Microsoft's stated that out-of-band releases will occur if a patch is ready
enough, and there's reason to release the patch (e.g. an exploit circulating
in the wild). From what I heard today, regression testing is still being
performed on the patch they are intending to release.

Cheers
Ken

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hank Arnold
Sent: Wednesday, 4 January 2006 9:35 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th

As one who lived through the days of patches generated at random (and often
re-issued with corrections) I really appreciate the "Patch Tuesday"
approach. It used to be a given that you applied *NO* update until you
waited a decent interval to see what problems the user community
reported.... Now, the risk is minimal and automatic patching (except for
servers) is the norm... Add to that the fact that existing tools and
practicing "safe computing" protect you from virtually all attacks and I
think we are *way* better off than we used to be.......

I think, though, that it might be useful for MS to be a bit more aggressive
in getting out security updates, especially critical ones like the WMF
exposure. How about a "Critical Patch Tuesday" (say the 4th Tuesday) used
only when a fix can't wait until "Patch Tuesday"?


Regards,
Hank Arnold

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Tuesday, January 03, 2006 12:33 PM
To: [email protected]
Subject: [ActiveDir] OT: WMF issue - patch on the 10th

What's Microsoft's response to the availability of third party patches for
the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security updates
to ensure that they are of high quality and have been evaluated thoroughly
for application compatibility. In addition, Microsoft's security updates are
offered in 23 languages for all affected versions of the software
simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

Why is it taking Microsoft so long to issue a security update?

Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat on
the affected product. Once the MSRC knows the extent and the severity of the
vulnerability, they work to develop an update for every supported version
affected. Once the update is built, it must be tested with the different
operating systems and applications it affects, then localized for many
markets and languages across the globe.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/