MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
I think he might be wrong.
Linux 2.0.40 - release 2/8/04
Linux 2.2.26 - release 2/25/04
Linux 2.4.25 - release 2/18/04
Linux 2.6.3 - release 2/18/04
The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.
This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The Linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the Linux kernel or Apache for examples. Just my $0.02.
Fear trumps hope and ignorance trumps both
Actually, Linux 2.2.XX and even 2.0.XX are still supported and still receive security fixes.
This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.
One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.
The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
Next big thing in computers: the then-if statement!
print "this already exists\n" if ($usingPerl);
As for real security experts, they routinely find vulnerabilities in Windows before sending a description to MS, which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Linus doesn't, weaselnuts, but the 2.0.x kernel is alive and well, maintained by David Weinehall, the 2.2.x kernel is alive and well, being maintained by Marc-Christian Petersen, and the 2.4.x kernels are being maintained by Marcelo Tosatti. The only kernels that Linus maintains are the development kernels. He hasn't handed off 2.6.x yet, AFAIK, since it's not fully cooked and 2.7 hasn't forked. As soon as 2.7 branches, expect to see someone else issuing the 2.6 kernels. I'm not going to touch the Redhat commentary, but I know there are people still maintaining their own copies by patching and creating new packages. In the open source realm, you don't need a vendor to do it for you. In Win 9x, you do. 'Nuff said.
-30-
Let's see...with debian stable (possibly testing, but I don't recommend with unstable) Done.
Change your second crontab to run the shell script, and done. (yes, I don't use variables in 2-line scripts) Or, if you want a daily email of any packages requiring an update....
Oh, to upgrade to the next release...
For kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a Debian system for me is very straightforward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).
-- If you can't laugh at yourself, someone else will do it for you.
Windows file sharing.
Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:
Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.
The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.
Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
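A constructed illustration of the share-password defect described in the post above, added here and not code from the post or from Windows: a check that compares only as many characters as the client sent, beside one that compares the whole stored password. It assumes a case-insensitive comparison so that "s" matches "Slashdot" as in the post.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not Microsoft's code. Comparison is case-insensitive
 * (an assumption, so that "s" matches "Slashdot" as in the post above). */

/* Defective check: compares only as many characters as the client sent,
 * so a one-character guess is accepted when its first letter matches. */
bool check_share_password_weak(const char *stored,
                               const char *supplied, size_t supplied_len)
{
    if (supplied_len > strlen(stored))
        return false;
    for (size_t i = 0; i < supplied_len; i++) {
        if (tolower((unsigned char)stored[i]) !=
            tolower((unsigned char)supplied[i]))
            return false;
    }
    return true;
}

/* Hardened check: lengths must match and every byte of the stored password
 * is compared; mismatches are accumulated instead of returning early. */
bool check_share_password_fixed(const char *stored,
                                const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(stored);
    size_t diff = stored_len ^ supplied_len;
    for (size_t i = 0; i < stored_len; i++) {
        unsigned char a = (unsigned char)tolower((unsigned char)stored[i]);
        unsigned char b = (i < supplied_len)
            ? (unsigned char)tolower((unsigned char)supplied[i]) : 0;
        diff |= (size_t)(a ^ b);
    }
    return diff == 0;
}

/* Counts how many single-letter guesses ('a'..'z') a checker accepts for
 * the stored password; a sound checker accepts none. */
int single_letter_guesses_accepted(bool (*check)(const char *, const char *, size_t),
                                   const char *stored)
{
    int accepted = 0;
    for (char c = 'a'; c <= 'z'; c++)
        accepted += check(stored, &c, 1) ? 1 : 0;
    return accepted;
}
```

The weak check accepts exactly one single-letter guess for "Slashdot", which is the behaviour the post describes; the fixed check accepts none.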
In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched vs. unpatched systems to see what the changes are. But it's not just Microsoft saying this: In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
How about
24 unpatched IE exploits. No patches. Still exploited.
QED.
If I remember correctly, the WebDAV exploit that was out about 5 months ago was found because a military webserver was rooted with it. That's definitely an example of a blackhat finding a hole and using it well before there was a patch available.
" Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit."
Of course I wouldn't expect a biased site like /. to bother even considering MS's argument. The post doesn't even bother to explain the MS position, but instead just continues with the mindless MS bashing that I've come to expect here to ensure that no meaningful discussion ensues and nothing is learned from MS, since of course they can't possibly have anything useful to teach us about computer use and misuse.
Vote for Pedro
I hardly call Windows updates for home use "painless", for many people out there.
Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!
As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
I read it quite differently.
If hackers are left uninformed, a security hole is only found by a few industrious hackers. Some are white hats, some are not. Some will inform Microsoft, some will exploit the code, few will propagate the knowledge. The system is not secure, but few attacks happen. The few, however, might be very dangerous, as the attacker knows what he's doing and is probably after something.
After a patch is released, thousands of crackers can find out what was wrong. The knowledge barrier to writing a successful exploit drops, worms are written... Suddenly everyone's computers are under attack.
He's not saying that only Microsoftees find exploitable bugs. He's just saying what everyone knows - once a hole is well known, it's a greater danger and soon even script kiddies start using it.
The article mainly says that in the case of a target as popular as Windows, once a patch is available, you have to get it _quickly_, because the number of attacks grows very rapidly then.
Unknown hole = exploitable by some hackers
Well known and patched = safe
Well known and unpatched = goodbye, sweet data
If you read the article, nobody is claiming that only Microsoft finds exploits. They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits. They also don't say they should stop issuing patches, despite what people here seem to be assuming. The guy is issuing a caution about how patching quickly is becoming more important. There really isn't that much to get worked up about here.
They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits.
They don't even have to reverse engineer the patches, since the bulletins released with the patches usually describe the problem being patched well enough for someone to figure out a way to write an exploit. When you have a description available like the following:
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
All you really need to do is find more information about how the exploitable code is normally used, then find the limits of the buffer (in the case of a buffer overflow like this) and go to town with it.
What it all comes down to is basically that people need to update as soon as possible when patches are released, because the people writing worms and viruses tend to watch the security bulletins looking for new holes to exploit. It's certainly much easier than actively seeking out undocumented holes.
-PainKilleR-[CE]
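As an added example (not Microsoft's MSASN1 code, and not from the post above), a BER length decoder that guards against the two failure modes the quoted description names: a length field too large for the integer holding it, and a length that runs past the data actually received. The octet layout follows BER's short and long length forms.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed example, not MSASN1.DLL code: a BER length decoder that rejects
 * length fields too large for the integer type and lengths past the buffer. */
typedef struct {
    size_t length;   /* decoded content length */
    size_t consumed; /* number of length octets consumed */
} ber_len_t;

/* Decodes the length octets at buf[0..avail). Fills *out and returns true,
 * or returns false for indefinite, truncated, oversized or overrunning lengths. */
bool ber_decode_length(const uint8_t *buf, size_t avail, ber_len_t *out)
{
    if (avail == 0)
        return false;
    uint8_t first = buf[0];
    if (first < 0x80) {                 /* short form: the octet is the length */
        if (first > avail - 1)
            return false;               /* content would overrun the buffer */
        out->length = first;
        out->consumed = 1;
        return true;
    }
    size_t n = first & 0x7F;            /* long form: n further length octets */
    if (n == 0)
        return false;                   /* indefinite form, not allowed here */
    if (n > avail - 1)
        return false;                   /* length octets themselves truncated */
    size_t len = 0;
    for (size_t i = 1; i <= n; i++) {
        /* Integer-overflow guard: refuse to shift non-zero bits off the top. */
        if (len > (SIZE_MAX >> 8))
            return false;
        len = (len << 8) | buf[i];
    }
    if (len > avail - 1 - n)
        return false;                   /* "very large length" past the buffer */
    out->length = len;
    out->consumed = 1 + n;
    return true;
}

/* Convenience wrapper: the decoded length, or -1 when the encoding is rejected. */
long ber_length_or_minus1(const uint8_t *buf, size_t avail)
{
    ber_len_t r;
    return ber_decode_length(buf, avail, &r) ? (long)r.length : -1L;
}
```

Without the bounds check after the loop, a decoder that trusts the length field would hand a huge count to the code copying the content, which is the heap-overwrite case the description mentions.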
Is my recent experience prudent here?
Every version of Windows, as shipped, now has security holes that will be exploited immediately upon going on-line. I tried to go online with a new MS install, and was infected with a virus before I could download a single patch.
The correct way to patch the OS, according to MS, is through the Windows Update site (it's hard to find the individual files for download; only going to windowsupdate.com with a non-IExplore browser directs me to the patches for download otherwise.)
To my knowledge MS doesn't ship a single OS that is secure enough to go online to patch itself. Maybe 98sp2, but to my knowledge there is no way to get a patched Windows XP box without going online first (any patch CDs shipped from MS????)
You mean this article, right? http://support.microsoft.com:80/support/kb/articles/q276/3/04.asp
This is my all time favorite:
http://support.microsoft.com/?kbid=161129
("Kitchen: Known Content Errors"). What were they thinking?