What about MS04-013? And patch management in general


Eberhard Schefold

On April 13, MS issued a patch addressing the issues described in Security
Bulletin MS04-013, "Cumulative Security Update for Outlook Express
(837009)", the so-called severity rating of which is "Critical".

It's more than four weeks now without a patch for XP Embedded. Our
customers are severely stepping on our feet, and I can't blame them. When
can we expect a patch?

As a whole, I must say the entire patch management for XPE is a disaster
that we are unable to explain to our customers.

Why are the developers forced to develop and test DUA scripts individually?
Wouldn't that be Microsoft's damned job? Why isn't there finally a solution
to be able to apply XP Professional patches to XPE as well? I heard there
was a component once for this, which was withdrawn by Microsoft for
legal/license issues. Sorry, I cannot accept this any longer. Solve the
damn "issues" and finally give us a solution!

If this situation will not improve *fast*, we will have to make a cut. Our
customers have gotten very sensitive towards security issues, and for good
reason. All these security holes are bad enough, but at least we have to
offer them a satisfactory patch strategy. For that, we need acceptable
support from Microsoft. If we don't get this support, we will be forced to
abandon XP Embedded. With this current frequency of patches, this platform
no longer allows us to deliver the quality our customers expect.

Microsoft, we really need help here!

Jay Kremer

Hello Eberhard

Regarding the lateness of MS04-013 - We had some issues
with the XPE version of the patch in test, but long hours
put in by the QFE team in cooperation with the Outlook
Express team have resolved these issues. The patch has
been sent to the release site and should be available for
download later this week. MS04-015, which Microsoft
released for XP Pro on Tuesday, will be available at the
same time. Getting security updates to our customers in a
timely fashion is one of our absolute highest priorities,
but the updates need to meet the quality bar before we
can ship them.

The desktop QFE installer component is the component you
allude to which allows XP Pro updates to be run directly
on an Embedded runtime. (Jon talks about the
complications with this component here:
http://xpeqfe.blogspot.com/) We are now making this
component available to OEMs on the OEM secure site - in
fact, it was released earlier today. I understand that
several OEMs have already begun testing with this

Improving the QFE process for XPE is a high priority for
us. We have improved our turnaround time significantly
over the last year, and we expect it will continue to
improve. Exceptions like MS04-013 are an unfortunate
reality, but we do understand the pain and frustration
our customers are experiencing as a result of this, and
we don't like it either.

The reason we don't do DUA scripts is twofold: First, we
have no idea what a user's environment is, or what their
runtime includes, and DUA scripts are powerful enough to
allow us to develop a generic solution. Second, a DUA
script from us is code; which requires further
investigation, testing, release management, et cetera.
Even if creating generic DUA scripts were possible,
releasing them would delay our QFE process even more. Our
focus is currently streamlining the existing process to
make it as efficient as possible, and this would work
against that goal.

I hope that helps address some of the issues you've


This posting is provided "AS IS" with no warranties, and
confers no rights.

Jay Kremer

My comment on DUA should have read "DUA scripts are NOT
powerful enough to allow us to develop a generic
solution." Sorry.


This posting is provided "AS IS" with no warranties, and
confers no rights.

Nikolai Vorontsov

Hello, Jay!

BTW, the latest patch (840374 - Help & Control Center) installs on XPe
without any problem. Does it mean that you changed your policy and now
we are able to apply the same patches to the XP and XPe?

Eberhard Schefold

Jay Kremer wrote:
> Regarding the lateness of MS04-013 - We had some issues
> with the XPE version of the patch in test, [...]

Hello Jay,

thank you very much for your information, we really appreciate it.
> The desktop QFE installer component is the component you
> allude to which allows XP Pro updates to be run directly
> on an Embedded runtime. (Jon talks about the
> complications with this component here:

Thank you very much for this link as well. It makes such a difference when
these kinds of decisions become at least to some degree transparent to us.
> We are now making this
> component available to OEMs on the OEM secure site - in
> fact, it was released earlier today. I understand that
> several OEMs have already begun testing with this

This is excellent news. Since we manufacture and distribute PCs with XPE, I
guess we are regarded as OEMs in that sense. Maybe it's my own fault, but I
had never heard of the "OEM secure site", and couldn't find any information
on the MS site about it. Luckily, in the Google newsgroup archive I was
able to find the link: https://microsoft.embeddedoem.com

I really wished these kinds of information were more readily accessible,
but I very much appreciate your personal efforts. Thanks again.

Jay Kremer

I actually just got access to the OEM secure site myself
this morning, and I don't see it either. I'm following up
with the site admins right now to get the word on this.
Keep an eye on the site - I'll make sure they post it

This posting is provided "AS IS" with no warranties, and
confers no rights.


Hi Nikolai

No, our policy hasn't changed. The Desktop QFE installer
component we're releasing to OEMs has all the
dependencies in place to assure that the updates install
correctly. Most, if not all of these dependencies will
exist in a large, inclusive image, and the updates may
indeed run successfully without the component in place.
This is an unsupported scenario, however - the only way
to be certain and have a supported experience is to
include the component in your runtime.


This posting is provided "AS IS" with no warranties, and
confers no rights.



I'm afraid I have to eat my words in my last post - I
just got off the phone with the OEM secure site admin,
and there simply is no way they can post this before
tomorrow. They did promise me unequivocally that it would
be there tomorrow, though.


This posting is provided "AS IS" with no warranties, and
confers no rights.

Eberhard Schefold

Jay said:
> I'm afraid I have to eat my words in my last post - I
> just got off the phone with the OEM secure site admin,
> and there simply is no way they can post this before
> tomorrow. They did promise me unequivocally that it would
> be there tomorrow, though.


thanks for letting us know. I'll look tomorrow.

Eberhard Schefold

Nikolai Vorontsov wrote:
> BTW, the latest patch (840374 - Help & Control Center) installs on XPe
> without any problem.

Just to be sure: Did you explicitly check on every file and registry entry
that is supposed to be installed? On our image, at least one patch appeared
to install, but in fact did nothing.
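
The check raised in the last post, as an added example that is not part of the original thread: compare the image against a manifest of what the update is supposed to leave behind, instead of trusting the installer's exit status. The manifest layout, the function names, the file names and the registry key are hypothetical placeholders; the registry is modelled as a plain dict so the sketch runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patch(root, manifest, registry):
    """Return (item, problem) for every manifest entry not in the patched state."""
    findings = []
    for rel, want in manifest["files"].items():
        p = Path(root) / rel
        if not p.is_file():
            findings.append((rel, "missing"))
        elif sha256_of(p) != want:
            findings.append((rel, "stale: hash differs from patched file"))
    for key, want in manifest["registry"].items():
        have = registry.get(key)
        if have != want:
            findings.append((key, f"registry: expected {want!r}, found {have!r}"))
    return findings

def demo():
    """Constructed scenario: installer reported success, one file was never replaced."""
    marker = r"HKLM\SOFTWARE\Example\Updates\KB000000\Installed"  # placeholder key
    patched = {"system32/a.dll": b"patched-a", "system32/b.dll": b"patched-b"}
    manifest = {
        "files": {rel: hashlib.sha256(d).hexdigest() for rel, d in patched.items()},
        "registry": {marker: 1},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in patched.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Simulate the silent no-op: b.dll still holds the pre-patch contents,
        # while the "installed" marker was written anyway.
        (Path(root) / "system32/b.dll").write_bytes(b"old-b")
        return verify_patch(root, manifest, {marker: 1})

if __name__ == "__main__":
    for item, problem in demo():
        print(f"FAIL {item}: {problem}")
```

The registry marker alone says the update is present; only the per-file comparison exposes the file that was never replaced.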

