Slashdot Mirror
MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
"The Earth is flat."
:-)
"The Sky is green."
"Earth is the center of the universe."
Other ridiculous statements that have also been proven false.
So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches?
Sakes alive, the Microsoft spin machine has been well oiled this morning!
ChaoticChaos
"If Windows wasn't vulnerable until the patch was released, why was the patch released in the first place???"
Has Microsoft become so jaded that they have turned to the dark art of trolling? Do they get some sort of perverse pleasure by fishing strong feelings out of educated people who know better just so their board of directors can laugh at the zeal of the rebuttals, knowing full well they were full of shit?
head of security? The article is pure genius by trolling standards. And having just read about Microsoft wanting to pollute java, maybe their new business strategy is to troll all aspects of the computer world... just to pollute it?
Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So, the statement if confused might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather they are doing what they do for a likely monetary payoff.
The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.
Visit Jonesblog and say hello.
At best, the notion that patches are the source of all exploits is a logical fallacy. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.
I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.
If crackers never find exploits except for by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler.
Also liked this quote, from the end of the article:
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Hmmm.
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.
"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."
I guess that explains why Windows doesn't include a "diff" function...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
In related news, the Mayo Clinic has announced that if we eliminated cancer treatments, we would eliminate cancer.
I watched C-beams glitter in the dark near the Tannhauser gate.
So, instead of poor programming it's incompetent management?
Sticks and Stones may break my bones, but copyright will always protect me.
If a politician said something like this it would get torn apart by the media. If a scientist said something he would loose his credibility and there would be articles written to counter this in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what thsy say happens. Kind of like when God speaks.
Evolution or ID?
I love how people with vested interests are called 'experts'
thhhhhhhhhtttt *choke* *gag* "ahhhhhhh" So as I was saying, hackers haven't found any of these flaws and exploited them before they were patched. Man, this is some strong crack, I almost believe what I said, myself"
And how do these fine experts actually know there aren't, at this moment, flaws being exploited left and right? Ah, they're experts, of course!
A feeling of having made the same mistake before: Deja Foobar
Microsoft to stop patching systems altogether to improve security. Also announces that War is Peace, Freedom is slavery etc etc etc
... we seem to have skipped directly to April 1st...
This ranks right up there w/ the Information Minister... Looks like the corporate world is just as bad about propaganda as the gov'ts of the world.
This guy is way out there
MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...
This is a fabulous marketing manouvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.
There *must* however be laws against making statements *that* outrageous...
Simon.
Physicists get Hadrons!
... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
-m
#
# Modus Ponens
#
Previous Quote: 'could only think of one instance when a vulnerability was exploited before a patch was available' Revised Quote: 'I can not think of even one instance when a vulnerability was exploited before windows was available'
I'm sure that security researchers at companies like EEye are providing Microsoft with proof-of-concept exploit code when submitting vulnerabilities.
It's pretty obvious from that fact that exploit code does exist before a patch is released almost 100% of the time; it's just not released to the public until after the patch is available most of the time.
"If you want more secure software, upgrade."
That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34
An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your door unlocked, since we do not know that they're unlocked there is no danger.
Reply to this post with your street adress and your usual work hours, thanks!
Since when did Microsoft hire the Iraqi Information Minister?
I must admit that they are partly right on this statement. As long as they don't publish a patch, most the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.
As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.
So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.
Just my opinion.
So, how much has using Windows Update cost you extra so far?
The owls are not what they seem
"Bullshit" doesn't begin to do justice of the level of falsehood present here. We're talking about taking the very essence of falsity, distilling it over the flames of ignorance, condensing it within intestinal walls of monumentally bovine intellectual apathy and sponsoring a college kegger with the elixir-excremento obtained therefrom.
If I were going to write an exploit, I'd write the exploit AFTER Microsoft had patched my OS so I didn't zombie my own computer up!!!!
With all the script-kiddies out there, would they know how to patch microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
Of course for the others, they probably realise that many people are forced to use Windows, and there only protection is Windows with a decent firewall and up to date WindowsUpdates.
Ridiculous. Why would they want to force upgrades to Windows ME?
I concur! :) Upgrade today!
My dog ate my sig
I think he might be wrong.
"Almost all attacks against our software are against the legacy systems," he said.
So is that what they're calling WindowsXP now?
When I read this story earlier, I figured that what they really meant was, "most of our vulnerabilities don't get announced until we have a patch, and people don't start to exploit them until they're announced".
Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.
Registering accounts later than some other chrisb since 1997
Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!
This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?
Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.
-Charles
P.S. -- How can I ever get "first post" if the damn artitle quotes make me laugh so hard I can't type?
Learning HOW to think is more important than learning WHAT to think.
Linux 2.0.40 - release 2/8/04 Linux 2.2.26 - release 2/25/04 Linux 2.4.25 - release 2/18/04 Linux 2.6.3 - release 2/18/04 The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.
"The infidels packets are slaughtering themselves at the ports to our OS"
"There are no exploits against windows, they are all lies from the so called Open Source community"
"We removed the Windows Update site to better serve our loyal followers."
-- Slashdot, making the Left look conservative since 1997.
Yeah...I hate paying for those damn Linux upgrades.
I don't try to be right, I just try to make people think
Then, when MS does release the patch, the people who found the flaw throw up the details on their website for all the "hackers" to get their hands on.
hence the exploits coming after the patch is released
But, you are wrong about this. In fact, a new Kernel update to 2.2 was released. Version 2.2.26. It's been a year, but they were still released.
Here's a quote from the release: "Marc-Christian Petersen announced the release of the 2.2.26 Linux kernel. This release includes several security fixes, including a fix for the latest mremap() bug." See the Linux 2.2.26 Release Notes
So, really, MS is forcing users to upgrade by not releasing patches to old version.
"BEHOLD, CORN!!" - Dr. Weird, ATHF
pretty much nothing to call into question what he said. granted, I didn't rtfa, but I would like to hear from some slashdot users of a windows vulnerability that was exploited on a large scale before a patch was released.
There's a lot of hand wringing and self righteous indignation over the statement, but has anyone bothered actually to counter it?
The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.
There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.
The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.
That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.
And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosopy behind your OS choice.
I don't need no instructions to know how to rock!!!!
I agree not all old software should be upgraded. Windows 3.1 may rest in hell as far as I'm concerned. But it wasn't that long ago they tried to kill of Windows 98, that's what 25% or so of the home user base? I recognize that the 9.x kernel is inherintly insecure and outdated, but that's no excuse not to patch known exploits when their is a substantial user base out there.
I am not, by the way, saying that users should nut patch their systems, only that they should not be forced to upgrade working systems under auspices of security just because MS want's more revenue. They can pull that crap on the business market and get away with it, but joe sixpack can always go try that linux thingie he heard about.
...I never did this.
Ever.
No, really... I didn't.
Mr Aucsmith went on to prove that 1=2, that black is white, and promptly got himself killed on the next zebra crossing...
Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.
Clearly worms are a security threat. But there are many other security threats.
Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.
Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?
Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.
If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly and never app fails or hangs on me, When I no longer hear or see a BSOD, When hell freezes over -- Then Windows will be truly secure.
IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
There's still one major difference - M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right. Further, with Microsoft, you not only upgrade your software, but most likely, your EULA as well (and no telling what kind of nastiness). With Linux, you have no such worries.
"We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. "
I've had my Windows XP system comprimised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which they downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.
I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there also. Took a bit of work but it was eventually killed and I remove the programs from the system.
Microsoft has no explaination for this other than "practice safe browsing". Great. So how is that accomplished using IE?
BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh I"m sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the linux kernel or apache for examples. Just my $0.02.
Fear trumps hope and ignorance trumps both
How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...
And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
Please correct me if I got my facts wrong.
Perhaps David Aucsmith would care to explain this then? Though eEye (purposely) doesn't describe the vulnerabilities that they list there, it's been indicated (on mailing lists like Full-Disclosure) that several of them are being actively exploited.
Do you have a
Actually, linux 2.2.XX and even 2.0.XX are still supported and still receive security fixes.
This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.
One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.
The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?
I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).
What other counterexamples do we have to show precisely how wrong Microsoft's statements are?
Those people are Amateurs.
The latest kernel is 2.0.40, as everyone should know.
[/sillyness]
Fellowship 9/11
A few weeks ago, we were treated to the BBC claiming that the Linux community was behind MyDoom, even after it had become clear to everyone else in the world that it was written by Spammers. This article isn't any better/worse - its another thinly-disguised and apparently unresearched document, with no supporting statistics. Is there a reason to read this trash anymore, or should we switch to something more reliable, like the tabloids?
Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
"Almost all attacks against our software are against the legacy systems ..."
...
Am I the only one who remembers a few exploits that 95/8 were immune to because of innovations in new OSs? I mean, just a little thing like MS.Blaster. Probably didn't make the news
Xbox reviews.. We think they're funny.
If you don't want to read the article all the way through, here are the last two paragraphs:
There's no place like 127.0.0.1
Tm
Support TBI Research: http://www.raisinhope.org
I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)
/? from the command window and it responded.
Good news fellow criminals its still there. I checked on WinNT and Win2k and its located in the System32 folder. Its listed as the Dos 5 File Compare Utility I did a fc
Here, I've been using Windiff all this time... Dang
Up until a couple months ago at least, 2.2 ws the still the official kernel version for Debian (which obviously takes security seriously).
I don't try to be right, I just try to make people think
I think what he is saying is that most exploits are done using known vulnerabilities for which a patch has been released.
The action of releasing a patch is usually the same as announcing the vulnerability. If the vulnerability exists, and there is no patch for it, it can go unnoticed, and hence unexploited.
Once a patch exists, the vulnerability can be exploited on systems that aren't patched. Since historically patching has been lax, announcing a patch and the vulnerability it prevents can be dangerous.
XeoMage
Their point is that when they patch they announce they HAD a problem and the hackers can see what the patch fixed and try to exploit UNpatched machines... its security through obscurity, if I don't release a patch... hopefully the hackers won't notice the hole.
:)
But now that the patch is out, you can expect hackers to know about the vulnerability and attack you if you don't have the patch.
They are dumb, dont try to play dumber.
here. I rest my case.
Why do you speak as though this "conundrum" were unique to Microsoft, or even closed-source software in general? If I buy a '57 Chevy Bel-Air convertible, and the top has a tear in it, should GM be obligated to provide me with a replacement part, if I'm willing to pay for it? Does the fact that they won't indicate that GM is a bad company for not supporting its "legacy" products?
Just how long should a company be obligated to support its older products? And why are you coming down so hard on Microsoft while ignoring the fact that this is simply standard practice, in every industry?
Like woodworking? Build your own picture frames.
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
I realize that you are trying to make a joke, but seriously, how painful is a Linux upgrade compared to a WindowsUpdate(R)(C)TM? Cause that's about the price you pay almost daily to get up-to-date.
Write boring code, not shiny code!
Quite a few people use various flavors of the 2.0 kernel for various reasons. The 2.2 installed base is huge, and not going anyplace fast. Larger minor version number (or even major version number) does not even vaguely imply greater security. You are buying the myth.
In fact, quite the opposite is often the case if older versions remain maintained, because they are more thoroughly debugged and locked down. And they are maintained because there is no profit motive to not do so.
KFG
In related stories, it has been revealed that firemen cause fires, policeman cause crime, and the good folks at Symantec have written all the viruses.
Film at 11:00 (just after the anchorman tells us about all of the muggings he committed).
Don't blame Durga. I voted for Centauri.
--30--
As for real security experts, they routinely find vulnerabilities in Windows beforesending a description to MS which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
in real life who could be described as black hat. He showed me exploit code for the ASN1 exploit (this was remote shell code) about a week before the Microsoft patch was release. He said it was big news in his community.
From what i could see, it was very tight C code which compiled and worked on the winxp test machine (his own), so I guess it was authentic.
Gamers Europe - Gaming News. Reviews.
The same company that has an exploit written for an OS that is yet to be released ??
So let's really hash this out.
Just for kicks, let's make a list of examples in the last three years where a virus/explot happened on any kind of wide scale before the patch was available. If we really disagree with his comments, let's make an intelligent attempt at rebuttal.
I'll take first shot: the first major incident that comes to mind for me is the COM+ bug of this last summer.
The article states "We have never had vulnerabilities exploited before the patch was known"
However, in the cases I cited, people were absolutely exploiting those bugs in the wild before Microsoft released a patch for them. While the articles I linked don't explicitly state "this is already being exploited", the fact of the matter is that exploits did happen before Microsoft finally put out a patch. A friend of mine was hit with the domain-spoofing bug while surfing pr0n, seriously.
I find it kind of weird that Symantec is backing Microsoft up on this goofy propaganda. You'd think, since they are in the business of protecting peoples' computers, they wouldn't make such a ridiculously stupid statement.
You could fabricate a new top/machine parts/etc for a car. Not so for a closed source software product (or at least, it would be much harder.)
i can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.
Maybe MS is mixing things up? If you count worms and viruses as exploits in the same category as real breakins then by far those and script kiddies who uses ready made exploits account for most breakins.
Any sane cracker wont report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous breakins is ofcourse corporate espionage and i think the ones doing those have a field day on Windows right now. They dont use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target is unpatched.
HTTP/1.1 400
If a vulnerability is never exploited before a patch is relased. Then this is equivalent to saying releasing a patch implies a vulnerability may be exploited. Thus the contrapositive of this statement is never releasing a patch is implies a vulnerability will not be exploited.
Since a statement and its contrapositive have the same truth value (if one is true then so is the other) and if M$ assumes the initial statement is true then they must accept the contrapositive is true.
This being the case it seems the logical consequence for M$ in their desire to increase security is to never release another patch.
But this would require M$ to actually operate under a logical framework and we know that his statement is false.
"Where do you want to go yesterday?" Thanks, that made me spit coffee on my screen... but it needed cleaning anyway.
Could the mean that Microsoft as a Business exists moving in time backward. This explains Microsoft quick profits and good business decisions back in the 80's and over now in the 2000's a younger and less experience Microsoft is making more mistakes. and having a little more competition to deal with.
I don't know about you but I confused myself.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Or is it the other way around ?
:
... to Debian 8)
say [pun]"Only Microsoft exploits exploits"[/pun]...
from the article
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."
Here you are. They said it, officially.
I seem to remember that my debian stable is composed of 1-2 years old software, and, regularly patched, will say secure without even have to reboot...
PEOPLE !!! "If you want more secure software, upgrade."
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
From the article:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.
None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".
Is this sig nificant?
Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because the "will be no exploit till we release this patch" policy.
I'm not sure if that is the best example, but at least is one that is enough to show how much bullshit they used to tell in public.
Linus doesn't, weaselnuts, but the 2.0.x kernel is alive and well, maintained by David Weinehall, the 2.2.x kernel is alive and well, being maintained by Marc-Christian Petersen, and the 2.4.x kernels are being maintained by Marcelo Tosatti. The only kernels that Linus maintains are the development kernels. He hasn't handed off 2.6.x yet, AFAIK, since it's not fully cooked and 2.7 hasn't forked. As soon as 2.7 branches, expect to see someone else issuing the 2.6 kernels. I'm not going to touch the Redhat commentary, but I know there are people still maintaining their own copies by patching and creating new packages. In the open source realm, you don't need a vendor to do it for you. In Win 9x, you do. 'Nuff said.
-30-
So can I sue Microsoft for providing hackers the information they need to hack my machine. Sounds like they're aiding and abetting according to that logic.
Second: They are admiting that any machine which is not patched current has vulnerabilities; including machines with fresh installs, and the ones sitting on store shelves/warehouses waiting to be sold. Since these machines are already admitted vulnerably, and since patches are now being release monthly (or more frequently) we can conclude Microsoft Operating systems have a maximum warrantable period of 30 days, and recalls should be done for all previously delivered software, since the manufacturer is admitting the fault at this point.
The thing about things we don't know is we often don't know we don't know them.
"A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
It depends if you run updates through regression testing on a series of "standard" machines in the office and all goes well until you actually try to patch the systems. Then, some obscure third party app that you completely forgot even existed clashes with the freshly updated machine and fucks the whole thing but good because of some bizarre bug that prevents the machine from even getting to first stage boot. On 350 desktops. In the middle of the night. On the weekend.
As compared to the boxes that kernel-upgraded flawlessly even though we didn't list out half the stuff being used on said boxes.
Windows update for home use? (Usually) painless. Windows update for wide deployments. Potentially, the most painful fucking nightmare you will ever experience unless you have a completely homogenous environment.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
So Microsoft has two available plans for dealing with those old and outmoded '98 boxes.
Plan A:
1. Issue security patch for 98 (COSTS MS $)
2. Fix issues caused by hackers examining patches and determining new exploits. (COST MS TIME AND $)
3. Goto 1
Or, there is another way...
Plan B:
1. Issue bulletins telling those 25% of the home user base that their systems are insecure.
2. Sell new copies of an OS to those 25% peoples.
3. PROFIT!!!!
4. Issue new bulletins telling those that upgraded that their *new* replacement OS is insecure.
5. Goto 2
Yep, Plan B has a few more steps, but in the end I think even the silliest would choose that route, provided they could get away with it.
-- I have fans? Wow.
The difference is GM won't sue you for measuring the size of the top and making your own replacement. Hell if you found out a lot of people had similar problems you could even go into business making replacement tops for others without any type of lawsuit even appearing on the horizon.
It's not about how long a company is obligated to support it's products, it's about having a company that refuses to fix their products and has the legal right to sue you if you try to do it yourself.
That's the real problem.
Fanatically anti-fanatical
I'm guessing that one instance of exploitation would be the initial windows purchase. That's when you bend over and Billy comes over to plant his worm in your "security hole."
It is NOT only the MS exec who is saying this. In the same article Symantec confirms this:
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability"
As usual everyone is going off half-cocked.
It could be true!
After all, I've never had a cavity until I went to the dentist!
Fnord.
Let's see...with debian stable (possibly testing, but I don't recommend with unstable)Done.
Change your second crontab to run the shell script, and done. (yes, I don't use variables in 2 line scripts)Or, if you want a daily email of any packages requiring an update....
Oh, to upgrade to the next release...
for kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a debian system for me is very straight forward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).
-- If you can't laugh at yourself, someone else will do it for you.
Um.... Windows 98 isn't 9. anything.
If anything, it's 'Win4.1'. Take a really close look at the installer the next time it runs. [I know I saw 'win4.0' flash by when I installed Windows 95 for the first time.]
In the same way, Win2000 is is 'NT5.0' I'm not sure if XP is the fabled 'NT6' or jut considered to be 'NT5.1' as I've never used it.
Build it, and they will come^Hplain.
Few quick observations...
1.) Microsoft end of lifed windows98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old win98 on it (i know slashdotters can always come up with whatever reasons for anything, but in the general public).
Yes the Linux kernel, even back to 2.2, is still being updated. And yes, linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
2.) The article claims windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with outlook, internet explorer, office, IIS, exchange, etc. Technically, these are not windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaiming that on the kernel dev team.
Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of microsoft.
3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, i'm not following. The have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but i suppose security through obscurity is still security.
How many times have we seen a story on slashdot that exclaims how microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.
The average linux user is smarter than the average windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (i mean, in windows XP, the windows update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).
I'm not trying to defend microsoft here, all I'm saying is that, before you bash them, think.
~Will
sig?
"'[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
Vote for Pedro
The analogies in previous posts (locked doors/crime, cancer/treatment, etc) are entirely inaccurate. A more proper analogy might be the fixing of a defective door/window in an apartment building, where the fix is observed and the problem exploited before all units are updated.
Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.
I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.
Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.
"Even logic must give way to physics."
"If you want more secure software, upgrade."
OK, I'll take you up on this. Starting today, release no more patches for XP and 2003 Server (or IE or IIS or OE or MS-SQL or any other component.) We should see no new exploits from this day forward. We'll give it a year. If an explot is found, I get your house and car. If no exploits are found, you get mine. Deal?
PS: If you release another patch, I win. Any "feature upgrades" must be thoroughly examined by a 3rd party to make sure you aren't sneaking any patches in. I promise I will not actively look for exploits myself.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is exactly the same as a car manufacturer saying "we never had an accident caused by this fault until we told people about it".
Well of course you didn't. The defect still caused accidents but other factors were blamed.
This disgusts me.
Each time Microsoft comes out with a new OS or product upgrade, it usually IS the most secure and state-of-the-art example of WINDOWS.
Microsoft is twenty years behind the development curve on stability and security because they spent the early years building up something that's usable. Linux is playing catch up on the usability side and Microsoft is playing catch up on the security and stability side. Each is making good ground, but IMHO, Linux is going to be the winner in the race because Microsoft has to figure out how to keep things usable AND make them secure. Linux just has to add a usability layer on top of things and make sure the new layer is secure while trusting the guts of the machine.
Heh.. then there's BSD out there actually pretending to be UNIX and not giving a crap about either of those two nutjobs.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Unlike Open BSD, Windows Installs many obscure features into the the default install of the desktop. So although it wasn't a bug in the kernel, it was in Ie or windows messaging or RPS or something else. I sort of prefer the OpenBSD idea that the end user has to decide what to put on their computer besides the shell and basic utilities.
Well.. maybe. Or Maybe not. But Definitely not sort of.
" Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit."
/. to bother even considering MS's arguement. The post doesn't even bother to explain the MS position, but instead just continues with the mindless MS bashing that I've come to expect here to insure that no meaningful disscussion ensues and nothing is learned from MS, since of course they can't possibly have anything usefull to teach us about computer use and misuse.
Of course I wouldn't expect a biaed site like
Vote for Pedro
SteveB.
Admins just didn't realize that was how there box was hacked until after they saw the symptoms.
With the patch in hand, people can say, "Oh THAT was how they did it."
Scott Carr
Someone let G. W. Bush know we found the Iraqi Minister of Information.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
windows update is ABSOLUTELY FUCKING APPALLING.
oh look, several patches available... wtf, not only do I have to close down all my apps and restart my computer, but I have to restart for each patch individually!?
SUSE YOU is infinitely better. I let it run all the time because it doesn't bug me with crap notices (just changes colour), so I get patches straight away, and no restarts. although I'm not running a server or anything it's still very important to me for my work.
thank god windows is too useless for my work anyway so the crapness of windows update isn't an issue.
I sometimes use MS Office via Crossover though. even that's better on linux - can automatically download updates and "simulates windows restarting" instead of the real thing.
The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears
He said no such thing. Not only does he say no such thing, but you (Michael) are clearly aware of it. To claim that the vulnerability doesn't exist until a patch appears would certainly be absurd, which is probably why no one made that claim.
The article is simply making an observation: That most vulnerabilities are not actually exploited until after a patch is released. This is an observation, not an assertion. It seems like a very reasonable one, too, since most evil crackers are not smart or patient enough to go though Windows binaries instruction-by-instruction looking for bugs. Instead, they just wait until a patch is released, and see what was patched. That way, they know where to look.
No one is claiming that a bug can't be exploited before the patch is released. They are simply pointing out that they usually aren't.
Michael, you can't just misquote people like that. It is obvious from looking at the comments here than most people did not read the article. Most people believe what you write, and don't realize that it is a gross exaggeration of what was acutally said. Even if it is Microsoft (and mind you I'm no fan of Microsoft), it's still not ok. Don't stoop to Microsoft's level; lying about your enemy is not the right way to win any battle.
It's posts like this that made me give up on Slashdot as a source of anything other than humor long ago (see the sig).
While most people are hearing affirmation that they only care about the newest versions of the Windows OS and that this is how they hope to keep people buying upgrades, I hear something a little different.
This could easily be a prelude to Microsoft releasing OS upgrades without a description of what is being done to the system. Consider how scary it will be to do your daily upgrade/update/reboot only to find that along with new fixes, they've done other nasty things like change the EULA again... of course not agreeing would mean you can no longer use the system. Or maybe they decide to do some other trashy thing like forcing an upgrade of (Insert Program Here) that you prefer not to have upgraded for some reason.
I have a feeling they might be trying to give out updates and patches without telling us what they are.
Hackers and crackers are losers by definition, so it seems a reasonable explanation that they don't have the smarts to find the holes themselves.
They're scavengers; a slightly higher form of script kiddie, who looks for knowledge won by other people and then exploits it.
Um, who do you think finds security holes in the first place? Hackers. Whether they are "evil hackers" out in the wild, white-hat hackers, or working for Symantec (or whoever), they're still hackers.
True, most people who actually exploit the holes are script kiddies, but script kiddies are not hackers.
sudo eat my shorts
I hardly call Windows updates for home use "painless", for many people out there.
Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!
As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
The argument that Microsoft is making here is that the software is secure so long as the "evildoers" have no insight into how the software works. When the patch is released, they can compare patched vs. unpatched systems and gain that insight.
This sounds like a cloaked attack on the security of OSS. If you follow the argument M$ is making, publishing the source code to an operating system should make it more vulnerable to attack, not less.
If you buy M$'s argument.
"The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available."
What this really means is no rapidly expanding virus was created which drew the general publics' attention. That doesn't mean a black hat didn't use it to hack a system steal merchanzse, products, $, or information. Then was able to cover his tracks.
That's why I like to see virus that forces everyone to patch their systems. It scares me to think how many companies have my banking/credit card infrmation. Then take into accout the millions of computers that can access that data, 90% of them running windows.
Either way, this guys is an idiot.
Every once in a while you hear stories about a company running a dedicated-purpose machine with a fixed set of software for decades because it does the job it's supposed to.
For these people, the real waste of resources would be requalifying their system after an upgrade.
When a vendor provides support for crusty old architectures like VAX or HP minicomputers for years and years, people say that that's great "enterprise-level" support. When a couple of guys maintain security patches of older Linux kernels, you say it's a "waste".
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
Yeah, I suppose it could also be part of their large FUD campaign against LINUX since they insist that closed-source is more secure.</rant>
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
Umm... I'd like to know how Microsoft explains these.
From a certain point of view, they almost have a point.
Stay with me, I'm as surprised as anyone else.
Consider this: you buy a window that says it will stop insects. And it does. But then some nut genetically enhances* an insect to have diamond tip cutters that can cut through the window. Since the window did keep out all know insects when originally sold, the manufacture really isn't liable for the new one and is allowed to say 'the new model fixes it', though they could release a spray the would cover your old model but possibly introduce new problems.
Yes, that's a terrible analogy, but it shows that they have a bit of a point: any business would go out of business if they had to fix problems that were ineffable at the time of the original sale. Where this falls down with Microsoft, of course, is whether the problems were from completely new areas, or flaws in their original work that they just ignored and denied -- similar to how certain problems in cars/children's toy result in recalls, but other problems don't. (e.g. it isn't a problem if a toy breaks after 3 years of continued use, but it's a problem if it breaks in a potentially injurious way - and let's not get started on the liability/lemon laws that Microsoft avoids with EULA.)
* And this isn't intended as an attack on genetic engineering per se. But anyone who does this to insects would be, in my opinion, a nut.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Of course we don't hear about exploits being developed until after the patch. Because before that moment, the vulnerability is going to be kept in the dark by those who do know about it so that they can make best use of it.
You're not going to see worms using unknown sploits because the developer woub essentially be giving away a tool that could be used for perhaps more nefarious purposes.
And furthermore, I wonder how people would know to notify MS about unknown an exploit that's been used to crack a system when such exploits either crash the system (which NT admins are very use to experiencing during NORMAL use and will ignore the crash) or are used in a covert manner, not warranting attention from NT admins in the first place.
If this is the kind of logic MS has behind it's security department, then MS is just doomed.
This kind of logic is just so incredibly flawed I can't even comprehend how an educated person could think that way. It's like say "well, whenever I go to sleep, the sun goes down, so if I don't go to sleep the sun will stay up".
Just absolutely ludicrous.
The (not so) recent mass breakdown of basic critical thinking skills among people in powerful positions around the United States just scares the crap out of me.
But you wouldn't have somebody in authority effectively stating that problems can be addressed by keeping them quiet. If somebody from one of the distributions did say that, users would be able to make a judgement on whether or not it might be better to migrate to a competing supplier. Emphasis on competing. The only reason MS can pay somebody to spout nonsense like this is because they have a monopoly. I hope and believe that that time is coming to an end now.
Reality is defined by the maddest person in the room
Windows of Mass Destruction.
You are being MICROattacked, from various angles, in a SOFT manner.
Crankshafts are similar, except anything on a car that old can be replaced with a differently-made part which will meet or exceed the original specifications. For example, a forged crankshaft on a car that old could be replaced with a press-fit crank made out of a better alloy, to more exacting tolerances.
A machinist who tells you "I can't make you one of those" either doesn't want to invest in tooling for a particular material (like if you want something made out of titanium, you have to go to a specialist) or just doesn't want to take the job, they can make the same amount of money or more doing something easier. If I were posessed of that many old cars, personally, I'd build a machine shop and learn machining. Anyone can do it, I mean they even have blind machinists, some of whom do amazing work. (It's hard to imagine working with machines which can effortlessly maim or kill you without being able to see them.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If MS believes that blackhats are reverse engineering patches to discover security problems and that their "solution" is to "upgrade" (which may mean replacing hardware as well as software) they have an insurmountable problem.
ANY two OS releases can be compared to detect the changes which can then be reversed engineered. It may be more complex as the security changes are mixed with other changes but blackhats have the time and, it increasingly appears funding, to do the research.
It looks like MS are applying "security through obscurity" as a business policy.
9% of the updates on XP don't require a restart, they just tell you it won't take effect until the next restart.
Um, that means you have to restart to have an updated system...
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Perhaps a comparison is in order to determine if keeping exploits a secret really does help? Take a product that is open source, but which practices security through obscurity by keeping security bug fixes under raps. The first piece of popular OSS that fits this bill is Mozilla. Security bugs are reported to the bug list, where they are only known to a small circle of developers. Those bugs can then be fixed at the developers leisure (for instance the new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) bug which caused Mozilla to instantly crash taking every tab with it was fixed about 10 months after it was originally reported [reported in March 2003, silently fixed in a late January 2004 build of Mozilla 1.6]). After the bug is fixed however it is not formally announced, no advisory is issued to tell anyone to update to the latest build. Only after 2 version changes do the bugs appear on the vulnerabilities list (right now you can see 1.4 vulnerabilities, once 1.7 goes gold you'll see the 1.5 vulnerabilities).
This method has greatly increased the security of Mozilla users browsing experience (when was the last time you where the victim of a Mozilla exploit?). This is despite a long track record of arbitrary code vulnerabilities (almost averaging 1 per month so far as the official list admits), frequent problems with javascript and cross site vulnerabilities, URL spoofing, reading local file and password vulnerabilities in almost every minor version (1.2 being the exception for file reading, unless you count the 1.3 or 1.4 vulnerabilities), and some of the most original mail client vulnerabilities out there (in addition to standard arbitrary code execution) such as being able to permanently DoS a mailbox using a webmail account and a message of less then 20 byte.
The simple fact is that most Mozilla users aren't downloading nightly builds to keep themselves secured with all the latest secret patches (though this has its own risk, like the recent bug that deleted everything in the program files folder) they have remained much more secure than users of IE, who are frequently burned because they only (sometimes) apply the publicly announced and electronically pushed patches after someone takes a month or more to come up with a virus based on them (i.e. Blaster). Of course other software users get burned in the same way too: Redhat servers (including some at NASA) got rooted by the Ramen/Lion virus which was made possible by the public announcement and patching of the TSIG vulnerability 6 months earlier. phpBB2 boards that aren't constantly updated get hacked by script kiddies all the time thanks to open security mailing lists.
The simple fact is that the easiest method of writing a virus (if you want it to succeed) is to lookup a known vulnerability (even though its likely patched by that time) and use it. The people most likely not to notice or understand how to deal with the infection are the same people using totally unpatched copies of Linux kernel 1.8 or Windows 98. Look at the "please run this attachment" user vulnerability - while almost all email clients from the last few years physically prevent this vulnerability (for some time Outlook has even gone so far as to remove executable files from zips) viruses like MyDoom still spread at an alarming rate. The people most likely to let their machine become and remain compromised due to carelessness are also the least likely to watch for updates and apply patches.
And no, I don't think companies should withhold patches, but there is a lot of truth to the concept that telling the world about a vulnerability is the fastest way to get a virus written.
Aucsmith and Microsoft have succeeded in misleading the public by giving the impression that no mechanism other than the ill will of a few fiends is responsible for the appalling state of Windows security. It's not Microsoft... it's not the vulnerabilities inherent in their code... it's the bad guys!
I work with users every day. I've been in the industry for twenty years and I know that user ignorance is a powerful force in sales, marketing, design and support of IT products and services. This Aucsmith debacle is a textbook case of a company depending on it. They know that the average user doesn't have--or want--the wherewithal to think critically about statements their representatives make. It's groundwork for Next Generation computing. It stinks.