Slashdot Mirror


MS Security Chief: Windows Never Exploited Until Patch Available

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

22 of 1,040 comments

  1. The dark arts? by monstroyer · · Score: 4, Interesting

    Has Microsoft become so jaded that they have turned to the dark art of trolling? Do they get some sort of perverse pleasure by fishing strong feelings out of educated people who know better just so their board of directors can laugh at the zeal of the rebuttals, knowing full well they were full of shit?

    Head of security? The article is pure genius by trolling standards. And having just read about Microsoft wanting to pollute Java, maybe their new business strategy is to troll all aspects of the computer world... just to pollute it?

  2. Re:Oh really? by Jotaigna · · Score: 5, Interesting

    The simplest method used to detect a lie is to cross-question the subject until it gets confused and contradicts itself. These guys have security departments, management, development, sales, etc. They should build a "Lie Tracking" department; then they'll have at least something consistent. I think this post should have been published in the "It's funny. Laugh." category.

    --
    "The quality of life is inversely proportional to the number of keys on your keyring."
  3. Security is in the eye of the beholder by chaoskitty · · Score: 5, Interesting

    MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...

  4. Spin, spun, spend by Space+cowboy · · Score: 4, Interesting

    This is a fabulous marketing manoeuvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.

    There *must* however be laws against making statements *that* outrageous...

    Simon.

    --
    Physicists get Hadrons!
    1. Re:Spin, spun, spend by prgrmr · · Score: 4, Interesting

      There *must* however be laws against making statements *that* outrageous...

      If the truth in advertising laws don't cover this, I would think that there are SEC regulations that do, particularly regarding an officer of a publicly held company knowingly making false statements to the public. Anyone know when the next insider trading window for Microsoft is scheduled?

  5. POC by Bikini+Kill · · Score: 4, Interesting

    I'm sure that security researchers at companies like EEye are providing Microsoft with proof-of-concept exploit code when submitting vulnerabilities.

    It's pretty obvious from that fact that exploit code does exist before a patch is released almost 100% of the time; it's just not released to the public until after the patch is available most of the time.

  6. They don't get the point... by chill · · Score: 5, Interesting

    Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!

    This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?

    Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.

    -Charles

    P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:Criminal tools like "diff"? by tomhudson · · Score: 5, Interesting
    I guess that explains why Windows doesn't include a "diff" function...

    fc - from your old DOS days - stands for file compare

    I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)

  8. a quick read through the comments yields..... by rumpledstiltskin · · Score: 4, Interesting

    Pretty much nothing to call into question what he said. Granted, I didn't RTFA, but I would like to hear from some Slashdot users about a Windows vulnerability that was exploited on a large scale before a patch was released.

    There's a lot of hand wringing and self righteous indignation over the statement, but has anyone bothered actually to counter it?

  9. Re:Piffle by onyxruby · · Score: 5, Interesting

    I agree not all old software should be upgraded. Windows 3.1 may rest in hell as far as I'm concerned. But it wasn't that long ago they tried to kill off Windows 98, that's what, 25% or so of the home user base? I recognize that the 9.x kernel is inherently insecure and outdated, but that's no excuse not to patch known exploits when there is a substantial user base out there.

    I am not, by the way, saying that users should not patch their systems, only that they should not be forced to upgrade working systems under auspices of security just because MS wants more revenue. They can pull that crap on the business market and get away with it, but Joe Sixpack can always go try that Linux thingie he heard about.

  10. Bug Free == More Secure by dre23 · · Score: 5, Interesting
    Any bug is a potential security hole. And Windows has a lot of bugs. Fix the bugs, not the security holes, and your code will be more secure.

    Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.

    Clearly worms are a security threat. But there are many other security threats.

    Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.

    Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?

    Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.

    If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly that no app ever fails or hangs on me, when I no longer hear or see a BSOD, when hell freezes over -- then Windows will be truly secure.

    --
    IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
  11. I can't agree with this statement... by u-235-sentinel · · Score: 5, Interesting

    "We have never had vulnerabilities exploited before the patch was known" and "[he] could only think of one instance when a vulnerability was exploited before a patch was available."

    I've had my Windows XP system compromised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site that downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.

    I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there either. Took a bit of work but it was eventually killed and I removed the programs from the system.

    Microsoft has no explanation for this other than "practice safe browsing". Great. So how is that accomplished using IE?

    BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh, I'm sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  12. ROFLMAO by RAMMS+EIN · · Score: 4, Interesting
    I didn't get past the first paragraph for fear of laughing myself to death:

    Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.


    How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...

    And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
    --
    Please correct me if I got my facts wrong.
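    The "diff"/"fc" remarks in comment 7 and the patch reverse-engineering that Aucsmith describes in the article quoted above come down to the same operation: a byte-level compare of the unpatched and patched binaries, which points straight at the code the vendor changed. The Python below is an added example (not code from this page, from Microsoft, or from any of the commenters) that performs that compare and reports it the way `fc /b` does. The two x86 fragments, the `diff_ranges` and `fc_report` names and the `merge_gap` parameter are the example's own constructions, not real Windows bytes.

```python
from itertools import zip_longest

# Constructed "before" and "after" fragments of x86 machine code, not bytes
# from any real Windows file. The only change is the conditional jump after
# the length compare: 77 (ja) becomes 73 (jae), so a length equal to the
# buffer size is now rejected too, the classic off-by-one bounds-check fix.
UNPATCHED = bytes.fromhex("55 89 e5 8b 45 08 83 f8 40 77 05 e8 00 00 00 00 c9 c3")
PATCHED   = bytes.fromhex("55 89 e5 8b 45 08 83 f8 40 73 05 e8 00 00 00 00 c9 c3")


def diff_ranges(old, new, merge_gap=0):
    """Return [(start, end), ...] half-open byte ranges where old and new differ.

    Handles inputs of different length (the extra tail counts as one change)
    and, with merge_gap > 0, joins ranges separated by at most that many
    unchanged bytes, so a rewritten function shows up as one region rather
    than a dozen scattered one-byte edits.
    """
    ranges, start = [], None
    for i, (x, y) in enumerate(zip_longest(old, new)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, max(len(old), len(new))))

    merged = []
    for s, e in ranges:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def fc_report(old, new):
    """One line per changed byte in the style of `fc /b`: offset, old, new."""
    lines = []
    for s, e in diff_ranges(old, new):
        for i in range(s, e):
            a = f"{old[i]:02X}" if i < len(old) else "--"
            b = f"{new[i]:02X}" if i < len(new) else "--"
            lines.append(f"{i:08X}: {a} {b}")
    return lines


if __name__ == "__main__":
    print(f"{len(diff_ranges(UNPATCHED, PATCHED))} changed region(s)")
    print("\n".join(fc_report(UNPATCHED, PATCHED)))
```

    On a real patch the changed regions are what a reverse engineer disassembles first; `merge_gap` groups nearby edits (relocated constants, rewritten jumps) into one region so a few hundred scattered bytes read as a handful of edited functions, which is why "working it out for themselves" is the harder route.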
  13. Mockery aside, how about the counterexamples? by djh101010 · · Score: 5, Interesting

    It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?

    I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).

    What other counterexamples do we have to show precisely how wrong Microsoft's statements are?

  14. Exploit vs Vulnerability by centron · · Score: 4, Interesting

    I think what he is saying is that most exploits are done using known vulnerabilities for which a patch has been released.

    The action of releasing a patch is usually the same as announcing the vulnerability. If the vulnerability exists, and there is no patch for it, it can go unnoticed, and hence unexploited.

    Once a patch exists, the vulnerability can be exploited on systems that aren't patched. Since historically patching has been lax, announcing a patch and the vulnerability it prevents can be dangerous.

    --

    XeoMage

  15. Re:An article disproving this... by Daniel_Staal · · Score: 5, Interesting
    It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.

    Nah... God gets questioned more.

    (You can even double check me: I can't remember a single instance in the Bible where God's command wasn't questioned...)

    --
    'Sensible' is a curse word.
  16. well i can tell you for a fact... by ophix · · Score: 5, Interesting

    i can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.

  17. Re:Oh really? by LnxAddct · · Score: 5, Interesting

    It is blatantly false that only Microsoft finds exploits. The SAMBA team found numerous security vulnerabilities with the way Microsoft implemented their protocol and then reported them to Microsoft. Hackers could easily have abused such cases, but instead Microsoft got lucky and they were white hats that found them. There are many other cases; most exploits are found by security firms of some sort and then Microsoft will acknowledge them for one sentence in the fine print at the bottom of the notice. Well, I could go on but I'll let the other Slashdotters do that for me.
    Regards,
    Steve

  18. Re:Oh really? by killmenow · · Score: 5, Interesting

    Umm, if there are no exploits to begin with, then why does microsoft need to issue a patch?

    I'm not trying to defend the parent poster to which you replied; but, the reason *anybody* needs to issue a patch even when there are no exploits to begin with is because sooner or later, one will exist.

    See, if some researcher finds a hole, he's not the only genius in the world who can find it. Someone else will eventually. If the manufacturer of the product with the newly discovered hole sits on its arse and does not issue a patch, even if no known exploits exist, said manufacturer is leaving its customers vulnerable to attack. This is a disservice to those customers...and one that will lose said customers. Especially when it comes out that the latest worm/crack/etc. exploited a vulnerability the manufacturer knew about for six months, but sat on it instead of fixing it for you.

    What Microsoft wants to do, I'm sure, is to make distribution of patches similar to AOL's software update. You turn on your computer, boot up Windows, and it initiates an encrypted conversation with Microsoft HQ...then says to you: "Windows needs updated, please wait..." while it downloads and installs whatever it is Microsoft wants to install on your PC today without telling you what that is.

    That would be Microsoft's "security" wet-dream, if you ask me.

  19. What kind of BS do they think they can pull on us? by rock_climbing_guy · · Score: 4, Interesting
    Obviously, this is just more security through obscurity BS; we all know that it doesn't work. Simple counter-example: Does anyone remember how long it took them to patch that URL spoofing problem? I certainly think that it was a problem before they patched it.

    Yeah, I suppose it could also be part of their large FUD campaign against LINUX since they insist that closed-source is more secure.</rant>

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
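    Comment 13's KB832894 and the URL-spoofing problem in comment 19 are the same issue: `http://user:password@host/` syntax. A conformant parser treats everything before the last `@` as credentials for `host`, but the vulnerable IE display showed that userinfo part as if it were the site, and the published spoofs also inserted a control character such as `%01` before the `@` so the address bar was cut off before the real host. The Python below is an added example, not code from this page or from Microsoft: it takes such a URL apart the way `urllib.parse` does, flags the two spoofing patterns, and applies the proxy-side equivalent of the fix (refusing to forward the userinfo). The function names and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample URLs: the spoof pattern from the reported IE bug, the
# variant with an embedded control character, and two harmless URLs.
SPOOF_URL = "http://www.microsoft.com@evil.example/"
SPOOF_URL_TRUNC = "http://www.microsoft.com%01@evil.example/login"
INTRANET_URL = "http://alice:s3cret@intranet/"
PLAIN_URL = "https://www.microsoft.com/"


def split_authority(url):
    """Take the authority component apart the way a conformant parser does.

    'host' is what the client actually connects to; 'userinfo' is whatever
    sits before the last '@', percent-decoded so %01 becomes a real control
    character, which is what the vulnerable display routine saw.
    """
    parts = urlsplit(url)
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return {
        "scheme": parts.scheme.lower(),
        "userinfo": unquote(userinfo) if at else "",
        "host": (parts.hostname or "").lower(),
        "path": parts.path or "/",
    }


def spoof_indicators(url):
    """Return the reasons a URL looks like an address-bar spoof ([] if none)."""
    auth = split_authority(url)
    reasons = []
    if auth["scheme"] not in ("http", "https") or not auth["userinfo"]:
        return reasons
    username = auth["userinfo"].split(":", 1)[0]
    if "." in username:
        reasons.append(
            f"username {username!r} looks like a hostname; real host is {auth['host']!r}"
        )
    if any(ord(ch) < 0x20 for ch in auth["userinfo"]):
        reasons.append("control character before '@' (display-truncation trick)")
    return reasons


def strip_userinfo(url):
    """Rewrite an http(s) URL without its userinfo, as a filtering proxy might.

    Non-http schemes (ftp:// legitimately carries credentials) are left alone.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return url
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    return urlunsplit(parts._replace(netloc=hostport)) if at else url


if __name__ == "__main__":
    for url in (SPOOF_URL, SPOOF_URL_TRUNC, INTRANET_URL, PLAIN_URL):
        auth = split_authority(url)
        print(f"{url}\n  connects to {auth['host']!r}; {spoof_indicators(url) or 'ok'}")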
  20. Re:Oh really? by GSloop · · Score: 4, Interesting

    Beyond this...

    You're likely to know when you're rooted by a script kiddie. Not by some black hat dude who simply wants to screw you over.

    The most devastating attack is one that subtly changes your data over time and, upon finding it, you realise that you can't determine when the break-in occurred, what was modified and/or stolen, and how it happened.

    In short, you don't know what might be screwed, what to do to repair the screwage and how to prevent it in the future. In short - well...wait for it.. YOU'RE SCREWED!

    Script kiddies are a PITA, but far from my biggest worry.

    For the tinfoil hat crowd out there. Think how wonderful the Gvmt would find an unpatched remote root exploit? Total deniability should they get caught. "Wasn't us - we'd get a warrant!" Great for fishing expeditions while outside the reservation. (Oh, no, the FBI/NSA/whoever's black list you're on would never do something ILLEGAL! No! Say it isn't so!) Sure, if the Gvmt really wants to get you, it can turn the full force of law on you. But IMHO, it's the extra-judicial action that's likely to really start the ball rolling. Just take a peek around the private lives of a few people - I guarantee you'll find some illegal activities that could be pried loose to unleash the full legal and law enforcement community on you.

    These are my fears - and script kiddies don't play an important part. They are like gnats. Really annoying, but not life threatening. Sweat the big stuff.

    Cheers,
    Greg

  21. Any comparision? by Michalson · · Score: 4, Interesting

    Perhaps a comparison is in order to determine if keeping exploits a secret really does help? Take a product that is open source, but which practices security through obscurity by keeping security bug fixes under wraps. The first piece of popular OSS that fits this bill is Mozilla. Security bugs are reported to the bug list, where they are only known to a small circle of developers. Those bugs can then be fixed at the developers' leisure (for instance the new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) bug which caused Mozilla to instantly crash taking every tab with it was fixed about 10 months after it was originally reported [reported in March 2003, silently fixed in a late January 2004 build of Mozilla 1.6]). After the bug is fixed however it is not formally announced, no advisory is issued to tell anyone to update to the latest build. Only after 2 version changes do the bugs appear on the vulnerabilities list (right now you can see 1.4 vulnerabilities, once 1.7 goes gold you'll see the 1.5 vulnerabilities).

    This method has greatly increased the security of Mozilla users' browsing experience (when was the last time you were the victim of a Mozilla exploit?). This is despite a long track record of arbitrary code vulnerabilities (almost averaging 1 per month so far as the official list admits), frequent problems with javascript and cross site vulnerabilities, URL spoofing, reading local file and password vulnerabilities in almost every minor version (1.2 being the exception for file reading, unless you count the 1.3 or 1.4 vulnerabilities), and some of the most original mail client vulnerabilities out there (in addition to standard arbitrary code execution) such as being able to permanently DoS a mailbox using a webmail account and a message of less than 20 bytes.

    The simple fact is that most Mozilla users aren't downloading nightly builds to keep themselves secured with all the latest secret patches (though this has its own risk, like the recent bug that deleted everything in the program files folder), yet they have remained much more secure than users of IE, who are frequently burned because they only (sometimes) apply the publicly announced and electronically pushed patches after someone takes a month or more to come up with a virus based on them (i.e. Blaster). Of course other software users get burned in the same way too: Redhat servers (including some at NASA) got rooted by the Ramen/Lion virus which was made possible by the public announcement and patching of the TSIG vulnerability 6 months earlier. phpBB2 boards that aren't constantly updated get hacked by script kiddies all the time thanks to open security mailing lists.

    The simple fact is that the easiest method of writing a virus (if you want it to succeed) is to lookup a known vulnerability (even though its likely patched by that time) and use it. The people most likely not to notice or understand how to deal with the infection are the same people using totally unpatched copies of Linux kernel 1.8 or Windows 98. Look at the "please run this attachment" user vulnerability - while almost all email clients from the last few years physically prevent this vulnerability (for some time Outlook has even gone so far as to remove executable files from zips) viruses like MyDoom still spread at an alarming rate. The people most likely to let their machine become and remain compromised due to carelessness are also the least likely to watch for updates and apply patches.

    And no, I don't think companies should withhold patches, but there is a lot of truth to the concept that telling the world about a vulnerability is the fastest way to get a virus written.