Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Turns to External Patch Testers



 By: Ryan Naraine
2005-01-12
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The company recruits external evaluation teams to help test software security updates.

Looking to improve—and possibly speed up—the creation and release of software security patches, Microsoft Corp. is implementing a closed beta program for external testing teams.

The formalization of Redmonds new Security Update Validation Program clears the way for external patch testers to get "limited and controlled access" to security updates ahead of public release.

The goal, according to company officials, is to provide a small number of dedicated external evaluation teams with access to the patches to test for application compatibility, stability and reliability in simulated production environments.

Stephen Toulouse, program manager at the Microsoft Security Response Center, told eWEEK.com that the external evaluation program was implemented to add a new level of quality control to the engineering process.

Resource Library:

"Weve always maintained that the most important thing is to make sure the patches are of a high quality. A faulty patch is worse than no patch at all. This program speaks to that commitment," Toulouse said.

He made it clear that the outside testers had no access to information on the vulnerability addressed by the patch.

"Theyre evaluating the updates in a private, closed-lab environment. They are required to sign an NDA [nondisclosure agreement] and they dont ever know what the patch is correcting. Theyre simply simulating a real-world deployment in a lab environment and looking for potential problems," Toulouse said.

"The end result of this program is higher quality updates for customers to help ensure timely and effective deployment of patches."

Should users be wary of third-party IE patches? Click here to find out what security experts say.

According to Debby Fry Wilson, a director in the security research center, the external testing teams were selected from trusted MVPs (Most Valuable Players), ISVs and managed customers who were capable of mimicking patch deployments in a lab environment.

"They had to make a heavy commitment to provide a dedicated evaluation team and to restrict the use of the update to the test environment," Wilson said.

"Based on customer feedback, one of the complaints weve dealt with was that security updates had problems with application compatibility, reliability and stability. Weve done better in the last year, but we can always improve the engineering process," she said.

Its a Catch-22 situation for the software giant as it struggles to balance the need for glitch-free updates rolled out in a timely manner.

Security experts have long criticized the company for being slow to address critical software flaws. eEye Digital, a security research outfit, maintains a section on its Web page that features Microsoft patches that are long overdue.

On the other hand, Microsoft has also had to cope with the embarrassment of having to recall faulty patches.

In 2003, a buggy patch from Microsoft even opened the door to the widespread exploitation of a vulnerability in the Internet Explorer browser.

"Were always looking at ways to create updates and get them rolled out to customers quickly. But, the testing is an important part of that process. With this program, the external evaluation teams arent looking to make sure the vulnerability is fixed. Theyre testing to make sure that when the update is deployed across a network, it does not break existing applications," Toulouse said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Turns to External Patch Testers
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r۸j9km"u#dKb[ZL*%BER9eoВ/q*D th4?{$s[ kB.l}nR?GG.5蝷O$|mwOk%[ mWn-ː5MF)h|Lcb2#jGJ~x'AT{# xL15ΘMj1&ԓoN~e0c-ZNq:)6NU7n/LZP8$9H.sH~rDug~D&ǶKALBAUw0VKS[inAUVek햡*6:2ș}5Pz$թd;3{R'-,w2I*5b;6:9zuGi08RiJ%lf fO$(sl˳]S/D1 )<32biHt6XA8<_݀yyNt²-,r~ƷPL\{ndovQw T9'>6M) O}I#|öԥZr(˚9h#d-#HUŪZB+T╻agv#{fTk]w+)U/znu7unm1y Cq>:}r:?'׼;AڼW@m&37`r1LTTJ|hg" ԂNY5=(釭~W-B5#5Cv,f5< 3+i3,q)?[ZUk~:E,[3SA)U̠`Wk11zq}ڼ~n_6;=rڹ"IŞΆTpgsZ܌vO^InXCYCa-U*Ūd#3t[d[Od:"~qN 黚-4S[ }>k%#,_%?fV k3tJ ":2P;L|ښN(jZRMǿ#G/x%Kes7p#S:񇠻fy՜(Ӆ]WftwYCL 9\zmMꧭFUIze.Z^C 8^%g 5F0 ,ieݴ%!8W5MG\FWPP9*;-xQnx٩l Z2X jXvRX~Vs6 :uf>QݘjCͲbOGs>hH2胆6mdX-kAXn`vthWXxؿ\ cO&v/|\SƌzN-VD4h-DAwu0Ie{e"3 qKs Νdrko͠^(gMPjX^0 j5pHpyY?9ûmd= w@L߽1#|[ S&x KzP P|'sZ( w^b|NҵEEKy3@ $hԏaz6/mb$&w$] q+XdD0nOu${ڹLX,$QY,p[/1͙Jdy4[LboK7], S l-muk{PjTOG4MhȀ%1tAμsI`0HC";NM: xw}CCeYҳ[J`p\Ͱ"̴b֜u4.dMfB7g Ʃ1 R g?0-qڛwuVsӠz|`*,qF7&3Ͱ&p8+ogzjre&>|YrY49y_,MmUPS7˕L8+׬uPM g2)*[hw< 8:ȬN7 \15W{`MLEZ`˟Q,C*"4) 6Eװ DؙRQb{cm1J8.hɸ>M?XĞ.FC\Caﴵ.H .jd>j'L[AHz{<8`Tfha86Lb?3XHy` /syEH~1:2.eX kۦiߥOb3f-Hpi)EraXsH`HDScHB(`DPǶ;3MĖAΠ~Q&wwdd{>70MCLKw39>Ĥ4YU f2~2jsp1< _[ p:Su?; ̟~UқAL}6݁ /m}K>9N--;h'(0 +\2ByVhwDT@)tå#*GS%'=iv?l jFswq5l`EY_g?Z7` 926–8+ѡ,Xr%*%mK]W, GQ: A\=!< `QtEa&Ni}I PsI |O!B[pkxz``!>ޏ?f&Ш؇٨b_@ה\Z+{ל5^,߬]hDс(dyDG/qbk l|s}rp@d#!R~Cݜ5n"uy@VIYhQ6[[6MO'vhXJD幓>7/=ϼrw@MĴz6=_`Ŧto@ЙY&Cj2m95b~<(Gcj1% Lg,fqN'Aׅ#?apFvN{F[ |{*jo#@7X$t#6;r_kNn[:kPgw(* Cq3`3"豥mBxcANVjIk-g}X#2nfwTJ0Tc΁M\1W*b 2=ct{ێ1dmj̩7N;oE 蝚{hR̚,ZDW}X`" ݸ1FSLL.]ITY) +q5΀Ld\(KEۚ;*JhHɑ+y(G?^nVȕZV?bIG|@U$UH/ez$ :̫7xџYD+(++i-Z2˾im.E9[F 47ʨK-,sK"hʈg _<r[rn)tyņ5т(-Bwyr`0W?48NbqDM#?րh)k033Ri<RU$Ԋ+yI?"X7Swg4}̇)5qCTPhwĶ\,2G?'D. ]qC`ITWdR"YrϴJ+e+dP%\xO+4]N\oa+T6n{߼L'+cI`Q`w0D|*nLgFcckfi`z}VrobP@/I6lS.:;b4BϢ.}vvH*ۧ>\E!a*/UWOM}ga\TezLR(I]2~ԮFپ ]wi?`y BN߹p.WڗK'?wDۗ-)^< rDp'Bj?\$'d0 srj\'7b7 `x$Ϣz H-@Vs ߼=2oaw.p]9Qz ACvkL4v|挜50n3~kka4FC-?OKo{g}e2tRTsd{q6$BdEͪ2ۻʞZEVd.tٓswt62ӂ@7YU (f~X;pOʠEc5bw u2{KL7+x=*^OϚ4"]bwB%-J{%nYhr;XE%y,QQ"{"F7t`AuoO&&mq4Wc Zy‡i襖N</; `!3Ȑ +Q1MgH&rd )8T0x l?|nwkJdjl 8!Q"hdo 9oj٤h2[" 6a' ZYC,G p$|+؊w'GG?[{kE|;L-u\ KM_U_r ^?P??\@Ӟ MAW˼2.mE>zQm%Fm?ZS{ϗqGg4ӸgFƏ=I'̙>/03WUsUy_jfxLG#ˮ&  aMrL-:6|ןC}p8_2z27tN`$dU%3RȗxGR-/73AB5ip+Eޡ.L4զE؉8қE9]o8w'x; ďӟkWz^5P"Ug6YRjoM UFc r cx0&<~*uh/M/'otݵZ 4>#^⚁%=5n*Qw:-{P:Yr8߲Jn,OJ5ag!;:y@(NlRƄu  B3" :2c*̾j 5ք@'Z) 7[8Mym`I겎|E(#x; ~أwZ2sužc^؛AnwRbraY(젱K+voWK'~b?0IqJx'Lm8cg3`j>:1'#E|ۖhy w³\It9 8f㱎'ȣc >#'k&Lx7X(b6}1+W1U &QR; fuz cdDc'1b9(/xmRU+j|O&QyF ?b@1ŀR9$LO\ydWNaaZΓky 6R\3揦q B86J!  #F4"-eLDIQsia{[W]`]~ psQ)K"\#ZXb)q]n4v_RǡV`Kk-b$XH=I*劒[b2~R BioCP&NoĤU TlˤgWuˎd +|*uz(ǶK wR&'JQ)[?q% 9%2p_ |ى]jx"m\g,6&uX6-A(]" VZ,`@z#Þ{RpzW|9E7~x7BZRJ, ˱)lDͼ E2 h9׷lմx1+\Rsai3c$3e\HZWS %$HB_5=:av&F}7|m>V33r55-CI]cw_>܅\khRG04Ka 3o7s*Aqwwww󋸞\\ϑJztҵvBjTJ0 a>L6 ɂ+)FSٶ V?r|vO JN:&unuawT{0i92ixSP 838%HЂ" [`J+YH S9lɉĹo ' i*Hޛ>X*(؎FA&Xa P-Y\t6Y@ ]mێ/F|&5Pd@u<sHI0.x}R%JU H V\]_2K+[[/}/Xft~䋄B$ً_||#TƱEoJ: U 61袃'&%lDw>X,r4˜XP)$?" C`@6G`g,mw82:CVݱ%vdJDg@6 NOG@^ !Hp:t۳L}o[v_r_Wyp5:ܞ؃r^-fs=nUMk#F?W¨1;Rnٞ؎fQ+x uǿx2SrrO|k V~s"o̢=xP!j8gf5`Nm`d86S7y{m_P3o6` l[V340SV-zUQ7e]:oJi,qGlp,GӸw= z>(' ƗY'6 ZH9#y_c0T1̬-IXdnS$Vƀn yi`mk)567#E,ڙ%]^,Ra]ߢl`x2[4뿓$~Wk1F1Y}Gj OQ59j>&U6PCeٙ6Co:wCstsRy rũݱYxH]A7>k_AG-'IΞCi/%s>'!i=PxU]f?8 "^tAw'y{DdbX #M .alnPG}fw1^sa2US Q?cfG?׬$¤t'O|oD2z^HBrp 8Om[Q'Ht!D<[fDP-FAw9Ƕ1էTƫ1}Љ[]+p@YWcP&5Q9!N%ٷel>}i=F?P٦I]Ǐ{HDvxQʜ"@]%PV4 %]Q arC^#=%1(%Ⱥc(g}8Vƕ55xk +-❐R%>"@Ÿ ".+> l?QXms/)qy0z1hshh,Vp+Vc.j9WUK.A`s\75̈'50yf|6aqv%|W@[bkwhP™U*Ԭu;1Sק)On@c,+ap M lMk烔IpʬCץ&:̾JD0ƣU\Q)*GzU9+jV ph $9!FTr;IaJ_r+}^rYDX:Tga^0XT J)yKs? Ra)zdHvk%.`\lGN$(# ~59 @;@O aˡqU#\oJ0Iziv3%1,/I ^T""7e z6[i Ҥ3F;2vC7kln@jz)}Fuk5{1~$js{5ʒplfmmQQ1ֶ\ۥ]aIJ`Ar2.2a"=:Iϡ/HJMT껀+sT0lIַX>bxgt0]tʎ`_ňbR>fD9mgFR1Dd`LW<00t+PHjNT]֏pY]XC3ɛwo/p+$_W+Gd}expJ"8rK E/I>oۻI XPp~M>wP*(j- ѵF/|T0/b-38#>Nn!1K=o~{@\p X!q,Ye%+փފ> sF@YbGP567:[9l][~몇V ]=G}m <| <EB`@S[0z  dwh{l0Wot}t%lehj|t]["m#!k^"Αf,X~3?^]r\X ۗ)'pp\`qj8@K/+2&Bs85_z=&jƄ[V aAJz>fօ6"n`>k<}>³漆a9cS`p>WM<iw[/ T6CĊ1gKi6%@1y>;% $`,M@S "PV: 9C(^lJ ͍$u~ K6X`k,2E<CezwY<^+S!:01gYC7`C[j\@ g >򽉡z0us2%iDRxxLb ] 4B0hߘ ?2PX;S<_ =<RXX_1;WQʹb$0+9|:!dW`NJR_}.O܁Gfi,)f/#/S\iL$R&, ?e$5C쌆xɼ1IQkY73F{vH^Zwr۝Kr:\'lkM߂/UQvqrھluڗLpa&hD/湶 ˙ǣ, rzٸh1;eNq(gڽɎq&cWC\pxIx>+ah,.6|?Rv}YQJ/N01ch6ZN֖CyƋxYj8S;Ӧo1ZIc sbR:oI粕&5+8v@?'(7zRk3˔r;{^J(ٮ~2>E " >"@\)_^E ^?AYJ?)P~R{2 ?)s w2~'?I/]n tnW?W){)^ }~ \ S }i>>ʯʁSڿNi:s$CPHFNOoX8)L8_%iAa uyR^}VAy JI,c)t.3_R̭L_ݓN3\a( -U噗f Ǩruv ^_A5KHe^ۛD6CGPryE#BhtoD.|.Ix=0?Mu{1پWߕ\*ܲ}:aO+XE 9K8G#nL _3A0+1FU "X ̽KqǜW1W }^h#mv0(GUtKn lv-v=~^^¯)xHƙRAU J~+r\'\!aFdRL`FUVrrB.{\X(L3BAxG l]{ۦJ̾jC3CX)ḃ=̺o5@ P]:1lK iۼx02aw8cokx;B Q X~Y8P"`)K؞6FvCV9x=ͩ^ocƥ 6%bn1vk']'SFL=O,O~f+g  ȪGsoѨsaQrO?gyOg#ՃoBs1 lJ//ݓxCKQ,Vn;v=sctíd <@T6?rކw2$Z$GYb>s$b8=fՇ=<0; VW.wwM(0z.fPǤe @ v_j[cŝ0%4 ÌkK$L6^ @ >!&֠=kd9ck+cNP< _ϊAf+l@Pմ -2 ?~.rgܖ?Fӳym֎m b vڮƝ ZkXœj@@|v4X3!?coITÓ]Zo/TùLHKmј2\οX:cVP#a iwŝD&ug%=ۜ X?f&}#4 (MP"qm(!3S4J(Hki t^wkdU9H|&zu p$.6=k"2: gKbwB9=vbbļln M5SY,> N_dvO~-B?yW [l>|,XoͨT*L[K |ICڼAM"Kd'-Ym L3t#mk g*Iůu KNT%sDr1ߠ^ yJ>? /ϻ{k~O9n>m='.}F5ӟCt j7;5mˎ0 um'#8>ܸmQ޺pml.;+C&:bz:SAW(Y|h@NlM-1ue|nHKU֧f2{N;:з57d0[| EV?Fu:h /A)6Y q ?dxE#b[p!@pIf*QT KQ)Yl{d㜙9g>Ba2\Xx kyfţ3W\4nZP'jdV@8̙MÛec$|_[0~Y+ʕbA4\n2?>Ei#2|@ =(ۉnzTx `GYu`.9[mx: wyuke!*O1:7˟]lׁQ#hӰ QaW&6n MywTsu\7oG]ecAP1W)?$Il}r9{~w!Ǹ 0pcz:mnt g)C2^#s!? Ln2m^^kte(n aaXY[D,5R`:(fG z|k|FXKqm}.&6a]`r8Lte4Q3|JKm)轃ȝkz^4Vh6ۗ񲞽?`(XECh⍾c01|4cA$⑝7~I1u*+T[]jβ[GQll٦i29Z{)qͭ֫w6c!f07Nv6̈́ В\&Ůvbe}˧V)