[unisog] MS Security patches
flynngn at jmu.edu
Tue Aug 7 13:10:13 GMT 2001

Paul L Schmehl wrote:
> Just an FYI. I emailed secure at microsoft.com, and all security related
> patches are now (supposed to be) included in Windows Update. So you can go
> to Windows Update and patch a server to current, including IIS.

Then I applaud their efforts in this area. A short time ago, server related
patches were not included and just a few short weeks ago they started
including the critical roll-ups.

FYI: In my conversations with them several months ago, they indicated that
it could take as long as 4-6 weeks to get a security patch included in
Windows Update depending upon where in the update cycle they were and
how testing went.

I wonder if they've changed the manner in which they make patches available
through Windows Update for servers. 4-6 weeks would not have helped us
prevent Code Red although it would have made it easy to tell people how
to get the updates.

For the masses running desktops and perhaps even for the unclueful souls
running servers, Windows Update is a wonderful tool. But my recommendation
to server operators is to subscribe to the MS mailing list and test and
apply the patches when they're announced. If they don't want that hassle
and complexity, perhaps they should find another line of work.

Security Engineer - Technical Services
James Madison University