how long it took MS to come out with patch

on 17.01.2008 20:29:49 by tony

since 2003 or the release of IIS6, there have been 3 advisories for IIS6

1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
released 10/12/2004

2. MS04-034 is an ASP vulnerability that could lead to remote code
execution - released 7/11/2006

What was the timeline between when the vulnerability was known and the
release of the patch from MS?

Re: how long it took MS to come out with patch

on 18.01.2008 10:31:11 by David Wang

On Jan 17, 11:29 am, "tony" wrote:
> since 2003 or the release of IIS6, there has been 3 advisories for IIS6
>
> 1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
> released 10/12/2004
>
> 2. MS04-034 is an ASP vulnerability that could lead to remote code
> execution - released 7/11/2006
>
> What was the timeline between when the vulnerability was known and the
> release of patch from ms?


Well, if it's not already publicly disclosed, then I certainly cannot
tell you...

Why exactly do you want to know?

Rest assured, we certainly do not delay in acting on or announcing
them.

And to be clear, the timeline is hardly the only or main metric
Microsoft uses to evaluate patches. If it was a useful metric, then it
stands to reason that Microsoft would drop everything to maximize on
speed -- and compromise on quality, reliability, etc. Forget about the
regression and reliability testing -- time is everything -- the
customers can figure out what broke and make more support calls. Does
that make sense?

So, let me ask again -- can you clarify exactly what you are trying to
ask and obtain?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: how long it took MS to come out with patch

on 18.01.2008 16:09:25 by tony

Hi David,

I am trying to put together a document to convince the security group to expose
the IIS servers' ports 80/443 on the DMZ to the public. Right now we have
Apache proxies in place in front of IIS which do redirection.

I want to gather as much information as possible to tell them IIS is secure
enough to be exposed on the DMZ and we do not need proxies.

"David Wang" wrote in message
news:4b87c2cc-c030-4017-8bee-120828ef02f9@21g2000hsj.googlegroups.com...
On Jan 17, 11:29 am, "tony" wrote:
> since 2003 or the release of IIS6, there has been 3 advisories for IIS6
>
> 1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
> released 10/12/2004
>
> 2. MS04-034 is an ASP vulnerability that could lead to remote code
> execution - released 7/11/2006
>
> What was the timeline between when the vulnerability was known and the
> release of patch from ms?


Well, if it's not already publicly disclosed, then I certainly cannot
tell you...

Why exactly do you want to know?

Rest assured, we certainly do not delay in acting on or announcing
them.

And to be clear, the timeline is hardly the only or main metric
Microsoft uses to evaluate patches. If it was a useful metric, then it
stands to reason that Microsoft would drop everything to maximize on
speed -- and compromise on quality, reliability, etc. Forget about the
regression and reliability testing -- time is everything -- the
customers can figure out what broke and make more support calls. Does
that make sense?

So, let me ask again -- can you clarify exactly what you are trying to
ask and obtain?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: how long it took MS to come out with patch

on 19.01.2008 10:03:39 by David Wang

Start by pointing out:

1. the Apache software running the proxy has had more vulnerabilities
than IIS6 in the past 5 years -- well documented by groups like
Secunia.
2. Windows firewall locks down all other ports except 80/443, so no
additional ports are open

Thus, security does not look like the only argument for running Apache
proxies in front of IIS.

I suspect you will have to figure out why the security group wants
Apache proxies and address those reasons. For example, consider these
arguments:
1. functional - you'd have to replicate the redirection features -
depending on what you are doing, that task can be done in many, many
ways
2. political/emotional - people assume IIS is insecure and must be
secured with Apache - I admit that the damage caused by IIS4 and IIS5 is
bad, but IIS6 is time-tested already. Depending on the opponent that
is political/emotional, it may/not be possible for you to overcome
with logic
3. illogical -
- suppose there was a security vulnerability in IIS. Wouldn't it
be necessary to have the Apache Proxy be able to shield the IIS server
during that time period? True. But what happens when there is a
security vulnerability in the Apache Proxy -- where's the shield for
it? And if IIS6 has fewer security vulnerabilities than Apache over the
same time period as well as relative product lifespan, does it make
sense to use the less secure product as the "shield"?
- suppose there was a security vulnerability in IIS. Open Source
makes patches faster, so even if Apache is more vulnerable, it is
patched faster, so overall there are fewer days of vulnerability. Well,
arguing the time-to-patch availability is a moot point. Open source puts
responsibility on the user for using the software, so while a patch
can be quickly cranked out, the burden is *always* on the user to
regression test -- and is your organization willing/able to regress?
Or is it going to wait for someone else to regress -- and if you wait,
how useful is the rapid availability of a patch? In other words, do
you care about rapid availability of patches, or do you care about
rapid availability of stable, regressed, and supported patches? This
is why I point out that "timeline" is hardly a useful comparison
metric. Microsoft releases supported, regressed patches as quickly as
possible, while Open Source can release unsupported, unregressed
patches as quickly as possible. If Microsoft's approach sounds like
what you want, then great. But if you are OK with the added
responsibility and can help yourself, then more power to you and you
should definitely go with Open Source.

I'm not saying either is "good" or "bad" -- it all depends on your
requirements.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Jan 18, 7:09 am, "tony" wrote:
> hi david
>
> I am trying to put together a document to convince security group to expose
> the IIs servers port 80/443 on the dmz to the public. right now we have
> apache proxies in place in front of IIS which does redirection.
>
> I want to gather as much information as possible to tell them IIS is secure
> to be exposed on DMZ and we do not need proxies
> "David Wang" ..com> wrote in message
> news:4b87c2cc-c030-4017-8bee-120828ef02f9@21g2000hsj.googlegroups.com...
> On Jan 17, 11:29 am, "tony" wrote:
>
> > since 2003 or the release of IIS6, there has been 3 advisories for IIS6
>
> > 1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
> > released 10/12/2004
>
> > 2. MS04-034 is an ASP vulnerability that could lead to remote code
> > execution - released 7/11/2006
>
> > What was the timeline between when the vulnerability was known and the
> > release of patch from ms?
>
> Well, if it's not already publicly disclosed, then I certainly cannot
> tell you...
>
> Why exactly do you want to know?
>
> Rest assured, we certainly do not delay in acting on or announcing
> them.
>
> And to be clear, the timeline is hardly the only or main metric
> Microsoft uses to evaluate patches. If it was a useful metric, then it
> stands to reason that Microsoft would drop everything to maximize on
> speed -- and compromise on quality, reliability, etc. Forget about the
> regression and reliability testing -- time is everything -- the
> customers can figure out what broke and make more support calls. Does
> that make sense?
>
> So, let me ask again -- can you clarify exactly what you are trying to
> ask and obtain?
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //

Re: how long it took MS to come out with patch

on 22.01.2008 00:53:30 by Roger Abell

Hey Tony,

Just by way of correctness, the second patch you cite as MS04-034
should have been MS06-034. If I recall correctly MS also issued
an advisory that provided workaround info for use while awaiting
the patch, and the same was also done with the WebDav vulnerability.

It is interesting to note that this comes down to something like
0.5 patches per year over the past 4 years, and these are for
things potentially bolted on to IIS, not for IIS itself.

Roger


"tony" wrote in message
news:eM93X9TWIHA.4196@TK2MSFTNGP04.phx.gbl...
> since 2003 or the release of IIS6, there has been 3 advisories for IIS6
>
> 1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
> released 10/12/2004
>
> 2. MS04-034 is an ASP vulnerability that could lead to remote code
> execution - released 7/11/2006
>
>
>
> What was the timeline between when the vulnerability was known and the
> release of patch from ms?
>
>

Re: how long it took MS to come out with patch

on 22.01.2008 02:38:53 by David Wang

Internally, the IIS team treats the ASP one as the only one the IIS
team was responsible for.
- The WebDAV one is due to MSXML, of which IIS is one of the affected
partners and is used as a vector. But WebDAV is disabled by default.
- The SSL one is due to ASN, of which IIS is one of the affected partners.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Jan 21, 3:53 pm, "Roger Abell [MVP]" wrote:
> Hey Tony,
>
> Just by way of correctness, the second patch you cite as MS04-034
> should have been MS06-034. If I recall correctly MS also issued
> and advisory that provided workaround info for use while awaiting
> the patch, and the same was also done with the WebDav vulnerability.
>
> It is interesting to note that this comes down to something like
> 0.5 patches per year over the past 4 years, and these are for
> things potentially bolted on to IIS, not for IIS itself.
>
> Roger
>
> "tony" wrote in message
>
> news:eM93X9TWIHA.4196@TK2MSFTNGP04.phx.gbl...
>
>
>
> > since 2003 or the release of IIS6, there has been 3 advisories for IIS6
>
> > 1. MS04-030 is a WebDAV XML vulnerability that could lead to DoS -
> > released 10/12/2004
>
> > 2. MS04-034 is an ASP vulnerability that could lead to remote code
> > execution - released 7/11/2006
>
> > What was the timeline between when the vulnerability was known and the
> > release of patch from ms?