-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:[EMAIL PROTECTED]]On Behalf Of Russ


I've waited for a week now to get additional information on the cause
of the problems with MS01-052. Microsoft have seen fit not to provide
us with any additional information beyond:

"The issue is a result of a human error in the patch building
process. Microsoft deeply apologizes for any problems this has
caused. We assure you that a thorough investigation is being
conducted into the cause of this problem and aggressive steps are
being taken to prevent it from happening again."

From that statement Microsoft expects to reassure us that when we
implement their push feature of Windows Update, we won't find our
machines disabled, unable to reboot, or unable to function the
service a Hotfix is intended to patch. We have to accept that the
"aggressive steps" they refer to were not thought of as part of the
Microsoft Strategic Technology Protection Program (MSTPP),
implemented two weeks before this broken Hotfix was released to the
public.

There's no way I could trust such a process without the knowledge
that when they screw up, they're going to make every effort to
provide me sufficient information with which I can trust their future
actions.

MS01-052, as initially made available to the public, could not
possibly have passed even basic testing. You installed it, rebooted,
and the system stopped functioning properly. You either ended up with
a BSOD, or your Terminal Services were unresponsive.

1. They have claimed that it was a packaging error. "The issue is a
result of a human error in the patch building process," yet it still
took them 4+ days to get a revised version of the patch out. The
timeframe suggests it was something other than a packaging error.
NTBugtraq advised the public that the patch was broken, Microsoft did
not see fit to inform people who had already downloaded the patch
that it would break their systems. Sure, they stopped making it
available, but what of the people who had already downloaded it?

2. According to:

http://www.microsoft.com/technet/columns/security/sectour.asp

"When all of the packages have been built, they must be digitally
signed - after all, we need a way to assure our customers that they
really did come from Microsoft. Then it's back to the test lab again.
This time, we verify that the digital signature on each package is
correct, that the package installs and uninstalls correctly, and we
verify once again that the patch works as advertised once it's
installed."

Obviously MS01-052 didn't follow that process; any idiot would have
been able to see that it killed the Terminal Services it was intended
to fix. So how come the stated process, the one that has such new
focus and emphasis, failed to follow its own basic steps?

What went wrong? Who screwed up? Which part of the process failed,
and how can we be expected to believe it's being fixed?

3. MS01-052 was only the second Hotfix to be produced after the
announcement of the MSTPP. It should have been produced under the
glaring light of the new focus and emphasis that Microsoft has stated
is being applied to security issues. The MSTPP announcement stated a
new mechanism for getting Hotfixes out to customers was in the works,
one that would allow fixes to be pushed out to clients automatically.

Microsoft stated, in the Security Bulletin revision they published on
MS01-052 v2.0, "Because the patches were only available for a few
hours, only a small number of customers had downloaded them." Whether
or not this is true isn't important; under the MSTPP such a
distribution of a Hotfix could be in the systems of millions of users
in the same amount of time.

Clearly the new focus and emphasis failed to catch this problem, or
acknowledge that Hotfixes are often rapidly downloaded and deployed.
The MSTPP announcement was full of bluster but didn't follow through
with effective process changes to ensure it could fulfill its stated
goals. While the automatic update client is still pending, what can
we look forward to? More of this type of ineffective and destructive
patches being automatically installed on everyone's systems?

4. It took 4+ days to get a replacement patch. How, under the process
of the MSTPP, will Microsoft handle this situation in the future?
Will Microsoft automatically remove defective patches from systems
which have automatically applied them? What if the problem affects
networking components which prevent the machine from being able to
reach the Microsoft site for such information (information that tells
it to remove a defective patch)?

Will users go to connect to their servers only to find out that an
automatically applied Hotfix has rendered it inaccessible, or
possibly even brought the system down?

5. Hotfixes, like all Microsoft software, contain the standard
Disclaimer:

"The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply."

How can Microsoft reasonably make the claims they do about their new
focus and emphasis on "Get Secure" and "Stay Secure" when there is no
"fitness for a particular purpose" on a Hotfix, whose sole purpose in
life is to rectify a software problem that Microsoft has
acknowledged? It must be "fit for a particular purpose"; it must fix
the problem they state they are fixing. When it doesn't, disclaimers
shouldn't apply.

Especially since that disclaimer also says they won't be liable for
any damages incurred. In an automatic update scenario, coupled with
an ineffective and flawed Hotfix production process, customers should
be able to rest assured Microsoft will make restitution when they
break customers' systems. You can put limitations on this, but the
bottom line is that when a patch is pushed to the public which breaks
all systems it's applied to (as is the case with MS01-052 v1.0),
Microsoft should be culpable.

Their lack of willingness to accept that responsibility suggests we
cannot trust a push mechanism from Microsoft. This extends to
Software Subscription as well.

6. Clearly there is absolutely no need for an automatic push
mechanism for Hotfixes before we have Federated Corporate Windows
Update. Who in their right mind, based on this experience if nothing
else, would allow their systems, typically critical systems which
need patches sooner than other systems, to be automatically updated
without prior testing of the patch? I sure wouldn't recommend it to
anyone.

So why give us the push client before we're able to push from our own
Windows Update server?

Finally, many of you submitted messages to NTBugtraq expressing your
outrage at the way this patch was handled. Knowing the process
Microsoft uses to produce patches, I defended them to the extent that
I believed there was going to be an explanation forthcoming.
NTBugtraq's not meant to be a venting forum, but maybe if I'd let
more of you express your concerns Microsoft may have responded.

I normally defend Microsoft, something I'm frequently criticized for.
I privately sent email to Microsoft to encourage them to address this
issue publicly, at least for NTBugtraq subscribers, to reassure us.
They've decided not to do that, and they haven't responded privately
to my request on your behalf.

You might want to contact Microsoft yourself, at
[EMAIL PROTECTED], to see if they can offer you an explanation
that responds to some or all of the concerns above.

Cheers,
Russ - NTBugtraq Editor
