Jerry Bryant's Security Blog

Security Program Manager - Microsoft PSS Security Team

December 2003 - Posts

patchmanagement.org

www.patchmanagement.org

From the home page:

PatchManagement.org is the industry's first mailing list dedicated to the discussion of patch management. Whether it's a Linux operating system patch or a Microsoft application hotfix, this is the place to find more information about it. Sign up now for the patchmanagement.org mailing list!

This site/list is fairly new and fairly well moderated. There have been some decent discussions on patch management issues, techniques and software. I would be interested in hearing feedback from others who have joined the list.

Microsoft Security Newsletter

The first newsletter for security has been sent. Here is where it's archived:

http://www.microsoft.com/technet/security/secnews/newsletter.htm

I help out with the community and MVP section so if you would like to contribute to the FAQ section or would like to see a third party community site related to security listed, please let me know.

Old news by now...

So it's probably old news by now, but Microsoft did not release any security bulletins yesterday, which was the regularly scheduled December release day. This does not mean that the process fell behind or that patches will be released out of cycle. The next scheduled patch release is the second Tuesday in January (1/13/04). Of course, if there is a situation warranting it, Microsoft will release a patch out of cycle.

The fact that some people later began to be prompted by Automatic Update (AU) to install Security Update for Windows XP (KB810217) was unrelated; it was due to an update Windows Update (WU) made to the detection method for that security patch. No update was made to the bulletin itself. More will be released on this later.

Microsoft Terminology for Software Updates

Just so we are all clear on what these terms mean ;-)...

Term: Definition

Security Patch: A broadly released fix for a specific product addressing a security vulnerability. A security patch is often described as having a "severity", which actually refers to the MSRC severity rating of the vulnerability that the patch addresses.

Critical Update: A broadly released fix for a specific problem addressing a critical, non-security related bug.

Update: A broadly released fix for a specific problem addressing a non-critical, non-security related bug.

Hotfix: A single package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation, are only available through a support relationship with Microsoft, and may not be distributed outside the customer organization without written legal consent from Microsoft. The terms QFE (Quick Fix Engineering update), patch, and update have been used in the past as synonyms for hotfix.

Update rollup: A collection of security patches, critical updates, updates and hotfixes released as a cumulative offering or targeted at a single product component, such as Microsoft Internet Information Services (IIS) or Microsoft Internet Explorer. Allows for easier deployment of multiple software updates.

Service Pack: A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features. Service packs are broadly distributed and tested by Microsoft more than any other software updates.

Integrated service pack: The combination of a product with a service pack in one package.

Feature Pack: A new feature release for a product that adds functionality. Usually rolled into the product at the next release.


Full link to patch management process:

http://www.microsoft.com/technet/security/guidance/secmod193.mspx

Flaw in Linux Kernel allows attack

My information may have been wrong as pointed out by jmk so I'm removing my original remarks. The story is still below:

http://news.com.com/2100-7344_3-5112427.html?tag=nefd_top