Administrivia #35683: Microsoft Security Bulletin Notifications

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/27/02


1. Microsoft doesn't release Security Bulletins for Service Packs,
Security Roll-ups, packages like the Outlook Email Security Update, or
tools like the Microsoft Baseline Security Analyzer or URLScan. I can't,
for the life of me, understand why this isn't done. Every SP or SRP
obsoletes many individual Security Bulletin patches, so they are
obviously important to the Security community. Further, SPs or SRPs
usually include additional patches, sometimes for security issues which
weren't deemed important enough for an individual Security Bulletin. So
while they may not need to be dealt with using the same urgency as a
Security Bulletin, they are still very important.

In fact, some people wait until a Service Pack, or now, a Security
Roll-up before they apply those fixes to some of their machines.
Machines which may not be directly exposed to a specific threat
environment may only apply SPs and SRPs in an effort to reduce patch
management hell.

The same is true of packages like the Outlook Email Security Update,
HFNetchk, or URLScan. All are examples of extremely useful tools that
specifically assist Security people. IMO, anything related to security
should have a Security Bulletin.

No doubt the negative PR that generally accompanies another Microsoft
Security Bulletin is one reason not to release more of them. But having
them included with everything else related to Security Bulletins might
begin to make it easier to figure out what you need. HFNetchk, for
example, doesn't know about SRPs. Neither does the Security Bulletin web
page at:

This means that if you go to the Security Bulletin page and indicate you're
running NT4 TSE SP6, you'll get a very long list of Security Bulletins
you need to read. However, if you go to the KB article for the TSE SRP
(Q317636), you'll find that many of them have been included in the SRP.
But you don't get that information easily from the Security Bulletins
site. The same is true about Office and other

Yet we do get Security Bulletins for "Cumulative Patches" for some
products. What's the difference? It all has to do with the quagmire that
Microsoft's patch management is in. All of these different delivery
mechanisms for Security patches/tools are built differently, record
themselves differently in the OS, use different tools to install/deploy,
are managed by different people, and have different locations for you to
find out about them.

Wonderful, eh?

The bottom line is that I think Microsoft should release a Security
Bulletin for all such packages. If you use the Microsoft Product
Security Notification Service in such a way that you would find these
additional notifications a burden, I'd like to hear from you. Maybe you
forward all Microsoft Security Bulletins to your pager, or have them
wake you up in the middle of the night if one arrives. It wouldn't be
that difficult to come up with different notations within the Security
Bulletin to allow people to differentiate the importance or urgency to
suit their own needs. So if there's a good reason not to do this, I've
not heard it yet.

Please, only email me if you disagree.

2. The latest revision to MS02-006 didn't come automatically because the
revised Bulletin didn't actually include a revision note. I made up the
V6.0 explanation in the previous message; if that section of the
Bulletin isn't revised, I have no idea why it's been revised and don't
push a notification, so this one slipped by my scanner. I'm not going to
try and figure out how I know the reason for a revision when it's not
actually indicated on the Bulletin page itself, so if you see a Security
Bulletin that's been updated but haven't seen a "Revised:" notification
to the list, let me know.

3. You may wonder why I send these "Revised:" messages. Most of the time
revisions don't actually include new bits; revisions usually just
include more information or the availability of the patch for another
platform. I figure that's worth a note to the list. I've modified the
format of "Revised:" notifications as you saw with the previous message.
These notifications will give you whatever reason Microsoft have
provided for the revision, and a link to the original. Beyond what I
give you (the revision explanation), I can't determine what else has
changed well enough to give you any more detail than that. The web page
is the best place for that additional information anyway.

4. Unfortunately Microsoft don't seem to revise Security Bulletins to
announce availability of non-US-English versions of the patch. I think
they should; people have no way of knowing otherwise that the patch in
their language has been made available.

Russ - NTBugtraq Editor