Bugtraq mailing list archives
Re: Xato commentary on MS security bulletins
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 8 Dec 2000 09:01:58 -0800
-----BEGIN PGP SIGNED MESSAGE----- "We often need to know what files are going to be updated. We also often need to know what registry keys will be changed. We need to know if hotfixes need to be installed in a particular order and how different hotfixes interact." --.sozni I wanted to take a quick moment to update folks on an exciting project we are working on to address the specific points above. Microsoft is in the process of finalizing a new Security Bulletin XML file on the microsoft.com/security website. This XML file, in its most basic state, will allow users to view security bulletins as they can today. However, we are adding several new features: 1) Ability to view bulletins/patches by OS, application, and Service Pack relevance. For example, a user could query the site and ask to see the list of NT4 post SP6a hotfixes. This could be further extended to view post SP6a hotfixes relevant to both the OS and a specific application - such as IIS4. 2) The XML database will create a cross-reference between the bulletin number, related OSes/applications, and relevant KB articles. 3) For each patch (for each OS/application), the XML file will contain details of files in the hotfix, including (but not limited to): - -file checksum - -file version - -file location (where is the file placed on your system) - -reg key updates (what entries are made in either the \hotfixes and/or \updates key) What does this all mean? A visitor to the web site can query security patches based on their existing OS\application and current Service Pack. Users can decide to view only those patches/bulletins that relate to their configuration, or they can view any information for any OS/SP/application - all depending on the query strings they enter on the site. Because file version will be included for each file on the hotfix, the hotfixes can be displayed in the order in which they must be applied to the machine (pause for applause...) Information may be viewed in any amount of detail - from a simple list of bulletins and patches, to the related KB articles, to a detailed list of files included in each hotfix. All the data will be in the XML file, the user can control how much information they'd like to see in their query. The XML schema has been normalized and has been fixed. While the schema can be extended for new bits of information (future enhancements), the existing bits in the (soon to be published) schema will not change - vendors and individuals may download and leverage the XML file and create custom applications that extract relevant information for their own purposes. The XML database is updated automatically each time a new security bulletin/patch is released. This "new and improved" XML database is undergoing final testing now. We hope to make this available shortly, however, you won't see it any time before February 2001. We hope that these changes will assist users in their ability to manage their knowledge of Microsoft's security patches. I, for one, and very excited about the new features, and look forward to rolling this out next year. After successful implementation of the XML database, we'll announce additional tools that will aid users in keeping their systems "up to date" on security hotfixes. Questions and/or feedback (now or later) can be sent to secfdbck () microsoft com Regards, Eric Schultze Security Program Manager Microsoft Security Response Center -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOjEUBY0ZSRQxA/UrAQEU0Af/Tqg9RTwpLrqV+gpfqjXpmCxfHKndGcqJ u2ATgo7cIdFnRiFNwEXxR6fgW9Ty1lOz9BaHUTgKtvfQ9hwt4ZL1U2c9pr0UEmWC vdMciVVq2ppFrqs5zzoRrhXUs4tyFzu2MD25IeaXBwzSUGZXICSPlVyS5h3Yj2zJ namzz6/hdNz4eDkRKVElFyQvEFr+ml0AsBWk2Wq/3In8cpwFs96hIcxG1DjlvM2m IvseFqeywOmnqaH78AtXu944/xZ7HbgEHAVcAyq6FZQnviqpT/7HgM+WKb4mULvd 2lxPDOgwI+CpNNs5wXQTgZgGEIyQBi2fYBrXWoBQt/iAgucRH3qQlA== =ozjX -----END PGP SIGNATURE-----
Current thread:
- Xato commentary on MS security bulletins .sozni (Dec 08)
- <Possible follow-ups>
- Re: Xato commentary on MS security bulletins Theodor Bucher (Dec 11)
- Re: Xato commentary on MS security bulletins Microsoft Security Response Center (Dec 11)