycle by exactly the amount of time it would take to run all the regression tests.

With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch. Without the lengthy QA cycle, Open Source patches are much more immediate than any Closed Source shop could ever hope to achieve.

Re:Testing is only a priority on closed source app (0)

Anonymous Coward | more than 8 years ago | (#12777893)

With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch. Without the lengthy QA cycle, Open Source patches are much more immediate than any Closed Source shop could ever hope to achieve.

Or, in other words, with OSS, everyone is a tester!

Re:Testing is only a priority on closed source app (5, Insightful)

Atrax (249401) | more than 8 years ago | (#12777899)

are you seriously suggesting you'd just release a brand new patch into the wild without even cursory testing?

who's going to want to install it? when everyone is a guinea pig, a certain reluctance to jump in first may manifest itself.

Re:Testing is only a priority on closed source app (0)

Anonymous Coward | more than 8 years ago | (#12777915)

real OSS projects actually have an organizational structure.. a closer knit group of users associated with the project will test and comment (or fix) problems they see with code. when the code seems to be good, it is released to the public as an actual release.

Re:Testing is only a priority on closed source app (4, Insightful)

Atrax (249401) | more than 8 years ago | (#12777982)

real OSS projects actually have an organizational structure.. a closer knit group of users associated with the project will test and comment (or fix) problems they see with code. when the code seems to be good, it is released to the public as an actual release.

So what's different about that compared to the pre-release testers employed by Microsoft? not a lot, it may seem. Besides, my reading of the OP's post didn't indicate this was the meaning at all.

The fact is, going back to the OP's harebrained scheme, that no-one is going to apply a patch to a critical environment unless it's been through major testing. Sure, your l33t box under your desk which you rebuild every week anyway? patch it with whatever you like, but a production database server pushing out data to thousands of clients? I want that bastard tested thoroughly before the patch ever hits the net.

Re:Testing is only a priority on closed source app (0, Flamebait)

BigBuckHunter (722855) | more than 8 years ago | (#12778081)

The fact is that no-one is going to apply a patch to a critical environment unless it's been through major testing

At the risk of staying on topic:
The fact is that no-one is going to have a critical environment that uses IE. If you're using wininet or winhttp for your mission critical apps, shame on you.

BBH

Re:Testing is only a priority on closed source app (4, Interesting)

Atrax (249401) | more than 8 years ago | (#12778099)

Was I talking about IE? Was the OP? Surely we were debating the patch process in general, not specifically IE?

Besides which, a hell of a lot of corporates consider their intranet (extranet/web) apps 'critical'. IE (or other browser) is a major component in that mission-critical situation, wouldn't you say?

I'm just so good (4, Funny)

Urusai (865560) | more than 8 years ago | (#12778197)

I write code to accomplish what I intend, and I succeed. I don't need to test. What needs testing is other peoples' crappy code that my code depends on. I'm looking at you, GW BASIC maintainers!

Re:Testing is only a priority on closed source app (3, Interesting)

noidentity (188756) | more than 8 years ago | (#12778210)

are you seriously suggesting you'd just release a brand new patch into the wild without even cursory testing?

You can always release a patch to the patch if any problems are found with it :)

But seriously, it makes most sense to correct most bugs (that will be caught in the short-term) before a wide release, where there is a single copy of the source, rather than after release, where there are as many copies as there are users.

With open-source anybody is free to provide this service. If the author only has the time/motivation to do barely-tested releases, why reject his code? Someone else with the desire can do testing and make releases to a wider audience that are more stable, and users can choose between the two options (or more). These can even form without any direct arrangement between the various parties.

Re:Testing is only a priority on closed source app (1)

gl4ss (559668) | more than 8 years ago | (#12778284)

not everyone. but if you got, say 30 people in the inner testing circle.

you know, that would be the "in house" testing, and if it's a trivial fix, adding of one length check or whatever, it wouldn't matter.

Re:Testing is only a priority on closed source app (1)

Umbral Blot (737704) | more than 8 years ago | (#12777910)

This is only true for big-name projects. Small open source projects are probably less well supported than their small corporate counterparts. As a lone developer without the hardware and backing of a company I can't patch and identify issues as I would like. As to users giving you feedback. HA! The best I get is once in a while someone tells me that something crashes. I might die of shock if someone sent me fixed source code.

Re:Testing is only a priority on closed source app (2, Interesting)

Renegade Lisp (315687) | more than 8 years ago | (#12777976)

As to users giving you feedback. HA! The best I get is once in a while someone tells me that something crashes. I might die of shock if someone sent me fixed source code.

Remember what ESR wrote about this? "If you treat your users as if they were your most valuable resource, they will respond by becoming your most valuable resource."

In other words, I think this is all about community-building, and I grant you that this may be beyond what you can do as a single developer who simply shares some code with the world. Still, I have found ESR's statement to be quite true in my own projects, and it only takes a small effort to express this attitude in the e-mails you send to your bug reporters.

Re:Testing is only a priority on closed source app (2, Insightful)

zallus (714582) | more than 8 years ago | (#12777933)

Well, Microsoft does have Automatic Update working for them. They may have slower patch creation times, but they can push the created patch to you much more quickly. If you were a corporate executive, would you say that you'd rather immediately install an externally verified patch, or take your own company's time and resources to verify the patch? Sure, for large, computer-intensive operations like air traffic control or medical care, you'd need to verify the patch either way. But if it just means that a secretary wouldn't be able to play Solitaire, and especially if your company doesn't have any individually-designated "Computer Security" positions, I think you'd install the patch right away. Also, it'd be ill-advised for an open-source shop to not regression-test patches before release anyway. I don't want to see the size of your Bugzilla database.

Re:Testing is only a priority on closed source app (3, Insightful)

timbo234 (833667) | more than 8 years ago | (#12777981)

Linux distros have automatic updates too, and the distro maintainer assumes the role of testing the application with the new patch applied.

The GP was only half-right by saying that 'a patch can be released right away and users can compile in the new sources themselves' is a strength of OSS. In reality only small numbers of users do this themselves; most simply get it through their distro's auto update feature after it's been tested and QA'd by the distro maintainers.

Re:Testing is only a priority on closed source app (3, Insightful)

dword (735428) | more than 8 years ago | (#12777944)

Again, you keep saying how good OSS is compared to CSS. Now tell me, honest, if you write an application and someone tells you they can sell it for $100/copy and give you 50% of each. Would you still make it open-source? What you said is true, but I'm tired of everyone bragging about how "cool" OSS is. Yes, it's cool, but writing it isn't...

Re:Testing is only a priority on closed source app (2, Insightful)

Dancin_Santa (265275) | more than 8 years ago | (#12777956)

Isn't the writing of Open Source software the whole point?

If no one wanted to write it, OSS wouldn't even exist.

Re:Testing is only a priority on closed source app (1, Interesting)

Anonymous Coward | more than 8 years ago | (#12777983)

I find it strange that open-source application authors never, themselves, sell their product as well. Why wasn't the creator of WINE the founder of TransGaming or CrossOver Office?

Re:Testing is only a priority on closed source app (1)

umkendaj (810823) | more than 8 years ago | (#12778004)

I don't think that the biggest point behind the OSS movement is necessarily the cost of the software, but rather access to the source code. In a business environment, a lot more money goes into support for the software, than the actual software. I feel that a lot of applications could quite easily be sold for a profit, even though they are open source.

Re:Testing is only a priority on closed source app (1)

jalet (36114) | more than 8 years ago | (#12778070)

You may want to learn other people's experiences.

I write Free Software, have PLEASURE doing so, and sell it as well.

All this without any third party keeping 50% of it (modulo the PayPal fees).

Granted this doesn't amount to millions, but it is just a side job, since I've already got a full time job. This works just fine anyway.

The proof here [librelogiciel.com] .

Re:Testing is only a priority on closed source app (3, Funny)

cmad_x (723313) | more than 8 years ago | (#12778166)

You can sell OSS.

Re:Testing is only a priority on closed source app (5, Insightful)

xtracto (837672) | more than 8 years ago | (#12778283)

Although theoretically it is possible to sell OSS, it is not profitable.

Why would someone want to buy something he can download for free in another place, if people tend to "download for free" something that they CAN NOT (by law) use for free??

Of course, now you will tell me that RedHat, Mandrake, etc etc are making business with OSS, but the truth is they are making business SELLING SERVICES, not the software.

Now, I am a programmer (well, I was a programmer before I started my PhD), I really like to program, when I was in the University I was a Linux advocate (although when I was in High School I was a FreeBSD advocate... can you imagine I bought FreeBSD without really knowing what it was... then when it arrived I spent like 3 weeks installing it, I was like 13 or something).

But, after I finished the University I had written some programs which I wanted to sell, hell I DO know how to program...

I put them like shareware on the internet, it was cool, but I also wanted to "contribute" to the OSS, in the "real world" (i.e. outside the net in my life) I was trying to get a job, As I lived in Mexico that was no easy task, so all my income was from my shareware programs and some money my parents gave me.

But I WANT to program for a living, and that is NOT possible with OSS, only people who have a name and are at the top position in this "OSS" power hierarchy can do it.

There were possibilities of open sourcing my programs and then profiting with the "customer" services, of course the money I would get there was going to be a hell less than the money I won with my shareware (which was not a lot of course) and besides I DID NOT study any kind of administration or client service degree I AM A FUCKING PROGRAMMER and I want to program because THAT IS WHAT I KNOW HOW TO DO!!

So no, it is not possible to live selling OSS, it MAY be possible to live selling a service but not by pure development.

And of course it is possible to get hired in a company which develops open source as a branch (IBM, Sun, Mandrake, etc) and you could say that you earn your living with OSS... but the one that is paying you is the company.

Nowadays I am making my PhD outside Mexico (no, not in the US, in Europe). I have a wider view of this OSS, and although I understand it is great for academy (in fact I OSS it every day) it is NOT right for the commercial developer... And now as I have seen the programming business is very crowded I have decided to enter the academy business, that way when I return to my country with a Europe degree I would be able to enter and teach somewhere at least...

And, I will be able to use and create OSS (of course as a side project JUST FOR FUN). At the end, that is why the OSS projects prosper, people do them JUST. FOR. FUN.

Re:Testing is only a priority on closed source app (4, Insightful)

shmlco (594907) | more than 8 years ago | (#12778002)

With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers...

Which is basically a fancy way of saying you're going to treat your user base as guinea pigs and let them test your patch for you.

Hopefully any "issues" they have will not have been fatal...

Re:Testing is only a priority on closed source app (5, Interesting)

Dancin_Santa (265275) | more than 8 years ago | (#12778065)

As an Open Source developer, I'm not in this for the money. If I were, you can bet the project would be Closed Source.

Rather, I want this project to be open and usable for all. To that end, I license it under the GPL and anyone is free to use it.

So my users are partners with me. They are not my guinea pigs. Though I maintain control over the project, there is no set-in-stone law that no one else may fork the project. In fact, they are encouraged to, if they feel it necessary.

I release the patches, and they accept them or reject them, depending on their own circumstances. I don't rule them with an iron fist. I consider them my Knights of the Round Table where they all have the right to say what they want and none is any greater than the other.

So maybe you think that users are passive slugs, but I'd rather give them the benefit of the doubt.

Re:Testing is only a priority on closed source app (3, Insightful)

Tune (17738) | more than 8 years ago | (#12778178)

Thanks for mentioning the pros of Open Source. I agree, but that's not the point.

Even OSS developers do some testing before they release their code. At least for the larger (multi-developer) code bases. Quality is essential if you don't want to scare your users/co-developers away. And quality is only partially a result of programming skills.

Now you may point at the difference in emphasis between informal release-testing and formal QA in the legal sense. But it's just ridiculous to assume that OSS solves everything to the point where you just merge & release everything you type and/or every patch submitted to you without even looking at it.

--
It is impossible to make anything foolproof because fools are so
ingenious.

Re:Testing is only a priority on closed source app (2, Insightful)

zootm (850416) | more than 8 years ago | (#12778245)

Thanks for posting that, I'd mod you up if I had points. Which, typically, I don't.

Open source doesn't eliminate the need for testing, but it can make it easier, and specifically make it easier for knowledgeable users to fix bugs themselves and contribute back. As for the testing release issues, it wouldn't be much more trouble for closed-source systems to release nightly builds to the world to test, just less tempting to test.

The fact that users can fix bugs themselves, though, is not an excuse for releasing buggy software. By all means give users who want a bleeding-edge release access to your newest and greatest (but maybe not quite fully-tested) code, but don't go around releasing such code as your official version. Give it some time, test it a bit, before putting that out. Just because people can bug test and fix their own software doesn't mean that they should be made to.

OSS can make testing easier, but it does not, as you point out, remove the need for it. For anything above a "hobby" project, for things you actually expect people to use, it's just irresponsible not to undergo at least some testing. Overuse of "caveat emptor" just makes OSS look unprofessional -- which is fine, but it could cause problems when trying to break into more corporate grounds. The people who say both that companies should use more OSS, and that OSS doesn't need to be tested, really need to re-evaluate at least one of those viewpoints.

I sense I'm ranting, so I'll stop.

Re:Testing is only a priority on closed source app (2, Insightful)

slashdotnickname (882178) | more than 8 years ago | (#12778260)

clearly, there are many different types of software users... from those that actively contribute to its code, to those that test out the latest versions and report bugs, to pure users that just want to use your tool to get their own stuff done.

most users fall in the last category and they'll quickly jump ship if your stuff is too buggy/unusable and/or there's something better out there user-wise... case in point, firefox, where the majority of the 30+ million downloaders were not open-source contributors but rather software users that found something better.

but hey, if you're just interested in chucking untested code out there for your "partners" then more power to you... this "passive slug" will be supporting more serious projects.

Re:Testing is only a priority on closed source app (0)

Anonymous Coward | more than 8 years ago | (#12778044)

"With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch."

That might work for your basement project with 3 users, but won't work if you roll out something that companies actually use and rely on, and I bet it's more expensive having someone sitting and testing your "Open source patches" than actually paying for it in the first place.

Re:Testing is only a priority on closed source app (2, Insightful)

interiot (50685) | more than 8 years ago | (#12778179)

Have you heard of Debian Sarge, perhaps? Whose release is so monumental that, along with the revelation of Deep Throat, the switching of Apple to Intel, and the release of Duke Nukem Forever, pretty much portends the second coming of something of terribly great importance?

If Debian isn't the epitome of an Open Source project that's overly obsessed with quality releases, at the expense of frequent releases, I don't know what is.

Re:Testing is only a priority on closed source app (1)

The Great Wazzoo (798980) | more than 8 years ago | (#12778269)

Syntax error: you made statements where you obviously intended to ask confirmation about some random thoughts you had. Next time, try using the question-mark construction. E.g:

"Isn't it true that testing is only a priority on closed source apps?".

Which would of course have been answered with "no". Recommended reading available on request.

And this is why Linux is liable to remain Geek-only (4, Insightful)

samael (12612) | more than 8 years ago | (#12778352)

"Oh, it's ok, we'll release a patch instantly and the users can review/compile it themselves."

I don't know about you, but I have things I actually want to _use_ my computer for - I don't want to have to review any code changes for patches/upgrades/new versions and check them before I do an install.

Not that I even have the technical know-how to do that for the vast numbers of programs out there.

Typical corporate programming (5, Interesting)

guruevi (827432) | more than 8 years ago | (#12777895)

Instead of just believing the people that there is a problem, they have to test it out and develop a plan and then reprogram the piece. I hate that. In my company they have implemented such a system too, and if you have a problem you have to wait a month before it is planned in (if it is accepted by a group of non-technical managers) and then another month before it is fixed, making a problem sometimes last for over 6 months, and after an endless amount of pointless meetings there is finally some kind of fix. Programmers in corporations are under a lot of (time) pressure and that is not good as it makes them make mistakes. But they have to be able to make quick fixes (as is with most Linux projects) without any corporate meetings or managers.

Re:Typical corporate programming (4, Interesting)

Atrax (249401) | more than 8 years ago | (#12778039)

Your company just seems to have a problem of balance. Your company may have a slow process, but equally they'd be insane to lean too much the other way and just let the techies spin out patches willy-nilly without fear or favour.

Striking a balance is the trick, and non-technical managers will tend towards the extremely cautious end of the scale without their caution being necessarily grounded in a realistic appraisal of the problem. They don't really understand it, so they go slowly and have accountability at every step.

Sounds like you might want a shorter chain of command, with technically knowledgeable managers making the calls.

How you get that to happen, well, I really don't know. A new CEO might be a start (it's worked at my old company)

Re:Typical corporate programming (4, Interesting)

Tune (17738) | more than 8 years ago | (#12778126)

Either you have no idea about how (software) project management works or you have seen some worst-in-class examples at your company. Testing and reproducing a bug is *very* important. Bypassing that step is a guarantee to waste valuable programmer's time on non-issues. In a healthy organization with averagely skilled testers, this part of testing takes a couple of hours at most.

Next is bug fixing. This is by far the most variable and unpredictable part, requiring the best of any programmer. It may take minutes or it may take weeks. Besides good programmers, good process can be of great help here.

Finally comes the release testing, which is what the article is talking about. This phase is essential: *never* trust a programmer if he says it's "fixed and I tested it". Generally, programmers are simply incapable of testing their own stuff. I know as a programmer. Release-testing takes a considerable, but predictable amount of time, assuming the programmer did a good job. Skipping this phase will sooner or later lead to disasters like the recent Netscape 8 release.

Now I agree with your complaint on workload and lack of tech-savvy managers, but it's nonsense to say that the process as a whole sucks.

That's the right attitude to take (1)

samael (12612) | more than 8 years ago | (#12778362)

If you don't test the error, how do you know that (a) there really is an error and (b) where/what the error actually is?

Sure, the process should be streamlined so that you don't take months to do that, but then the process described in the article _doesn't_ take months if it's handled properly.

UDP Floods (4, Interesting)

Anonymous Coward | more than 8 years ago | (#12777898)

I don't think there's a single service on a windows box that can withstand a UDP flood. This has been known to be an effective DoS method for years...roommate using all the bandwidth with bittorrent? Playing Doom3 in the middle of the night with the volume jacked up?

Send a UDP flood to ANY of the services which are actively listening by default, problem solved. Where's the triage team on that one? I guess 99.9% resource consumption isn't a vulnerability in their eyes.

Re:UDP Floods (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#12778116)

Try not running an unpatched copy of Windows from 2001. Ever hear of SP2?

1,000,000 monkeys (0, Flamebait)

weighn (578357) | more than 8 years ago | (#12777901)

so, after all we've been led to believe, Windaz patches aren't being written by one-million monkeys?

Re:1,000,000 monkeys (0, Troll)

Infinityis (807294) | more than 8 years ago | (#12777950)

Nope. According to Microsoft, it's the open source software that is being written by one million monkeys.

Re:1,000,000 monkeys (1)

Atrax (249401) | more than 8 years ago | (#12777964)

According to Microsoft, it's the open source software that is being written by one million monkeys.

Sometimes, you have to consider the possibility that they may be right [slashdot.org]

Re:1,000,000 monkeys (1)

RollingThunder (88952) | more than 8 years ago | (#12777975)

If you visit http://www.thedailywtf.com/ [thedailywtf.com] you'll find that the monkey to programmer ratio is easily a million to one these days.

Re:1,000,000 monkeys (1)

paranoidgeek (840730) | more than 8 years ago | (#12778164)

The articles listed on the site aren't from monkeys but programmers who are given the wrong tools (VB/ASP seems to be a big one) and put on the wrong projects (complex multi-user database) when they have skills in different areas (small VB apps) but an interest in some "big" project. So they get creative when they realise that although they have no idea how to sort a SQL query, they know how to retrieve rows one by one... so they do that... of course those of us who just go "ORDER BY `something` DESC" would laugh when they write a loop trying every single "something" in order.

- A DailyWTF reader

Nice to know that... (2, Insightful)

Anonymous Coward | more than 8 years ago | (#12777912)

Microsoft's non-security is well organised. :-)

From the article: (3, Interesting)

guruevi (827432) | more than 8 years ago | (#12777918)

It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking.

1: languages shouldn't be a problem, that is (hopefully) not completely split up throughout the source code, is it? aargh!!!!
2: I know of only 3 SUPPORTED IE versions (IE 5, IE 6 and IE 7)

Re:From the article: (2, Insightful)

XanC (644172) | more than 8 years ago | (#12777925)

I would imagine that the IE version that runs on each OS (2K, XP, 2K3, etc) is probably unique enough to warrant a full battery of tests.

Re:From the article: (0)

Anonymous Coward | more than 8 years ago | (#12777929)

IE on Win98/ME
IE on Win2K/XP
IE on MacOSX
IE on MacOS9
IE on WinCE

And then for each language.

Re:From the article: (1)

Tune (17738) | more than 8 years ago | (#12778213)

Also, a single binary doesn't imply a single test.
I.e., an install may work when connected to a LAN but may fail when off-line. Testing involves numerous configurations. Think laptops, slow hardware, custom OS installs, partitioning, auto-upgrade vs manual upgrade...

Re:From the article: (1)

LuckyStarr (12445) | more than 8 years ago | (#12778340)

Looks to me like a borked driver model, unstable hardware abstraction and a general nonpredictability of the OS' behaviour. It (difference of on-line and off-line installs) also looks like a total design failure of the software management facility of the OS.

My question is: Why does Microsoft expect its users to do the job of the OS?! And by that I include Microsoft in its userbase. They should have designed a system which requires them to do the test only once. Can't imagine how much time they must burn up every day!

Ah... never mind. Just grumbling.

Re:From the article: (5, Funny)

N3Roaster (888781) | more than 8 years ago | (#12777934)

You missed the funniest bit:

This is exactly why it can take a long time to ship an IE patch. [snip] We have to make sure it doesn't break the Internet.

So, the next time someone tells you, "The Internet is broken," you can just blame Microsoft for putting out an IE patch too quickly.

Re:From the article: (1, Insightful)

timmarhy (659436) | more than 8 years ago | (#12777967)

they are a fucking multi BILLION DOLLAR company, don't they DARE try and cry about being short on man hours.

Re:From the article: (1)

Neoprofin (871029) | more than 8 years ago | (#12778095)

Having a billion trillion programmers doesn't mean you have enough of them working on any given project such as patching IE. Microsoft, like any company, has to strike the balance between having available staff for sporadic large-scale security crises, and not just having superfluous programmers lying around.

multiple code paths (1)

Gary W. Longsine (124661) | more than 8 years ago | (#12777988)

Well, there are major sub-versions, too, like IE5.5SP2, etc.

Several times over the years I've discovered multiple code paths in Windows which apparently perform the same function. I discover them because performing what is ostensibly the same act via more than one of the typically myriad interface controls that initiate the given desired action sometimes differs ever so slightly (note the sarcasm in my voice) in result. I've seen these sorts of artifacts all the way up through Windows 2000. This problem exists without looking at multiple languages and how functions may vary on that axis -- who knows.

It's clear that the design of Windows contributes to the difficulty of patching and testing it. Given that, it's impressive that they can deliver interim security patches at all. The track record of not breaking random other stuff when they fix a buffer overflow vulnerability has been pretty good lately.

Re:From the article: (2, Interesting)

Vo0k (760020) | more than 8 years ago | (#12778145)

1: languages shouldn't be a problem, that is (hopefully) not completely split up throughout the source code is it?

You'd be surprised. Very surprised.
Things are far more screwed up than you'd think. An article on development of a new OS release would come in handy, but putting things shortly, somewhere between 60 and 80% of the way through the development of the new OS, the code is branched into "local versions" which are independently developed by the corresponding local Microsoft divisions. Bugfixes, features, etc. are usually shared, but only "usually", and the final code base varies wildly. There's no simple way to "translate" a version of Windows, or port features from one to the other. That's why each language has a separate service pack and the service packs for them show up at wildly varying intervals - each team has to roll their own. That's why e.g. people in Poland used the German version of WinNT instead of the Polish one in mission-critical positions - because it's more stable. There's way more to "local versions" than plain "local language files". The design is consistent throughout the system, but the code behind it may be completely different, even if it's not really localization-related.

IE is the internet? (5, Funny)

gd2shoe (747932) | more than 8 years ago | (#12777921)

"This is exactly why it can take a long time to ship an IE patch. We're dealing with about 440 different updates that have to be tested [for different versions]. We have to test thoroughly to make sure it doesn't introduce a new problem. We have to make sure it doesn't break the Internet."

? ? ? ? ? ?

Re:IE is the internet? (2, Insightful)

Atrax (249401) | more than 8 years ago | (#12777938)

To the consumer, yes. IE is 'the internet'. Besides which, a patch which had a regression flaw and opened something exploitable by a major worm could cause mayhem beyond just breaking Windows clients. A massive DDOS caused by a hole in IE? That would be nice, eh?

Re:IE is the internet? (1)

gd2shoe (747932) | more than 8 years ago | (#12777966)

True, true, but this slip refers to your first point. Apparently, MSRC's Stephen Toulouse thinks so as well (though he may have phrased it from a user's point of view. If it was intentional, there should have been italics or something to mark such.).

Re:IE is the internet? (1)

Atrax (249401) | more than 8 years ago | (#12777999)

to be fair, it did seem to me like an offhand remark, so perhaps the esteemed journos being paid to write the puff should have italicized it. Hard to know without having the original remark handy, but as this was at TechEd, maybe a video or audio piece will become available...

Re:IE is the internet? (2, Funny)

Infinityis (807294) | more than 8 years ago | (#12777941)

They should check with Al Gore before they do anything that could break his internet...

Oh give the man a break... (2, Interesting)

Kjella (173770) | more than 8 years ago | (#12777990)

We have to make sure it doesn't break the Internet [web access provided by IE, which as far as our customers go means breaking the Internet]

The Internet wouldn't be broken as such, but I doubt the users would see it that way. To them, it doesn't matter if it is the browser, the connection or the servers (massive worm?) that is broken. They can't do what they want, hence it is broken. It is as simple as that.

Kjella

Re:Oh give the man a break... (1)

gd2shoe (747932) | more than 8 years ago | (#12778022)

Granted. Several things went into my post. First, I thought it funny that an MSRC rep slipped and suggested that IE was as good as synonymous with the internet. Second, I'm tired. That escalates irrational thought.

If he meant to say that customers would see the internet as broken, there should have been some designation of such in the article. It's the lack of italics that an intentional statement should have that makes it funny (don't know if the quote was verbal or written. Hardly matters; still funny while I'm still tired ;) ).

LOLZERS! (1, Funny)

Anonymous Coward | more than 8 years ago | (#12778117)

OMG! IE is not teh internet. AOL is!! every1 noes that d00d! ROFL!!!11

Yes (2, Funny)

samael (12612) | more than 8 years ago | (#12778201)

For 90% of people, the web is the internet.

For 88% of them, the internet is IE.

Which means that 79.2% of people think that the internet is IE.

Pick me, pick me! (5, Funny)

Infinityis (807294) | more than 8 years ago | (#12777928)

I know the process!

1. Identify holes in current software
2. Release patches that only fix some of the holes
3. Start charging for tools to take care of the rest of the holes
4. Profit!

(If you're from Indonesia, no problem, the software will only cost $1 anyways)

Re:Pick me, pick me!...Alternate Patch Process (5, Funny)

darkPHi3er (215047) | more than 8 years ago | (#12778104)

Customers Complain About a New Security Hole. The number of complaints reaches Management's "Action Threshold". The Patch Process is started.

1. First, blame the customers' other software packages for the insecurity.

2. Then, blame the customers for failing to apply service packs and hot fixes in a timely fashion.

3. Security Focus (or another of the Sec/Priv sites) calls up and threatens to "out" the hole if it isn't fixed.

4. Accuse the complaining entity of having a "partisan" agenda against your company, initiate "Four Corners" Stall -- while you try to figure out if you actually CAN patch the damn thing

5. As the news of the new exploit makes it into IRC and the UGs' Forums you issue an indignant press release stating that it has never been proven that the new exploit has even been used and is principally "theoretical".

6. As your Patch Team frantically works to get the patch out, explain that even though the chances of this exploit being used WERE previously slender or non-existent, now that some details of the exploit have been maliciously leaked, HEAVY SIGH, you'll now go ahead and fix it.

7. Issue the patch, take credit for being "Right on Top" of security issues, explain how much money and time you are spending to counter the effects of the "Few Bad People" on the Internet.

8. News starts to come in that your patch has broken a number of somewhat older apps -- explain that Users have a responsibility to use "current" software products and refer them to Sales.

9. News of another exploit comes in --GOTO 1

BTW, this is pretty much AN INDUSTRY STANDARD APPROACH

In Commercial Software, it's the FEW companies that DON'T do some version of this that are the (delightful) and unfortunately RARE exception.

Real world equivalent (4, Funny)

Anonymous Coward | more than 8 years ago | (#12777939)

Microsoft is adding a patch to a pair of jeans, but it's difficult because after all the previous patches the pair of jeans looks like a spherical ball of patches 10 feet in diameter.

The reason (1, Funny)

CrackedButter (646746) | more than 8 years ago | (#12777940)

why it takes so long to issue a patch is because it takes 8 days a week for them to get off their ass.

Re:The reason (0)

Anonymous Coward | more than 8 years ago | (#12777973)

I tried reading that several times over but could not understand what the hell you meant. Don't bother trying again.

Re:The reason (1)

DigiShaman (671371) | more than 8 years ago | (#12778146)

Naaa. The real reason is the multi levels of bureaucracy in your typical bloated corporation. Just imagine having to get each request approved by management throughout the process of start to finish.

Hahaha. (3, Funny)

BJH (11355) | more than 8 years ago | (#12777953)

We have to make sure it doesn't break the Internet.

Don't worry, guys, no matter how badly you screw up it won't hurt the Internet - because the Internet doesn't run on Microsoft boxes. Hard to imagine, I know, but true.

Re:Hahaha. (1)

baadger (764884) | more than 8 years ago | (#12778057)

Yeah because all that matters is you keep them Linux webserver farms up serving next to no requests because 80-90% of clients are dead in the water.

I'm sure the likes of Amazon.com would appreciate that so much. Thanks.

What part... (1)

BJH (11355) | more than 8 years ago | (#12778103)

...of the phrase "the Internet" are you having trouble understanding?

Hint: Internet != WWW

Re:What part... (1)

baadger (764884) | more than 8 years ago | (#12778198)

It's very unlikely IE would ever be broken to a serious extent. "We don't want to break the Internet" was only a half-serious exclamation at the end of a sentence, something that in speech would accompany a change of tone. Perhaps you missed that implied tone or my obvious sarcasm in my previous post.

But since we are taking it so seriously maybe you should consider the impact of such an occurrence.

Along with e-mail (especially for business) the WWW is what the average user of the internet at large pays their ISP bill for. What % of resource at your average datacentre is powering WWW orientated services? 80%?

I consider "rendering pointless" as breaking the Web and, since the Web is a big part of it, the Internet as well.

It could have an effect equivalent to that of the Blaster worm - but in reverse. People would stop surfing the web and it would affect revenues of hundreds of online orientated businesses - like Amazon.

Stop ranting that the Web != the Internet; the two terms are widely used interchangeably because the Web is probably second only to file sharing (maybe) and e-mail. Sure you could argue the likes of Skype and IM are making it less so - but what about the new boom in browsers and the likes of Google Maps and other web applications increasing the web's value?

I bet you've even said "surfing the net" or misused it yourself.

So quit exploiting turns of phrase and taking things so literally just because you want to make it look like Microsoft, or rather a mere mortal working for them, is stupid.

Re:Hahaha. (1)

MoriaOrc (822758) | more than 8 years ago | (#12778151)

Assuming that the ~90% of people who use IE will all upgrade their clients the day of release is just a little far fetched, don't you think?

MY XP box is still virus free and still not 'owned (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12777961)

Goes to show that running a XP box really is a safe thing to do.

Re:MY XP box is still virus free and still not 'ow (0)

DrSkwid (118965) | more than 8 years ago | (#12778115)

so what ?

I have a Win95 OSR2 net connected box here that has never been owned either

B*llsh*t ! (0)

Anonymous Coward | more than 8 years ago | (#12778006)

"Why it take so long" ... because MS does not want to stuff up the IE team as it is not an immediate profit source.

I am not blaming them, it is a normal enterprise goal : cut cost, increase margin ....

But as we all know MS do not care about IE (anticipated IE7 will be a small improvement only, nothing comparable to Dean Edwards's IE7 fix, by the way), there is no reason for any of us to use their tool.

After having dominated the browser world, Netscape sank because they did not care about improving the quality of their standards support, bringing new functionalities and making their product fast & stable. Now it is MS's turn to fall into the trap ...

Bye,bye IE ... we will (not!) miss you.

Re:B*llsh*t ! (1)

baadger (764884) | more than 8 years ago | (#12778119)

I suspect IE7 will fix most if not all of the existing CSS functionality. A native code fix for them is better than iffy javascript implementations (although admittedly I use it myself) any day.

Re:B*llsh*t ! (1)

TLLOTS (827806) | more than 8 years ago | (#12778335)

If IE7 does fix all the CSS issues, then expect some rather unhappy users of Longhorn when they go to the numerous sites that have worked around earlier versions of IE and all its flaws, and find that suddenly their websites look all funny.

I'm personally not going to hold my breath waiting for Microsoft to implement proper CSS support.

The Big Blue E (5, Funny)

value_added (719364) | more than 8 years ago | (#12778048)

"It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

Sometimes a joke doesn't need a punch line.

Ha! (4, Funny)

KenFury (55827) | more than 8 years ago | (#12778097)

"It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

Here, I fixed it for you.

"It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera."

Better

Are monkeys involved? (1)

noidentity (188756) | more than 8 years ago | (#12778101)

I haven't RTFA, but I'm guessing there will be mention of lots of monkeys banging away at keyboards and one big balding monkey boss who is able to speak one word of English starting with the letter 'D'.

Liars (5, Informative)

cperciva (102828) | more than 8 years ago | (#12778110)

Quoth the article:
We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. We commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one

My experience directly contradicts this on all points.

When I reported the hyperthreading security flaw [daemonology.net] to Microsoft, I was provided with the first name of the person who was responsible for dealing with it ("Christopher"), but I was not provided with his last name, phone number, or any e-mail address (apart from the generic secure@microsoft.com address which I used to report the problem). Later the issue was transferred to "Brian" -- again, no last name, no email address, and no phone number.

Over the following two months, I heard from three independent third parties that Microsoft was "very concerned" about this issue, and had "several people" looking at it; but they never made it clear that they wanted to work closely with me -- in fact, they ignored all my attempts at co-operation.

Finally, prior to releasing my paper, I sent several emails to Microsoft asking about their progress and asking for a vendor statement for my web site; again, they did not respond.

Re:Liars (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#12778152)

Colin,

Despite what the article says, what do you think Microsoft owes you in this case?

Seriously.

The answer to any of your requests for progress reports is going to be (at best) "and you are...?" They've already got your papers, what more do they need? In fact, they've got the inside scoop on the Intel chips and dedicated Intel engineers working specifically on this problem for Microsoft. The two companies are so closely related and dependent upon each other that this is simply the reality of the situation.

You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

So yeah, they are talking out their ass in the article. SURPRISE!!!

Not.

Re:Liars (5, Insightful)

cperciva (102828) | more than 8 years ago | (#12778228)

Despite what the article says, what do you think Microsoft owes you in this case?

Nothing. However, I do believe that they owe the public, and their shareholders, the truth about how they handle security issues -- which, judging by my experience, they did not provide in the linked news article -- and I believe that they should take every opportunity available to improve their security, including working with the people who report security issues to them.

You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

Maybe; or maybe not. I'm not just an academic who happened to stumble across a security problem; I'm also a FreeBSD deputy security officer. I may not have quite as much experience at dealing with security issues as they have, but I don't think I'm a complete "nobody" in security circles either.

I'd say the difference is... (4, Insightful)

Kjella (173770) | more than 8 years ago | (#12778132)

...purely political.

Microsoft wants to give you one "bad news" per month. Predictable, patch time is "low" meaning the time between release and installation is low. It is easy for IT staff to work that way, you can schedule it.

OSS will give you a patch per issue, patch time is near instant, but they keep coming at you all the time, whenever you can't afford to waste time installing them. That is why you need a distro to keep you patched at all times.

The rest? Bullcrap. The security patches for Linux don't cause more regression issues than Windows. Like Microsoft, they do audits but instead of one "catch 'em all" release, they do several. In short, it is to make Windows look good.

Kjella

FROSYT PIST (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#12778212)

'Yes' to 4ny

why patching ie takes so long (0)

Anonymous Coward | more than 8 years ago | (#12778251)

The reason it takes so long to get an IE patch out of the door is because the IE code base is a complete and utter mess. The reason the IE code base is a complete and utter mess is because Microsoft hacked the thing together in a few weeks to put Netscape out of business. Unfortunately, having done this they didn't then do the next thing they should have and could have afforded to do - basically junk it and do the job properly. This is also why IE still has more holes in it than your average sieve.


note to /. editors: Some of these "I am a human script" images are, as far as I can work out, impossible for mere humans to read....

"enter the numbers" images (0)

Anonymous Coward | more than 8 years ago | (#12778346)

note to /. editors: Some of these "I am a human script" images are, as far as I can work out, impossible for mere humans to read....

So log in, earn your karma bonus and they'll go away. And you can still post anonymous, like meeeee!

The real reason it all takes so long ... (-1)

Anonymous Coward | more than 8 years ago | (#12778354)

...is that they have to consult with Al Gore whether a patch will break the Internet.