Re: Xato commentary on MS security bulletins

[Microsoft Security Response Center <secure () MICROSOFT COM>]

-----BEGIN PGP SIGNED MESSAGE-----

"We often need to know what files are going to be updated.  We also
often need to know what registry keys will be changed.  We need to
know if
hotfixes need to be installed in a particular order and how different
hotfixes interact." --.sozni

I wanted to take a quick moment to update folks on an exciting
project we are working on to address the specific points above.

Microsoft is in the process of finalizing a new Security Bulletin XML
file on the microsoft.com/security website.  This XML file, in its
most basic state, will allow users to view security bulletins as they
can today.  However, we are adding several new features:

1) Ability to view bulletins/patches by OS, application, and Service
Pack relevance.
For example, a user could query the site and ask to see the list of
NT4 post SP6a hotfixes.  This could be further extended to view post
SP6a hotfixes relevant to both the OS and a specific application -
such as IIS4.

2) The XML database will create a cross-reference between the
bulletin number, related OSes/applications, and relevant KB articles.


3) For each patch (for each OS/application), the XML file will
contain details of files in the hotfix, including (but not limited
to):
- -file checksum
- -file version
- -file location (where is the file placed on your system)
- -reg key updates (what entries are made in either the \hotfixes
and/or \updates key)

What does this all mean?
A visitor to the web site can query security patches based on their
existing OS\application and current Service Pack.  Users can decide
to view only those patches/bulletins that relate to their
configuration, or they can view any information for any
OS/SP/application - all depending on the query strings they enter on
the site.

Because file version will be included for each file on the hotfix,
the hotfixes can be displayed in the order in which they must be
applied to the machine (pause for applause...)

Information may be viewed in any amount of detail - from a simple
list of bulletins and patches, to the related KB articles, to a
detailed list of files included in each hotfix.  All the data will be
in the XML file, the user can control how much information they'd
like to see in their query.

The XML schema has been normalized and has been fixed.  While the
schema can be extended for new bits of information (future
enhancements), the existing bits in the (soon to be published) schema
will not change - vendors and individuals may download and leverage
the XML file and create custom applications that extract relevant
information for their own purposes.  The XML database is updated
automatically each time a new security bulletin/patch is released.

This "new and improved" XML database is undergoing final testing now.
 We hope to make this available shortly, however, you won't see it
any time before February 2001.

We hope that these changes will assist users in their ability to
manage their knowledge of Microsoft's security patches.  I, for one,
and very excited about the new features, and look forward to rolling
this out next year.  After successful implementation of the XML
database, we'll announce additional tools that will aid users in
keeping their systems "up to date" on security hotfixes.

Questions and/or feedback (now or later) can be sent to
secfdbck () microsoft com

Regards,

Eric Schultze
Security Program Manager
Microsoft Security Response Center

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOjEUBY0ZSRQxA/UrAQEU0Af/Tqg9RTwpLrqV+gpfqjXpmCxfHKndGcqJ
u2ATgo7cIdFnRiFNwEXxR6fgW9Ty1lOz9BaHUTgKtvfQ9hwt4ZL1U2c9pr0UEmWC
vdMciVVq2ppFrqs5zzoRrhXUs4tyFzu2MD25IeaXBwzSUGZXICSPlVyS5h3Yj2zJ
namzz6/hdNz4eDkRKVElFyQvEFr+ml0AsBWk2Wq/3In8cpwFs96hIcxG1DjlvM2m
IvseFqeywOmnqaH78AtXu944/xZ7HbgEHAVcAyq6FZQnviqpT/7HgM+WKb4mULvd
2lxPDOgwI+CpNNs5wXQTgZgGEIyQBi2fYBrXWoBQt/iAgucRH3qQlA==
=ozjX
-----END PGP SIGNATURE-----