This is a multi-part message in MIME format. ------=_NextPart_000_000C_01BF6423.7E61B9F0 Content-Type: multipart/alternative; boundary="----=_NextPart_001_000D_01BF6423.7E61B9F0" ------=_NextPart_001_000D_01BF6423.7E61B9F0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Matt - Our ultimate goal is to deliver all security patches through two mechanisms: * WindowsUpdate for customers who would like to have all needed patches automatically installed on their machines with a minimum of effort. * The Download Center for customers who want to download patches and install them manually, or who want to deploy patches throughout a network. The DC eventually will replace ftp.microsoft.com. Right now, we're in transition. We are no longer deploying patches to the FTP site, and will soon start migrating older patches from the FTP site to the DC. All new patches are being deployed to the DC. In some cases, they're also being deployed to the WindowsUpdate site. Whether or not a patch goes to WindowsUpdate depends on what platform it's intended for -- Windows 95, 98 and 2000 support WindowsUpdate, but Windows NT 4.0 does not. There's usually a lag between when we deploy a patch via the DC, and when it's available via WindowsUpdate. As you can imagine, it's a mammoth job to set up and test the scripts to sniff every possible combination of machines, OSes, and applications, and apply the right version of the patch to each one. As a result, WindowsUpdate is refreshed according to a predefined schedule. When a patch is ready for release, we deploy it to the DC, and then put it into the queue for the next WindowsUpdate refresh. That way, customers can assess the tradeoff between the urgency of the patch and the ease of installation, and choose whether to get it immediately from the DC or wait until it's available from WindowsUpdate. Hope that helps explain what we're doing. Regards, Secureat_private Microsoft has a new acknowledgment policy for security bulletins. http://www.microsoft.com/security/bulletins/policy.asp -----Original Message----- From: Matt Davis [mailto:bigdogat_private] Sent: Wednesday, January 19, 2000 2:01 PM To: BUGTRAQat_private Subject: Re: Microsoft Security Bulletin (MS00-005) Which brings up a good question.. What makes a vulnerability WindowsUpdate material? Why does Microsoft not put all security/bug fixes on the Windows Update site as recommended updates? On Wed, 19 Jan 2000 bugtraqat_private wrote: > Interesting that this is not a part of Windows 98's Windows > Update. If it was a serious enough vulnerability to fix you would think > that it would also be easy to download and install without subscribing to > any security related lists. :> > > _John --- Matt Davis - ICQ# 934680 http://dogpound.vnet.net/~bigdog/ NoWonder UNIX Tech - http://www.nowonder.com I think someone should have had the decency to tell me the luncheon was free. To make someone run out with potato salad in his hand, pretending he's throwing up, is not what I call hospitality. ------=_NextPart_001_000D_01BF6423.7E61B9F0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2788.0"> <TITLE></TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2 FACE=3D"Arial">Hi Matt -</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Our ultimate goal is to deliver all = security patches through two mechanisms:</FONT> <UL> <LI><FONT SIZE=3D2 FACE=3D"Arial">WindowsUpdate for customers who would = like to have all needed patches automatically installed on their = machines with a minimum of effort.</FONT></LI> <LI><FONT SIZE=3D2 FACE=3D"Arial">The Download Center for customers who = want to download patches and install them manually, or who want to = deploy patches throughout a network. The DC eventually will = replace ftp.microsoft.com.</FONT></LI> <BR> </UL> <P><FONT SIZE=3D2 FACE=3D"Arial">Right now, we're in transition. = We are no longer deploying patches to the FTP site, and will soon start = migrating older patches from the FTP site to the DC. All new = patches are being deployed to the DC. In some cases, they're also = being deployed to the WindowsUpdate site. Whether or not a patch = goes to WindowsUpdate depends on what platform it's intended for -- = Windows 95, 98 and 2000 support WindowsUpdate, but Windows NT 4.0 does = not. </FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">There's usually a lag between when we = deploy a patch via the DC, and when it's available via = WindowsUpdate. As you can imagine, it's a mammoth job to set up = and test the scripts to sniff every possible combination of machines, = OSes, and applications, and apply the right version of the patch to each = one. As a result, WindowsUpdate is refreshed according to a = predefined schedule. When a patch is ready for release, we deploy = it to the DC, and then put it into the queue for the next WindowsUpdate = refresh. That way, customers can assess the tradeoff between the = urgency of the patch and the ease of installation, and choose whether to = get it immediately from the DC or wait until it's available from = WindowsUpdate.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">Hope that helps explain what we're = doing. Regards,</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Secureat_private</FONT> </P> <P><U><FONT SIZE=3D2 = FACE=3D"Arial"> &nbs= p;  = ; = &= nbsp; </FONT></U>=20 <BR><I><FONT SIZE=3D2 FACE=3D"Arial">Microsoft has a new acknowledgment = policy for security bulletins. <A = HREF=3D"http://www.microsoft.com/security/bulletins/policy.asp" = TARGET=3D"_blank">http://www.microsoft.com/security/bulletins/policy.asp<= /A></FONT></I></P> <BR> <P><FONT SIZE=3D2 FACE=3D"Arial">-----Original Message-----</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">From: Matt Davis [<A = HREF=3D"mailto:bigdogat_private">mailto:bigdogat_private<= /A>]</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Sent: Wednesday, January 19, 2000 2:01 = PM</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">To: BUGTRAQat_private</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Subject: Re: Microsoft Security = Bulletin (MS00-005)</FONT> </P> <BR> <P><FONT SIZE=3D2 FACE=3D"Arial">Which brings up a good question.. = What makes a vulnerability</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">WindowsUpdate material?</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Why does Microsoft not put all = security/bug fixes on the Windows Update</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">site as recommended updates?</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">On Wed, 19 Jan 2000 = bugtraqat_private wrote:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">> = Interesting that this is not a part of Windows 98's Windows</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">> Update. If it was a serious = enough vulnerability to fix you would</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">think</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">> that it would also be easy to = download and install without subscribing</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">to</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">> any security related lists. = :></FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">></FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">> = _John</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">---</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Matt Davis - ICQ# 934680</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"><A = HREF=3D"http://dogpound.vnet.net/~bigdog/" = TARGET=3D"_blank">http://dogpound.vnet.net/~bigdog/></FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">NoWonder UNIX Tech - <A = HREF=3D"http://www.nowonder.com" = TARGET=3D"_blank">http://www.nowonder.com></FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">I think someone should have had the = decency to tell me the luncheon was</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">free. To make someone run out with = potato salad in his hand, pretending</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">he's throwing up, is not what I call = hospitality.</FONT> </P> </BODY> </HTML> ------=_NextPart_001_000D_01BF6423.7E61B9F0-- ------=_NextPart_000_000C_01BF6423.7E61B9F0 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJ/TCCAj0w ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNMjgwODAxMjM1OTU5WjBfMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF 4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEATD+4i8Zo3+5DMw5d 6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix 3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtHuhNbB7Jbq4046rPzidADQAmPPR cZQwggMuMIICl6ADAgECAhEA0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYD VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGlj IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEy MjM1OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5j b3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqB S7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc 48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZIAYb4QgEBBAQDAgEG MEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNv bS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B AQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ43BuYDAeGW4UVag+5SYWklfEXfWe0 fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg 5V+CprGoksVYasGNAzzrw80FopCubjCCBIYwggPvoAMCAQICEAVbo7ZcNCuluzJSdf+s4CIwDQYJ KoZIhvcNAQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln biBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBB IEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAx IENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNOTkxMjMw MDAwMDAwWhcNMDAxMjI5MjM1OTU5WjCCASoxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3Jl cG9zaXRvcnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJz b25hIE5vdCBWYWxpZGF0ZWQxNDAyBgNVBAsTK0RpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29m dCBGdWxsIFNlcnZpY2UxKzApBgNVBAMUIk1pY3Jvc29mdCBTZWN1cml0eSBSZXNwb25zZSBDZW50 ZXIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyZUBtaWNyb3NvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQC5p8rQpjuPFFZf+KLtESi391k/8oOw6zOIOx6odUMFfulf0clSmvKn8ubcfOeR /4n0uTGhvBnMO0zP/g6xKoDwFIzY/5DNY2VmZ7wLIxpvfwDjBTSAdw53t60rJzs8PmB26FgbJ69B Y+rnsR3xg+HUok+BIvYS6GTHUzmwQdonEQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADCBrAYDVR0g BIGkMIGhMIGeBgtghkgBhvhFAQcBATCBjjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNp Z24uY29tL0NQUzBiBggrBgEFBQcCAjBWMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWdu J3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmNlIGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJ YIZIAYb4QgEBBAQDAgeAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29t L2NsYXNzMS5jcmwwDQYJKoZIhvcNAQEEBQADgYEAOZ+QMi8SC6JAG4j9hdZPbZtHPPsJ0o8g7g2y N6IBGcQkiuxStuH+QfYv1P6/o14un3gk1CEFmNvj2a9ed1Ah7rbhM+jdhsS4zdZvIevU7AQzfY6Z FNfi6feQlseXgvKD0kSIvhyw9sUu4vvugYN4wtiYJRFHDCUKm4L2+Cs2pXsxggMcMIIDGAIBATCB 4TCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBC eSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZp ZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZAIQBVujtlw0K6W7MlJ1/6zgIjAJ BgUrDgMCGgUAoIIBkDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0w MDAxMjEyMzIzMzlaMCMGCSqGSIb3DQEJBDEWBBQDtRA8BZrwkw73y/Z/Cb4nfKOwGTA8BgkqhkiG 9w0BCQ8xLzAtMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIaMAoGCCqGSIb3DQIFMIHy BgkrBgEEAYI3EAQxgeQwgeEwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRv cnkvUlBBIEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBD bGFzcyAxIENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQCEAVb o7ZcNCuluzJSdf+s4CIwDQYJKoZIhvcNAQEBBQAEgYBBMjG2hMnf8Mxh6iYB7QcJpNMJEdlbktnL v42p7aOudLBdpzainc9/clcj+R7RdbtaOHrSUhnKwuKpWUJgd9VH6j/qMEPEy9Ue2omIPwCFUHs5 fTGqnwUFfFMs0au86SPly+v9817zO4A1oItikks2cn7fZTc6kID8rztPQ/08rgAAAAAAAA== ------=_NextPart_000_000C_01BF6423.7E61B9F0--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:30:19 PDT