
Archive for the ‘updates’ Category

Jon DeVaan speaks SP1 and the future of updates

Thursday, August 30th, 2007


In an update to yesterday’s information about the upcoming Service Pack for Vista and the Service Pack for XP, Jon DeVaan, Senior VP of Windows Core Operating System, divulges his thoughts and processes for this update and any future updates.

I have taken some of the more interesting questions out from the PressPass Q&A with Mr. DeVaan and have posted them below. You would think that this Q&A segment would be pretty boring coming from a VP of COSD, but actually he makes some great points about their new update process, which I am very excited about.

“PressPass: How do you know and decide what gets fixed for a service pack?

DeVaan: We are constantly monitoring the quality of users’ experience through Windows Vista’s built-in, automated feedback systems, such as the Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). These are systems that customers anonymously and privately participate in via an explicit opt-in choice. Through the data we get back, we can identify, diagnose and then repair the most detrimental and prevalent problems users encounter.

Our primary focus after launch became addressing ecosystem compatibility issues that the data showed had adversely impacted some users’ Windows Vista experience. For example, when consumers see a “Device Not Found” message or the systems report back that a device failed to install, we can prioritize getting the needed drivers available on Windows Update or up on the hardware vendor’s Web site. As a result, our driver coverage went from 1.4 million in January to more than 2.2 million today. We also work directly with our partners to improve overall driver quality. We are able to see which drivers are causing system crashes or contributing to hangs and other performance problems, and then work across the ecosystem to bring solutions to market via Windows Update.”

PressPass: What about security improvements in Windows Vista SP1?

DeVaan: Windows Vista continues to be the most secure version of Windows ever. For instance, we can know from a recent vulnerability reports comparison that Windows Vista had 50 percent fewer critical vulnerabilities than XP SP2 and far fewer critical vulnerabilities than other competing operating systems in their first respective 180 days after release. We have addressed any known vulnerabilities in the appropriate manner and those changes will be in Windows Vista SP1 as well. At the same time, we are always looking at the proactive work we can do to improve the product before we receive reports of potential vulnerabilities. We have invested significantly in tools, training and techniques to improve the security of our software. We are constantly looking for and learning about new means of improving security, as well as new ways software is being pushed by those wishing to do harm. Using these learnings, we improve our tools, which we then use to analyze and proactively continue to harden Windows Vista.

Windows Vista SP1 will contain a significant number of code changes focused on the ongoing work to continue making Windows Vista the most secure operating system available. We are being proactive — these code changes do not represent vulnerabilities, rather they are coding practices that we continue to hone and improve in the ongoing race against escalating and evolving security threats.

PressPass: It sounds like a lot is changing. Is this a sizeable update for Windows Vista?

DeVaan: It’s true that at first glance it will look like a lot is changing, and it’s true that there are thousands of files being changed to varying degrees in Windows Vista SP1. However, the first measure of “size” most people will encounter will likely be the download of Windows Vista SP1 through Windows Update or Windows Server Update Services (WSUS), which we predict will be about 50 MB. The second measure of size will be the free disk space requirement for installing Windows Vista SP1, which is currently around 7 GB for the beta, although we will be working to bring this down for the final version as we optimize the servicing algorithms used.

IT Professionals not using distribution tools like WSUS will work with the “stand-alone” image of Windows Vista SP1. This image will be considerably larger than the download, at about a gigabyte in the beta, but it’s large with good reasons. This package includes all of the localized language resources for 36 languages, so that companies with worldwide install images have all the files they need in one place. Also, this image utilizes servicing algorithms that update all files of an operating system component, even if only one of the files has changed, which increases the size of the image but allows IT Pros to service their images in any order they chose without worrying about creating inconsistent system states across their organization. Finally, Windows Vista and Windows Server 2008 share the same code base, and we are choosing to unify the servicing between the two in order to simplify the long-term maintenance process and lower support costs for customers. To do this, we’re changing the files necessary to align the servicing components, which contributes to the larger size of the stand-alone image.”

Click here to read the full transcript of this Q&A session.

For me, reading this really made me feel a lot better about this new process, and the reasons why they have waited so long. A lot of it makes sense. Microsoft has taken a lot of flak for releasing updates too late or too early; this Service Pack is no different, but they are improving the process so they can create updates that take care of a whole issue, not just a patch that is temporary.


Polar Ice Caps are melting, blame Microsoft

Monday, August 20th, 2007


Well, they really are not melting the polar ice caps, but I bet Skype could figure out a way to blame them for it though. But the recent he-said-she-said management battle over at Skype makes me think: why can’t companies take the fall for their own shortfalls? Why blame it on everyone’s favorite fall guy? I myself understand the seriousness of this problem with the restarts after updating, but I would think the techs at Skype would understand that usually after an update you have to restart. I mean, how long has MS been pushing out updates? And why do they have automatic updates on? Seriously, was it imminent to restart their boxes without doing some research on how those updates might affect their software and hardware? Skype is a large corporation; I hope that their CIO gets an evil glare every time he walks through the hall from his techs. Don’t they have processes? They should take a chapter out of Dell’s book in management mishaps.

To me it just seems like a complete cop-out to blame Microsoft. It is their fault and their fault alone. I think they just still have no idea what happened. Someone messed up and I don’t think it was MS. I think this move will come back and really bite Skype in their backside after this has all cooled down.

But if anyone wants to blame anything else on MS, feel free to do it. They are that warm cuddly bear that never comes back at anyone. Everyone is always on their case about everything. If you hate them so much, use someone else’s software. Maybe one day MS won’t take these kinds of blame-game insults directed at them. I would say, “Here is your money back, we will take our software back now. Now survive.” Everyone always has something bad to say, but they never have an alternative solution. I honestly think this is a horrible PR move.
I really think this issue will end Skype. They should have taken the high road and confessed it was a problem with their system. But with eBay management running the show now we will never get honesty out of them.

I do have a message for Microsoft though. Stop being that doughy fat kid that everyone picks on. Go pick up some weights, start working out, and start putting these rumors to rest. Come out fighting; release counter statements on what you think might have happened or know to have happened. Instead of bloggers spreading “hearsay”, why don’t you just lay them all to rest with an uppercut? I have only seen Microsoft do this once or twice in the past.


Explained: Recent Microsoft Updates

Wednesday, August 15th, 2007

Microsoft has released a fairly important Internet Explorer update to fix at least three code vulnerabilities in IE.

The cumulative IE update (MS07-045) takes care of a list of nine updates that contain fixes for 14 vulnerabilities.

“The update affects IE 5.0 through IE 7.0 on Windows Vista but, because of defense-in-depth mitigations, the severity rating has been reduced to “important” on the newer versions.”

Microsoft describes 3 issues:

  1. A remote code execution vulnerability exists in the ActiveX control, tblinf32.dll. This control can also be found under the name of vstlbinf.dll. Both of these components were never intended to be supported in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the Web page.
  2. A remote code execution vulnerability exists in the ActiveX object, pdwizard.ocx. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.
  3. A remote code execution vulnerability exists in the way Internet Explorer parses certain strings in CSS. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

In all, there are six critical bulletins in this latest release. These affect XML Core Services (Windows 2000 through Windows Vista); Object Linking and Embedding (OLE) automation (Vista is not affected); Microsoft Excel (Office 2000, Office 2003, Office XP and Office 2004 for Mac); Graphics Rendering Engine (Windows 2000 through Windows Server 2003); and Vector Markup Language (IE 5.0 through IE 7.0 on Windows Vista).

The other three bulletins cover:

MS07-047 — Two code execution holes in the way Windows Media Player parses and decompresses skins. This is rated “important.”

MS07-049 — Patches an elevation of privilege vulnerability in Microsoft Virtual PC and Microsoft Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system. This update carries an “important” rating.

MS07-048 — This applies to at least three serious flaws in Windows Gadgets. This “important” update is specific to Windows Vista and affects the Feed Headlines Gadget, the Weather Gadget and the Contacts Gadget.

These vulnerabilities have been thrown around the past couple of days without fixes; glad they issued these fairly quickly. More info to come…

 
