MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
If I were going to write an exploit, I'd write the exploit AFTER Microsoft had patched my OS so I didn't zombie my own computer up!!!!
With all the script-kiddies out there, would they know how to patch Microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
Of course for the others, they probably realise that many people are forced to use Windows, and their only protection is Windows with a decent firewall and up-to-date Windows Updates.
Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
So Symantec has a full list of all vulnerabilities and is keeping that a secret. Then why does it take 3 days to get an Outlook patch to fix the latest vulnerability?
I concur! :) Upgrade today!
My dog ate my sig
I think he might be wrong.
When I read this story earlier, I figured that what they really meant was, "most of our vulnerabilities don't get announced until we have a patch, and people don't start to exploit them until they're announced".
Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.
Registering accounts later than some other chrisb since 1997
Linux 2.0.40 - release 2/8/04
Linux 2.2.26 - release 2/25/04
Linux 2.4.25 - release 2/18/04
Linux 2.6.3 - release 2/18/04
The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.
This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The Linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the Linux kernel or Apache for examples. Just my $0.02.
Fear trumps hope and ignorance trumps both
Perhaps David Aucsmith would care to explain this then? Though eEye (purposely) doesn't describe the vulnerabilities that they list there, it's been indicated (on mailing lists like Full-Disclosure) that several of them are being actively exploited.
Do you have a
Actually, linux 2.2.XX and even 2.0.XX are still supported and still receive security fixes.
This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.
One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.
The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
FYI, fc still exists in both XP and 2003 server.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Uh, lessee... Blaster?
It affected XP, NT 4 and win 2k3. Win 98 and 95 were immune.
If you don't want to read the article all the way through, here are the last two paragraphs:
There's no place like 127.0.0.1
I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)
Good news fellow criminals, it's still there. I checked on WinNT and Win2k and it's located in the System32 folder. It's listed as the DOS 5 File Compare Utility. I did a fc /? from the command window and it responded.
Here, I've been using Windiff all this time... Dang
Up until a couple months ago at least, 2.2 was still the official kernel version for Debian (which obviously takes security seriously).
I don't try to be right, I just try to make people think
here. I rest my case.
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
Next big thing in computers: the then-if statement!
print "this already exists\n" if ($usingPerl);
As for real security experts, they routinely find vulnerabilities in Windows before sending a description to MS, which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
in real life who could be described as black hat. He showed me exploit code for the ASN1 exploit (this was remote shell code) about a week before the Microsoft patch was released. He said it was big news in his community.
From what I could see, it was very tight C code which compiled and worked on the WinXP test machine (his own), so I guess it was authentic.
Gamers Europe - Gaming News. Reviews.
This posting counters it...
http://slashdot.org/comments.pl?sid=98387&cid=8
An optimist believes we live in the best world possible; a pessimist fears this is true.
apt-get or yum is your friend
I don't read your sig, why do you read mine?
Linus doesn't, weaselnuts, but the 2.0.x kernel is alive and well, maintained by David Weinehall, the 2.2.x kernel is alive and well, being maintained by Marc-Christian Petersen, and the 2.4.x kernels are being maintained by Marcelo Tosatti. The only kernels that Linus maintains are the development kernels. He hasn't handed off 2.6.x yet, AFAIK, since it's not fully cooked and 2.7 hasn't forked. As soon as 2.7 branches, expect to see someone else issuing the 2.6 kernels. I'm not going to touch the Redhat commentary, but I know there are people still maintaining their own copies by patching and creating new packages. In the open source realm, you don't need a vendor to do it for you. In Win 9x, you do. 'Nuff said.
-30-
"A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
Actually, if DCOM was installed (like in some developer or vertical app situations), 9x/ME were (and are) vulnerable to the attack used by Blaster. Fortunately for those otherwise unfortunate souls running such systems, there weren't enough targets around to make it worth the effort to create offsets and shellcode for 9x.
Actually, as the comment below that post mentions, it doesn't really counter his claim concerning "exploits." But this post does, as does this one.
-Trick
It is NOT only the MS exec who is saying this. In the same article Symantec confirms this:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
"He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability."
As usual everyone is going off half-cocked.
Let's see...with Debian stable (possibly testing, but I don't recommend with unstable). Done.
Change your second crontab to run the shell script, and done. (Yes, I don't use variables in 2-line scripts.) Or, if you want a daily email of any packages requiring an update....
Oh, to upgrade to the next release...
for kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a debian system for me is very straight forward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).
-- If you can't laugh at yourself, someone else will do it for you.
I think pretty much every distro has an automatic updater which is no more painful than Windows Update. Also...almost daily?? I'm guessing you're talking about more than just the kernel unless you're obsessed with getting the latest revision. Among all the software on my computer there are only a couple updates a week aside from snapshots and probably some devel releases. And as for updates that are important for security and system integrity, it's probably about one update a month on average and the other updates could just be done in one large batch.
Um.... Windows 98 isn't 9.anything.
If anything, it's 'Win4.1'. Take a really close look at the installer the next time it runs. [I know I saw 'win4.0' flash by when I installed Windows 95 for the first time.]
In the same way, Win2000 is 'NT5.0'. I'm not sure if XP is the fabled 'NT6' or just considered to be 'NT5.1', as I've never used it.
Build it, and they will come^Hplain.
Windows file sharing.
Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:
Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.
The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.
Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
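The share-password bug described in the post above comes down to a comparison that stops after however many bytes the client sends, so a one-character guess matches any password starting with that character. The following is an added example written for this thread, not Windows code and not from the poster: it models that defect as "compare only the bytes supplied" (an assumption about the mechanism, generalised from the one-character case the post describes), next to a check that requires the whole password. Share passwords on 9x were case-insensitive, which is why both versions fold case; the function names and the sample password "Slashdot" are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case folding, since 9x share passwords were compared case-insensitively. */
static int fold(unsigned char c) { return tolower(c); }

/* DEFECTIVE (models the bug described above): the loop only runs over the
 * `len` bytes the client sent, so any prefix of the stored password, down
 * to a single character, is accepted. */
bool check_password_prefix(const char *stored, const char *guess, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (stored[i] == '\0' || fold((unsigned char)stored[i]) != fold((unsigned char)guess[i]))
            return false;
    }
    return true;
}

/* CORRECTED: the guess must match the entire stored password, and the
 * loop always walks the full stored length so the time taken does not
 * reveal where the first mismatching byte is. */
bool check_password_full(const char *stored, const char *guess, size_t len)
{
    size_t stored_len = strlen(stored);
    unsigned char diff = (unsigned char)(stored_len != len);
    for (size_t i = 0; i < stored_len; i++) {
        /* index the guess modulo its length so a short guess still costs
           a full pass; the length mismatch above already forces failure */
        unsigned char g = len ? (unsigned char)guess[i % len] : 0;
        diff |= (unsigned char)(fold((unsigned char)stored[i]) ^ fold(g));
    }
    return diff == 0;
}

/* How many single-letter guesses, trying 'a'..'z' in order, the defective
 * check needs before it accepts one (the "26 tries" from the post).
 * Returns -1 if the password does not start with a letter. */
int single_letter_tries(const char *stored)
{
    for (int i = 0; i < 26; i++) {
        char guess = (char)('a' + i);
        if (check_password_prefix(stored, &guess, 1))
            return i + 1;
    }
    return -1;
}

int main(void)
{
    /* constructed sample password from the post */
    const char *pw = "Slashdot";
    printf("prefix check accepts \"s\": %d\n", check_password_prefix(pw, "s", 1));
    printf("full check accepts \"s\":   %d\n", check_password_full(pw, "s", 1));
    printf("full check accepts \"SLASHDOT\": %d\n", check_password_full(pw, "SLASHDOT", 8));
    printf("single-letter tries until the defective check accepts: %d\n", single_letter_tries(pw));
    return 0;
}
```

The corrected version fails on the length mismatch first, so the guess length is never used as a loop bound; that is the property the original check lacked.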
In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched vs. unpatched systems to see what the changes are. But it's not just Microsoft saying this: In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
Incorrect. The contrapositive of patch->exploit is no exploit->no patch, which is not really a truth. The inverse of patch->exploit is no patch->no exploit, but the inverse of a true statement does not have to be true.
XP SP2 is going to be a bundle of laughs...
I remember NT SP6 where they screwed up the NTFS format somehow and several machines (luckily only test machines) rebooted to the 'couldn't load NTLDR' screen.
Various 'hotfixes' that have caused apps to crash or behave oddly - some of which have been subsequently withdrawn and reissued fixed later.
How about
24 unpatched IE exploits. No patches. Still exploited.
QED.
If I remember correctly, the WebDAV exploit that was out about 5 months ago was found because a military webserver was rooted with it. That's definitely an example of a blackhat finding a hole and using it well before there was a patch available.
You had it almost right there, just that once, with 'viruses'. Check it:
You can find the whole article here. Now you can just use the word 'viruses' all the time, and not sound like the literary equivalent of an out-of-tune piano.
" Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit."
Of course I wouldn't expect a biased site like /. to bother even considering MS's argument. The post doesn't even bother to explain the MS position, but instead just continues with the mindless MS bashing that I've come to expect here to ensure that no meaningful discussion ensues and nothing is learned from MS, since of course they can't possibly have anything useful to teach us about computer use and misuse.
Vote for Pedro
windows update is ABSOLUTELY FUCKING APPALLING.
oh look, several patches available... wtf, not only do I have to close down all my apps and restart my computer, but I have to restart for each patch individually!?
SUSE YOU is infinitely better. I let it run all the time because it doesn't bug me with crap notices (just changes colour), so I get patches straight away, and no restarts. Although I'm not running a server or anything, it's still very important to me for my work.
thank god windows is too useless for my work anyway so the crapness of windows update isn't an issue.
I sometimes use MS Office via Crossover though. even that's better on linux - can automatically download updates and "simulates windows restarting" instead of the real thing.
I hardly call Windows updates for home use "painless", for many people out there.
Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!
As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
You're confusing your terminology... The problem with your argument is that going from 2.2.7 to 2.2.26 is a patch, not an upgrade. It's the same as applying a patch to a Microsoft product that modifies the kernel. And, as everyone knows, applying Microsoft patches very frequently breaks old things... you do not need to upgrade just to lose functionality.
And that patch is often even more risky in Microsoft products than open source, because MS typically supplies a whole package of unrelated patches with no way of applying only the individual ones you want.
I read it quite differently.
If hackers are left uninformed, a security hole is only found by a few industrious hackers. Some are white hats, some are not. Some will inform Microsoft, some will exploit the code, few will propagate the knowledge. The system is not secure, but few attacks happen. The few, however, might be very dangerous, as the attacker knows what he's doing and is probably after something.
After a patch is released, thousands of crackers can find out what was wrong. The knowledge barrier to writing a successful exploit drops, worms are written... Suddenly everyone's computers are under attack.
He's not saying that only Microsoftees find exploitable bugs. He's just saying what everyone knows: once a hole is well known, it's a greater danger and soon even script kiddies start using it.
The article mainly says that in the case of a target as popular as Windows, once a patch is available, you have to get it _quickly_, because the number of attacks grows very rapidly then.
Unknown hole = exploitable by some hackers
Well known and patched = safe
Well known and unpatched = goodbye, sweet data
Man! You had me going there for a moment. I was going to award you the shiniest mod point I had in my quiver until I went back and checked your assertion.
David Aucsmith explicitly states that: "We have never had vulnerabilities exploited before the patch was known," he said.
This statement is false on its face and it is not misquoted. Numerous posters have pointed out why much more completely than I can. Again, CIFS/SMB using ports 137-139 is so irretrievably flawed that they've implemented a workaround rather than fix it (PATIENT: It hurts when I do this. DOCTOR: Don't do that!)
So, thanks for the lofty pronouncements--no mod point for YOU!
"The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available."
What this really means is no rapidly expanding virus was created which drew the general public's attention. That doesn't mean a black hat didn't use it to hack a system and steal merchandise, products, $, or information. Then was able to cover his tracks.
That's why I like to see a virus that forces everyone to patch their systems. It scares me to think how many companies have my banking/credit card information. Then take into account the millions of computers that can access that data, 90% of them running Windows.
Either way, this guy is an idiot.
The following two statements are VERY DIFFERENT:
We have never had vulnerabilities exploited before the patch was known - Actual quote. Maybe not completely true, but mostly true. "Never" should be replaced with "almost never". I consider that an honest mistake.
Windows is never vulnerable until a patch appears - Misquote by Michael. Absurd. Anyone who would make this claim is an idiot.
If you read the article, nobody is claiming that only Microsoft finds exploits. They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits. They also don't say they should stop issuing patches, despite what people here seem to be assuming. The guy is issuing a caution about how patching quickly is becoming more important. There really isn't that much to get worked up about here.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
If you look at the SSL certs they use, MS signs them themselves. When did MS become a signing authority?
CN: www.microsoft.com
O: Microsoft
OU: mscom
Issued By: CN Microsoft Secure Server Authority, O (empty), OU (empty)
Issued On: 3/37/03
Expires On: 3/26/04
Umm... I'd like to know how Microsoft explains these.
They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits.
They don't even have to reverse engineer the patches, since the bulletins released with the patches usually describe the problem being patched well enough for someone to figure out a way to write an exploit. When you have a description available like the following:
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
All you really need to do is find more information about how the exploitable code is normally used, then find the limits of the buffer (in the case of a buffer overflow like this) and go to town with it.
What it all comes down to is basically that people need to update as soon as possible when patches are released, because the people writing worms and viruses tend to watch the security bulletins looking for new holes to exploit. It's certainly much easier than actively seeking out undocumented holes.
-PainKilleR-[CE]
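The bulletin text quoted above names the bug class: a length field in a BER encoding that is trusted without a bounds check, so a "very large" value wraps the arithmetic and later heap writes run past the buffer. The block below is an added example for this thread, not code from MSASN1.DLL or from the poster; it is a minimal BER length decoder with the bounds check written both ways. The defective variant computes the end offset in 32-bit arithmetic (an assumption about how such a check was written, chosen to make the wraparound visible on any platform); the hardened variant never adds the untrusted length to anything and compares it against the bytes that actually remain. The sample encodings and the function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed BER length field: header bytes consumed and the declared length. */
typedef struct {
    size_t   consumed;  /* bytes used by the length field itself */
    uint32_t length;    /* declared content length */
} ber_len_t;

/* Read the raw BER length encoding at buf[pos]: short form (one byte below
 * 0x80) or long form (0x80|n followed by n big-endian bytes). Only the
 * encoding is validated here; whether the content fits is checked below. */
static bool ber_read_length(const uint8_t *buf, size_t pos, size_t buflen, ber_len_t *out)
{
    if (pos >= buflen) return false;
    uint8_t first = buf[pos];
    if (first < 0x80) {                       /* short form */
        out->consumed = 1;
        out->length = first;
        return true;
    }
    size_t n = first & 0x7F;
    if (n == 0 || n > 4) return false;        /* reject indefinite form and >32-bit lengths */
    if (buflen - pos - 1 < n) return false;   /* the length bytes themselves must be present */
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | buf[pos + 1 + i];
    out->consumed = 1 + n;
    out->length = len;
    return true;
}

/* DEFECTIVE (models the bug class in the bulletin): the end offset is
 * computed in 32-bit arithmetic, so a length near 0xFFFFFFFF wraps, the
 * comparison passes, and a caller copying `length` bytes would overwrite
 * whatever follows the buffer on the heap. */
bool ber_content_fits_naive(const uint8_t *buf, size_t pos, size_t buflen, uint32_t *len_out)
{
    ber_len_t l;
    if (!ber_read_length(buf, pos, buflen, &l)) return false;
    uint32_t end = (uint32_t)((uint32_t)pos + (uint32_t)l.consumed + l.length);  /* can wrap */
    if (end > (uint32_t)buflen) return false;
    *len_out = l.length;
    return true;
}

/* HARDENED: compare the untrusted length against the bytes remaining after
 * the header instead of adding it to an offset. ber_read_length already
 * guarantees pos + consumed <= buflen, so the subtraction cannot underflow. */
bool ber_content_fits_checked(const uint8_t *buf, size_t pos, size_t buflen, uint32_t *len_out)
{
    ber_len_t l;
    if (!ber_read_length(buf, pos, buflen, &l)) return false;
    size_t remaining = buflen - pos - l.consumed;
    if (l.length > remaining) return false;
    *len_out = l.length;
    return true;
}

/* Constructed sample encodings (OCTET STRING tag 0x04, length at offset 1). */
static const uint8_t sample_ok[]    = {0x04, 0x03, 'a', 'b', 'c'};                   /* sane */
static const uint8_t sample_long[]  = {0x04, 0x81, 0x02, 'a', 'b'};                  /* long form, sane */
static const uint8_t sample_huge[]  = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 'x'};     /* length wraps */
static const uint8_t sample_trunc[] = {0x04, 0x84, 0xFF, 0xFF};                      /* header cut off */

/* 1 = the check accepts the sample, 0 = it rejects it. */
int naive_accepts(const uint8_t *buf, size_t buflen)
{
    uint32_t n;
    return ber_content_fits_naive(buf, 1, buflen, &n) ? 1 : 0;
}
int checked_accepts(const uint8_t *buf, size_t buflen)
{
    uint32_t n;
    return ber_content_fits_checked(buf, 1, buflen, &n) ? 1 : 0;
}

int main(void)
{
    printf("sane:      naive=%d checked=%d\n", naive_accepts(sample_ok, sizeof sample_ok), checked_accepts(sample_ok, sizeof sample_ok));
    printf("huge len:  naive=%d checked=%d\n", naive_accepts(sample_huge, sizeof sample_huge), checked_accepts(sample_huge, sizeof sample_huge));
    printf("truncated: naive=%d checked=%d\n", naive_accepts(sample_trunc, sizeof sample_trunc), checked_accepts(sample_trunc, sizeof sample_trunc));
    return 0;
}
```

On the "huge" sample the naive check accepts a declared length of 0xFFFFFFFF for a buffer of seven bytes, which is exactly the condition the bulletin describes; the checked version rejects it because one byte remains after the header.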
Is my recent experience prudent here?
Every version of Windows, as shipped, now has security holes that will be exploited immediately upon going online. I tried to go online with a new MS install, and was infected with a virus before I could download a single patch.
The correct way, according to MS, to patch the OS is through the Windows Update site (it's hard to find the individual files for download; only going to windowsupdate.com with a non-IExplore browser directs me to the patches for download otherwise).
To my knowledge MS doesn't ship a single OS that is secure enough to go online to patch itself. Maybe 98 SP2, but to my knowledge there is no way to get a patched Windows XP box without going online first (any patch CDs shipped from MS????).
Then feel free to enlighten me as I don't quite see your problem here.
In that article, "almost all attacks are against legacy systems". Define legacy. There's plenty of XP and 2003 attacks out there, so that means either a) Non-Longhorn = legacy or b) They're blowing smoke.
On another note, I categorically deny that Linux is more secure an operating system than Windows. If Linux were as popular as Windows, it would have exactly the same security record as the Microsoft product. Windows, XP and the latest version of it in particular, will get the millions-of-eyes treatment the open source community is so proud of. Only in this case, the millions of eyes will make any security features shallow.
Not true. Developers on Linux are more aware of testing under non-root level accounts. That is sorely lacking under Windows.
Many-eyes does *not* make security features shallow. Many encryption algorithms are public, including the ones MS uses to sign their code. Kindly release an executable that is signed using an MS certificate.
Microsoft has actually done an admirable job in creating an operating system that your average user has any chance of connecting to the net and with a reasonable amount of security.
Reasonable amount of security? I've had to clean plenty of systems that have been attached to the net, including one that was infected through the XP firewall. And no, the owner *doesn't* run executables from unknown sources or use Outlook/Outlook Express.
But then on my notebook I have to recompile my display drivers every fourth or fifth update, and I still haven't figured out why or when... heck, if I weren't a reasonably experienced user I probably never would've gotten the drivers going in the first place.
Pin the xserver-xfree86 release. Instructions on how are in the Debian User's Guide. That way it won't get upgraded, but everything else will. It should be noted that notebook video is *terribly* supported, but there are *plenty* of guides out there as to how to do it - tuxmobil has them.
(You also then should do the trick above which emails you changes specifically for the xserver-xfree86 release coming from the security dist.)
And as related to previous discussions, the reason that apt's better than Windows Update is that it allows you to customize in this way. With Microsoft, it's "You want to install these updates. Really you do. Trust in Microsoft. Believe Microsoft. Microsoft is good. Watch the spinning lights."
Yes, they are now shipping CD's so you can patch your system without going on the Internet.
You are being MICROattacked, from various angles, in a SOFT manner.
Crankshafts are similar, except anything on a car that old can be replaced with a differently-made part which will meet or exceed the original specifications. For example, a forged crankshaft on a car that old could be replaced with a press-fit crank made out of a better alloy, to more exacting tolerances.
A machinist who tells you "I can't make you one of those" either doesn't want to invest in tooling for a particular material (like if you want something made out of titanium, you have to go to a specialist) or just doesn't want to take the job; they can make the same amount of money or more doing something easier. If I were possessed of that many old cars, personally, I'd build a machine shop and learn machining. Anyone can do it, I mean they even have blind machinists, some of whom do amazing work. (It's hard to imagine working with machines which can effortlessly maim or kill you without being able to see them.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If it was any other MS bashing article, you would have a point. But did you really read the article?
The logic in that article is clearly asinine.
Please read it and find out for yourself.
You mean this article, right? http://support.microsoft.com:80/support/kb/articles/q276/3/04.asp
This is my all time favorite:
http://support.microsoft.com/?kbid=161129
("Kitchen: Known Content Errors"). What were they thinking?
Was this what you wanted?
This, I believe, fits your description.
"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."
I guess that explains why Windows doesn't include a "diff" function...
Sysdiff.exe: Automated Installation Tool...
SCO employee? Check out the bounty
I think MS tries to mix up two facts. It may be true to claim that some high-profile but not that damaging malicious code (e.g. those widespread internet worms in the last few years) is created in this reverse engineering way... A good enough but not the most elite cracker probably wants the most publicity. Their aim is to compromise the largest number of machines.
But, I can imagine some of the best crackers in fact target specific systems. In this case, they don't even want other people to know their technique....
Here is one that CNET just announced today. Microsoft admits it has been vulnerable this whole year and they are working on a patch yet to be released.
I'm a former 'softie, and I hate to see people without half a neuron speaking for the company. Microsoft has a lot of good people, and a lot of good products. I just can't figure out why they let IDIOTS speak for the company so often.