[unisog] MS Security patches

Gary Flynn flynngn at jmu.edu
Tue Aug 7 13:10:13 GMT 2001

Paul L Schmehl wrote:
> Just an FYI.  I emailed secure at microsoft.com, and all security-related
> patches are now (supposed to be) included in Windows Update.  So you can go
> to Windows Update and patch a server to current, including IIS.

Then I applaud their efforts in this area. A short time ago, server-related
patches were not included, and just a few short weeks ago they started
including the critical roll-ups.

FYI: In my conversations with them several months ago, they indicated that
it could take as long as 4-6 weeks to get a security patch included in
Windows Update depending upon where in the update cycle they were and
how testing went.

I wonder if they've changed the manner in which they make patches available
through Windows Update for servers. 4-6 weeks would not have helped us
prevent Code Red although it would have made it easy to tell people how
to get the updates.

For the masses running desktops and perhaps even for the unclueful souls
running servers, Windows Update is a wonderful tool. But my recommendation 
to server operators is to subscribe to the MS mailing list and test and 
apply the patches when they're announced. If they don't want that hassle 
and complexity, perhaps they should find another line of work.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
