3 Years and 3 months

Windows Server 2003 and IIS6 were released in March of 2003. Last week, we released a patch for asp.dll to fix our first vulnerability in over 3 years!

It was kind of a sad day for the team (but one that we knew would come), because after IIS5, we committed as a team to never let IIS be a primary attack vector for the Windows platform. And so far we've been able to keep that commitment. Hopefully it'll be another 3 years before we release another one! :) So it was also a happy day in that 3 years is a really long time (these days) for your product to be really "unbreakable". :)

I had the duty of testing the patch before it was released to make sure the vulnerability was indeed fixed. Ulad did a great job of doing a very thorough analysis of the code and a thorough fix to the issue. Given that we hadn't shipped a release like this in 3 years, we did have a couple of hiccups; you might have seen or experienced this issue:

http://news.com.com/Microsoft+irons+out+security+patch/2100-1002_3-6096179.html?tag=newsmap  

That issue was mostly due to the "detectoid" logic that Windows Update (WU) uses to decide whether a given machine needs the patch; the patch itself was fine (so no work was required on the IIS side), although I spent a long night here last week to help them pinpoint the issue.

Also, we were unable to get the right logic to restart w3svc prior to updating the asp.dll binary, but there is an easy workaround for that. Next time (if there is a next time) we'll be sure to get that logic correct.
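As an added example (not from the original post and not the IIS team's published workaround), here is one way an administrator can do by hand what the update package was supposed to do: stop the W3SVC service so no worker process has asp.dll loaded, install the update, start the service again, and then confirm that the asp.dll on disk was actually replaced. The patch file name, its silent-install switches, and the expected minimum file version are assumptions for illustration; take the real values from the security bulletin for the update you are installing.

```powershell
# Added example, not code from the original post. Assumed values: the patch
# path, the installer switches and the expected asp.dll version below.
param(
    [string]$PatchPath        = 'C:\patches\asp-update.exe',                 # assumed file name
    [string]$AspDllPath       = "$env:SystemRoot\system32\inetsrv\asp.dll",  # default IIS6 location
    [version]$ExpectedMinVer  = '6.0.3790.0'                                  # assumed; use the bulletin's value
)

function Get-AspDllVersion {
    param([string]$Path)
    # Build a System.Version from the numeric parts of the PE version resource.
    # (FileVersion as a string may carry a build tag that does not parse as a version.)
    $vi = (Get-Item -Path $Path).VersionInfo
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

$before     = Get-AspDllVersion -Path $AspDllPath
$svc        = Get-Service -Name W3SVC
$wasRunning = ($svc.Status -eq 'Running')
Write-Host "asp.dll before update: $before"

if ($wasRunning) {
    # Stopping W3SVC ends the w3wp.exe worker processes that keep asp.dll mapped,
    # so the installer can replace the file instead of scheduling it for reboot.
    Stop-Service -Name W3SVC -Force
    (Get-Service -Name W3SVC).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

try {
    # Run the installer and wait for it. Exit code 3010 means "succeeded, reboot required".
    $proc = Start-Process -FilePath $PatchPath -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "Installer exited with code $($proc.ExitCode)"
    }
}
finally {
    # Bring the web service back regardless of how the install went.
    if ($wasRunning) { Start-Service -Name W3SVC }
}

$after = Get-AspDllVersion -Path $AspDllPath
Write-Host "asp.dll after update:  $after"
if ($after -lt $ExpectedMinVer) {
    Write-Warning "asp.dll is still $after, so the file was not replaced; reboot and check again."
}
```

The version check at the end is the part worth keeping even if you install the update some other way: if the service was still holding the old asp.dll when the installer ran, the new file is only staged for the next reboot, and the server keeps serving ASP with the vulnerable binary until then.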

As the MSRC bulletin says, this vulnerability requires the attacker to be able to place ASP content on the machine, so the exposed scenarios are ones like shared hosting where customers can upload their own pages. Once the maliciously formed page is requested, the attacker would be able to run arbitrary code on the server. So it's certainly an important patch to install. There is extremely little risk in installing this patch given the nature of the code change and the testing that we did on this patch.

Anyway, I'm glad to be back blogging, I had some permissions and user account problems blocking me. 
