One Patch to Rule Them All
Tim Mullen, 2002-09-30

A recent XP security hole begs the question, do we really want Microsoft to release individual fixes for every bug?

One Patch to Rule Them All 2002-09-30
Anonymous (1 replies)
One Patch to Rule Them All 2002-10-08
Anonymous
Security patches are different 2002-09-30
Anonymous
One Patch to Rule Them All 2002-10-01
Anonymous (1 replies)
One Patch to Rule Them All 2002-10-02
Anonymous
One Patch to Rule Them All 2002-10-01
Anonymous
One Patch to Rule Them All 2002-10-01
Anonymous
RE: One Patch to Rule Them All 2002-10-01
Piroufreek
One Patch to Rule Them All 2002-10-01
Anonymous (1 replies)
One Patch to Rule Them All 2002-10-04
Anonymous
One Patch to Rule Them All 2002-10-01
Anonymous
You analyse the problem backward: the need is not to break an existing service pack for a partial security update. The need is for a faster single patch which will be consolidated later in a global service pack.

Each time a weakness is exposed, Microsoft should fix it faster than they are doing right now. A first patch like GRC's one should be their first answer.

Next, if the fix is sufficient for solving the problem, it should be consolidated in the service pack as is. If the fix is not complete, as you suggest for this specific case, the service pack should remove it and replace it with a complete solution developed over a longer period.

At the end, users can protect themselves faster, in a more efficient way, and the service pack will consolidate many smaller fixes or major changes like those required for the help center.

In this case, Microsoft skipped the first step. Redoing it after the second and third is not logical. This doesn't mean that the first step was not needed, as you suggest. Microsoft must do their job, which includes the quick fix first, a deep analysis for confirming it is enough or developing a more complete solution, and finally concatenating all durable fixes in their service pack.

Not doing any of these steps reduces the security on the user side.
Not doing the first leaves them exposed to known exploits, just as they did this time.
Not doing the second does not solve the entire problem.
Not doing the last produces too large a set of fixes for sysadmins.

Link to this comment: http://www.securityfocus.com/comments/columns/112/16656#16656
One Patch to Rule Them All 2002-10-01
Todd Knarr
One Patch to Rule Them All 2002-10-02
security@NOdsia.SPAM.com
One Patch to Rule Them All 2002-10-03
Darkphyber
One Patch to Rule Them All 2002-10-03
iDENTiTY
One Patch to Rule Them All 2002-10-04
Anonymous
He should have called this article "Flame Bait"... 2002-10-09
Anonymouse (1 replies)
"Flame Bait" 2002-10-09
Anonymous







 

Copyright 2009, SecurityFocus