http://www.microsoft.com/mspress/uk - Problem solved..

  • prog_dotnet


    Problem solved...

  • jonathanh

    Fixed. Thanks to a Channel9 reader for emailing me directly - by the time I had sent out an internal email trying to find the "appropriate people", they were already all over it :)

  • prog_dotnet

    no need to have the picture up then, editing the post...

  • jonathanh

    Hmmm, I'm not seeing it coming back. I just got a "directory listing denied", followed by a couple of "We're sorry, we were unable to service your request" errors.

    I wonder if the fix is still propagating? (i.e., is this one of the microsoft.com pages that gets served by Akamai?)

  • prog_dotnet

    ....

  • Shining Arcanine

    I was just reading about this.

    Anyway, I came here to say... This doesn't look good for Microsoft security-wise. Why don't you guys have Windows Update automatically patch your computers?

  • prog_dotnet

    hmm, well that depends how deep the penetration has been and what version of IIS the site was running on.
    But without any knowledge of the problem on hand, any other statements would be pure speculation.

    It would be nice if you could come back with some info about what happened, and the necessary steps taken to prevent such incidents in the future.

  • Shining Arcanine

    prog_dotnet said:
    hmm, well that depends how deep the penetration has been and what version of IIS the site was running on.
    But without any knowledge of the problem on hand, any other statements would be pure speculation.

    It would be nice if you could come back with some info about what happened, and the necessary steps taken to prevent such incidents in the future.


    Personally, I think that they should be running the latest software especially because they are the ones that make it.

    However you are right, I don't know the entire situation.

  • prog_dotnet

    Reputation-wise, no company would ever like their sites to be defaced. But it is too soon to speculate on why this happened.
    Anyway; I don't think the servers use win update directly, but download approved hotfixes and patches from an internal SUS server.

  • Shining Arcanine

    prog_dotnet wrote:

    Reputation-wise, no company would ever like their sites to be defaced. But it is too soon to speculate on why this happened.
    Anyway; I don't think the servers use win update directly, but download approved hotfixes and patches from an internal SUS server.



    If that is true, then they need to have the system administrator either work faster or get someone to help out with the patch validation.

    Does Microsoft even validate the patches for their servers? I'm wondering since I read that RCs are dogfooded, so it is possible that Microsoft would just roll the patches, when declared ready for release by the devs, across the computers.

  • prog_dotnet

    If you follow best practices, any hotfix or update shall first be tried on a test server.
    Patch management would go in six steps.

    1. notification
    2. assessment
    3. obtaining
    4. testing
    5. deploy
    6. and validate

    Also; there are different versions of updates. Like hotfixes address problems reported by customers. They are developed in a short period of time, and with less testing than other update types.

    Some hotfixes are also called security fixes, as they are found by the MSRC team (Microsoft Security Response team) and not reported by the PSS (Product Support Service) based on customer complaints.

  • Shining Arcanine

    prog_dotnet wrote:
    If you follow best practices, any hotfix or update shall first be tried on a test server.
    Patch management would go in six steps.

    1. notification
    2. assessment
    3. obtaining
    4. testing
    5. deploy
    6. and validate

    Also; there are different versions of updates. Like hotfixes address problems reported by customers. They are developed in a short period of time, and with less testing than other update types.

    Some hotfixes are also called security fixes, as they are found by the MSRC team (Microsoft Security Response team) and not reported by the PSS (Product Support Service) based on customer complaints.


    I was asking because there is a possibility that Microsoft dogfoods the hotfixes.

  • prog_dotnet

    Patches come in 3 formats:

    • Hotfixes: as I explained in the previous post

    • Roll-ups: a roll-up fix combines the updates of several hotfixes into a single update file. Roll-up fixes are run through more testing than single hotfixes but are released more frequently than service packs.

    • Service Packs: collection of all hotfixes released since the OS’s or application’s release, including hotfixes released in previous service pack versions. These collections include fixes not previously released and occasionally introduce new functionality. Service packs undergo extensive testing before their release to ensure no deployment issues exist. Microsoft might issue several beta releases of a service pack before it is ready for the public.

    Development of a Hotfix

    Once product support or the MSRC identifies the need for a hotfix, the development process begins. This process differs between operating systems and applications, but the same general method is used:

    1. The vulnerability identified by MSRC or the bug identified by product support is escalated to the Microsoft sustained engineering team.

    2. The sustained engineering team investigates the bug and assigns it to a developer. The developer might be on the sustained engineering team or might be the core team developer responsible for the OS or application component.

    3. The developer creates an initial hotfix. This hotfix addresses the vulnerability or bug but does not undergo testing other than that performed by the developer. This version of the hotfix is referred to as a private.

    4. The private is sent to the customer who reported the problem to MSRC or to product support. The customer deploys the private to determine whether it corrects the problem.

    5. If the customer reports that the bug is fixed, the sustained engineering team registers the bug against the next version of the OS or application. This ensures that the next release does not include the same bug.

    6. The private is provided to the core team developer responsible for the OS or application component affected by the vulnerability. The developer reviews the hotfix to ensure no other issues exist.

    7. When the developer completes her analysis, the hotfix is submitted to the build lab, which creates the hotfix and runs it through several build verification tests.

    8. The hotfix is then passed through testers. The testers ensure that the hotfix works as expected. Because of time constraints, testing is not as extensive as the testing performed on service packs.

    9. Localization teams review the hotfix to determine whether localized versions are required for different language versions of the OS or application. If required, localized versions are developed.

    10. The completed hotfix is released to customers. If the hotfix is deemed a security update, Microsoft releases a related security bulletin that applies a vulnerability rating and provides further descriptions of the vulnerability.

    Source: Microsoft Windows Security Resource Kit

  • Shining Arcanine

    I was asking if Microsoft rolls out the hotfixes across the campus right away (probably not, judging by the recent hacking, but just in case) as they were the ones that developed it. It is really something only a Microsoft employee could answer.

  • lars

    prog_dotnet wrote:
    Anyway; I don't think the servers use win update directly, but download approved hotfixes and patches from an internal SUS server.


    So it is not an automatic process rolling out the updates? If Microsoft does not trust their own updates well enough to do automatic updates - why should anyone else do it?

    /Lars.

  • spiderLab

    Shining Arcanine wrote:
    prog_dotnet said:
    hmm, well that depends how deep the penetration has been and what version of IIS the site was running on.
    But without any knowledge of the problem on hand, any other statements would be pure speculation.

    It would be nice if you could come back with some info about what happened, and the necessary steps taken to prevent such incidents in the future.


    Personally, I think that they should be running the latest software especially because they are the ones that make it.

    However you are right, I don't know the entire situation.



    Saw the first post here: http://channel9.msdn.com/ShowPost.aspx?PostID=8502#8502

  • Charles

    I'm not sure how this thread has diverged into a discussion of automatic patch management. Details about what went wrong this morning are not available. It has little to do with Microsoft's internal patching process, which, as you might imagine, is what you'd expect to be in place at one of the largest software companies in the world that also happens to write the software it writes software on...

    Without knowing the details, it's hard to tell what happened. I'll go out on a limb and say that automated patch management had little to do with it.

    Charles

  • mikekol

    lars wrote:


    So it is not an automatic process rolling out the updates? If Microsoft does not trust their own updates well enough to do automatic updates - why should anyone else do it?

    /Lars.


    Why would you auto-update a production server?  Since - unfortunately - most updates require a reboot, why in the world would you tell the server to do it automatically?

    Also - we don't know that this happened due to an unpatched server, do we?
