Security Patch Creation at Microsoft

devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."

Re:Testing is only a priority on closed source app

[Atrax]

are you seriously suggesting you'd just release a brand new patch into the wild without even cursory testing?

who's going to want to install it? when everyone is a guinea pig, a certain reluctance to jump in first may manifest itself.

Re:Liars

[cperciva]

Despite what the article says, what do you think Microsoft owes you in this case?

Nothing. However, I do believe that they owe the public, and their shareholders, the truth about how they handle security issues -- which, judging by my experience, they did not provide in the linked news article -- and I believe that they should take every opportunity available to improve their security, including working with the people who report security issues to them.

You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

Maybe; or maybe not. I'm not just an academic who happened to stumble across a security problem; I'm also a FreeBSD deputy security officer. I may not have quite as much experience at dealing with security issues as they have, but I don't think I'm a complete "nobody" in security circles either.

Re:Testing is only a priority on closed source app

[xtracto]

Although teorethicaly it is possible to sell OSS, it is not proffitable.

Why would someone want to buy something he can download for free in other place?, if people tend to "download for free" something that they CAN NOT (by law) use for free??

Of course, now you will tell me that RedHat, Mandrake, etc etc are making buisness with OSS, but the truth is they are making buisness SELLING SERVICES, not the software.

Now, I am a programmer (well, I was a programmer before I started my PhD), I really like to program, when I was in the University I was a Linux advocate (although when I was in High School I was a FreeBSD advocate... can you imagine I bought FreeBSD without really knowing what was it... then when it arrived I spent like 3 weeks installing it, I was like 13 or something).

But, after I finished the University I had written some programs which I wanted to sell, hell I DO know how to program...

I put them like shareware on the internet, it was cool, but I also wanted to "contribute" to the OSS, in the "real world" (i.e. outside the net in my life) I was trying to get a job, As I lived in Mexico that was no easy task, so all my income was from my shareware programs and some money my parents gave me.

But I WANT to program for a living, and that is NOT possible with OSS, only people who have a name and are at the top position in this "OSS" power hierarchy can do it.

There where possibilites of open sourcing my programs and then proffiting with the "customer" services, of course the money I would get there was going to be a hell less than the money I won with my shareware (which was not a lot of course) and besides I DID NOT studied any kind of administration or client service degree I AM A FUCKING PROGRAMER and I want to program because THAT IS WHAT I KNOW HOW TO DO!!

So no, it is not possible to live selling OSS, it MAY be possible to live selling a service but not by pure development.

And of course it is possible to get hired in a company which develop open source as a branch (IBM, Sun, Mandrake, etc) and you could say that you earn your living with OSS... but the one that is paying you is the company.

Nowadays I am making my PhD outside Mexico (no, not in the US, in Europe). I have a wider view of this OSS, and althouh I understand it is great for acadamey (in fact I OSS it every day) It is NOT right for the commercial developer... And now as I have seen the Programming buisness is very crowded I have decided to enter the academy buisness, that way when I return to my country with a Europe degree I would be able to enter and teach somewhere at least...

And, I will be able to use and create OSS (of course as a side project JUST FOR FUN). At the end, that is why the OSS projects propsere, people do them JUST. FOR. FUN.

Re:Right

[DogDude]

I do run a business, in fact. And yes, I could pay somebody a small fortune to review patches for me. With most applications, TCO is already down the toilet just with the time it would take to *find* somebody who could do it, never mind actually paying the person. Case in point... the last Firefox upgrade broke all of our machines (Firefox quit working on all of my machines... I hope that was all that was effected). IE has never done that. Insignficiant program, true, but what am I supposed to do... hire somebody to review each of Firefox's releases to tell me whether or not they'll work? Am I supposed to spend, what, $10-20K to have a Unix programmer come in to analyze the latest Firefox build and tell me where the problem is? That's insane. Instead, we simply removed Firefox from all of our machines, and went with IE, which was already properly tested before being pushed out to users. Much cheaper. Much simpler. Much quicker time for me to get back to the core of my business (which trying to get broken web browsers to work).