Slashdot Mirror


MS Security Chief: Windows Never Exploited Until Patch Available

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

45 of 1,040 comments

  1. Piffle by onyxruby · · Score: 2, Interesting
    Choice quotes

    "Almost all attacks against our software are against the legacy systems," he said.

    "If you want more secure software, upgrade."

    Sounds pretty close to an admission of deliberately leaving old OS's insecure to force upgrades to me. What really gets me though is the insinuation that those who don't hand over more money to the beast of Redmond for shiny new software are somehow responsible for security exploits.

    Certainly there are industry people that consider NT 4 as being the only MS OS at all securable, and only then because it has been around long enough to pretty much have its holes ironed out. Is this just a prelude to their future excuse to force a rental model on the public?
    1. Re:Piffle by October_30th · · Score: 3, Interesting
      those who don't hand over more money to the beast of redmond for shiny new software are somehow responsible for security exploits.

      So, how much has using Windows Update cost you extra so far?

      --
      The owls are not what they seem
    2. Re:Piffle by onyxruby · · Score: 5, Interesting

      I agree not all old software should be upgraded. Windows 3.1 may rest in hell as far as I'm concerned. But it wasn't that long ago they tried to kill off Windows 98, that's what, 25% or so of the home user base? I recognize that the 9.x kernel is inherently insecure and outdated, but that's no excuse not to patch known exploits when there is a substantial user base out there.

      I am not, by the way, saying that users should not patch their systems, only that they should not be forced to upgrade working systems under auspices of security just because MS wants more revenue. They can pull that crap on the business market and get away with it, but joe sixpack can always go try that Linux thingie he heard about.

    3. Re:Piffle by whmac33 · · Score: 2, Interesting

      If I'm not mistaken NT4 has an RPC buffer flaw that cannot be patched and will not be patched. Not the only secure MS OS.

    4. Re:Piffle by shadowbearer · · Score: 2, Interesting

      This is semi-true. One of my best friends is a machinist who works out of his own workshop on his farm, fabricating custom auto parts, and he can't even come close to keeping up with the demand for older car parts. His most frequent bitch is that he wishes that MORE people would get into his trade so he could take more time off to be with family.

      A half million dollar startup cost and he's pulling in close to two million a year, with two employees. He works 100 hour+ work weeks. Man, imagine working in a trade where you actually *want* some competent competition. Too many people are going into business and law, and trade skills (at least competent people in the "manual labor" trades) are getting few and far between. This in a country touted as the "industrial capital of the world" once upon a time.

      "There aren't any [machinists]". I'm going to show him this post. It'll crack him up. Mostly because he'll agree with it. But his greatest bitch wrt auto parts is that it's near impossible to get specs for some parts - not that the specs aren't available, but because certain *cough*GM*cough* manufacturers won't release them.

      The shit of it is, the computer field is going the same way...

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  2. The dark arts? by monstroyer · · Score: 4, Interesting

    Has Microsoft become so jaded that they have turned to the dark art of trolling? Do they get some sort of perverse pleasure by fishing strong feelings out of educated people who know better just so their board of directors can laugh at the zeal of the rebuttals, knowing full well they were full of shit?

    head of security? The article is pure genius by trolling standards. And having just read about Microsoft wanting to pollute java, maybe their new business strategy is to troll all aspects of the computer world... just to pollute it?

    1. Re:The dark arts? by millahtime · · Score: 2, Interesting

      M$ is doing great PR to the masses. They know what they are saying and why. But, the masses don't know the whole story.

      The "truth" about them isn't going out to the masses. So, what M$ says is all that is seen by the masses, so they buy it.

      It's like, say, in politics. Say there was one party that did 90% of the talking. The other 10% isn't seen that often, so your average joe believes the larger 90% of the info.

  3. Re:Oh really? by Jotaigna · · Score: 5, Interesting

    The simplest method used to detect a lie is to cross-question the subject until it gets confused and contradicts itself. These guys have security departments, management, development, sales, etc. They should build a "Lie Tracking" department; then they'll have at least something consistent. I think this post should have been published in the "It's funny. Laugh." category.

    --
    "The quality of life is inversely proportional to the number of keys on your keyring."
  4. Security is in the eye of the beholder by chaoskitty · · Score: 5, Interesting

    MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...

  5. Spin, spun, spend by Space+cowboy · · Score: 4, Interesting

    This is a fabulous marketing manoeuvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.

    There *must* however be laws against making statements *that* outrageous...

    Simon.

    --
    Physicists get Hadrons!
    1. Re:Spin, spun, spend by prgrmr · · Score: 4, Interesting

      There *must* however be laws against making statements *that* outrageous...

      If the truth in advertising laws don't cover this, I would think that there are SEC regulations that do, particularly regarding an officer of a publicly held company knowingly making false statements to the public. Anyone know when the next insider trading window for Microsoft is scheduled?

  6. POC by Bikini+Kill · · Score: 4, Interesting

    I'm sure that security researchers at companies like EEye are providing Microsoft with proof-of-concept exploit code when submitting vulnerabilities.

    It's pretty obvious from that fact that exploit code does exist before a patch is released almost 100% of the time; it's just not released to the public until after the patch is available most of the time.

  7. Re:Post hoc, ergo propter hoc by Anonymous Coward · · Score: 2, Interesting

    Delusional. They're neither stupid enough nor smart enough to lie outright. I think that there is a strong possibility that this sort of delusion is part of a corporate mindset.

  8. They don't get the point... by chill · · Score: 5, Interesting

    Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!

    This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?

    Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.

    -Charles

    P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. Re:Criminal tools like "diff"? by tomhudson · · Score: 5, Interesting
    I guess that explains why Windows doesn't include a "diff" function...

    fc - from your old DOS days - stands for file compare

    I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)

  10. a quick read through the comments yields..... by rumpledstiltskin · · Score: 4, Interesting

    pretty much nothing to call into question what he said. granted, I didn't rtfa, but I would like to hear from some slashdot users of a windows vulnerability that was exploited on a large scale before a patch was released.

    There's a lot of hand wringing and self righteous indignation over the statement, but has anyone bothered actually to counter it?

  11. What I would like to know is by Anonymous Coward · · Score: 2, Interesting

    If you put yourself in the company's position, as chairman of the company, would you be releasing the source code to what you know makes the most money and is used widely throughout the world? Face it, that's a fact. Yes, we all would like to see Linux used, but it isn't. They did use underhanded ways to get to the top, but think about it.

  12. Bug Free == More Secure by dre23 · · Score: 5, Interesting
    Any bug is a potential security hole. And Windows has a lot of bugs. Fix the bugs, not the security holes, and your code will be more secure.

    Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.

    Clearly worms are a security threat. But there are many other security threats.

    Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.

    Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?

    Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.

    If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly and no app ever fails or hangs on me, when I no longer hear or see a BSOD, when hell freezes over -- then Windows will be truly secure.

    --
    IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
  13. Statements are Inconsistent by blueskies · · Score: 2, Interesting
    "'It's a myth that hackers find the holes,' said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next. He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability."
    Shouldn't it be that patches are the only time there is any activity around a vulnerability? Because that is the only way any holes are discovered?
    "'We have never had vulnerabilities exploited before the patch was known,' he said."
    Right....

    The first sentence is so ironic:
    "Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts."
    It should read:

    Microsoft is lazy and waits a long time after hackers discover ways to exploit loopholes in Windows before issuing patches.
  14. I can't agree with this statement... by u-235-sentinel · · Score: 5, Interesting

    "'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'."

    I've had my Windows XP system compromised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.

    I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there either. Took a bit of work but it was eventually killed and I removed the programs from the system.

    Microsoft has no explanation for this other than "practice safe browsing". Great. So how is that accomplished using IE?

    BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh, I'm sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  15. ROFLMAO by RAMMS+EIN · · Score: 4, Interesting
    I didn't get past the first paragraph for fear of laughing myself to death:

    Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.


    How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...

    And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
    --
    Please correct me if I got my facts wrong.
  16. Mockery aside, how about the counterexamples? by djh101010 · · Score: 5, Interesting

    It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?

    I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).

    What other counterexamples do we have to show precisely how wrong Microsoft's statements are?

  17. Exploit vs Vulnerability by centron · · Score: 4, Interesting

    I think what he is saying is that most exploits are done using known vulnerabilities for which a patch has been released.

    The action of releasing a patch is usually the same as announcing the vulnerability. If the vulnerability exists, and there is no patch for it, it can go unnoticed, and hence unexploited.

    Once a patch exists, the vulnerability can be exploited on systems that aren't patched. Since historically patching has been lax, announcing a patch and the vulnerability it prevents can be dangerous.

    --

    XeoMage

  18. Re:An article disproving this... by Daniel_Staal · · Score: 5, Interesting
    It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.

    Nah... God gets questioned more.

    (You can even double check me: I can't remember a single instance in the Bible where God's command wasn't questioned...)

    --
    'Sensible' is a curse word.
  19. bizarre collusion by mabu · · Score: 3, Interesting
    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.


    I find it kind of weird that Symantec is backing Microsoft up on this goofy propaganda. You'd think, since they are in the business of protecting peoples' computers, they wouldn't make such a ridiculously stupid statement.

  20. well i can tell you for a fact... by ophix · · Score: 5, Interesting

    i can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.

  21. Logical Consequence by 4/3PI*R^3 · · Score: 3, Interesting

    If a vulnerability is never exploited before a patch is released, then this is equivalent to saying releasing a patch implies a vulnerability may be exploited. Thus the contrapositive of this statement is that never releasing a patch implies a vulnerability will not be exploited.

    Since a statement and its contrapositive have the same truth value (if one is true then so is the other) and if M$ assumes the initial statement is true then they must accept the contrapositive is true.

    This being the case it seems the logical consequence for M$ in their desire to increase security is to never release another patch.

    But this would require M$ to actually operate under a logical framework and we know that his statement is false.

  22. Re:Oh really? by LnxAddct · · Score: 5, Interesting

    It is blatantly false that only Microsoft finds exploits. The SAMBA team found numerous security vulnerabilities with the way Microsoft implemented their protocol and then reported them to Microsoft. Hackers could easily have abused such cases, but instead Microsoft got lucky and they were white hats that found them. There are many other cases; most exploits are found by security firms of some sort and then Microsoft will acknowledge them for one sentence in the fine print at the bottom of the notice. Well, I could go on but I'll let the other slashdotters do that for me.
    Regards,
    Steve

  23. Re:Oh really? by killmenow · · Score: 5, Interesting

    Umm, if there are no exploits to begin with, then why does microsoft need to issue a patch?

    I'm not trying to defend the parent poster to which you replied; but, the reason *anybody* needs to issue a patch even when there are no exploits to begin with is because sooner or later, one will exist.

    See, if some researcher finds a hole, he's not the only genius in the world who can find it. Someone else will eventually. If the manufacturer of the product with the newly discovered hole sits on its arse and does not issue a patch, even if no known exploits exist, said manufacturer is leaving its customers vulnerable to attack. This is a disservice to those customers...and one that will lose said customers. Especially when it comes out that the latest worm/crack/etc. exploited a vulnerability the manufacturer knew about for six months, but sat on it instead of fixing it for you.

    What Microsoft wants to do, I'm sure, is to make distribution of patches similar to AOL's software update. You turn on your computer, boot up Windows, and it initiates an encrypted conversation with Microsoft HQ...then says to you: "Windows needs updated, please wait..." while it downloads and installs whatever it is Microsoft wants to install on your PC today without telling you what that is.

    That would be Microsoft's "security" wet-dream, if you ask me.

  24. Only the morons are lazy by ScuzzyTerminator · · Score: 2, Interesting

    Aucsmith's logic assumes that the only exploits that count are by morons who try to infect every machine on the planet.

    The bright and industrious hackers like to keep a low profile.

  25. Re:Expert = Homeless bum by potus98 · · Score: 2, Interesting

    That's almost exactly what happened to me! When I started my sys-admin career years ago, one of my first tasks was to install a web/mail/ftp anti-virus gateway from a major anti-virus company. I fought with this turd through 4 months of patches, direct developer support, etc... Although I was a noob, I wasn't a total moron either. This thing was crap.

    Finally, we got it sort-of working. Then someone from McAfee(oops) marketing approached me about being published in a major news/industry publication. They sent me 3 "quotes" for me to choose from. I would be the so-called network and unix security "expert". Nevermind the fact that I was still fumbling with sendmail and vi.

    Since I was young, I was pretty tempted to have been published as a network/unix security expert in 1997 (for those that remember, this was not a bad time for salary jumping!) However, since I was young AND idealistic, I told McAfee they could shove it up their a$$.

    Nowadays, I'm getting old and cynical. I would only agree to being quoted in a quote they provide if an Xbox with 3 titles was included.

    --
    This one gang kept wanting me to join cause I'm pretty good with a bo staff.
  26. security through stupidity by rbird76 · · Score: 1, Interesting

    MS wants to make computers secure for copyright holders from those who purchase their output (or not), they want to make email more secure and less spammable, and they claim to have an emphasis on security. The quotes (I haven't RTA, so fire away) seem to imply a level of security below "security through obscurity" (I call it "security through stupidity") incompatible with securing anything more valuable than yesterday's used toilet paper. These are the people I'm supposed to trust with my bank accounts (or already do), my pictures, video, and music, my checkbook and taxes, and my personal mail? Why would copyright holders or anyone else with anything of value trust MS to secure their work? Why would users trust them to make something that works well and does what they want if MS doesn't understand or care what they want? They may be able to write programs, but if they have such a distorted view of reality, how are they going to understand what others want or how to help them to get it?

    Willful stupidity is not a defense mechanism - it is a way for MS to say "Got ya, suckers!" MS must figure that it can afford because of market share to ignore and antagonize its customers while using its positions to find new people to antagonize - usually businesses operating under willful stupidity end up in Chapters 7 or 11, so I can't figure that they're that stupid. They must think that others are however, that as long as they have a pretty butterfly and nice ads no one will pay attention to the bugginess and insecurity of their software and the denial of their executives. I hope this is wrong.

  27. Re:Oh really? by Anonymous Coward · · Score: 2, Interesting

    You must have been copying a file bigger than 2gig
    they used signed int for the file copy dialog.
    so anything bigger than approx 2 gig gets weird results.

    Like -99% copied.

    But I'm sure that is not exploitable in the least ....
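As an added illustration (not code from the comment above or from the copy dialog it describes, whose source is not on this page), here is the class of bug the poster reconstructs: a byte count narrowed to a signed 32-bit value turns a 3 GiB file into a negative progress figure, while a 64-bit version with an overflow guard reports correctly. Sample sizes are constructed; `narrow_to_int32` and both `percent_copied_*` names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable reinterpretation of the low 32 bits of v as a two's-complement
 * int32 (the same wrap a plain (int) cast gives on mainstream compilers,
 * written out explicitly so the result is well defined). */
static int64_t narrow_to_int32(uint64_t v)
{
    uint32_t low = (uint32_t)v;             /* keeps bits 0..31 */
    if (low > (uint32_t)INT32_MAX)
        return (int64_t)low - 4294967296LL; /* subtract 2^32: goes negative */
    return (int64_t)low;
}

/* Buggy form: bytes copied held in a signed 32-bit field, then scaled to a
 * percentage. Anything past 2 GiB wraps negative, so the percentage does too. */
int percent_copied_int32(uint64_t copied, uint64_t total)
{
    if (total == 0)
        return 0;
    int64_t c = narrow_to_int32(copied);    /* 3 GiB becomes -1 GiB */
    return (int)(c * 100 / (int64_t)total);
}

/* Fixed form: stay in 64 bits, clamp, and guard the copied * 100 product. */
int percent_copied_u64(uint64_t copied, uint64_t total)
{
    if (total == 0)
        return 0;
    if (copied > total)
        copied = total;                     /* never report more than 100% */
    /* copied * 100 would overflow uint64 once total exceeds UINT64_MAX / 100
     * (about 1.8e17 bytes); scaling both operands down by 128 keeps the product
     * in range with negligible loss of precision. */
    while (total > UINT64_MAX / 100) {
        copied >>= 7;
        total >>= 7;
    }
    return (int)(copied * 100 / total);
}

int main(void)
{
    uint64_t total  = 4ULL << 30;  /* constructed: 4 GiB file */
    uint64_t copied = 3ULL << 30;  /* constructed: 3 GiB copied so far */
    printf("int32 dialog: %d%% copied\n", percent_copied_int32(copied, total));
    printf("64-bit:       %d%% copied\n", percent_copied_u64(copied, total));
    return 0;
}
```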

  28. Cloaked attack on OSS? by dankney · · Score: 3, Interesting

    The argument that Microsoft is making here is that the software is secure so long as the "evildoers" have no insight into how the software works. When the patch is released, they can compare patched vs. unpatched systems and gain that insight.

    This sounds like a cloaked attack on the security of OSS. If you follow the argument M$ is making, publishing the source code to an operating system should make it more vulnerable to attack, not less.

    If you buy M$'s argument.

  29. I'm going to side with MS on this one by SleezyG · · Score: 2, Interesting

    Although I think that the statement is untrue in its literal form as an all encompassing blanket, it is well known that most exploits are based on known security flaws. Said another way, most script kiddies use sites such as cert.org because they know that they can build an exploit faster than any given manufacturer's patch can be distributed and installed. And when you consider a product such as Windows, it takes an intense knowledge of the software to build an exploit without having the source code at your disposal. I argue that there are very few "hackers" that can find exploits in Windows without having access to the source.

    Just my $0.02

  30. What kind of BS do they think they can pull on us? by rock_climbing_guy · · Score: 4, Interesting
    Obviously, this is just more security through obscurity BS; we all know that it doesn't work. Simple counter-example: Does anyone remember how long it took them to patch that URL spoofing problem? I certainly think that it was a problem before they patched it.

    Yeah, I suppose it could also be part of their large FUD campaign against LINUX since they insist that closed-source is more secure.</rant>

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  31. Re:Oh really? by GSloop · · Score: 4, Interesting

    Beyond this...

    You're likely to know when you're rooted by a script-kiddie. Not by some black hat dude who simply wants to screw you over.

    The most devastating attack is one that subtly changes your data over time and upon finding it, you realise that you can't determine when the break-in occurred, what was modified and/or stolen, and how it happened.

    In short, you don't know what might be screwed, what to do to repair the screwage and how to prevent it in the future. In short - well...wait for it.. YOU'RE SCREWED!

    Script kiddies are a PITA, but far from my biggest worry.

    For the tinfoil hat crowd out there: think how wonderful the Gvmt would find an unpatched remote root exploit? Total deniability should they get caught. "Wasn't us - we'd get a warrant!" Great for fishing expeditions while outside the reservation. (Oh, no, the FBI/NSA/whoever's black list you're on would never do something ILLEGAL! No! Say it isn't so!) Sure, if the Gvmt really wants to get you, it can turn the full force of law on you. But IMHO, it's the extra-judicial action that's likely to really start the ball rolling. Just take a peek around the private lives of a few people - I guarantee you'll find some illegal activities that could be pried loose to unleash the full legal and law enforcement community on you.

    These are my fears - and script kiddies don't play an important part. They are like gnats. Really annoying, but not life threatening. Sweat the big stuff.

    Cheers,
    Greg

  32. You're an idiot by Dave_bsr · · Score: 2, Interesting

    Hackers are loser by definition? What are you smokin? Or are you just trolling? Well, for everyone else's benefit...

    It entirely depends on your definition, of course. But I would say that many people describe the people who program the linux kernel as "kernel hackers."

    Obviously not losers.

    Now, if you're talking about the guys who read FullDisclosure or Bugtraq, study applications for bugs, and responsibly support them, then again, you're wrong. These people do us all a favor by finding open holes and then letting people know about them. THEY FIND BUGS. they report them, we all upgrade, and all is well.

    If such people were gone, only badguys would find bugs. No one would know that systems were insecure. And we'd all be owned, silently, without notice. Maybe we'd never know.

    Remember back when the concept of networking computers wasn't that old, say, around 20 years ago? remember how people created viruses, looked into how systems could be exploited, but the security research was stamped out - sysadmins figured it was better to be ignorant and have strong rules than to find out the holes and plug them - that was their security plan.

    You've probably never even heard of the Morris worm. You probably think we should all just close our doors and trust the megacorps to protect us from the badguys. This is a common logical error. You're not the only one. But if everyone agreed with you, you'd all be boned. And I'd probably be one of the ones breaking into your servers and stealing your lunch money.

    --
    Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
  33. Re:Oh really? by drinkypoo · · Score: 2, Interesting

    The most devastating attack is one that subtly changes your data over time and upon finding it, you realise that you can't determine when the break-in occurred, what was modified and/or stolen, and how it happened.

    This brings up an excellent point I would like to make, which is that operating systems are by default not intelligent about how they handle files, and that is one thing that I feel greatly diminishes the security of the systems in question. Obviously tools are available (and sometimes bundled with/considered part of the OS) to track things like the ones you're mentioning, but in general most people will never have any idea they have been rooted until long, long afterwards, and only by witnessing effects much later. (Something is broken, something doesn't work that should, data is missing, the machine catches fire, et cetera.)

    One thing that bothers me (I'll see if I can remember how this ties in when I get there again) about computers is the way they handle deleted files. For example on Windows when you delete something from Explorer it goes into the trash can, but when a file is deleted from the command line or by an application it is simply deleted. (I don't know how NTFS handles that; on FAT the file was marked as deleted by changing the first byte of the filename to some particular value > 127 and the clusters were reused, causing fragmentation. I assume the clusters in deleted files were reused before the later blocks were used in order to prevent the overall fragmentation which would occur if they used free blocks according to a LRU (least recently used) scheme. Regardless, this led to a lot of frustration on the part of DOS users trying to recover deleted files. On Unix systems the files are generally unlinked and their blocks reused, but I only understand simple Unix filesystems, and not journaled ones, so I can't go much deeper along these lines.)

    One thing I am told about modern filesystems is that they are designed to resist the effects of fragmentation. I'm not sure if that includes trying to create files which will not be fragmented later, and creating files which will not be fragmented now, or if it usually just means that the design and implementation are one or both such that when the system is fragmented, it will not suffer as greatly as a system like FAT, or what.

    So it stands to reason that we could be using the whole disk, and only reclaiming deleted blocks when they are needed. Furthermore we can always (except when specified otherwise) be deleting files by moving them to a recycling system and deleting them based on an intelligent scheme (at minimum, least recently deleted) as more disk space is needed (rapidly enough to leave a comfortable margin.) That no current operating system does this (if any do, please let me know, but I've never seen nor heard of one) is mind-boggling, since it would be relatively simple to implement. Perhaps the current trend in filesystems which support arbitrary metadata (this is coming for ReiserFS, as I understand, is already present to some degree in XFS, and is a key feature of Microsoft's upcoming filesystem, using MSDE/SQL Server to store metadata) will lead to these sorts of technologies ending up as a throw-in.

    The other thing I hope it will lead to (you knew this was coming, right?) is much better logging being done. For example, when journaling information is recorded, access logs can be recorded as well. I would like a Star Trek-esque log which tells when (and by whom) a file was created, accessed, and eventually deleted. Metadata which pertains to deleted files can be discarded (or, preferably to me, moved to offline storage somewhere, but you might not want that feature for reasons which should be obvious to the security crowd) as it ages.

    Admittedly you could get this functionality by describing your data as a series of cvs (or other version tracking system) repositories, but every time a file changes you have to do something for that to w

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
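The FAT deletion behaviour described in the comment above, as an added example that is not part of the original post: on FAT the delete marker is the byte 0xE5 (the value above 127 the poster refers to), so the rest of the 8.3 name, the starting cluster and the file size stay in the directory slot until it is reused, which is exactly what forensic recovery tools look for. The parser below is constructed for this page, and so are the entry builder and the sample directory it reads.

```python
import struct
from dataclasses import dataclass

DELETED = 0xE5      # first name byte: entry freed by a delete
END_OF_DIR = 0x00   # first name byte: no entries follow
KANJI_E5 = 0x05     # first name byte: real first character is 0xE5

@dataclass
class DirEntry:
    name: str           # 8.3 name; '?' stands in for the lost first char
    deleted: bool
    first_cluster: int  # still present after deletion, so data may be found
    size: int

def parse_fat_dir(raw: bytes) -> list:
    """Walk 32-byte FAT directory entries, keeping deleted ones."""
    entries = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        e = raw[off:off + 32]
        if e[0] == END_OF_DIR:
            break                      # nothing beyond this point
        if e[11] == 0x0F:
            continue                   # VFAT long-name fragment, skip
        base, ext = bytearray(e[0:8]), e[8:11]
        deleted = e[0] == DELETED
        if deleted:
            base[0] = ord("?")         # the delete overwrote the first char
        elif e[0] == KANJI_E5:
            base[0] = 0xE5
        name = bytes(base).decode("latin-1").rstrip()
        if ext.strip():
            name += "." + ext.decode("latin-1").rstrip()
        hi, = struct.unpack_from("<H", e, 20)   # FAT32 high half of cluster
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append(DirEntry(name, deleted, (hi << 16) | lo, size))
    return entries

def make_entry(name8: bytes, ext3: bytes, cluster: int, size: int) -> bytes:
    """Constructed short-name entry: archive attribute, zero timestamps."""
    return (name8.ljust(8) + ext3.ljust(3) + b"\x20" + bytes(8)
            + struct.pack("<H", cluster >> 16) + bytes(4)
            + struct.pack("<H", cluster & 0xFFFF) + struct.pack("<I", size))

# Constructed sample directory: a live file, a deleted file, the end marker
SAMPLE_DIR = (make_entry(b"README", b"TXT", 3, 1200)
              + bytes([DELETED]) + make_entry(b"SECRET", b"DOC", 7, 4096)[1:]
              + bytes(32))
```

The deleted entry still names cluster 7 and a 4096-byte size, which is why undelete tools could often recover the file but had to guess its first character, and why the data is gone for good once those clusters are handed to a new file.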
  34. HA-HA-HA by Dave_bsr · · Score: 2, Interesting

    nice. except you don't know that. Does everyone on the interweb know exactly what happens on all their servers? especially when someone might have broken in and erased their tracks? NOPE. NOPE. NOPE. NEVER EVER EVER ASSUME SECURITY.

    Assume that you can be broken into. Assume that since you were vulnerable, it happened. you must PROVE that you weren't. Otherwise, you cannot trust your data.

    How do we know that some unemployed researcher in Hungary didn't find this bug (or any other unreported bug), and use it to break into a bank somewhere, and make some cash? We don't. And given the number of potential hackers, I'd say that this bug WAS exploited, well before a patch. We just don't know, one way or the other.

    --
    Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
  35. Re:On the same logic by KjetilK · · Score: 2, Interesting

    Reminds me: A friend of mine has a really old car, and knowing full well that it would take any skilled attacker ten seconds to open a locked door, he just left it unlocked, so at least anybody breaking in wouldn't destroy anything by doing so. He was hoping that if anybody stole the car, he would at least get the car back some day in one piece. Well, what happens? Some moron decides to steal it, doesn't check the doors, just smashes a window, tries to jump-start it, but in the process destroys the ignition! So, the car was originally intentionally open and easy to steal, but several parts of it were destroyed anyway... Lucky guy, eh...?

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  36. In other news by Inquisitor13 · · Score: 1, Interesting

    Automobiles were safe until seat belts were installed.

    Smoking is harmless until you go to the hospital.

    Any more?

  37. Re:Oh really? by slide-rule · · Score: 2, Interesting

    > ... and IE said it had -8342563246 seconds to go!

    I love bashing IE much as the next /.'er, but I've actually had Galeon's download dialog tell me that a couple times. (fairly recent version as per MDK9.2). Odd thing to watch the seconds still count down (more negative) until the last two figures hit about ...95 or so and then they reverted back to ...36 on the next second, but without changing the rest of the "time left".

  38. Any comparison? by Michalson · · Score: 4, Interesting

    Perhaps a comparison is in order to determine if keeping exploits a secret really does help? Take a product that is open source, but which practices security through obscurity by keeping security bug fixes under wraps. The first piece of popular OSS that fits this bill is Mozilla. Security bugs are reported to the bug list, where they are only known to a small circle of developers. Those bugs can then be fixed at the developers' leisure (for instance the new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) bug which caused Mozilla to instantly crash taking every tab with it was fixed about 10 months after it was originally reported [reported in March 2003, silently fixed in a late January 2004 build of Mozilla 1.6]). After the bug is fixed however it is not formally announced, no advisory is issued to tell anyone to update to the latest build. Only after 2 version changes do the bugs appear on the vulnerabilities list (right now you can see 1.4 vulnerabilities, once 1.7 goes gold you'll see the 1.5 vulnerabilities).

    This method has greatly increased the security of Mozilla users' browsing experience (when was the last time you were the victim of a Mozilla exploit?). This is despite a long track record of arbitrary code vulnerabilities (almost averaging 1 per month so far as the official list admits), frequent problems with javascript and cross site vulnerabilities, URL spoofing, reading local file and password vulnerabilities in almost every minor version (1.2 being the exception for file reading, unless you count the 1.3 or 1.4 vulnerabilities), and some of the most original mail client vulnerabilities out there (in addition to standard arbitrary code execution) such as being able to permanently DoS a mailbox using a webmail account and a message of less than 20 bytes.

    The simple fact is that most Mozilla users aren't downloading nightly builds to keep themselves secured with all the latest secret patches (though this has its own risk, like the recent bug that deleted everything in the program files folder), yet they have remained much more secure than users of IE, who are frequently burned because they only (sometimes) apply the publicly announced and electronically pushed patches after someone takes a month or more to come up with a virus based on them (i.e. Blaster). Of course other software users get burned in the same way too: Redhat servers (including some at NASA) got rooted by the Ramen/Lion virus which was made possible by the public announcement and patching of the TSIG vulnerability 6 months earlier. phpBB2 boards that aren't constantly updated get hacked by script kiddies all the time thanks to open security mailing lists.

    The simple fact is that the easiest method of writing a virus (if you want it to succeed) is to look up a known vulnerability (even though it's likely patched by that time) and use it. The people most likely not to notice or understand how to deal with the infection are the same people using totally unpatched copies of Linux kernel 1.8 or Windows 98. Look at the "please run this attachment" user vulnerability - while almost all email clients from the last few years physically prevent this vulnerability (for some time Outlook has even gone so far as to remove executable files from zips) viruses like MyDoom still spread at an alarming rate. The people most likely to let their machine become and remain compromised due to carelessness are also the least likely to watch for updates and apply patches.

    And no, I don't think companies should withhold patches, but there is a lot of truth to the concept that telling the world about a vulnerability is the fastest way to get a virus written.

  39. Re:Oh really? by budgenator · · Score: 2, Interesting

    most exploits come after the hackers have had a chance to compare patched VS unpatched systems to see what the changes are.

    So how hard would it be for them to take a few unrelated DLLs, touch a few to change the dates, add bounds checking in a few places that they missed in some others, recompile a few others with the functions in a different order, in addition to fixing what's really broken, just to throw off people trying to diff the patch?

    My magic eight ball says "Microsoft is testing the waters to see if "expedited by subscription update" is marketable. If enough PHBs say "Yeah that's just what we need, get our patches before the public and those evil hackers!" it'll be to M$'s economic advantage to drag their heels on releasing patches.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds