Computer geek, and self-appointed know-it-all, Westley Annis answers all those hard 
questions about anything related to computers and technology, as well as business and 
political questions.

Microsoft Out-of-Band Security Update

Question asked on December 16, 2008 4:33 PM :: :: Comments (0) :: TrackBacks (0)

A Microsoft out-of-band security update is one released outside of the once monthly schedule that Microsoft adheres to for security patches.

Almost all computer software is going to have some kind of security flaws, especially something as complicated as Internet Explorer. Being as popular as it is in terms of installed base, hackers tend to focus their efforts on finding flaws to exploit.

When Microsoft released Windows 98, they also included a "Windows Update" system that made it easy for users to update their systems which was great for home users but turned out to be not so great for corporate users. Some of those early updates tended to "break" other software and forced corporate IT support personnel to try and "unbreak" the latest update.

Since Microsoft was releasing the updates as they developed them, IT departments had no way to prepare for an update or to keep track of what updates Microsoft had released.

To reduce the cost of maintaining updated systems, Microsoft switched to releasing updates once a month on the second Tuesday of the month, also known as Patch Tuesday, with a bulletin released three days before the patches announcing what products the updates would cover.

Although hackers are constantly trying to find some flaw in Microsoft products to take advantage of, many security researchers are doing the same thing. To protect the public, when one of the researchers discovers a flaw, they will alert Microsoft and allow Microsoft time to develop a patch before announcing their findings to the public. It's when a hacker finds the flaw before one of the researchers and uses it to attack the general public that it becomes what's known as a "zero-day flaw" i.e., a flaw that Microsoft has not had a chance to work on before it becomes public knowledge.

Most often, it is these zero-day flaws that Microsoft will release an out-of-band update for, especially if it is considered a critical threat.

Bonus question: How does Microsoft classify a threat?

Microsoft will give a threat one of four ratings.



A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.


A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.


Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.


A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.



0 TrackBacks

Listed below are links to blogs that reference this entry: Microsoft Out-of-Band Security Update.

TrackBack URL for this entry:

Leave a comment

Ask Westley your question on technology, business, or politics!
Add to My Yahoo!
Subscribe in 
NewsGator Online

All Categories
Powered by
Movable Type 4.1
© 2005-2009 by Westley Annis. All Rights Reserved.

Valid XHTML 1.0!