MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
"The Earth is flat."
:-)
"The Sky is green."
"Earth is the center of the universe."
Other ridiculous statements that have also been proven false.
So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches?
Sakes alive, the Microsoft spin machine has been well oiled this morning!
ChaoticChaos
"If Windows wasn't vulnerable until the patch was released, why was the patch released in the first place???"
Doesn't the BBC have any better stock photos to place in this article? I mean come on, a picture of an old clock and a close-up zoom of the shift and return keys (with the caption "Exploits get written once patches appear").
Beware the evil shift and return keys! They should be removed from the keyboard as they clearly are used to write exploits.
Sounds pretty close to an admission of deliberately leaving old OSes insecure to force upgrades to me. What really gets me though is the insinuation that those who don't hand over more money to the beast of Redmond for shiny new software are somehow responsible for security exploits.
Certainly there are industry people that consider NT 4 the only MS OS at all securable, and only then because it has been around long enough to pretty much have its holes ironed out. Is this just a prelude to their future excuse to force a rental model on the public?
Has Microsoft become so jaded that they have turned to the dark art of trolling? Do they get some sort of perverse pleasure by fishing strong feelings out of educated people who know better just so their board of directors can laugh at the zeal of the rebuttals, knowing full well they were full of shit?
head of security? The article is pure genius by trolling standards. And having just read about Microsoft wanting to pollute java, maybe their new business strategy is to troll all aspects of the computer world... just to pollute it?
Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So the statement, if confused, might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather they are doing what they do for a likely monetary payoff.
The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.
Visit Jonesblog and say hello.
At best, the notion that patches are the source of all exploits is a logical fallacy. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.
I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.
If crackers never find exploits except for by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler.
Also liked this quote, from the end of the article:
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Hmmm.
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.
"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."
I guess that explains why Windows doesn't include a "diff" function...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
In related news, the Mayo Clinic has announced that if we eliminated cancer treatments, we would eliminate cancer.
I watched C-beams glitter in the dark near the Tannhauser gate.
So, instead of poor programming it's incompetent management?
Sticks and Stones may break my bones, but copyright will always protect me.
If a politician said something like this it would get torn apart by the media. If a scientist said something he would lose his credibility and there would be articles written to counter this in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.
Evolution or ID?
I love how people with vested interests are called 'experts'
thhhhhhhhhtttt *choke* *gag* "ahhhhhhh" So as I was saying, hackers haven't found any of these flaws and exploited them before they were patched. Man, this is some strong crack, I almost believe what I said, myself"
And how do these fine experts actually know there aren't, at this moment, flaws being exploited left and right? Ah, they're experts, of course!
A feeling of having made the same mistake before: Deja Foobar
Microsoft to stop patching systems altogether to improve security. Also announces that War is Peace, Freedom is slavery etc etc etc
... we seem to have skipped directly to April 1st...
This ranks right up there w/ the Information Minister... Looks like the corporate world is just as bad about propaganda as the gov'ts of the world.
This guy is way out there
that with geniuses like this working for them, Microsoft has the most secure OS in the world.
MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...
This is a fabulous marketing manoeuvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.
There *must* however be laws against making statements *that* outrageous...
Simon.
Physicists get Hadrons!
... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
-m
#
# Modus Ponens
#
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Should I start laughing now or later? David Aucsmith seems to be missing a clue.
Previous Quote: 'could only think of one instance when a vulnerability was exploited before a patch was available' Revised Quote: 'I cannot think of even one instance when a vulnerability was exploited before Windows was available'
Who could ever possibly believe such a statement. I am not necessarily anti-MS (maybe a little) but this is just so over the top that it can only be targeted at people without any clue whatsoever. This is not even a good spin on the topic. Remind me never to believe anything MS puts out in a press release.
Stay tuned for new sig...
I'm sure that security researchers at companies like eEye are providing Microsoft with proof-of-concept exploit code when submitting vulnerabilities.
It's pretty obvious from that fact that exploit code does exist before a patch is released almost 100% of the time; it's just not released to the public until after the patch is available most of the time.
Direct quote from the end of the article
---------
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked; since we do not know that they're unlocked there is no danger.
Reply to this post with your street address and your usual work hours, thanks!
Since when did Microsoft hire the Iraqi Information Minister?
I must admit that they are partly right on this statement. As long as they don't publish a patch, most of the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.
As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.
So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.
Just my opinion.
You may mock, but I doubt any exploit has been written without using the Shift & Return keys.
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
... falling ...
wow, credibility meter falling
"We never HAD a problem, until we NOTICED it!"
B-)
A friend will come and bail you out of jail, a true friend will be sitting next to you saying, "damn that was fun!"
"Bullshit" doesn't begin to do justice of the level of falsehood present here. We're talking about taking the very essence of falsity, distilling it over the flames of ignorance, condensing it within intestinal walls of monumentally bovine intellectual apathy and sponsoring a college kegger with the elixir-excremento obtained therefrom.
If I were going to write an exploit, I'd write the exploit AFTER Microsoft had patched my OS so I didn't zombie my own computer up!!!!
With all the script-kiddies out there, would they know how to patch microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
Of course for the others, they probably realise that many people are forced to use Windows, and their only protection is Windows with a decent firewall and up to date Windows Updates.
Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
So Symantec has a full list of all vulnerabilities and is keeping that a secret. Then why does it take 3 days to get an Outlook patch to fix the latest vulnerability?
I concur! :) Upgrade today!
My dog ate my sig
I think he might be wrong.
I wonder if he's moonlighting for tobacco companies on the side as well.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
"Almost all attacks against our software are against the legacy systems," he said.
So is that what they're calling WindowsXP now?
When I read this story earlier, I figured that what they really meant was, "most of our vulnerabilities don't get announced until we have a patch, and people don't start to exploit them until they're announced".
Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.
Registering accounts later than some other chrisb since 1997
Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!
This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?
Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.
-Charles
P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?
Learning HOW to think is more important than learning WHAT to think.
I seem to remember a buggy piece of crap software called Windows ME, that had a couple of bugs in it, and it was "new" software. Is Microsoft telling me that if I upgrade to Winblows XT that I won't have any problems? HAH, the only stable Microsoft OS out there was MS-DOS. Oh yea, I need a print out of Microsoft's EULA or my Bunghole
"The infidels packets are slaughtering themselves at the ports to our OS"
"There are no exploits against windows, they are all lies from the so called Open Source community"
"We removed the Windows Update site to better serve our loyal followers."
-- Slashdot, making the Left look conservative since 1997.
The Micro$oft Information Minister must have been smoking crack^^^^H, I mean talking with Darl if he's spouting this kind of crap.
> > >We don't need no steeekin'.....oh wait, my wife says we do.
Or how about until their source itself is known publicly. To my knowledge several bugs were found by merely looking at the source, and if the patches show the vulnerabilities of MS, then the source obviously shows the root of every problem.
I do enjoy how they state something that can never be proven correct on top of the fact that there are already a few known exploits to the source stolen a while back
The original generic sig.
Then, when MS does release the patch, the people who found the flaw throw up the details on their website for all the "hackers" to get their hands on.
hence the exploits coming after the patch is released
If only Microsoft would get struck down at the next Zebra crossing
He went on to prove that black was white and was run over at the next zebra crossing..
-Hmm...I got a G+ invite, better remember to remove the request from my sig...-
Since when did McBride get a job at Microsoft..
pretty much nothing to call into question what he said. granted, I didn't rtfa, but I would like to hear from some slashdot users of a windows vulnerability that was exploited on a large scale before a patch was released.
There's a lot of hand wringing and self righteous indignation over the statement, but has anyone bothered actually to counter it?
The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.
There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.
The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.
That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.
And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosophy behind your OS choice.
I don't need no instructions to know how to rock!!!!
I can't help wondering if they're anticipating a sales problem. If a CEO sees an upgrade request and "knows" that upgrading helps security issues, they're sure to say yes. Unless, of course the CEO thinks that the upgrade is really just another type of patch or realizes that they will get forced into a costly upgrade spiral. But, I wouldn't want to give anyone any ideas.
sure this wasn't ripped from bbspot.com?
32 bit extensions to a 16 bit OS, built for an 8 Bit CPU by a two bit company.
Defining the Microsoft Legacy.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
...I never did this.
Ever.
No, really... I didn't.
Mr Aucsmith went on to prove that 1=2, that black is white, and promptly got himself killed on the next zebra crossing...
If you put yourself in the company's position, as chairman of the company, would you be releasing the source code to what you know makes the most money and is used widely throughout the world? Face it, that's a fact. Yes, we all would like to see Linux used, but it isn't. They did use underhanded ways to get to the top, but think about it.
This is bullshit! Total bullshit!
"Windows is never vulnerable until a patch appears" if this is the case then maybe MS should stop releasing patches.
since so much source code was leaked out. I bet they can no longer make the claim that exploits are not released until after the patch.
Welcome to a whole new ballgame, Microsoft.
Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.
Clearly worms are a security threat. But there are many other security threats.
Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.
Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?
Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.
If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly and no app ever fails or hangs on me, when I no longer hear or see a BSOD, when hell freezes over -- then Windows will be truly secure.
IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
The first sentence is so ironic: It should read:
Microsoft is lazy and waits a long time after hackers discover ways to exploit loopholes in Windows before issuing patches.
There's still one major difference - M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right. Further, with Microsoft, you not only upgrade your software, but most likely, your EULA as well (and no telling what kind of nastiness). With Linux, you have no such worries.
Note that this is from their "security chief" and that he probably actually believes this. Amazing. You might think that if they were serious about security, they'd have a security chief who... oh, nevermind.
That's like saying you didn't start having hemorrhoids until AFTER someone brought home Preparation H.
*shakes head*
e.
"We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. "
I've had my Windows XP system compromised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.
I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there either. Took a bit of work but it was eventually killed and I removed the programs from the system.
Microsoft has no explanation for this other than "practice safe browsing". Great. So how is that accomplished using IE?
BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh I'm sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...
And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
Please correct me if I got my facts wrong.
Nuff said?
Darl McBride by day, Mr. Aucsmith by night!
Perhaps David Aucsmith would care to explain this then? Though eEye (purposely) doesn't describe the vulnerabilities that they list there, it's been indicated (on mailing lists like Full-Disclosure) that several of them are being actively exploited.
Do you have a
What he's saying is that the vulnerability is discovered within Microsoft and no one knows about it until the patch is released, thus creating the security risk. But don't blame yourselves... they write code in just as confusing a fashion.
Hey Microsoft!
I certainly sympathize with you guys---I know the feeling. I never had to worry about termites before I moved into a house, because termites didn't exist on Earth before January 2004.
It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?
I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).
What other counterexamples do we have to show precisely how wrong Microsoft's statements are?
I see a lot of people calling "shenanigans" on this one... but no counterexamples. Surely somebody can dig deep into the Slashdot archives and bring up some Windows exploits that preceded the patch, right?
I feel an automatic vulnerability finder coming on....
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
/.-hate-Microsoft nonsense.
Makes sense to me. Hackers and crackers are losers by definition, so it seems a reasonable explanation that they don't have the smarts to find the holes themselves.
They're scavengers; a slightly higher form of script kiddie, who looks for knowledge won by other people and then exploits it.
By the way, no one suggested that companies should stop looking for vulnerabilities that need patching. That spin is just the standard
Chernobyl is in Ukraine...
Which is funny, because I'm sure I once saw a list of security holes dating from Win98 to XP (including NT and 2000 also) that have *yet* to be patched.
I tried to google the list, but it appears to be missing now....
Dammit. There were also applications included too, like the infamous IIS and Exchange stuff.
do() || do_not();
A few weeks ago, we were treated to the BBC claiming that the Linux community was behind MyDoom, even after it had become clear to everyone else in the world that it was written by spammers. This article isn't any better/worse - it's another thinly-disguised and apparently unresearched document, with no supporting statistics. Is there a reason to read this trash anymore, or should we switch to something more reliable, like the tabloids?
Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
I know this isn't exactly realistic, but then maybe MS should be striving to make things right the first time instead of releasing an OS where you can buffer overflow virtually every feature.
Microsoft admits that they are the cause of all those security holes! By recklessly releasing these patches, they are creating exploits!
I think I'll sue now that I have proof!
"It's a myth that hackers find the holes," said Nigel Beighton If they don't issue a patch, that must mean those script kiddies are finding a new 'feature'.
Heck is a place for people that don't believe in gosh.
Wait... April comes after March... this is way too early for an April fools joke.
If I was a windows user, I'd seriously consider suing M$ for false advertising.
Tm
Support TBI Research: http://www.raisinhope.org
Actually, the articles you cite go to his point. "new security flaw in Microsoft's Internet Explorer which could let hackers..."
"A security hole in Microsoft Corp.'s Internet Explorer could prove devastating."
"7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet."
He's not saying that there aren't flaws in IE; he's saying that the flaws are discovered by researchers and patches released before exploits are done. At which point he's blaming you for failing to upgrade.
The skepticism of most articles in this thread appears to be well justified with respect to Outlook, though these days the "bugs" are more human interface issues where people are a crucial element of the infection loop: you can't be infected without pushing a button.
I do not have the complete history of IE bugs at my disposal, but I'm pretty sure at least one IE bug has been exploited before a patch was released. However, the articles you cite don't demonstrate that.
I'm not trying to justify MS's security approach. Blaming the user who fails to upgrade is tacky and bad. Even blaming the user who clicks on a virus-ridden attachment is putting the blame in the wrong place, and I'd like to see MS do something about that. So overall this article is rather a non-starter, but it's not actually a lie, at least not that I've seen so far.
I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)
Good news fellow criminals, it's still there. I checked on WinNT and Win2k and it's located in the System32 folder. It's listed as the DOS 5 File Compare Utility. I did a fc /? from the command window and it responded.
Here, I've been using Windiff all this time... Dang
MY GOD you have a way with words. :)
. I love the sound of burning women and screaming rubber....
Remember teardrop and WinNuke. I remember two days a few years ago when Microsoft's whole network was down. They finally had to use Cisco routers that rejected everything except port 80 to get their website back up. It took them weeks to come up with a good patch that would stop it. It only took a few hours to get a teardrop fix for Linux.
I think what he is saying is that most exploits are done using known vulnerabilities for which a patch has been released.
The action of releasing a patch is usually the same as announcing the vulnerability. If the vulnerability exists, and there is no patch for it, it can go unnoticed, and hence unexploited.
Once a patch exists, the vulnerability can be exploited on systems that aren't patched. Since historically patching has been lax, announcing a patch and the vulnerability it prevents can be dangerous.
XeoMage
So we can interpret this in other ways: there are so many "holes" that need to be "patched" that hackers have given up doing the hard work by themselves and let Microsoft show them "the way" ... I wonder why they release buggy code from the start itself!!! If you have less/no patches MS won't have to make these stupid remarks at all!!!
That vulnerability is purely theoretical....
Success is the ability to go from failure to failure without losing your enthusiasm.........
Their point is that when they patch they announce they HAD a problem and the hackers can see what the patch fixed and try to exploit UNpatched machines... it's security through obscurity: if I don't release a patch... hopefully the hackers won't notice the hole.
:)
But now that the patch is out, you can expect hackers to know about the vulnerability and attack you if you don't have the patch.
They are dumb, don't try to play dumber.
Why? Can't I get a patch for my current version? Imagine that, a security fix that doesn't need you to upgrade, possibly breaking a fine-tuned system(*).
(*) This is no figment of my imagination. At work we have a kickass app that runs on specific versions of perl, apache, mod_perl, etc. Trying to run it with the new apache and mod_perl leads to random hangs and shared memory leaks. If apache had the MS approach to security, a bug in their software would have made my app either unstable or insecure.
What he actually said was:
"We have never had vulnerabilities exploited before Apache was available."
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
It's just a matter of time before statements like this make vulnerability researchers go back to releasing exploits _immediately_ to hurry things up instead of politely reporting vulnerabilities and waiting until a patch is issued before publishing their findings.
The way I read this was "No exploits happen until we release a patch" meaning that the patch that was released to fix the exploit sucked, or even better opened up new holes to be exploited...... the article almost makes sense that way.
Due to user error, the words "to NetBSD" were omitted from the end of the article.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Which came first, the exploit or the hole?
SmashTech - No smashing of tech involved
here. I rest my case.
I've read a lot of these comments here and I do think the claims are a little far reaching...but, HAS there ever been a worm that has exploited a previously unknown flaw in the operating system?
Sig it.
With material this good the guy ought to be doing two shows per night in Vegas.
I just flew in from the coast and boy are my arms tired!
That sounds about right, but many of the patches get released in secret or something shows up in the KB that alerts people to create viruses. But I don't think there have been many exploits that Microsoft hasn't brought on themselves by releasing some document that states a workaround or a problem.
So I sort of agree with the statement from Microsoft.
QUOTE: "We have never had vulnerabilities exploited before the patch was known," a few paragraphs later... QUOTE: "Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available" Either Aucsmith is a complete buffoon or the BBC fudged up. I'm leaning towards the former.
Obviously this post points out a very big flaw in the way MS approaches its business practices, but honestly who in the /. audience doesn't already know that. I'm so sick of these 'MS-Sucks' flame bait posts. There are so many other things happening in the world of techdom, why do we have to dedicate 4-5 posts a day to proclaiming our dislike for the way MS behaves. To those who make these posts, please move onto a different topic. The community as a whole will be more informative and more respected if the topics were not constantly recycled. Let me guess, in the next 3 hours we'll see some post about how SCO is a terrible company too!!! Ooh, lots to learn there too.
HAH!
No other comment, that's it. I just read the article and all I could do was scream "HAH!" at the top of my lungs
My lack of God, it's Trotsky!
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
Alright, who gave Microsoft the SCO koolaid?
Brielle
I thought Moore's law was a marketing strategy...
And that is that criminals, and demi-criminal crackers are lazy. Most of them anyway. I take this as axiomatic.
So yeah, patching probably does stir things up. But this guy has to be smoking something.
Why do I have this? I don't smoke.
Up yours.
Sigs are bad for your health.
How did MS discover that they needed a patch? 1) Somebody hacked it. or 2) They pored over the source code and found a flaw. I suspect at least half of them were found by method 1.
which came first, full public exploitation or patches?
I can see the point that the exploits are not "fully taken advantage of" until a patch is released, since then it's 100% publicly known.
It statistically might be that viruses etc. are written for these vulnerabilities more so after the patch has been made available than beforehand.
In related stories, it has been revealed that firemen cause fires, policemen cause crime, and the good folks at Symantec have written all the viruses.
Film at 11:00 (just after the anchorman tells us about all of the muggings he committed).
Don't blame Durga. I voted for Centauri.
--30--
Oh, the head of Microsoft's security business and technology unit...
If this should not send a shockwave to Microsoft stockholders, then what?
Wallstreet, hello...
Translation: What we gave you the first time sucked, so give us more money and we'll give you something that sucks a little less.
This guy is a fruitcake.
What the heck is he trying to do? Convince everyone that Microsoft has no clue about security at the highest level?
Keep talking dude, you're doing a fine job.
As for real security experts, they routinely find vulnerabilities in Windows before sending a description to MS which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
in real life who could be described as black hat. He showed me exploit code for the ASN1 exploit (this was remote shell code) about a week before the Microsoft patch was released. He said it was big news in his community.
From what I could see, it was very tight C code which compiled and worked on the winxp test machine (his own), so I guess it was authentic.
Gamers Europe - Gaming News. Reviews.
The same company that has an exploit written for an OS that is yet to be released ??
Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.
I think they pick random bums off the street and ask them their opinion and say that "experts claim that". Maybe "expert" is a very old word for "bum".
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Hah! I know Microsoft is evil and all, so you have to twist anything Microsoft related in the worst possible way, but still I think most of you read way more into this than was there. It clearly looks like the quotes are taken completely out of context, and you guys are all implying meaning that is clearly not intended.
All they are trying to say is that patching your machine is a good idea because many exploits are created from reverse engineering. I don't think there's anything revolutionary about that statement, and I think it's a pretty accurate one.
So let's really hash this out.
Just for kicks, let's make a list of examples in the last three years where a virus/exploit happened on any kind of wide scale before the patch was available. If we really disagree with his comments, let's make an intelligent attempt at rebuttal.
I'll take first shot: the first major incident that comes to mind for me is the COM+ bug of this last summer.
The article states "We have never had vulnerabilities exploited before the patch was known"
However, in the cases I cited, people were absolutely exploiting those bugs in the wild before Microsoft released a patch for them. While the articles I linked don't explicitly state "this is already being exploited", the fact of the matter is that exploits did happen before Microsoft finally put out a patch. A friend of mine was hit with the domain-spoofing bug while surfing pr0n, seriously.
I find it kind of weird that Symantec is backing Microsoft up on this goofy propaganda. You'd think, since they are in the business of protecting peoples' computers, they wouldn't make such a ridiculously stupid statement.
to Linux or *BSD or OSX or OS/390
:)
Seriously, to me it sounds more and more like they knowingly shipped a defective product (remember, it wasn't until class action suits that the car industry started to clean up their act). Then they are using fear of security issues to force upgrades. It almost sounds like racketeering to me.
"Ya got a nice server there, it would be a shame if something happened to it... for just $bignum dollars we can protect you..."
Hey! That sort of sounds like the AV "industry" as well...
putting the 'B' in LGBTQ+
I can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.
Maybe MS is mixing things up? If you count worms and viruses as exploits in the same category as real breakins then by far those and script kiddies who use ready made exploits account for most breakins.
Any sane cracker won't report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous breakins are of course corporate espionage and I think the ones doing those have a field day on Windows right now. They don't use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target are unpatched.
HTTP/1.1 400
(Re: Eliminating cancer treatments will eliminate cancer) Well, that is technically true. I mean, they WILL die. ... and no new cases would appear?
Like woodworking? Build your own picture frames.
dude, give the guy a break.
when Steve ballmer hired him he was able to get him for a set of office chairs and a snow globe...
Besides, the mentally retarded need jobs..
This certainly falls under the category of humour. It is the funniest thing I've read on /. in a while.
Lasers Controlled Games!
If a vulnerability is never exploited before a patch is released, then this is equivalent to saying releasing a patch implies a vulnerability may be exploited. Thus the contrapositive of this statement is never releasing a patch implies a vulnerability will not be exploited.
Since a statement and its contrapositive have the same truth value (if one is true then so is the other) and if M$ assumes the initial statement is true then they must accept the contrapositive is true.
This being the case it seems the logical consequence for M$ in their desire to increase security is to never release another patch.
But this would require M$ to actually operate under a logical framework and we know that his statement is false.
"Where do you want to go yesterday?" Thanks, that made me spit coffee on my screen... but it needed cleaning anyway.
Could this mean that Microsoft as a business exists moving backward in time? This explains Microsoft's quick profits and good business decisions back in the 80's, and now in the 2000's a younger and less experienced Microsoft is making more mistakes and having a little more competition to deal with.
I don't know about you but I confused myself.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
MSBlast?
Or is it the other way around ?
:
... to Debian 8)
say [pun]"Only Microsoft exploits exploits"[/pun]...
from the article
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Here you are. They said it, officially.
I seem to remember that my debian stable is composed of 1-2 years old software, and, regularly patched, will stay secure without even having to reboot...
PEOPLE !!! "If you want more secure software, upgrade."
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Well, it's perfectly obvious that Redmond is not experiencing the security problems that the rest of the world is because they were isolated from the changes in the timeline. In layman's terms they'd be in a 'parallel universe' most likely caused by a temporal wake. Obviously, the article got to us because of the excess Tachyon emissions. Don't read the article, fellow Slashdotters, it could create Causality paradoxes which would destroy the innocent Redmond from which this message came!
Something intelligent here.
From the article:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.
None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".
Is this sig nificant?
Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because of the "will be no exploit till we release this patch" policy.
I'm not sure if that is the best example, but at least it is one that is enough to show how much bullshit they used to tell in public.
- download source, fix bugs, recompile
;)
i keed, i keed...-fren
"Where are we going, and why am I in this handbasket?"
"If you want more secure software, upgrade."
How far do you think Ford would get if they said something along the lines of:
"If you don't want your Pinto to explode, upgrade."
Hey MS, fix your crap.
So can I sue Microsoft for providing hackers the information they need to hack my machine. Sounds like they're aiding and abetting according to that logic.
Mohammed Saeed al-Sahhaf? Is that you?
"The infidels packets are slaughtering themselves at the ports to our OS"
ROTFPMP -Rolling on the floor pissing my pants!
Goddamn, that was the funniest shit I ever read. And I read some funny shit. Thanks.
The power of Christ compiles you!
I keep on thinking of this ST:TNG episode where Picard gets shuffled around between the past, present and future. By doing some blather (IIRC, some inverse tachyon pulse into an anomaly) they create a temporal rift...
So here's this MS marketroid saying, "Windows is secure until we release a patch." It's like saying, "We've created an anomaly in the past by releasing this patch today." Uh huh.
Anyhoo, knowing that MS is known for taking a kernel of truth.. well, say sliver or iota of truth, and then twisting it into their needs I had to look further... So I went to eEye and cert and poked around. Soon, I realized that the MS statement was closer to the "All dogs are cats" argument from phi101. The iota of truth in this case means that others find the exploits and, being good net citizens, they inform MS a few days or months in advance. MS then releases a patch. At this time the exploit is released to the wild and people start creating code around the exploit. In other words, MS has thus far relied upon the benevolence of the Internet to do no harm before MS is patched.
It's like the whiny kid on the playground who's mean and nasty and pathetic. The big kids tell the little kids not to pick on him because that would be so *low*.
Little Kid: Hey, that guy Billy just peed in his pants.
Big Kid: Hey, don't shout it. Give the kid a chance.
Little Kid (to Billy): You peed your pants.
Billy: My pants were not peed. I have on new diapers. The pants only became peed when I changed my diapers. Nyah nyah nyah.
I haven't RTFA (and I won't) but the post here is not saying that the exploits are caused by the patches but that patches expose the vulnerabilities.
This means that the people who discover vulnerabilities inform M$ of them instead of exploiting them. Very nice of them, but I find that hard to believe. Are there examples of exploits that came out before their respective patches did?
How does it happen in the OSS world? I know that vulnerabilities are discovered (and published) and patches are released very soon after that. Are there exploits that happen within that short time? The reason for this is that the vulnerabilities are also open. In case of M$, they are not.
Wouldn't it be nice if someone here were to engage in a groklaw like effort of documenting the cases in which an exploit occurred before the patch. That would be the mature approach. Who knows, maybe he's right.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Second: They are admitting that any machine which is not patched current has vulnerabilities; including machines with fresh installs, and the ones sitting on store shelves/warehouses waiting to be sold. Since these machines are already admitted vulnerable, and since patches are now being released monthly (or more frequently) we can conclude Microsoft Operating systems have a maximum warrantable period of 30 days, and recalls should be done for all previously delivered software, since the manufacturer is admitting the fault at this point.
The thing about things we don't know is we often don't know we don't know them.
How about testing these claims by gathering data on exploits that were written before - and using a hypothesis test, with a correlation analysis to check if there is any ASSOCIATION.
Then again - correlation does not imply causation.
tim
"A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
I thought Linux is owned by SCO. And you have to pay for these upgrades. You mean that I have been ripped off! Man now I am really disappointed.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I had NO idea that Darl McBride was MS's security chief!
Kernels as far back as 2.0.x still receive security updates. As new kernel series are developed, the old ones are handed to maintainers who become responsible for the security of the product.
If a politician said something like this it would get torn apart by the media.
...have you listened to any politicians lately? The complete and utter bullshit they come up with and get away with would make your head implode. Your brain cells would collectively either commit harakiri or escape through any orifice possible, leaving nothing but a big vacuum. In fact, I suspect that's the fate of most politicians - listening to other politicians.
Kjella
Live today, because you never know what tomorrow brings
That's funny, just the other day my dog was trying to convince me that flies cause dog shit.
-Peter
I'm guessing that one instance of exploitation would be the initial windows purchase. That's when you bend over and Billy comes over to plant his worm in your "security hole."
"Our products just aren't engineered for security."
- Brian Valentine: Microsoft senior vice president in charge of Windows development team
Actually, yes thats our plan. But who will believe you... Mu ha ah haha! Bill Gates
Though I hate to say it, this statement is partially true. No, we wouldn't completely eliminate cancer by stopping treatment, but by sustaining bloodlines wherein cancer is common - we are increasing the rate at which it can spread.
The same thing applies to many gene-related defects/diseases though. Nowadays we have the technology to allow people with said condition to live and produce offspring which may inherit it. In latter days, they would die and thus not pass on the possibly defective genetic material.
Not arguing that it's a good thing that people can live... but until an actual cure is found or perhaps gene-therapy for such things (which is scary in itself) we are actually making ourselves as a race more susceptible to such things by creating survivors.
for the position of Iraqi Info Minister?
It is NOT only the MS exec who is saying this. In the same article Symantec confirms this:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability"
As usual everyone is going off half-cocked.
Is it possible that articles like this are a setup to set the stage for taking action, not against hackers, but web sites and publishing companies that divulge information on system vulnerabilities?
This is the one argument that seems to make sense out of Microsoft's goofy statements. If they establish the impression that publishing vulnerabilities is the key factor in creating problems, they can go after their critics as the cause, instead of tracking down the actual hackers.
It could be true!
After all, I've never had a cavity until I went to the dentist!
Fnord.
"It ignores the fact that there is a community of hackers out there actively looking for the holes."
The point being made in the article is that the "community of hackers" has never actually found an exploit until MS told them where it was by issuing a patch for it. At which point, all the hackers are then doing is taking advantage of people's laziness.
I wasn't up to date when the SoBig virus hit. But the patch was available a month before it came out which further proves the point of the article. However, no computers on the home network were touched because I run a $40 hardware NAT that's properly configured. The College of Education was the least affected college at ASU because the people who do the tech support make sure all the virus scan and windows updates happen automatically. The faculty affected were the ones that went out of their way to stop windows from updating.
Keep up with the free patches and you're fine because all (most of) the hackers working on Windows are just a bunch of no talent script kiddies. SoBig didn't happen because of some genius. It happened because MS told them what the exploit was and a month later they finally got it to work and the real problem was lazy Windows users.
It's very rare that a Windows virus doesn't require user assistance.
Ben
Work Safe Porn
See also here and here.
-Trick
Woah....If there are no vulnerabilities until a patch is administered then I guess there was no reason for administering a security patch in the first place.....good sound Microsoft logic.
Um.... Windows 98 isn't 9. anything.
If anything, it's 'Win4.1'. Take a really close look at the installer the next time it runs. [I know I saw 'win4.0' flash by when I installed Windows 95 for the first time.]
In the same way, Win2000 is 'NT5.0'. I'm not sure if XP is the fabled 'NT6' or just considered to be 'NT5.1' as I've never used it.
Build it, and they will come^Hplain.
By this time next week we'll be ass-deep in MyDoom.g and PrePatchOfDeath.a .b and .c
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Few quick observations...
1.) Microsoft end of lifed windows98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old win98 on it (i know slashdotters can always come up with whatever reasons for anything, but in the general public).
Yes the Linux kernel, even back to 2.2, is still being updated. And yes, linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
2.) The article claims windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with outlook, internet explorer, office, IIS, exchange, etc. Technically, these are not windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaming that on the kernel dev team.
Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of microsoft.
3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, I'm not following. They have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but I suppose security through obscurity is still security.
How many times have we seen a story on slashdot that exclaims how microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.
The average linux user is smarter than the average windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (I mean, in windows XP, the windows update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).
I'm not trying to defend microsoft here, all I'm saying is that, before you bash them, think.
~Will
sig?
They've depended on it for years - why stop now?
The viruses that are making the rounds now, many of them won't work on Win 9x.
The older systems are growing more secure, because the virus writers are going after the newer ones.
Coupled with running any e-mail program besides Outlook and you are pretty secure.
How many people do you know that are still running 2.0.34
Hell man, I'm still running Kernel 1.2.13 (Slackware 3) on an old Pentium 133MHz box that's still going strong!!!
Why dork with something that works fine?
"This is a new focus for the security community, [...] The actual user of the PC -- someone who can do anything they want -- is the enemy."
-- David Aucsmith, security architect for Intel, as quoted in an article by Robert Lemos of ZD Network News, February 25, 1999
Remember the Pentium III Processor serial number?
Joe Sixpack has a bigger problem than over modem auto-attacks, and that's Joe Sixpack clicking any old attachment he gets.
I'd rather they spend money making future versions of server/workstation software secure than Joe Sixpack's Win98 AOL Box.
"'[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
Vote for Pedro
Okay, so Microsoft wants to claim that their operating system is not exploited until a patch is released. First off, how did they know to make the patch if the operating system wasn't exploited. But more important, until recently, what has Microsoft done to help educate those end-users who use their computer just for email or word-processing about maintaining their computer.
r .asp
Let's face it folks...most novice people who buy a computer expect it to work the first time and not do anything to keep it up. Their idea of upkeep is buying a new unit. Most people don't understand that Microsoft provides a free service to their customers to help make their system more stable (in relative terms to Microsoft quality).
I personally hold Microsoft responsible for not properly educating those users how to maintain their systems. Granted, I'm not asking to have each individual user sent to a "Computer Licensing" class to know how to maintain OS patches and Antivirus Pattern files.
Possibly even an automated tutorial when the user first turns on their computer or some guide that can help them with the process.
The other complaint that I have is that Microsoft has made these patches so large that most updates (from a computer that has never seen the daylights of windowsupdate.microsoft.com) usually take 2-3 days of constant effort to complete. Most novice users don't have DSL or Cable modems cause they only use it for very simple tasks such as email and moderate web-surfing over a 56K modem.
I do have to applaud Microsoft for finally making a windows security update cdrom http://www.microsoft.com/security/protect/cd/orde
for free. After all, these are problems caused by them for lack of testing their code for security vulnerabilities for those individuals who just have a slow connection.
Lastly, I feel that Microsoft should have the workstation locked down to begin with at first time turn-on. For example, Microsoft could do the world a big favor by making their workstations with xp by default have the firewall enabled. It would eliminate a whole set of vulnerabilities right there and/or limit it (whether it is a DoS attack or Virus).
Microsoft also needs to educate users that just because they went to the store and bought Norton Antivirus 2004 means that it is current. Most people think they buy this software to stay current with the latest. But most often by the time the software is packaged, shipped, and purchased in bulk and redistributed to the stores it is already more than 90 days old and is in serious need of updating.
Microsoft also needs to have their patches broken up into smaller segments. So that users can casually download these programs in the background if they are connected to the internet and idle.
Enough ranting and raving. Microsoft just needs to admit that they as an OS distributor are going to find their operating system vulnerable and hacked. Granted other operating systems have vulnerabilities and problems too *but* the user group is much more in-tune to patching and verifying that their systems are secure.
The analogies in previous posts (locked doors/crime, cancer/treatment, etc) are entirely inaccurate. A more proper analogy might be the fixing of a defective door/window in an apartment building, where the fix is observed and the problem exploited before all units are updated.
Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.
I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.
Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.
"Even logic must give way to physics."
Given the number of Windows machines in my office that have required complete reinstallation after a bad Windows Update, I'd say we've spent many thousands of dollars in lost development time. Think developers not working * average wage * hours twiddling thumbs waiting for reinstallation for the bigger picture.
My desktop XP is on its fifth install. I have compressed images of the XP partitions saved on the network so I can restore the entire system state rather than reinstall from scratch.
-Hope
Oh, so he's basically saying that Microsoft Windows will never be secure? Yeah, I could have told him that. Besides, patches heal more holes than they create... so his statement made Microsoft's lovely Operating System look a lot more vulnerable. =/
I'm glad I use Linux. Oh sure, it's been proven true that Linux has more holes than Windows... but which is worse? Windows of course. With Linux, the holes get patched quick... and are relatively small anyhow.. but with Windows, it seems to take Microsoft about 8 months to fix each damn hole. Come on, I know you can do better than that!
"Instant gratification takes too long." - Carrie Fisher
Any bug is a potential security hole.
False. A bug that could only cause white pixels to be drawn as yellow is not a security hole.
It would not even be safe to say that all security holes are bugs, some are by design. (see Windows 9x)
Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.
Yes, it stops some worms. And then the next patch stops more worms. And this continues until, in theory, all security holes have been patched. What do you expect? Do you want Microsoft to skip patches and "simply" fix all of their bugs in one go?
Even when patched, some of these attacks still work. Why?
Because the patches did not adequately address the security hole. Internet protocol has nothing to do with it, it's either bugs in the patch or no patch related to the issue.
You saw the movie "Sneakers", right?
Actually, no.
If coders want to fix security holes in their code, the only real place to start is by fixing the bugs.
And somehow do this in production code without releasing patches for it?
never app fails or hangs on me
Microsoft does not write all of the apps that run on Windows.
When I no longer hear or see a BSOD
I haven't seen a BSOD for a very long time. months, maybe years. I've never heard one to my knowledge, but then my ears aren't very sensitive in the blue range.
When hell freezes over
Well, I hear Bill just bought a nice sturdy coat...
This is how they keep us upgrading our software. They just admitted that. lol.
good one for bill gates. I'm sure they got the haxor division of the campus where they unleash to code samples to efnet after the fact.
ya right.
Aucsmith's logic assumes that the only exploits that count are by morons who try to infect every machine on the planet.
The bright and industrious hackers like to keep a low profile.
You had it almost right there, just that once, with 'viruses'. Check it:
You can find the whole article here. Now you can just use the word 'viruses' all the time, and not sound like the literary equivalent of an out-of-tune piano.
Is this Microsoft's way of saying they're not gonna patch Windows vulnerabilities any more?
"If you want more secure software, upgrade."
OK, I'll take you up on this. Starting today, release no more patches for XP and 2003 Server (or IE or IIS or OE or MS-SQL or any other component.) We should see no new exploits from this day forward. We'll give it a year. If an exploit is found, I get your house and car. If no exploits are found, you get mine. Deal?
PS: If you release another patch, I win. Any "feature upgrades" must be thoroughly examined by a 3rd party to make sure you aren't sneaking any patches in. I promise I will not actively look for exploits myself.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is exactly the same as a car manufacturer saying "we never had an accident caused by this fault until we told people about it".
Well of course you didn't. The defect still caused accidents but other factors were blamed.
This disgusts me.
"If you want more secure software...", dump Windoze.
The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.
This is completely true. Publishing the details of a hole certainly draws attention to that hole.
However, it doesn't change either the facts or history: many holes were exploited long before MS either published a description, or a patch. If MS did not publish patches, crackers would *still* discover holes, and exploit those holes.
There are several levels of cracker. There's the script kiddie, which accounts for the largest number; there's the typical malicious coder, who can create a new exploit based on the description of a hole; and there are the true malicious hackers (the ones that deserve the term, bastards as they are), who can find a hole and write an exploit.
Many security firms find holes in MS-Windows. This is without code or anything else. If good guys can find holes, why would you assume the bad guys sit around waiting for patch descriptions? That's very poor logic.
Yes, upgrading and patching will make you more secure. But, security is also dependent on the quality of the OS you run, and no amount of MS-Spin (tm) or outright lying can change that.
Microsoft is to software what Budweiser is to beer.
this is true, why do they release patches anyway?
"If you loved me, you`d all kill yourselves today"
Spider Jerusalem
Unlike OpenBSD, Windows installs many obscure features into the default install of the desktop. So although it wasn't a bug in the kernel, it was in IE or Windows Messaging or RPS or something else. I sort of prefer the OpenBSD idea that the end user has to decide what to put on their computer besides the shell and basic utilities.
Well.. maybe. Or Maybe not. But Definitely not sort of.
"Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit."
Of course I wouldn't expect a biased site like /. to bother even considering MS's argument. The post doesn't even bother to explain the MS position, but instead just continues with the mindless MS bashing that I've come to expect here to ensure that no meaningful discussion ensues and nothing is learned from MS, since of course they can't possibly have anything useful to teach us about computer use and misuse.
Vote for Pedro
MS wants to make computers secure for copyright holders from those who purchase their output (or not), they want to make email more secure and less spammable, and they claim to have an emphasis on security. The quotes (I haven't RTA, so fire away) seem to imply a level of security below "security through obscurity" (I call it "security through stupidity") incompatible with securing anything more valuable than yesterday's used toilet paper. These are the people I'm supposed to trust with my bank accounts (or already do), my pictures, video, and music, my checkbook and taxes, and my personal mail? Why would copyright holders or anyone else with anything of value trust MS to secure their work? Why would users trust them to make something that works well and does what they want if MS doesn't understand or care what they want? They may be able to write programs, but if they have such a distorted view of reality, how are they going to understand what others want or how to help them to get it?
Willful stupidity is not a defense mechanism - it is a way for MS to say "Got ya, suckers!" MS must figure that it can afford because of market share to ignore and antagonize its customers while using its positions to find new people to antagonize - usually businesses operating under willful stupidity end up in Chapters 7 or 11, so I can't figure that they're that stupid. They must think that others are however, that as long as they have a pretty butterfly and nice ads no one will pay attention to the bugginess and insecurity of their software and the denial of their executives. I hope this is wrong.
Admins just didn't realize that was how their box was hacked until after they saw the symptoms.
With the patch in hand, people can say, "Oh THAT was how they did it."
Scott Carr
in Soviet Russia.
Never release any patches, and there will never be any exploits! Isn't that the strategy M$ is already following?
"Freedom means freedom for everybody" -- Dick Cheney
I think it's a combination of BOTH! I have several friends who have worked at Microsoft, both as contract employees, and regular staff - OH the stories I have heard!
I read recently in some tech article online that the author doubted Microsoft's commitment towards their Security Initiative, and cleaning up their code. I have no DOUBT that Microsoft is committed to cleaning up their code... what I doubt is their ABILITY to clean up their code.
--==>>BobT>
Wouldn't believe it if I hadn't seen it firsthand.
Mail? Put "slashdot" in the subject to pass the spam filters.
Microsoft just broke one fundamental law. First there was a patch and then there was a vulnerability. Brrr... It means that patches produce vulnerabilities.. Well done Microsoft. All that's left is to claim that the earth is flat.
Someone let G. W. Bush know we found the Iraqi Minister of Information.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
and spammers have a lot of time, a lot of computers, and all the incentive in the world. What makes you think that only MS can find the holes in their software? Brute force, lots of people, and lots of patience can do quite a lot - brilliance is not required. Even dumb people are smart sometimes ("the problem with stupid people is not that they are predictably stupid, but that they are unpredictably smart.")
The sig on /. says it best: 10 guys at MS working 9-5 versus 10 million file sharers working nights and weekends - do the math in man-hours...
The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears
He said no such thing. Not only does he say no such thing, but you (Michael) are clearly aware of it. To claim that the vulnerability doesn't exist until a patch appears would certainly be absurd, which is probably why no one made that claim.
The article is simply making an observation: That most vulnerabilities are not actually exploited until after a patch is released. This is an observation, not an assertion. It seems like a very reasonable one, too, since most evil crackers are not smart or patient enough to go though Windows binaries instruction-by-instruction looking for bugs. Instead, they just wait until a patch is released, and see what was patched. That way, they know where to look.
No one is claiming that a bug can't be exploited before the patch is released. They are simply pointing out that they usually aren't.
Michael, you can't just misquote people like that. It is obvious from looking at the comments here that most people did not read the article. Most people believe what you write, and don't realize that it is a gross exaggeration of what was actually said. Even if it is Microsoft (and mind you I'm no fan of Microsoft), it's still not ok. Don't stoop to Microsoft's level; lying about your enemy is not the right way to win any battle.
It's posts like this that made me give up on Slashdot as a source of anything other than humor long ago (see the sig).
Microsoft is many things, but stupid isn't one of them. They have a great technical community. Their coders are *very* important to the MS culture, and they have some of the best.
I've known too many MS employees to think the problem lies with their technical folks. These are smart, dedicated individuals who are proud of their work; and most of them may be justifiably proud.
The problem is the market. MS is able to push up schedules and avoid real innovation, because real innovation would change the product. Remember when Coke issued their "New Formula?" Remember the customer backlash? Same sort of market pressure applies here.
So they give their products a face lift once in a while so the average customer thinks they're getting something new. They react to the market pressure with things like .Net, providing their version of something that is already available. (In the case of .Net, improving on the weaknesses of the competing product while introducing its own set of weaknesses), giving their products stupid common names like Windows and Word and Access to help push the idea these products are the Platonic Ideal.
No, the problem is not the technical folks at all, and I think it an indictment of the corporate culture that managers and PR folks and marketers can so effectively hamstring their real talent.
But that's just my naive assessment. I could, of course, be wrong.
Then how do they know what to patch?
My parsing says a "patch was known" means
most attacks happen after a patch, but some
attacks happen before, and that's how
they know what to patch.
Otherwise the implication is they know about
all possible vulnerabilities now, or will discover
them by themselves, which can't be true.
Cancer is mostly an old person's disease. If nothing else gets you before you get old, you die of cancer. (Stroke and heart attack are the other big ones that I can think of.) Very few people of "breeding age" get cancer. The rest are no longer contributors to the gene pool (Viagra aside, and then only for men who can get a younger girl) in any way, so eliminating their genes gains the future nothing.
David Aucsmith is apparently a very intelligent and ambitious man. This is ground breaking insight into multi-dimensional dynamics. Surely, we must study this thoroughly. For all we know he may have stumbled onto a unifying theory.
Maintaining software, digging for exploits and writing patches is a tedious and costly expense for microsoft to be certain. Perhaps this is simply a disclaimer or possible excuse if they slack off, miss a hole, or just plain decide to cut back on this cost center of their business.
Any OS is secure if you don't turn on the computer. After that, all bets are off.
What's this ? RedHat driven to do what is right? Then how come they orphaned 30,000 RedHat_8/9 lusrs? Ditched them (us) cold after we proved-by-use the value of that desktop OS_version. Don't bleat about ENTERPRISE or FEDORA. Not the same, eh ...
As these words mean different things, there is no contradiction. You just didn't pay attention. I'm not batting for microsoft here, just trying to keep the griping at their statement legitimate.
While most people are hearing affirmation that they only care about the newest versions of the Windows OS and that this is how they hope to keep people buying upgrades, I hear something a little different.
This could easily be a prelude to Microsoft releasing OS upgrades without a description of what is being done to the system. Consider how scary it will be to do your daily upgrade/update/reboot only to find that along with new fixes, they've done other nasty things like change the EULA again... of course not agreeing would mean you can no longer use the system. Or maybe they decide to do some other trashy thing like forcing an upgrade of (Insert Program Here) that you prefer not to have upgraded for some reason.
I have a feeling they might be trying to give out updates and patches without telling us what they are.
At least we know from this that Microsoft's security is not going to improve anytime in the near future.
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
small linux uses 2.0.x still...and it's one of the prime options available for really not powerful computing solutions
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Yes, there is. hacker just means computer expert. See the jargon file entry for an insider definition, or Webster if you prefer a more objective source.
The press tends to use the term exclusively to mean computer criminals. Often, what they mean comes closer to cracker, but in other cases the people they label hackers are actually not hackers at all, but script kiddies.
I hope to have enlightened someone.
Please correct me if I got my facts wrong.
If statements don't wear out. Loops don't come loose after thousands of iterations.
Unless you work from (or depend on) Microsoft, that is.
I keep trying to explain that hackers are resourceful and can still find vulnerabilities without source code and before it's known to the public, but they deem that to be 'near impossible' and far too time consuming.
I think what we need to show these laypeople is a "Hackers Cookbook for Dummies" -- lay out some recipes for finding vulnerabilities. Show people that it's a simple matter of poking and prodding open ports in different ways to find buffer overflows and the like. Show them how easy (though probably tedious) it is for the hackers. Then see if their opinions change regarding security through obscurity.
Here's the detail I don't understand... presumably Microsoft believes that issuing a patch in turn signals a vulnerability that is then exploited. Ok, whatever... ... but here's the part I don't get... have you ever read microsoft's "detailed" information when installing a patch? The "detailed" information usually reads something like:
"This patch fixes a vulnerability in the operating system that could allow an attacker to do something with your computer, perhaps causing the death of cute kittens".
Ok, so I added the kittens part... but the rest of it is typically how it reads! NO DETAILS about *EXACTLY* what is vulnerable.
Microsoft's reasoning is absolutely false. My past experience shows that microsoft's "what patch do we write next" list comes from bugtraq after vulnerabilities are discovered.
Skiers and Riders -- http://www.snowjournal.com
In related news the government has fired all accountants in an effort to end budget deficits. "What we don't know can't hurt us."
I think MS has to go ~630720000 secs to get things back to normal!
{2004-1984 = 20
20*365*24*60*60 = ~630720000 secs}
I hardly call Windows updates for home use "painless", for many people out there.
Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!
As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
There aren't any MS security holes for which a patch hasn't been released yet? I thought that there have been multiple problems for which MS took 6 months or more to release a fix, all the while during which the hole was known and exploitable. If you kept your machine patched on a regular basis, you would still miss these holes because they weren't fixed. The holes may not have been used, but the longer a security hole goes with no patch, the greater the odds are it will be exploited.
Then of course, as others have said, there is the issue of the patches breaking other things....
The argument that Microsoft is making here is that the software is secure so long as the "evildoers" have no insight into how the software works. When the patch is released, they can compare patched vs. unpatched systems and gain that insight.
This sounds like a cloaked attack on the security of OSS. If you follow the argument M$ is making, publishing the source code to an operating system should make it more vulnerable to attack, not less.
If you buy M$'s argument.
Because...money makes the world spin. Fortunate or unfortunate...when there are dollars to be made companies will jump on it. Hence the trend with Linux as of late.
Redhat wanted to capitalize yet remain in good standing with the open source community. The answer? Enterprise and Fedora....sure they're not the same...but it helps ward off the demons.
You can't really believe that everyone involved in Linux is doing it so other companies can profit from their hard work, can you?
Better than Flickr - Manage, Share, Archive
Then what are these guys talking about?
Remember the $250,000 bounty M$ put out on I think more than one virus/worm writer? They've pretty much declared war lately. This comment is no doubt just trying to play on the common belief that eventually every virus author has to brag to someone, because they do it for social status. I'm not saying that it's correct or mistaken, but they probably expect someone to come forward and say, "HEY! I wrote A, B, and C to exploit your silly OS, X number of days before patches were available for any of them!" Just sign your name to that and you've got yerself a convicted cracker. Very clever, masking it like a marketing tactic, but we know the real truth.
there should be a prompt you can go to in 'system information' or some jazz which will actually tell you your version of windows. i don't currently ever plan on touching another windows box so long as i live so i'll have to just suggest for someone else to. but there is a version number for the windows kernel itself somewhere reachable. at least as far as win98se anywho
Does this mean that there has never been an exploit against a Microsoft product based on a security bulletin describing the vulnerability before a patch has been developed? Presumably then publication of the details of any vulnerabilities would not present a problem for them.
"The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available."
What this really means is no rapidly expanding virus was created which drew the general public's attention. That doesn't mean a black hat didn't use it to hack a system and steal merchandise, products, $, or information. Then was able to cover his tracks.
That's why I like to see a virus that forces everyone to patch their systems. It scares me to think how many companies have my banking/credit card information. Then take into account the millions of computers that can access that data, 90% of them running Windows.
Either way, this guy is an idiot.
Although I think that the statement is untrue in its literal form as an all encompassing blanket, it is well known that most exploits are based on known security flaws. Said another way, most script kiddies use sites such as cert.org because they know that they can build an exploit faster than any given manufacturer's patch can be distributed and installed. And when you consider a product such as Windows, it takes an intense knowledge of the software to build an exploit without having the source code at your disposal. I argue that there are very few "hackers" that can find exploits in Windows without having access to the source.
Just my $0.02
Umm... we're supposed to believe this? Given Micro$quash's credibility problems when it comes to security issues, I don't really think it would be wise to take this "statement" at face value.
tobacco anyone?
I don't think that's too outrageous a statement. I can't really recall a widespread exploit made before MS knew about the flaw, at least. Maybe some minor things, but nothing too big. The horrible Blaster worm was for example extremely well spread at its worst, but it wasn't because Microsoft hadn't got a patch for the flaw.
Beware: In C++, your friends can see your privates!
Let's say i wanted to hack windows. I could either spend a bunch of time doing hacker stuff or go to windowsupdate, patch my machine (so i won't 0wn myself) and exploit the most recent patch b/c most windows users don't do windows update.
DISCERN not DISCERNE!!!!
Damn you Malda and your cursed /Code!!!!
Unless of course you use XFree86 for anything...
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
MS can't expect the crackers to laugh for too long. Maybe this guy has a whole stand-up routine planned to keep the crackers too busy laughing to write exploits.
One of the major things about security is assessing risk. If no one knows about a flaw, how can one exploit it? Risk is minimized by publishing patches in a timely fashion when a flaw exists. The vast majority of people who use and continually try to exploit flaws in Microsoft's software security are exploiting KNOWN issues. To just say "oh well there's Microsoft saying they are very secure" is hogwash, and frankly irresponsible of the poster to make such claims.
The lesson is: practice safe computing. All platforms have flaws, and since 90% of the desktop market is MS, that of course is going to be the target platform for viruses. I bet you anything that if Linux was the defacto standard for desktops in the home and enterprise, that we would see a hell of a lot more security issues arise on that platform.
If you look at the SSL Certs they use, MS signs them themselves. When did MS become a signing authority? CN www.microsoft.com O Microsoft OU mscom Issued By CN Microsoft Secure Sever Authority O OU Issued On 3/37/03 Expires On 3/26/04
On another note, I categorically deny that Linux is more secure an operating system than Windows. If Linux were as popular as Windows, it would have exactly the same security record as the Microsoft product. Windows, XP and the latest version of it in particular, will get the millions-of-eyes treatment the open source community is so proud of. Only in this case, the millions of eyes will make any security features shallow.
What makes the difference are the users. Microsoft has actually done an admirable job in creating an operating system that your average user has any chance of connecting to the net and with a reasonable amount of security.
The owls are not what they seem
You haven't RTFA, have you? The quote in the Slashdot summary is a little bit out of context, but is a perfectly valid statement of a well known historical fact nonetheless. Please read it carefully:
The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: "We have never had vulnerabilities exploited before the patch was known," and "[he] could only think of one instance when a vulnerability was exploited before a patch was available."
Does he say anywhere that the patch is a specific diff patching this particular vulnerability? No. Of course not. It would be ridiculous.
Now, if I recall correctly, Larry Wall made the patch available in 1984 and I honestly cannot remember any Windows vulnerability whatsoever before that time.
Please, people, just because it was Microsoft Security Chief, doesn't mean that what he said must not be true!
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Yeah, I suppose it could also be part of their large FUD campaign against LINUX since they insist that closed-source is more secure.</rant>
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
i mean, the blurb you guys posted is an out and out lie
slashdot: "states that Windows is never vulnerable until a patch appears"...
actual article: "never had vulnerabilities exploited before the patch"...
nobody said windows is never vulnerable until a patch appears, except for you...
not saying bbc is much better, in this case. as their byline reads "experts say", but they only talk to one "expert" the whole artic...
oh sorry, i swear i didn't read the article, you can still mod me up
Linux is driven by people who want to do what's right
By people who want to make more useful and more secure software, yes. But to say that Linux is driven by people who want to do what is right is being too kind - I doubt the main motive for most contributors' efforts is the morality of what they write.
I wait to be modded into oblivion for daring to criticise any part of the OSS ideals or development process.
Exercise your right not to vote. thinkoutside.org
A shame about that, but thankfully, there are things like Y Windows, which would be next to impossible to create without the existence of the Open Source train of thought in the first place.
What if you don't like the next version of MS' EULA?
1. suck it up and patch
2. refuse and be owned by the next RPC buffer overflow worm
Whee.
Now tell us how you really feel...
I guess I officially ARE one... I Remember the Good Old Days... when "Hacker" was a term of honor, and great indignation was expressed when it was misused in reference to "crackers" **sigh**... is the current acceptance of this linguistic confusion (as evidenced by many posts in THIS topic/thread) simple realism... or is it "caving"?
I just spewed coffee all over my desk! To quote the article...
"Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts."
Ok, all you lazy good-fer-nothing lazy script kiddies -- get out your disassemblers and get to work! Service pack 2 is just around the corner and guaranteed to keep you busy for weeks! Brush up on VB scripting.
Whee-hoo!
Gates: No one will ever need more than 640k.
Translation:
Gates: By the time your underlings realize how gullible and incompetent you are, I will have your money and you will be negotiating the upgrade contract.
Microsoft made some follow up comments that were not included in the interview regarding Linux, the open source operating system.
M$: [...] Linux is not a threat to us. We don't even care about it. No one uses it because it costs so much money and has such poor performance, you know, it's awfully unstable and has low uptimes. And you can't find anyone who understands or can learn it, anywhere. It is incompatible with everything, and there is no community from which to seek or purchase support. Linux is stagnant because it's a lame copy of something that saw its heyday in the 70's, and hasn't changed much since then. Also, Linux is inherently less secure than Windows XP, and cannot be configured or modified in any way. I feel sorry for those poor Linux users, all 9 of them, because they are locked-in to the system they use, and lack access to an application base.
phhhhbt.
(5, Troll)
It's entirely lacking the use of colorful language that made the Info Minister so entertaining.
So it's really just embarrassing with no redeeming humorous qualities.
.sigs are for post^Hers.
Umm... I'd like to know how Microsoft explains these.
Oh, MAN!! *wipes eyes, catches breath* ..if /. has a hall of fame for funniest posts, you've definitely got my vote..that HAS to be in at least the top 10. I'd get a patent on that pronto, before M$ does..or maybe you should hide..before M$ legal sues you for releasing their trade secrets. ;)
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
The implication is that hackers are not smart enough to use an exploit until a patch is released that notifies them about what the exact exploit could possibly be, and how to use it.
From a certain point of view, they almost have a point.
Stay with me, I'm as surprised as anyone else.
Consider this: you buy a window that says it will stop insects. And it does. But then some nut genetically enhances* an insect to have diamond tip cutters that can cut through the window. Since the window did keep out all known insects when originally sold, the manufacturer really isn't liable for the new one and is allowed to say 'the new model fixes it', though they could release a spray that would cover your old model but possibly introduce new problems.
Yes, that's a terrible analogy, but it shows that they have a bit of a point: any business would go out of business if they had to fix problems that were ineffable at the time of the original sale. Where this falls down with Microsoft, of course, is whether the problems were from completely new areas, or flaws in their original work that they just ignored and denied -- similar to how certain problems in cars/children's toys result in recalls, but other problems don't. (e.g. it isn't a problem if a toy breaks after 3 years of continued use, but it's a problem if it breaks in a potentially injurious way - and let's not get started on the liability/lemon laws that Microsoft avoids with the EULA.)
* And this isn't intended as an attack on genetic engineering per se. But anyone who does this to insects would be, in my opinion, a nut.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Doesn't this sound an awful lot like:
"The Linux infidels are committing suicide and throwing their dead bodies on the walls of Redmond..."
Well, MS Security Chief just found the answer to all MS security problems: never patch Windows!!
.:. The patch is the cause of all security holes. QED.
Proof: Patch available -> Windows exploited, no patch -> Windows unexploited.
Of course we don't hear about exploits being developed until after the patch. Because before that moment, the vulnerability is going to be kept in the dark by those who do know about it so that they can make best use of it.
You're not going to see worms using unknown sploits because the developer would essentially be giving away a tool that could be used for perhaps more nefarious purposes.
And furthermore, I wonder how people would know to notify MS about an unknown exploit that's been used to crack a system when such exploits either crash the system (which NT admins are very used to experiencing during NORMAL use and will ignore the crash) or are used in a covert manner, not warranting attention from NT admins in the first place.
If this is the kind of logic MS has behind its security department, then MS is just doomed.
This kind of logic is just so incredibly flawed I can't even comprehend how an educated person could think that way. It's like saying "well, whenever I go to sleep, the sun goes down, so if I don't go to sleep the sun will stay up".
Just absolutely ludicrous.
The (not so) recent mass breakdown of basic critical thinking skills among people in powerful positions around the United States just scares the crap out of me.
"If I put my hands over my eyes, the evil booger-hackers can't see me...."
"I think everyone is an agnostic but just doesn't know" - Frazz
Someone's quite obviously not in their right mind....
In it Mr. Jones says that Open source is dangerous because people can read the script and see the problem.
Of course, neither of these people seem to be smart enough to think.
excitingthingstodo.blogspot.com
Marriage is a ritual. So are funerals. If you don't have a funeral, you're still dead, right?
Marriage is an "institution." Weddings are rituals. You can be married without a wedding, as you can be dead without a funeral. However, until you have a death certificate issued by the local authority, your beneficiaries cannot collect death benefits, your creditors won't stop hounding you, and your spouse can't remarry... so *legally*, you're not dead, no matter how stiff and cold you are.
Until you get a marriage certificate, *legally* you're not married, no matter how you feel about each other. You cannot collect any of the benefits of marriage (joint tax filing, automatic inheritance without probate, spousal SSI and pension benefits, etc.)
Don't you wish your girlfriend was a geek like me?
Those who work for government spy agencies don't care about the ease or expense.
It boils down to two things. Fear and Consumption. Get scared by the news, buy / upgrade the software. Repeat.
Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.
MS users are the lazy ones because (either from laziness or ignorance) they do not maintain current patch levels on their OS. Of course there would not be as many security updates if MS wrote better code. I suppose that is asking too much.
Hackers are losers by definition? What are you smokin? Or are you just trolling? Well, for everyone else's benefit...
It entirely depends on your definition, of course. But I would say that many people describe the people who program the linux kernel as "kernel hackers."
Obviously not losers.
Now, if you're talking about the guys who read FullDisclosure or Bugtraq, study applications for bugs, and responsibly support them, then again, you're wrong. These people do us all a favor by finding open holes and then letting people know about them. THEY FIND BUGS. they report them, we all upgrade, and all is well.
If such people were gone, only badguys would find bugs. No one would know that systems were insecure. And we'd all be owned, silently, without notice. Maybe we'd never know.
Remember back when the concept of networking computers wasn't that old, say, around 20 years ago? remember how people created viruses, looked into how systems could be exploited, but the security research was stamped out - sysadmins figured it was better to be ignorant and have strong rules than to find out the holes and plug them - that was their security plan.
You've probably never even heard of the Morris worm. You probably think we should all just close our doors and trust the megacorps to protect us from the badguys. This is a common logical error. You're not the only one. But if everyone agreed with you, you'd all be boned. And I'd probably be one of the ones breaking into your servers and stealing your lunch money.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I thought the "eat our own dog food" was an Apple policy and in those exact words, too. I've heard Jobs say it numerous times at WWDC's.
nice. except you don't know that. Does everyone on the interweb know exactly what happens on all their servers? especially when someone might have broken in and erased their tracks? NOPE. NOPE. NOPE. NEVER EVER EVER ASSUME SECURITY.
Assume that you can be broken into. Assume that since you were vulnerable, it happened. you must PROVE that you weren't. Otherwise, you cannot trust your data.
How do we know that some unemployed researcher in Hungary didn't find this bug (or any other unreported bug), and use it to break into a bank somewhere, and make some cash? We don't. And given the number of potential hackers, I'd say that this bug WAS exploited, well before a patch. We just don't know, one way or the other.
I think we already know that everything from Microsoft is a joke :p
By stating to the world that "Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows" Microsoft just issued a challenge to these people. I think that all Microsoft has done by making these statements is piss off the "Malicious hackers" and make them redouble their efforts to get these exploits out there before the patch is available.
--pete
It is true, looking at sheer numbers, that most exploits occur after the patch is available. See, for example, Arbaugh et al:
http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf
There are many reasons not to patch immediately (why should you Beta test the patch rushed out by the same guys who messed up in the first place? How much did they test? Did they test it on a system and configuration similar to yours? Can you afford the (potential) down time? Can you convince the PHB that it is more important than whatever else you have to do?)
You cannot just look at the raw numbers of exploits, which occur after a script becomes readily available (and one has to admit that a patch can be a very good recipe for scripting an exploit). What does not show up when looking at the raw numbers are the exploits that get in, do what they want to do, and then get out w/out saying "hey, look at me" (i.e. by participating in a DDOS attack). How much (unreported) fraud is associated with those first attacks?
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for Symantec.
"We find the holes and write the viruses - I mean patches. This way, we can make a lot of money without anyone knowing our secret plan - I mean... you're not going to print this are you?"
M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right.
Which comes to an interesting issue: Open Source Software operates much as a public good, and in a similar way, is liable to be underproduced. Proprietary software operates more traditionally within the market economy, and so is more likely to find an equilibrium price at which the amount suppliers are willing to produce matches the demand of consumers.
Which isn't to say that it's unworkable; many items are public goods because when they're privately held they're non-functional. The journal entries I linked above go into more detail about how digital data and OSS might work in spite of the normal economy. Still, it's an important point to understand, especially if you want to see OSS go mainstream.
Hmm, you have all those companies like Eeye and such working nicely with MS to find holes in Windows. Seems like a kind of slap in the face to their credit.
To me, this sounds like a challenge to black hats.
Yeah they are in the business of protecting people's computers from the holes MS leaves in them.
But Symantec NEEDS MS. Without MS cooperation, Symantec can't make programs that work with MS patented and secret API's and filesystems.
As a result, Symantec is Microsoft's bitch. They write antivirus software that needs the latest version of Internet Explorer just so it can INSTALL.
I have two posts in this thread. Both of them have been marked overrated, despite the fact that neither of them had been previously rated. It's hard for an unrated post to be overrated, ain't it?
What the heck is the point of that? Is it merely to avoid later "meta-moderation"? Is it to avoid affecting the karma of the poster? What the heck?
(At least, if you want to moderate this down, be honest and mark it offtopic and not overrated.)
Phiwum's law: anyone that names an obvious law after himself and then puts it in his own sig is just pathetic.
I'll go further: Linux is driven by people that are anti-establishment and view Microsoft as "The Man" of technology. They don't want to use a Windows PC because they'd be supporting "The Man". They bitch about the "MS Tax" just as an already overpaid worker bitches about paying taxes to "The Man". Much like the overpaid worker who doesn't think he should pay any taxes at all, the Linux hippies don't think money is required to run things, and not everything is without cost.
:P
50% Funny, 50% Flamebait!
This guy didn't happen to have dinner with the ex-Iraqi Information Minister recently did he? Certainly seems to be the same approach...
"The evil penguins are _not_ in the kernel. We will crush the infidels with our mighty litigation machine. Our code has never, and will never crash. It is secu..*BRZZZT*
*** STOP: 0x0000000A (0x00000000,0x0000001A,0x00000000,0xFC873D6C)
IRQL_NOT_LESS_OR_EQUAL
*** Address fc873d6c has base at fc870000 - i8042prt.SYS.....
and so on.
Automobiles were safe until seat belts were installed.
Smoking is harmless until you go to the hospital.
Any more?
Of _course_ there have been no vulnerabilities exploited before the patch was known. Doesn't everyone know the patch? You know, the one that replaces core MS systems with, oh, say, Linux? Thus, I know the patch for all vulnerabilities for all future MS OSes! WOOT!
If MS believes that blackhats are reverse engineering patches to discover security problems and that their "solution" is to "upgrade" (which may mean replacing hardware as well as software) they have an insurmountable problem.
ANY two OS releases can be compared to detect the changes, which can then be reverse engineered. It may be more complex as the security changes are mixed with other changes, but blackhats have the time and, it increasingly appears, funding to do the research.
It looks like MS are applying "security through obscurity" as a business policy.
That article is just chock full of gems.
Slashdot readers are making something out of this that they shouldn't. I don't think that Mr Aucsmith is suggesting that we ought not patch our boxes or that Microsoft should return to a policy of security through obscurity.
What I read is a simple statement of fact. That virus and worm writers reverse engineer the patches to make it easier to write code that exploits the vulnerabilities that the patches fix. He goes on to urge companies to keep up with patches because the time they had to react before hackers released exploits was shrinking.
He also makes a few bogus comments like it's a myth that hackers find the holes etc. I would dare to say that hackers find almost all of the holes but not all hackers wear black hats.
The race isn't always to the swift... but that's the way to bet!
Back in the late '90s, I was a reviewer for a computer trade publication. After having been subjected to Microsoft's spin machine first-hand for so long, I went and did some research of my own. Now this was back in the days of NT 4, and at the time I think they were on Service Pack 4. If you actually read through the release notes, it was obvious that with each service pack release, the OS was becoming more unstable and less secure. Each service pack addressed at least twice as many new problems as the service pack before. Digging a little deeper, at least half of the fixes were in direct response to either previous fixes or to new "features" added in the last service pack. Everything from buffer overrun errors that could leave your system compromised to amateurish memory release errors. Having checked back recently, the same general trend is carried out with each Microsoft product. They not only can't get it right the first time, they get further and further away from it as time goes on.
Insightful my arse.
Yes, NT SP6 from 3 years ago caused a problem accessing Notes. It did not "broke all kinds of stuff". Still does not negate the FACT that almost every MS update has been EXTREMELY stable. And I have deployed many more SPs and hotfixes than I care to remember on thousands of systems.
Have you ever installed updates/patches/ptfs on minis or mainframes? If so, you would know what buggy and unstable is all about.
Minor problems with old crap video drivers that you didn't upgrade notwithstanding, the updates rarely break anything or cause much grief. Yes, I'm generalizing here, but I'm generalizing about a "testbed" of thousands of machines over several years, not about my home laptop and my cousin's Packard Bell.
If you have had trouble with MS updates with some of your 3rd party software, it is usually because it was never written for the OS you are running it on. It may have been written for 95, using carryover 3.1 code like many apps out there. Just because it successfully runs on 2000 or XP doesn't mean it should be. (Backwards compatibility is both a blessing and a curse. But you should thank MS for being so lenient towards lazy programmers who refuse to rewrite their crappy old programs).
Back to the point - to say that MS updates are buggy and unstable and break all kinds of stuff is a lie.
If Microsoft understands that people expect bug fixes for free, then why does Microsoft refuse to issue patches for holes in old but still widely used operating systems?
I'm guessing that a head will roll, then. Look, just making that statement is a challenge to these dingbats. Plenty of vulnerabilities are discovered before the patch is out. Many of those vulnerabilities are reported with proof-of-concept code showing how to do an exploit. The vulnerabilities are often discovered through reverse-engineering: they are not exclusively discovered by MS engineers. Now that this fellow has implied otherwise, there will be that much more incentive for the black hats to prove that they have the necessary skill to reverse engineer the OS before MS can catch up.
The last time I tried to get my Dad's PC current with updates, after applying several over a period of hours, I got a little message box that said "Can't start explorer.exe. Reinstall Windows"!!!
There's an upgrade path for you! I worked the rest of the weekend trying to save his data and programs, but in the end, I had to do what that stupid little message box demanded.
Thanks, Bill! I'll install all the upgrades from now on. Sure!
Simple counter-example: Does anyone remember how long it took them to patch that URL spoofing problem? I certainly think that it was a problem before they patched it.
Call them on it, and they'll claim that the patch was already KNOWN, it just wasn't IMPLEMENTED. This is looking glass logic. And the worst part is, the PHBs will buy it.
When you run windows update and it completes "successfully" and for whatever reason, you are still wide open- that's when you give serious consideration to a serious OS. Like *BSD or a linux. Or an Amiga.
It's just poorly architected, like one of my perl scripts. Only, I don't get paid to sell perl scripts.
If there existed a published proof-of-concept exploit for a hole in a popular web browser that allowed the server to execute arbitrary code on the client machine without the informed consent of the user, would you consider it an "exploited hole"?
This would be easier to take seriously if it didn't come from someone who obviously still reads Slashdot...
"The patch for Windows security issues is Linux" is the common smart-aleck response to an article such as this about security holes in Microsoft Windows. However, not every user of desktop Windows can switch to Linux that easily. Linux on the desktop will not work for me until Microtek helps the SANE developers add support for the Scanmaker 4850 scanner. The fact remains that Windows has the best hardware support of any desktop OS.
Was this what you wanted?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
This, I believe, fits your description.
I wonder how the 'vulnerabilities' get discovered then? An infinite number of monkeys on an infinite number of keyboards? Perhaps Microsoft employs a grad student to sniff out these things.... yes - that's got to be it. Or perhaps while spewing out code, the IDE automatically highlights vulnerabilities in red to 'remind' the programmers that there is something to fix (which they never get around to doing). Perplexing isn't it?
Microsoft Security - an oxymoron that ranks right up there with Jumbo Shrimp.....
"If you want more secure software, upgrade."
does anyone know of any other companies that actively promote their new products by badmouthing their old products?
this is the type of thing that keeps me from taking anything they say seriously.
Gyrate Dot Org - "Where high-tech meets low-life"
Today Microsoft Corp. (NASDAQ-NMS:MSFT)(MSFT) has indisputably declared that indeed the chicken does come before the egg...
But it only takes one hacker to unleash something like MS.Blaster, MyDoom or SoBig.
I take the point that more people know about a security flaw after a patch is issued, but this doesn't seem like a quantity issue to me. The issue is one black hat writing a really vicious exploit that goes around the world in half a day -- and the sort of people that do that, I would have thought, are in communities where they are likely to hear about security holes ahead of the general public.
I should buy some cement.
This is like Michael Jackson saying he has only had esthetic surgery once.
Nobody smoked until nicotine patches were released
Nobody washed dishes before washing-up detergent was invented
Nobody had a crap before bog roll was invented
Nobody got pregnant or caught diseases until condoms were invented.
Help! I'm trapped in a parallel universe where the laws of logic are being inverted!
My hyperlinks aren't worth the paper they're printed on.
Microsoft's practise of patching security holes is a matter of patch economics. Patches will be released if: a. Microsoft will significantly lose customers if they do otherwise; b. legal threats/law enforcement force them to do so. I always compare it to primitive Saudi-style oil-patch economics with West Bank settler-type religion.
William, thou scurvy patch!
Could somebody explain to me how in the world this is supposed to be a good thing?
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
So this is like, if a tree falls in a forest and no one is around to hear it, does it make noise?
Eric B
ebresie@gmail.com
Perhaps a comparison is in order to determine if keeping exploits a secret really does help? Take a product that is open source, but which practices security through obscurity by keeping security bug fixes under wraps. The first piece of popular OSS that fits this bill is Mozilla. Security bugs are reported to the bug list, where they are only known to a small circle of developers. Those bugs can then be fixed at the developers' leisure (for instance the new Packages.sun.plugin.javascript.navig5.JSObject(1,1) bug which caused Mozilla to instantly crash taking every tab with it was fixed about 10 months after it was originally reported [reported in March 2003, silently fixed in a late January 2004 build of Mozilla 1.6]). After the bug is fixed, however, it is not formally announced; no advisory is issued to tell anyone to update to the latest build. Only after 2 version changes do the bugs appear on the vulnerabilities list (right now you can see 1.4 vulnerabilities; once 1.7 goes gold you'll see the 1.5 vulnerabilities).
This method has greatly increased the security of Mozilla users' browsing experience (when was the last time you were the victim of a Mozilla exploit?). This is despite a long track record of arbitrary code vulnerabilities (almost averaging 1 per month so far as the official list admits), frequent problems with javascript and cross site vulnerabilities, URL spoofing, reading local file and password vulnerabilities in almost every minor version (1.2 being the exception for file reading, unless you count the 1.3 or 1.4 vulnerabilities), and some of the most original mail client vulnerabilities out there (in addition to standard arbitrary code execution) such as being able to permanently DoS a mailbox using a webmail account and a message of less than 20 bytes.
The simple fact is that although most Mozilla users aren't downloading nightly builds to keep themselves secured with all the latest secret patches (though this has its own risk, like the recent bug that deleted everything in the program files folder), they have remained much more secure than users of IE, who are frequently burned because they only (sometimes) apply the publicly announced and electronically pushed patches after someone takes a month or more to come up with a virus based on them (i.e. Blaster). Of course other software users get burned in the same way too: Redhat servers (including some at NASA) got rooted by the Ramen/Lion virus which was made possible by the public announcement and patching of the TSIG vulnerability 6 months earlier. phpBB2 boards that aren't constantly updated get hacked by script kiddies all the time thanks to open security mailing lists.
The simple fact is that the easiest method of writing a virus (if you want it to succeed) is to look up a known vulnerability (even though it's likely patched by that time) and use it. The people most likely not to notice or understand how to deal with the infection are the same people using totally unpatched copies of Linux kernel 1.8 or Windows 98. Look at the "please run this attachment" user vulnerability - while almost all email clients from the last few years physically prevent this vulnerability (for some time Outlook has even gone so far as to remove executable files from zips) viruses like MyDoom still spread at an alarming rate. The people most likely to let their machine become and remain compromised due to carelessness are also the least likely to watch for updates and apply patches.
And no, I don't think companies should withhold patches, but there is a lot of truth to the concept that telling the world about a vulnerability is the fastest way to get a virus written.
Ok
For anyone who thinks this is just biased mindless m$ bashing on /.'s behalf. Think again.
http://slashdot.org/article.pl?sid=04/02/10/2031219&mode=thread
http://computerworld.co.nz/news.nsf/UNID/CC256CED0016AD1ECC25684C000DD6EC?OpenDocument&Highlight=2,Microsoft,Security
From above link:
"* Microsoft officials say it is developing a patch to fix an IE 5 flaw that allows Web site operators to run malicious executable codes on visitors' computers. Until the patch is ready, Microsoft advises disabling Active Scripting in IE 5's ImportExportFavorites feature."
http://computerworld.co.nz/news.nsf/UNID/CC256CED0016AD1ECC25684C000D47F5?OpenDocument&Highlight=2,Microsoft,Security
http://computerworld.co.nz/news.nsf/UNID/CC256CED0016AD1ECC25684C000D4D53?OpenDocument&Highlight=2,Microsoft,Security
I could have found a ton more examples. All of the articles basically show that an exploit has been found.
I could agree that some people have to literally create an exploit code from reverse engineering a patch - however the initial hole had to be found and exploited.
So that means someone out there had an exploit but was kind enuff to inform the vendor.
However! MICROSOFT ARE BLATANTLY BULLSHITTING AGAIN! Make NO Mistake about that.
1- There is such a thing as a zero day hack
2- There is such a thing as an easy manual exploit that doesn't require trojans or virus infiltration to bust open the hole.
Shape up Microsoft. Stop lying. I'm sick of it.
... and entering The Microsoft Zone.
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
By pointing out that 'known' bugs in the operating system make the system less secure (by more people being aware of it). It is plainly another attempt to draw a line between closed source and open source initiatives.
Open source is a labour of love, time and effort. Microsoft is a labour of profit and monopoly. Neither method is particularly better than the other, though one does sound more altruistic.
Maybe all the other arguments aren't working. Although the article's "I know of no..." followed by "I think there has only been one instance..." is clearly contradictory, the only reason I can see for the article was to pave the way for more comments against open source initiatives. Makes you wonder really, some of their code is 'open' now.
First Step: Vulnerability
Second Step: Patch
Third Step: Profit!!!!
Hey, we know what the second step is now!!!
> (You can even double check me: I can't remember a single instance in the Bible where God's command wasn't questioned...)
"Be fruitful and multiply" seemed to go by without much backtalk.
Apparently, you haven't done much Bible reading. The story of Onan (Revised Standard Version) appears pretty early on; it is in Genesis 38.
For King James Version enthusiasts, here's your preferred text.
of buggy programming, randomly- and hastily-added "features" and security that makes Brie cheese at room temperature look solid.
Yeah, XP is a legacy alright....just don't leave it to anyone in your will.
in which a virus exploited windows prior to a patch would be what ? Installation ? That HUGE BLOATED mass of corpse white infected code is by its very nature a virus, that just happens to have some useable features :) LOL
errr....umm...*whooosh* *whoosh* Is this thing on ?
Where can I order these CD's?
... er ... well, maybe not.
... I used Linux to order the CD's last night so I could patch my final remaining copy of Win98 one last time ... it's all cool.
Online? Oh. Um
Just yanking yer chain
Microsoft were aware of it, it was public and MS didn't patch it for a few months.
As it was known and unpatched, I think someone, somewhere must have abused this.
Because those operating systems are 8 years old, and no-one in this industry - including RedHat - does that.
Third party consultants can and do still issue security updates for versions of Red Hat Linux. So let me rephrase: If Microsoft understands that people expect bug fixes for free, then why does Microsoft refuse to permit third parties to issue patches for holes in old but still widely used operating systems?
Of course they don't, security researchers find the holes. They believe in full disclosure, and tell the hackers. Who create exploits, way before there is a patch, and often before the vendor (especially in the case of Microsoft) has responded to the notice.
Now that's good, but c'mon "We have never had vulnerabilities exploited before the patch was known" is just criminal ignorance. Let's all go visit Packet Storm and click on last 20 exploits, or Bugtraq and see if there's any talk of exploits without patches. Or, wait, we could go straight for Vuln-dev and see exploits as they are developed.. which is [sarcasm]OBVIOUSLY by reverse engineering patches[/sarcasm].
If this guy wasn't fed this FUD by marketing droids, and he's really supposed to be in charge of "security", he should be fired.
My Linux Command of the Day site : LCOD
...the patch causes the exploit.
That way folks could safely go grab the Windows updates;-)
The weird thing? It would work;-)
I'll have to remember to suggest it in future...
Please mod parent up: +5, Funny!
Compare this to MS-Windows, where 90% of the network services included are turned on by default, and it is difficult for even an experienced user to know which services can be safely disabled, and which are necessary for a usable system.
How difficult would it be for Microsoft to default all services to 'off', and bind all network services only to the loopback interface?
If they can't make the security posture of MS-Windows approach that of OpenBSD, at least they can try to match MacOS X, where the default install has no remotely accessible listening ports!
I do not deploy Linux. Ever.
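The post above argues for services off by default and network services bound only to the loopback interface. That posture is something an administrator can verify instead of assume, so here is an added example (not code from the thread, from Microsoft, or from any product discussed): a small Python auditor that parses the output of iproute2's `ss -ltnu` and reports every listener not bound to a loopback address. The sample output is constructed, the column layout assumed is the one `ss` prints with the Netid column present, and the script falls back to the sample when no `ss` binary is available.

```python
"""Audit listening TCP/UDP sockets and flag those reachable from other hosts.

Added example: parses `ss -ltnu` (iproute2) output and lists every listener
whose local address is not loopback (127.0.0.0/8 or ::1). Wildcard binds
(0.0.0.0, ::, *) count as exposed, which is exactly the default-on posture
the post complains about.
"""
import ipaddress
import shutil
import subprocess

# Constructed sample of `ss -ltnu` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      4096   *:3306               *:*
tcp   LISTEN 0      128    [::1]:631            [::]:*
tcp   LISTEN 0      128    [::]:22              [::]:*
tcp   LISTEN 0      50     192.168.1.10:8080    0.0.0.0:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local(field):
    """Split ss's 'addr:port' column into (address, port).

    Handles IPv6 brackets ('[::1]:631'), the '*' wildcard and the
    '%iface' scope suffix ('127.0.0.53%lo:53').
    """
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and anything else are exposed."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_listeners(text):
    """Parse `ss -ltnu` text into a list of (proto, address, port) tuples.

    Assumes the Netid column is present (it is when both -t and -u are given),
    so the local address is the fifth whitespace-separated column.
    """
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = split_local(cols[4])
        listeners.append((cols[0], addr, port))
    return listeners


def exposed_listeners(listeners):
    """Return the listeners that are reachable from other hosts."""
    return [entry for entry in listeners if not is_loopback(entry[1])]


def audit_live():
    """Run the real ss(8) when present; otherwise audit the constructed sample."""
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-ltnu"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    return exposed_listeners(parse_listeners(text))


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED {proto:4} {addr}:{port}")
```

On the sample, the CUPS listeners on 127.0.0.1 and ::1 and the stub resolver on 127.0.0.53 pass, while sshd on both wildcard addresses, mDNS, the database on `*` and the service on the LAN address are reported. Run `audit_live()` on a real host to see which listeners would survive a "loopback only" policy; the same parser works on the `ss -ltnu` output of any iproute2 system.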
While not exactly Windows, here's a flaw in MSN Explorer 8.5 that has been used since "sometime last year" by some clever folks in China to get free access to Premium services. This was just in the news today.
:)
Ironic that the very day MS' security chief says there are essentially no zero day vulnerabilities being exploited until after a patch comes out, one is reported by news.com.com.
The M$ guy has been borked by M$ - I mean, his brains must have rotted dead, or something like that. What he says is so utterly untrue, illogical, strange - whatever you wish to call it. What does working for M$ do to your thinking capacity? Destroy it? My hamster shows more intelligence.
This guy seems to have gone braindead.
I believe Microsoft should fire their security chief.
Let's say it's a smiley for us myopic minority, okay?
8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Aucsmith and Microsoft have succeeded in misleading the public by giving the impression that no mechanism other than the ill will of a few fiends is responsible for the appalling state of Windows security. It's not Microsoft... it's not the vulnerabilities inherent in their code... it's the bad guys!
I work with users every day. I've been in the industry for twenty years and I know that user ignorance is a powerful force in sales, marketing, design and support of IT products and services. This Aucsmith debacle is a textbook case of a company depending on it. They know that the average user doesn't have--or want--the wherewithal to think critically about statements their representatives make. It's groundwork for Next Generation computing. It stinks.
the machine catches fire
Now there is a remote exploit that will catch everyone's attention. ;-)
When I was young, I had to rub sticks together to compute.
My bullshit detector just exploded when I heard that ...
This signature was left intentionally blank.
As far as he knows ! ;-P
I'm a former 'softie, and I hate to see people without half a neuron speaking for the company. Microsoft has a lot of good people, and a lot of good products. I just can't figure out why they let IDIOTS speak for the company so often.
From the article:
"'We have never had vulnerabilities exploited before the patch was known,' he said."
and:
"Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available."
Either I am missing something subtle about the difference between the words known and available, or his first statement is obviously false.
Aucsmith must live in the same self-delusional world as Jack Valenti and various record company execs. Maybe they should all go to an island somewhere. Make yourselves comfortable, gentlemen. Mr. Rorke will be along shortly. Here's a drink with an umbrella in it.
So you're limiting exploits to script kiddies who need to recruit hundreds of machines to do their DDoS attacks on their favourite target for the week?
The single professional hacker who exploits MY work server and modifies/steals the data contained is far more devastating than even a DDoS directed at me by a script kiddie, but because professional hackers don't brag about their exploits on IRC, these vulnerabilities will go largely unnoticed by MS until someone else discovers and exploits them on a large scale, or posts them to a security discussion so that MS can fix them.
Large scale exploits are not the only concern here.
On another note, if you discover that you have been hacked, you would try to remove any backdoors that may have been installed and upgrade/re-install all your software, but how do you figure out which exploit was used? Is it a known exploit or is it a new one?
I visit a website that has been hacked and taken down twice in the last two months. It seems that the maintainer simply didn't know how they got in, so he put the box back up with basically the same configuration plus some security patches from the distro website. Obviously that didn't include the right patch, or possibly it was a configuration thing and not buggy software at fault, so they got in again and hosed his server again.
So, how do you determine how they got in, apart from scanning your own box for vulnerabilities and assuming it was one of those?
Sig matters not. Judge me by my sig, do you?
In the Microsoft wet dream, customers are also paying them monthly for the privilege of these secret automatic updates.
Though, they are finally adding a firewall in XP SP2. Maybe the recent Linux deployments are putting on some heat?
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
They WANT YOU TO SPEND MONEY TO MAKE BILL RICHER!
This is the sole and total purpose of this idiot's comments.
That simple.
No further discussion is necessary.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I just got the patch! No more viagra for me!
Well the easiest thing to do would be to stop releasing patches - then the hackers would never find the holes and everything would be fine.
What idiot came up with the idea of security patches in the first place?
I think MS predicts the cracker's way of thinking:
...
1. backup current system
2. install security patch
3. compare files
4. reverse engineer differences & refer to the security advisory
5. create an exploit
but:
what if step 3 was made difficult, say, by obfuscating the new file, so comparison with the old file will result in way too much difference?
Just an idea
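The five steps in the post above are a description of patch diffing. What follows is an added example, not part of the post and not Microsoft's or anyone else's tooling: a small Python script that performs steps 1 to 3 on two constructed directory trees (a "backup" and a "patched" copy of three made-up stand-in binaries, where the patch inserts a length check in front of a copy), reports the byte ranges the analyst would hand to step 4, and then tries the post's counter-idea. The `relayout` function is a hypothetical stand-in for whatever re-arrangement a vendor might apply to the patched file; the file names, contents and the "fix" are all invented for the illustration.

```python
"""Patch diffing, as steps 1-3 of the post describe it, on a constructed
sample.  Directory trees, file contents and the 'fix' are made up for
illustration; none of this is Microsoft's code or a real patch."""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict[str, str]:
    """Steps 1/2 bookkeeping: SHA-256 of every file under root, keyed by
    path relative to root, so two snapshots can be compared."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def changed_files(before: Path, after: Path) -> list[str]:
    """Step 3: files that differ between the backup and the patched tree,
    including files present on only one side."""
    b, a = sha256_tree(before), sha256_tree(after)
    return sorted(name for name in set(b) | set(a) if b.get(name) != a.get(name))


def changed_regions(old: bytes, new: bytes) -> list[tuple[int, int, int, int]]:
    """Byte ranges (old_start, old_end, new_start, new_end) that do not match.
    A handful of small regions is the ideal starting point for step 4:
    that is where the fixed code lives."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [(i1, i2, j1, j2) for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def changed_fraction(old: bytes, new: bytes) -> float:
    """Share of the two files that could not be matched (0.0 means identical)."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return 1.0 - matcher.ratio()


def relayout(data: bytes, block: int = 16) -> bytes:
    """The post's counter-idea (hypothetical): re-lay-out the patched file,
    here by reversing the order of fixed-size blocks, so a naive byte
    comparison reports far more change than the fix itself introduced."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return b"".join(reversed(blocks))


def build_sample_trees() -> tuple[Path, Path]:
    """Constructed pre-patch and post-patch trees: three stand-in 'binaries',
    one of which gains a length check in front of a copy.  Not real files."""
    base = Path(tempfile.mkdtemp(prefix="patchdiff-"))
    before, after = base / "backup", base / "patched"
    originals = {
        "kernel.dll": b"\x00" * 64 + b"KERNEL-ROUTINES" + b"\xff" * 64,
        "net.dll": b"recv(buf, 4096)" + b"\x90" * 32 + b"memcpy(dst, src, len)" + b"\x90" * 32,
        "ui.dll": b"UI" * 40,
    }
    patched = dict(originals)
    patched["net.dll"] = originals["net.dll"].replace(
        b"memcpy(dst, src, len)", b"if (len <= 256) memcpy(dst, src, len)")
    for root, contents in ((before, originals), (after, patched)):
        root.mkdir()
        for name, data in contents.items():
            (root / name).write_bytes(data)
    return before, after


if __name__ == "__main__":
    before, after = build_sample_trees()
    for name in changed_files(before, after):
        old, new = (before / name).read_bytes(), (after / name).read_bytes()
        print(name, changed_regions(old, new), f"unmatched={changed_fraction(old, new):.1%}")
        print(name, "after relayout:", f"unmatched={changed_fraction(old, relayout(new)):.1%}")
```

On the sample, only `net.dll` changes, and the diff is a single 16-byte insertion at the point where the check was added; after `relayout` the unmatched fraction jumps although the fix is the same. That is the limit of the idea: re-arranging the file costs the analyst effort, but it does not remove the fix, the advisory in step 4 still names the component and the bug class, and function-level diffing on disassembly rather than raw bytes is unaffected by byte layout. `difflib` is quadratic and only suitable for toy-sized inputs like these.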
...never works. That's like a bank saying "No one ever robbed our bank until we fixed that big gaping hole in the side of the vault that was exposed to the outer wall of the building."
Yes, that's a terrible analogy, but it shows that they have a bit of a point: any business would go out of business if they had to fix problems that were ineffable at the time of the original sale.
The problem is that you can reverse this concept with regards to software. If the vendor doesn't patch the exploits/bugs in their product, people will stop using said product because the holes in it will eventually make it unusable for many applications.
He has a point, but it's not a very good one. All he's saying is that most widespread attacks are script-kiddie attacks. Big deal. We already knew that. However, that's due to the fact that those people capable of discovering new exploits, for the most part, are white hat people who release the exploit info in order to get it fixed.
Yes, it sucks that releasing a patch leads to script-kiddie attacks on that exploit. But I find it hard to believe that they really think that if the situation were otherwise, and exploits didn't get fixed/patched until they were already seriously exploited in the wild, that this state of affairs would somehow be better in any way. Does everybody have to be rooted before a patch comes out to fix the problem? Or is it better to have the patch available and then be able to more squarely blame end users for not upgrading their boxes? There's really no alternative to these two scenarios. Take your pick.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Is it just me or is Microsoft just asking the folks who send them security hole information to bypass that silly part where they send the information to them and wait 6 months for a patch and jump straight to giving the information to malware folks just to show MS up? Somehow this gives me the impression of snubbing their noses at some security folks. I'm sure there are some hackers who have been exploiting certain holes in MS for years and kept it secret. Maybe if MS keeps saying this stuff they will turn it into a virus just to show up. We don't need unpatchable worms. Thank you.
It is no longer uncommon to be uncommon.
It is all your fault then, Microsoft!
I did not believe that, I thought it was those nasty Linux hackers, but now you admit it yourself!
I demand that you stop releasing these patches so our OS is more secure! If you don't we will go into a class action suit against you.
*Cough* Winnuke *cough*
Wow, more Microsoft stupidity. You have to wonder, is this marketing genius? Or stupidity? All the people who aren't computer literate will probably believe that. Along with that, "Viruses make WinXP better." "Windows is never vulnerable until a patch appears, and releasing patches is what causes exploits to be developed." Okay, well then if that's the case, why don't they stop making patches? "We have never had vulnerabilities exploited before the patch was known." Then what was that fault with Internet Explorer opening .exe files that appeared as .pdf files? That's been around for, like, 9 months.
I wonder if the coders and programmers @ Microsoft use Mac Products or Linux Flavors.
I'd like to raid their houses.........
$>man woman
$>Segmentation fault (core dumped)
Does anybody actually read these posts after a couple of days and respond to them?
If not LAST POST!
If something is so important that you feel the need to post it on the internet... It probably isn't that important.