[13522] in bugtraq

Re: Microsoft Security Bulletin (MS00-005)

daemon@ATHENA.MIT.EDU (Microsoft Product Security Respons)
Sun Jan 23 23:17:51 2000

Mime-Version: 1.0
Content-Type: multipart/signed; micalg=SHA1;
              boundary="----=_NextPart_000_000C_01BF6423.7E61B9F0";
              protocol="application/x-pkcs7-signature"
Message-Id:  <D1A11CCE78ADD111A35500805FD43F580438FEF8@RED-MSG-04>
Date:         Fri, 21 Jan 2000 15:23:41 -0800
Reply-To: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
X-To:         "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.

------=_NextPart_000_000C_01BF6423.7E61B9F0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_000D_01BF6423.7E61B9F0"


------=_NextPart_001_000D_01BF6423.7E61B9F0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi Matt -

Our ultimate goal is to deliver all security patches through two
mechanisms:
*	WindowsUpdate for customers who would like to have all needed
patches automatically installed on their machines with a minimum of
effort.
*	The Download Center for customers who want to download patches
and install them manually, or who want to deploy patches throughout a
network.  The DC eventually will replace ftp.microsoft.com.

Right now, we're in transition.  We are no longer deploying patches to
the FTP site, and will soon start migrating older patches from the FTP
site to the DC.  All new patches are being deployed to the DC.  In some
cases, they're also being deployed to the WindowsUpdate site.  Whether
or not a patch goes to WindowsUpdate depends on what platform it's
intended for -- Windows 95, 98 and 2000 support WindowsUpdate, but
Windows NT 4.0 does not.

There's usually a lag between when we deploy a patch via the DC, and
when it's available via WindowsUpdate.  As you can imagine, it's a
mammoth job to set up and test the scripts to sniff every possible
combination of machines, OSes, and applications, and apply the right
version of the patch to each one.  As a result, WindowsUpdate is
refreshed according to a predefined schedule.  When a patch is ready for
release, we deploy it to the DC, and then put it into the queue for the
next WindowsUpdate refresh.  That way, customers can assess the tradeoff
between the urgency of the patch and the ease of installation, and
choose whether to get it immediately from the DC or wait until it's
available from WindowsUpdate.

Hope that helps explain what we're doing.  Regards,

Secure@microsoft.com


Microsoft has a new acknowledgment policy for security bulletins.
http://www.microsoft.com/security/bulletins/policy.asp


-----Original Message-----
From: Matt Davis [mailto:bigdog@DOGPOUND.VNET.NET]
Sent: Wednesday, January 19, 2000 2:01 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Microsoft Security Bulletin (MS00-005)


Which brings up a good question..  What makes a vulnerability
WindowsUpdate material?

Why does Microsoft not put all security/bug fixes on the Windows Update
site as recommended updates?

On Wed, 19 Jan 2000 bugtraq@NS.DOOMSDAY.COM wrote:

> 	Interesting that this is not a part of Windows 98's Windows
> Update.  If it was a serious enough vulnerability to fix you would think
> that it would also be easy to download and install without subscribing to
> any security related lists.  :>
>
> 	_John

---
Matt Davis - ICQ# 934680
http://dogpound.vnet.net/~bigdog/
NoWonder UNIX Tech - http://www.nowonder.com

I think someone should have had the decency to tell me the luncheon was
free. To make someone run out with potato salad in his hand, pretending
he's throwing up, is not what I call hospitality.

------=_NextPart_001_000D_01BF6423.7E61B9F0--

------=_NextPart_000_000C_01BF6423.7E61B9F0--