Security Patch Creation at Microsoft

devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."

1,000,000 monkeys

[weighn]

so, after all we've been led to believe, Windaz patches aren't being written by one-million monkeys?

Re:Testing is only a priority on closed source app

[BigBuckHunter]

The fact isthat no-one is going to apply a patch to a critical environment unless it's been through major testing

At the risk of staying on topic:
The fact is that no-one is going to have a critical environment that uses IE. If you're using wininet or winhttp for your mission critical apps, shame on you.

BBH

Re:UDP Floods

Try not running an unpatched copy of Windows from 2001. Ever hear of SP2?

Re:Liars

Colin,

Despite what the article says, what do you think Microsoft owes you in this case?

Seriously.

The answer to any of your requests for progress reports is going to be (at best) "and you are...?" They've already got your papers, what more do they need? In fact, they've got the inside scoop on the Intel chips and dedicated Intel engineers working specifically on this problem for Microsoft. The two companies are so closely related and dependent upon each other that this is simply the reality of the situation.

You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

So yeah, they are talking out their ass in the article. SURPRISE!!!

Not.