How Microsoft Develops and Releases Software Patches

By Jeffrey R. Jones, Senior Director, Microsoft Security Business Unit

When we launched our first security newsletter in December, I asked you to send me your comments and feedback so that I could be your advocate at Microsoft for security issues—and you delivered! I appreciate the many e-mail messages with comments and questions, and we will begin answering them this month.

One particular question raised by many of you focused around the Microsoft process for patching known vulnerabilities. This is an important topic to many of you, so this month I will describe the lifecycle of a software vulnerability from time of disclosure until a patch and Security Bulletin release.

The Microsoft security response process follows the general steps of reporting, investigation, development, test, and release.

The security response process starts with the reporting of a potential issue. Microsoft uses our membership in the Organization for Internet Safety to strongly promote the principles of responsible reporting. A central principle is the belief that the best way to minimize customer risk is for security researchers to work closely with vendors to identify issues and fix them before they are publicized.

When Microsoft releases a patch concurrently with an announcement of a vulnerability, it is a result of having identified the issue and worked through the patch release process prior to communicating publicly. This means our customers will have an opportunity to protect themselves from malicious hackers seeking to exploit the vulnerability. However, when vulnerabilities are announced publicly at the same time Microsoft is notified, customers remain exposed to malicious attackers.

Once a potential issue is reported to Microsoft, either privately or publicly, our team immediately begins an investigation to reproduce and verify the reported issue and to identify any associated or variant issues. Historically, only about 1 out of 10 reported issues turns out to be a new and unique security issue that warrants opening an investigation, while the other 9 fall into categories of known issues, non-security issues, or errors.

If an issue is replicable, a priority is assigned to it and potential fixes, mitigations, and workarounds are developed. We’ve learned over time that mitigations and workarounds are very important for empowering users to control when and how they manage their risk. Chartered with defining and implementing the process for responding to reported software security issues, the Microsoft Security Response Center works closely with the affected product group to do this investigation, and, further, to expand the investigation to other supported versions of products so that we can gain a complete understanding of how an issue may affect customers.

One of the most challenging elements of this process is testing. It is critical to our customers that whatever changes we make to a product have little to no impact on existing installations and applications. For a product such as Internet Explorer, for example, the breadth can be significant. Microsoft currently supports three major versions of Internet Explorer (5.01, 5.5, 6) across several minor versions (for example, Internet Explorer 6 “gold” and Service Pack 1) across several operating systems (Windows 98, Windows Me, Windows XP, Windows 2000, and Windows Server 2003) for more than 25 languages. In total, to fix one Internet Explorer issue, Microsoft builds and releases more than 400 unique packages, tested on an even larger number of combinations.

Complementary to taking these steps to help customers more ably protect themselves from malicious attackers, the Security Response Center and Security Business Unit offer outreach programs and prescriptive guidance through our Web properties, through support channels, and directly through our interactions with customers.

Most importantly, what this means to us is that, even as we are driving urgently for timely delivery of a patch for serious security issues, we are motivated to focus as much on the “quality” part as the “timely” part so that we can deliver the quality and protection our customers demand. It is essential that each patch installs properly, addresses the security issue, and does not disrupt other existing functionality. It is a job Microsoft takes very seriously.

To learn more about Microsoft Security Response Center policies or to report suspected security vulnerabilities, visit the Microsoft Security Response Policy and Practices website.

Again, thanks for the comments and feedback, and I encourage you to keep it coming. Let me know if this article helped answer some of the questions you had.

Link:http://www.microsoft.com/technet/security/secnews/articles/jj200402.mspx

Similarities and Difference between C# and Other Languages

Similarities and Difference between C# and Other Languages By John Godel Introduction You should know that many C/C++ developers have been asking this question: Is C# a new programming language or a new version of C/C++. My answer to both questions is that none of these definitions is true. Well, in this article I'm going to go under the hood and show you that C# is a cocktail of Java, C, C++ and Delphi/C++ Builder from Borland. Let's first take a look what C# programming language really is. What is really C# and not? First of all C# is a programming language. It has a power to develop software. It is a strong language for network and internet programming. C# has redefined the programming landscape. In addition, C# designed with the need of C/C++ and Java programmers. Microsoft created it with Anders Hejlsberg the former Turbo Pascal and Delphi luminary who was the most prominent Borland staff also Jbuilder team worked together with him. This new language has been developed specifically with the NET framework in mind, and as such is designated to be the .NET developer's language of choice. One very important matter about C#, it is the first component oriented programming language. The hot topic at the moment though is not its relation to C/C++ or Visual basic, but how it compares to Java and Delphi. Why Delphi? Because Anders has had a prime role during C# developing. C# inherits some of it's characteristics from C++ and also is an object oriented language. C# has the functionality of Java, Delphi and Visual Basic and it a very strong language. You can not reject Delphi similarity because theoretically Borland was trying to do the same thing with Borland C++ Builder working on Delphi. But C# has the most functionality of Java and C++ and theoretical similarity with Delphi and Visual Basic to use this Java and C++ functionality in a RAD environment. You may remember properties term from both Delphi and Visual Basic. On the other hand, when I read "C# combines the high productivity of Microsoft Visual Basic® with the raw power of C++" I quickly remember Borland's words for introduction to Borland C++ Builder. What does all mean? C# is not a clone of Java. C# has more compatibility, functionality and similarity than Java. Also, C# more similar to C++ as a programming language. C# stay much closer to C++. Similarity and difference with C/C++ C# is directly related to C and C++. This is not just an idea, this is real. As you recall C is a root for C++ and C++ is a superset of C. C and C++ shares several syntax, library and functionality. In addition structures, unions, arrays, strings and pointers are most important and similar functionality for both languages. C# inherits most of its operators, keywords, and statements directly from C++. Enums are clearly a meaningful concept in C++. Finally I can clearly say that C# is the first component-oriented language in the C/C++ family. C# constructors are very similar with C++ constructors. Like C++, methods are non-virtual by default, but can be marked as virtual. There is also some difference between C# and C++, C# supports multiple inheritance of interfaces, but not of classes. Another difference is destructors, their syntax is same with C++ but actually they are very different. Most of the C# basic types have the same names as C++ basic types but they are not really same. For example a char in C# is equivalent to a wchar_t in C++. If you decide to move from C++ to C# there are a few things to watch out to include the changes to new, structs, constructors, and destructors. Creating and using a component (DLL) in C# is fairly easier than in C++. One more thing, Borland's C++ Builder was a pure C++ with simple RAD environment of Delphi and VB. C++ Builder was not a new language. This is one of the biggest differences between C++ Builder and C#. The CLR (Common Language Runtime) improves runtime interactivity between program development simplicity, security and portability. However CLR gives usability for cross-language integration. In addition to all those CLL has+ a perfect foundation for a rich set of class libraries. Conclusion While there are a number of differences between C++ and C#, the syntax of C# is not very different from C++ and the transition to the new language is more easy with RAD environment of .NET. Also NET's cross language interoperability can give you the ability to use C++ and C# together Finally, if you want to use a strong programming language like C++ with the simplicity of VB and Delphi, than you can use C# powered with CLR.

 

 

URL of this page is : http://www.csharphelp.com/archives/archive138.html

Comparison Between C++ and C#

 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cscon/html/vclrfcomparisonbetweenccsharp.asp