MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So, the statement if confused might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather they are doing what they do for a likely monetary payoff.
The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.
Visit Jonesblog and say hello.
At best, the notion that patches are the source of all exploits is a logical fallacy. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.
I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.
If crackers never find exploits except for by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler.
Also liked this quote, from the end of the article:
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Hmmm.
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
If a politician said something like this it would get torn apart by the media. If a scientist said something he would loose his credibility and there would be articles written to counter this in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what thsy say happens. Kind of like when God speaks.
Evolution or ID?
Sounds like a simple belief security through obscurity. That is really sad.
Confucius say: I hear and I forget. I see and I remember. I do and I understand.
... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
-m
#
# Modus Ponens
#
"If you want more secure software, upgrade."
That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34
An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your door unlocked, since we do not know that they're unlocked there is no danger.
Reply to this post with your street adress and your usual work hours, thanks!
I must admit that they are partly right on this statement. As long as they don't publish a patch, most the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.
As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.
So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.
Just my opinion.
Then, when MS does release the patch, the people who found the flaw throw up the details on their website for all the "hackers" to get their hands on.
hence the exploits coming after the patch is released
But, you are wrong about this. In fact, a new Kernel update to 2.2 was released. Version 2.2.26. It's been a year, but they were still released.
Here's a quote from the release: "Marc-Christian Petersen announced the release of the 2.2.26 Linux kernel. This release includes several security fixes, including a fix for the latest mremap() bug." See the Linux 2.2.26 Release Notes
So, really, MS is forcing users to upgrade by not releasing patches to old version.
"BEHOLD, CORN!!" - Dr. Weird, ATHF
The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.
There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.
The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.
That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.
And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosopy behind your OS choice.
I don't need no instructions to know how to rock!!!!
> Another way to look at this is that I should be able to remove every patch from my Windows PC and it would be totally secure?
Um, no, since his point was that exploits are only found when a patch is released. By removing the patches from your system, you'll be vulnerable to those patches that were found. The parent's statement was more correct and humorous:
There's still one major difference - M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right. Further, with Microsoft, you not only upgrade your software, but most likely, your EULA as well (and no telling what kind of nastiness). With Linux, you have no such worries.
A few weeks ago, we were treated to the BBC claiming that the Linux community was behind MyDoom, even after it had become clear to everyone else in the world that it was written by Spammers. This article isn't any better/worse - its another thinly-disguised and apparently unresearched document, with no supporting statistics. Is there a reason to read this trash anymore, or should we switch to something more reliable, like the tabloids?
Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
This means that Microsoft has *NEVER*, I repeat, *NEVER*, has been subject to a 0-day exploit. Wow...this guy is smoking some serious crack. What about the recent exploit that they sat on for 6 months? Doesnt that count? How about the new one that X-Force has contacted them about and MS has 30 days to fix? Is that from a patch too?
The implication there is that only Microsoft finds exploits. Forgive me if I'm skeptical.
Acquiescence leads to obliteration
Their point is that when they patch they announce they HAD a problem and the hackers can see what the patch fixed and try to exploit UNpatched machines... its security through obscurity, if I don't release a patch... hopefully the hackers won't notice the hole.
:)
But now that the patch is out, you can expect hackers to know about the vulnerability and attack you if you don't have the patch.
They are dumb, dont try to play dumber.
Exactly how obsure is Windows?
What this is is security through hiding problems you find and hoping that no one else finds them.
RonB
It is human nature to take shortcuts in thinking.
Why do you speak as though this "conundrum" were unique to Microsoft, or even closed-source software in general? If I buy a '57 Chevy Bel-Air convertible, and the top has a tear in it, should GM be obligated to provide me with a replacement part, if I'm willing to pay for it? Does the fact that they won't indicate that GM is a bad company for not supporting its "legacy" products?
Just how long should a company be obligated to support its older products? And why are you coming down so hard on Microsoft while ignoring the fact that this is simply standard practice, in every industry?
Like woodworking? Build your own picture frames.
The really scary part is that this wasn't said by some marketing guy like Gates or Ballmer, it was said by the Microsoft Security Chief.
I realize that you are trying to make a joke, but seriously, how painful is a Linux upgrade compared to a WindowsUpdate(R)(C)TM? Cause that's about the price you pay almost daily to get up-to-date.
Write boring code, not shiny code!
Quite a few people use various flavors of the 2.0 kernel for various reasons. The 2.2 installed base is huge, and not going anyplace fast. Larger minor version number (or even major version number) does not even vaguely imply greater security. You are buying the myth.
In fact, quite the opposite is often the case if older versions remain maintained, because they are more thoroughly debugged and locked down. And they are maintained because there is no profit motive to not do so.
KFG
So let's really hash this out.
Just for kicks, let's make a list of examples in the last three years where a virus/explot happened on any kind of wide scale before the patch was available. If we really disagree with his comments, let's make an intelligent attempt at rebuttal.
I'll take first shot: the first major incident that comes to mind for me is the COM+ bug of this last summer.
You could fabricate a new top/machine parts/etc for a car. Not so for a closed source software product (or at least, it would be much harder.)
No, the point is terribly obvious to those with pointy-hair:
It's not Microsoft's fault your Windows servers have been hacked, infected and your entire system is down, it's the fault of your IT department for not keeping up to date on the Windows patches. You see Microsoft software is 100% secure as long as you keep up to date on the patches.
I'm not sure whether this is uncertainty or doubt, though.
Fanatically anti-fanatical
Maybe MS is mixing things up? If you count worms and viruses as exploits in the same category as real breakins then by far those and script kiddies who uses ready made exploits account for most breakins.
Any sane cracker wont report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous breakins is ofcourse corporate espionage and i think the ones doing those have a field day on Windows right now. They dont use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target is unpatched.
HTTP/1.1 400
Or is it the other way around ?
:
... to Debian 8)
say [pun]"Only Microsoft exploits exploits"[/pun]...
from the article
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Here you are. They said it, officially.
I seem to remember that my debian stable is composed of 1-2 years old software, and, regularly patched, will say secure without even have to reboot...
PEOPLE !!! "If you want more secure software, upgrade."
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
From the article:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.
None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".
Is this sig nificant?
Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because the "will be no exploit till we release this patch" policy.
I'm not sure if that is the best example, but at least is one that is enough to show how much bullshit they used to tell in public.
It depends if you run updates through regression testing on a series of "standard" machines in the office and all goes well until you actually try to patch the systems. Then, some obscure third party app that you completely forgot even existed clashes with the freshly updated machine and fucks the whole thing but good because of some bizarre bug that prevents the machine from even getting to first stage boot. On 350 desktops. In the middle of the night. On the weekend.
As compared to the boxes that kernel-upgraded flawlessly even though we didn't list out half the stuff being used on said boxes.
Windows update for home use? (Usually) painless. Windows update for wide deployments. Potentially, the most painful fucking nightmare you will ever experience unless you have a completely homogenous environment.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Few quick observations...
1.) Microsoft end of lifed windows98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old win98 on it (i know slashdotters can always come up with whatever reasons for anything, but in the general public).
Yes the Linux kernel, even back to 2.2, is still being updated. And yes, linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
2.) The article claims windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with outlook, internet explorer, office, IIS, exchange, etc. Technically, these are not windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaiming that on the kernel dev team.
Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of microsoft.
3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, i'm not following. The have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but i suppose security through obscurity is still security.
How many times have we seen a story on slashdot that exclaims how microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.
The average linux user is smarter than the average windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (i mean, in windows XP, the windows update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).
I'm not trying to defend microsoft here, all I'm saying is that, before you bash them, think.
~Will
sig?
Here is the big example that I can think of -- SP6 broke all kinds of stuff. So much stuff that MS released SP6a shortly after. And that's hardly the only example.
"'[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
Vote for Pedro
The analogies in previous posts (locked doors/crime, cancer/treatment, etc) are entirely inaccurate. A more proper analogy might be the fixing of a defective door/window in an apartment building, where the fix is observed and the problem exploited before all units are updated.
Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.
I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.
Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.
"Even logic must give way to physics."
The arguement is still horribly flawed though.
Its flawed alright.
First off, MS is making a statement they can't possibly know to be true. "We have never had vulnerabilities exploited before the patch was known." At best all they can say is never that they know of. Then we find out its a lie anyway because the article later says that "he could only think of one instance when a vulnerability was exploited before a patch was available".
Which is it, never or one? Or do they just not know?
Maybe I'm just paranoid, but its not the script kiddies MS is talking about that I'm worried about. Its the professional crackers who are willing to take the time to find a new exploit because they're after something more specific than bragging rights on some IRC channel. They are the ones MS isn't going to hear about because they don't go around submitting vulnerabilities or bragging about their escapades. They are the ones who are going to do real damage, and they are not the ones who are going to be stopped if MS stops issuing patches.
MS just doesn't get it.
No... I think what they are trying to say is that *after* a patch is released and a description of the exploit is given, mal-ware writers then run off and use this description to write mal-ware to take advantage of folks who haven't applied the provided patches.
I don't care either way, just providing interpretation.
The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears
He said no such thing. Not only does he say no such thing, but you (Michael) are clearly aware of it. To claim that the vulnerability doesn't exist until a patch appears would certainly be absurd, which is probably why no one made that claim.
The article is simply making an observation: That most vulnerabilities are not actually exploited until after a patch is released. This is an observation, not an assertion. It seems like a very reasonable one, too, since most evil crackers are not smart or patient enough to go though Windows binaries instruction-by-instruction looking for bugs. Instead, they just wait until a patch is released, and see what was patched. That way, they know where to look.
No one is claiming that a bug can't be exploited before the patch is released. They are simply pointing out that they usually aren't.
Michael, you can't just misquote people like that. It is obvious from looking at the comments here than most people did not read the article. Most people believe what you write, and don't realize that it is a gross exaggeration of what was acutally said. Even if it is Microsoft (and mind you I'm no fan of Microsoft), it's still not ok. Don't stoop to Microsoft's level; lying about your enemy is not the right way to win any battle.
It's posts like this that made me give up on Slashdot as a source of anything other than humor long ago (see the sig).
Hackers and crackers are losers by definition, so it seems a reasonable explanation that they don't have the smarts to find the holes themselves.
They're scavengers; a slightly higher form of script kiddie, who looks for knowledge won by other people and then exploits it.
Um, who do you think finds security holes in the first place? Hackers. Whether they are "evil hackers" out in the wild, white-hat hackers, or working for Symantec (or whoever), they're still hackers.
True, most people who actually exploit the holes are script kiddies, but script kiddies are not hackers.
sudo eat my shorts
I may be wrong, but one thing I never hear talked about in the relationship between open source and closed source is the sharing of bugs. I'd think it would be safe to assume that when a bug is discovered in an open-source project (or anywhere else for that matter) it can be assumed that it may be present in other similar applications, just because humans think similarly and a lack of foresight on the part of one programmer could have been made by another. And so a bug fixed in one network service may still be present in others, maybe unnoticed by the maintainer. Obviously there are a lot of variables which could eliminate even the possiblity (and some like shared technologies which could support the possibility), but I'd think that if one were to look at all the past bugs that may be easily examined in other projects, sooner or later an exploit could be found which would work on other servers, maybe with a little tweaking.
I don't try to be right, I just try to make people think
What is this, a game of telephone? The further into the thread we go, the more wildly inaccurate the posts have become.
Well, in that case, Bill Gates recently declared "The world is flat. The sky is green. Earth is the center of the universe." That's right. Mod me up, baby!
Of course we don't hear about exploits being developed until after the patch. Because before that moment, the vulnerability is going to be kept in the dark by those who do know about it so that they can make best use of it.
You're not going to see worms using unknown sploits because the developer woub essentially be giving away a tool that could be used for perhaps more nefarious purposes.
And furthermore, I wonder how people would know to notify MS about unknown an exploit that's been used to crack a system when such exploits either crash the system (which NT admins are very use to experiencing during NORMAL use and will ignore the crash) or are used in a covert manner, not warranting attention from NT admins in the first place.
If this is the kind of logic MS has behind it's security department, then MS is just doomed.
This kind of logic is just so incredibly flawed I can't even comprehend how an educated person could think that way. It's like say "well, whenever I go to sleep, the sun goes down, so if I don't go to sleep the sun will stay up".
Just absolutely ludicrous.
The (not so) recent mass breakdown of basic critical thinking skills among people in powerful positions around the United States just scares the crap out of me.
If MS believes that blackhats are reverse engineering patches to discover security problems and that their "solution" is to "upgrade" (which may mean replacing hardware as well as software) they have an insurmountable problem.
ANY two OS releases can be compared to detect the changes which can then be reversed engineered. It may be more complex as the security changes are mixed with other changes but blackhats have the time and, it increasingly appears funding, to do the research.
It looks like MS are applying "security through obscurity" as a business policy.