Microsoft Microsoft Microsoft

Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.

You know what I find funny?

[Uttles]

I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...

Re:You know what I find funny?

[Tassach]

Any information that MS puts out is going to be a battle between engineering and PR -- The programmers probably want bugfixes announced prominantly, whereas the PR drones see this as a Bad Thing because it involves admitting that they screwed up in the first place.

MS's windows update is a step in the right direction, but it sucks compared to Red Hat's up2date program. It's a service that is well worth paying for. Even if you just download the Red Hat ISOs, consider subscribing to RHN - you are supporting future Linux development and are getting a good service at a fair price. [Disclosure: I own RHAT stock]

Re:You know what I find funny?

[EFGearman]

You get what you pay for. RedHat has a financial stake in making sure you get your money's worth. Microsoft does not. You've already paid for thier product. So they put out fixes, updates, etc. at their leisure. Where RedHat will lose update subscribers if there is the 'perception' that people aren't getting value for the money spent. The customer can be getting value, they just have to feel like they are not getting value for RedHat to suffer in this way.

Just my $0.02

EFGearman
---

Re:You know what I find funny?

[Zico]

What is it exactly that you're so baffled by? Just because you've never seen them only shows your ignorance, since they've been sending these out for years now. As far as being in an obscure place, where would you expect to find it? I always use the direct link to the bulletin list (www.microsoft.com/technet/security/current.asp), but if I didn't know how to find it, I think I might try www.microsoft.com/security. And whaddaya know, there's a web page there and the second link on the left is for the Security Bulletin service. How obscure. *ahem*

Re:You know what I find funny?

[ahaning]

"For IT Professionals"?

Ha! According to the bulletin, the people that should be reading this are:

Customers using Microsoft® Internet Explorer

That's quite a few people. And consider the link you have to click on. Most users of IE probably don't consider themselves IT Professionals. Heck, some of them are afraid to remove icons from their desktop because it might break Windows.

You expect these people to:

1) Visit www.microsoft.com. That's the boring site. They want www.msn.com or www.hotmail.com (these would be much better places to put bulletins.)

2) Consider themselves IT Professionals. That means they have to be REALLY smart (yeah, sure).

Basically, it IS hidden, especially for people to don't think to look for these security vulnerabilities. Microsoft may consider posting these bulletins in more prominent places. However, as someone above pointed out, there are probably battles between Marketing and the Developers (developers developers developers developers....) about what to make easily available.

Of course there will be more buges reported in MS

[instinctdesign]

Just as a disclaimer, I'm not one to defend Microsoft is most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purpouses. If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.

That said however, I don't care for MS and the majority of their software that I do use is out of necessity.

Keeping bugs a secret..

[b-side.org]

Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?

How are software bugs, especially critical ones, different from design flaws in a tire?

Re:that last one is NOT a hole in windows.

[avdp]

ahhh... but Microsoft claimed in court that IE could not be removed from Windows so this is indeed a security hole in Windows.

Unless... *gasp* you're calling Microsoft a liar and telling us that IE and Windows are indeed two separable products?

They could learn from Apple...

[CokeBear]

Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".

Pardon my french, but *bullshit*.

Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)

Let's not be the pot calling the kettle black

[JoeBuck]

It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.

Re:Let's not be the pot calling the kettle black

[Velex]

It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

Not at all. The way I see it, there are two things at work here.

1. As pointed out in other posts, Alan Cox is not the one censoring himself, but rather it is the DMCA, which has the enforcement of the entire populace of the United States behind it. That is what it means to make a law, to create a policy with the enforcement of every single individual in the country where the law was made. On the other hand, Microsoft is the one that is censoring itself, without respect for the DMCA, whether or not it applies to the bug as it did to the bugs that Cox refuses to discuss in a forum intended for United States audience.
2. More importantly, the intents of the actions are completely different and somewhat incomparable. When Cox refused to discuss security of the Linux kernel, he had two intentions:
   1. Cover his own ass from possible litigation from the people of the United States, represented by John Ashcroft.
   2. Drive a message to the people of the United States that the DMCA is a bad law, and they should seek its immediate repeal.
   On the other hand, Microsoft, while their intention is also to cover their ass, it's not from litigation and legal hot water, it's from their own bad PR. Microsoft isn't even trying to seek repeal of the DMCA, for obvious reasons. Whereas Cox was making a political statement, Microsoft is just trying to censor bad PR.

Therefore, it is right and consistent that we can hate Microsoft for censorship, and applaud Cox for censorship, because there are deeper levels and motives than simply censorship.

From Ralph Nader's Open Letter

[libre+lover]

From the open letter:

The agreement provides Microsoft with a rich set of strategies to undermine the development of free software, which depends upon the free sharing of technical information with the general public, taking advantage of the collective intelligence of users of software, who share ideas on improvements in the code. If Microsoft can tightly control access to technical information under a court approved plan, or charge fees, and use its monopoly power over the client space to migrate users to proprietary interfaces, it will harm the development of key alternatives, and lead to a less contestable and less competitive platform, with more consumer lock-in, and more consumer harm, as Microsoft continues to hike up its prices for its monopoly products.

To think that a man who ran for President "gets it" with respect to Free Software boggles the mind. As days go by I just keep feeling more and more vindicated for having voted for him.

Re:From Ralph Nader's Open Letter

[frank_adrian314159]

To think that a man who ran for President "gets it" with respect to Free Software boggles the mind.

And to think that most of the Neanderthals on Slashdot still think it the height of humor to castigate him as a loon. I don't want to be a troll, but I find it the penulimate irony that people who can wax rhapsodiacally over RMS bitch about the one nationally recocognized politician that seems to actually "get it" when it comes to Free Software.

The ulitimate irony is, of course, that anyone actually takes these Neanderthals seriously enough to bitch about it :-(.

I made my mistake in the last election by wasting my vote on Gore. Next time, it's Green all the way, baby...

MS Rallying end-user support?

[Xerithane]

From the article:
The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, than it's easy to make the connection that the open-source community is villifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.

They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsofts high standards of quality.

Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsofts best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a companies product to an unapproved bill.

Re:MS Rallying end-user support?

[Xerithane]

<I>As far as qualifying that statement, I thought it was fairly obvious from my response. I asked you to provide a ruleset for parsing valid URL strings. Just some simple perl regular expressions would do. </I>
Uhh, no you didn't.

<I>I read the article. The difference is, I happen to know a tiny bit about programming, and you obviously don't.</I>
Yes, obviously it is so difficult to write a valid URL parser that Apache has a problem with it, and Mozilla, and hell, even Slashdot.
You want a URL parser, pick a language. You said perl here ya go (brackets ommited to appease slashdot's stupid filtering):

sub validateURL
my @ValidInstructions = (
'[^/]\.(htm|html)', ## Allow only top level that end in .htm or .html
);
if ( /(http|ftp):\/\/([A-Za-z0-9:_\.]+)\/(.*)?/ )
my ($req, $domain, $path ) = ($1,$2,$3);
## Lets check for user combinations, denoted by :
if ( my $userinfo = split(/@/,$domain) )
my ($user,$pass) = split(/:/, $user);
for( my $i = 0; $i < $#ValidInstructions; $i++ )
return 0
if ( $path !~ /$ValidInstructions[$i]/ );
else
return 0;
}

I'll leave it as an excercise to figure out where the brackets go
So, all you need to do is add to the valid handler array, and writing reg-ex's for this is not the most efficient method, nor would I recommend it. But, it's also exceptionally easy to verify that the file is there and check the parameters in case of a dynamic page to ensure it's not a malicious intent (go read any howto-secure-a-CGI for more info).

I just spent about 5 minutes writing this out, with cold hands and all my other text. It's not far more complicated than I think it is; I'm just a good programmer. Before accusing people of how hard something is with knowing "a tiny bit about programming" find out that the person you are talking to does network development for a living. Thanks.

I'd like to take the opportunity to try to have you take a deep breath, and realize that you had no idea who I am before you started your assumption that I wasn't a programmer and just some ass-clown. I've written anything from URL validators to email validators, to pthreaded socket connection. You didn't know that though, you just instantly assumed I was talking out my ass saying that this was just such a wonderful easy idea and I just couldn't understand why they couldn't do it. It's called prioritizing of tasks, someone is in charge of this particular affected code. Whether it be in the URL validation or the cookie retrieval code (I'm not sure how IE is structured), this fix is none-the-less simple, and not an amazingly complex feat of engineering talent.

Re:Of course there will be more buges reported in

[gorilla]

Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what can the enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.

Re:Of course there will be more buges reported in

[Kadin2048]

I'm not sure I agree with this. I think that, in general, there are more bugs in Microsoft's software because there are fewer people looking at the code, not because there are more people looking at the end product.

On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.

Re:Of course there will be more buges reported in

[Znork]

In the cases where Linux or unix has a majority market share Microsoft still leads the exploit statistics by far.

Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (dont put everything in every program, dont have unlimited interoperation between everything) bad programming(dont use admin privilidges if not absolutely necessary, also a design issue maybe), bad installation policies (dont install everything or even anything but the basics by default), bad admins and bad will.

The combination of these elements end up in software you dont want to be running because it will stink from a security point of view.

So, no, you wouldnt have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among linux distribution vendors change to install everything insecurely by default, but hopefully that wont happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.

Hard to get a patch in a few days?!

[SquierStrat]

Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.

Re:Of course there will be more buges reported in

[iabervon]

I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.

Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.

So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.

Re:Oh really?

[gmhowell]

Let me play devil's advocate (seriously):

Yes, you can get a patch to kernel 2.foo very quickly. But it can take weeks/months for RH to get a package out. Perhaps M$ can get the code fixed, but not quickly send out a package (and in some ways they do. They send out hotfixes, and only later service packs).

Why? In both instances, the companies have to make sure that by fixing one problem, they don't create several others.

So yes, you can get quick fixes to Samba, the kernel, etc. But it takes time for commercial vendors to roll out the patches.

(And, having said all that, I used to use Progeny, and am switching to Debian. They get out patched packages really damned fast.)

Poetic Justice: My favorite Nader quote

[Adhoc]

Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.

Re:Of course there will be more buges reported in

[Snootch]

Nope. It's not.

The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.

Nobody cares about them. They are irrelevant.


Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.

Great Quote from the WSJ

[Skip+Head]

Here is a little quote from the Wall Street Journal article:

James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues". He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"

Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.

This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.

It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived a such a one-sided settlement.

Re:Of course there will be more buges reported in

[1010011010]

So, there's apparently a huge market for poorly designed, poorly implemented, but "feature-rich" and "easy to use" software.

Okay.

Irresponsible? Conventional wisdom is wrong...

[weave]

OK, someone was irresponsible by releasing details so soon after notifying Microsoft and they say that is irresponsible.

Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...

1. Discovery
2. Notification
3. Disclosure
4. Exploits

The real danger is when someday someone will discover one of these huge gapping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.

We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....

I'm a MS supporter, but this is ridiculous

[Quadell]

Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.

From Microsoft's article:

We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.

If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.

I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:

By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.

But the movie house is on fire. The bug exists - your private information is vulverable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.

It's natural for a powerful organizion to want to surpress speech that points out its flaws. It's natural - but it should never be tolerable.

Nader?

[DrCode]

While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.

Re:I can't read the details of the security flaw

[hackman]

After making their reccomended changes I can't use
Windows Update either. Very interesting, how ironic that MS stuff is these days.

Re:Slashdot editor bias

[kindbud]

What should be done about it is to inform everyone as soon as problems are discovered.

That is a period at the end of that sentence, it means there is nothing further to add. What we're doing now is what should be done.

Re:Why it takes MS so long....

[Chris+Johnson]

Um- one of the links this very article includes addresses Microsoft's plan for stamping out error disclosure. The Register has also reported on this recently. The other half of Microsoft's plan is to rely on silently updating Windows computers with security patches. Microsoft also bundles unrelated stuff with security patches, megabytes worth of it.

So the problems that Microsoft patches cause are not solely due to 'oh, Microsoft software is so much more sophisticated and advanced!' but due to bad planning and inappropriate bundling combined with lack of disclosure of what's being altered. And it is going to get MUCH worse, not better. To cap it off, if they are able to suppress disclosure of bugs and security holes, they don't need to regression test anywhere near as hard as you seem to think they are doing- because all that will happen is that Windows boxes will mysteriously die and there won't be any publically disclosed link to connect that with Microsoft updates.

Hell, if they can truly cut off all disclosure, they can just STOP any work on security patches entirely. Who'd know?