Slashdot Mirror


MS Security Chief: Windows Never Exploited Until Patch Available

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

12 of 1,040 comments (clear)

  1. Re:Oh really? by Jotaigna · · Score: 5, Interesting

    the simplest method used to detect a lie is to cross question the subject until it gets confused and contradict itself. This guys have security departaments, management, developing, sales, etc. They should build a "Lie Tracking" departament, then, they'll have at least something consistent. I think this post should have been published in "its funny, laugh" category.

    --
    "The quality of life is inversely proportional to the number of keys on your keyring."
  2. Security is in the eye of the beholder by chaoskitty · · Score: 5, Interesting

    MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...

  3. They don't get the point... by chill · · Score: 5, Interesting

    Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!

    This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?

    Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.

    -Charles

    P.S. -- How can I ever get "first post" if the damn artitle quotes make me laugh so hard I can't type?

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Re:Criminal tools like "diff"? by tomhudson · · Score: 5, Interesting
    I guess that explains why Windows doesn't include a "diff" function...

    fc - from your old DOS days - stands for file compare

    I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)

  5. Re:Piffle by onyxruby · · Score: 5, Interesting

    I agree not all old software should be upgraded. Windows 3.1 may rest in hell as far as I'm concerned. But it wasn't that long ago they tried to kill of Windows 98, that's what 25% or so of the home user base? I recognize that the 9.x kernel is inherintly insecure and outdated, but that's no excuse not to patch known exploits when their is a substantial user base out there.

    I am not, by the way, saying that users should nut patch their systems, only that they should not be forced to upgrade working systems under auspices of security just because MS want's more revenue. They can pull that crap on the business market and get away with it, but joe sixpack can always go try that linux thingie he heard about.

  6. Bug Free == More Secure by dre23 · · Score: 5, Interesting
    Any bug is a potential security hole. And Windows has a lot of bugs. Fix the bugs, not the security holes, and your code will be more secure.

    Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.

    Clearly worms are a security threat. But there are many other security threats.

    Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.

    Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?

    Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.

    If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly and never app fails or hangs on me, When I no longer hear or see a BSOD, When hell freezes over -- Then Windows will be truly secure.

    --
    IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
  7. I can't agree with this statement... by u-235-sentinel · · Score: 5, Interesting

    "We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. "

    I've had my Windows XP system comprimised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which they downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.

    I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there also. Took a bit of work but it was eventually killed and I remove the programs from the system.

    Microsoft has no explaination for this other than "practice safe browsing". Great. So how is that accomplished using IE?

    BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh I"m sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  8. Mockery aside, how about the counterexamples? by djh101010 · · Score: 5, Interesting

    It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?

    I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).

    What other counterexamples do we have to show precisely how wrong Microsoft's statements are?

  9. Re:An article disproving this... by Daniel_Staal · · Score: 5, Interesting
    It's almost like they are "above the law" and what thsy say happens. Kind of like when God speaks.

    Nah... God gets questioned more.

    (You can even double check me: I can't remember a single instance in the Bible where God's command wasn't questioned...)

    --
    'Sensible' is a curse word.
  10. well i can tell you for a fact... by ophix · · Score: 5, Interesting

    i can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.

  11. Re:Oh really? by LnxAddct · · Score: 5, Interesting

    It is blatantly false that only Microsoft finds exploits. The SAMBA team found nemerous security vulnerabilities with the way Microsoft implemented their protocol and then reported them to Microsoft. Hackers could easily have abused such cases, but instead Microsoft got lucky and they were white hats that found them. There are many other cases, most exploits are found by security firms of some sort and then Microsoft will acknowledge them for one sentence in the fine print at the bottom of the notice. Well I could go on but I'll let the other slashdotters do that for me.
    Regards,
    Steve

  12. Re:Oh really? by killmenow · · Score: 5, Interesting

    Umm, if there are no exploits to begin with, then why does microsoft need to issue a patch?

    I'm not trying to defend the parent poster to which you replied; but, the reason *anybody* needs to issue a patch even when there are no exploits to begin with is because sooner or later, one will exist.

    See, if some researcher finds a hole, he's not the only genius in the world who can find it. Someone else will eventually. If the manufacturer of the product with the newly discovered hole sits on its arse and does not issue a patch, even if no known exploits exist, said manufacturer is leaving its customers vulnerable to attack. This is a disservice to those customers...and one that will lose said customers. Especially when it comes out that the latest worm/crack/etc. exploited a vulnerability the manufacturer knew about for six months, but sat on it instead of fixing it for you.

    What Microsoft wants to do, I'm sure, is to make distribution of patches similar to AOL's software update. You turn on your computer, boot up Windows, and it initiates an encrypted conversation with Microsoft HQ...then says to you: "Windows needs updated, please wait..." while it downloads and installs whatever it is Microsoft wants to install on your PC today without telling you what that is.

    That would be Microsoft's "security" wet-dream, if you ask me.