Early Warning For Microsoft Premium Customers
techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."
Kind of like the paid customers using slashdot who get a chance to read the clicky links before it dies.
The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.
Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)
Other juicy information from the article:
There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.
So we are suppose to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.
The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...
While that's a good theory... I bet it's really just microsoft praying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.
Let me guess another potential revenue stream for MS?
Security through $$$
another Roadkill on the Information Superhighway
Company gives preferential treatment to its higher profit customers!
I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
*shrug*
Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).
I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.
Reality has a conservative bias: it conserves mass, energy, momentum...
I would re-write one sentence in the summary as:
"Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
(changed "than" to "FROM")
In a nutshell, is this not what MS is doing?
Anybody here actually paid for MS software?
be giving any type of warnings to linux users? Holes in their products affect us as well.
GETPKG - Package Management for Slackware
Why, no, I'm feeling less than special to M$.
First patch?
This seems perfectly valid practice to me. People who pay more should get better service. Think of the subscribers to /. they get better service than the rest...
You pay more, you get more.
Further proof that money talks. Sad.
This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, your car's got a major issue that could cause injury, but we won't tell you about it until we tell our wealthy customers first.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?
I submitted this story last night, and it didn't get posted.
like iDefense do u mean
So you gotta pay to see the vulnerabilities of Microsoft's products in a timely way. And I thought I was anal.
blacklight
......are at greater risk. It's just that premium customers with lots of clients and very large pipes to the internet can probably pose a greater *threat* and can propagate a worm/virus based on said vulnerability faster than the average internet surfing Office user.
-Randy
We are all equal, just some of us are more equal than others.
1. Become premium customer
2. Get early notification of new vulnerability
3. Write exploit to target non-premium customers
4. Profit!
This isn't so bad, it just means that the premium customers get to beta test the patches for the rest of us!
To the making of books there is no end, so let's get started
That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later? But now MSFT will look bad (worse) because the press is announcing their flaws instead of them.
Step 1) Create poorly secured code and occasionally release patches when feeling generous
Step 2) Charge extra to allow earlier access to major security patches
Step 3) Profit!
But just maybe, this might be logical: if you have to update everyone about a glitch in your software, then that would take time*. If everyone starts to download patches at the same time, you just might get slow downloads.
It would be a Bad Thing for MS if their premium customers were the last ones to be notified (as in, turn the story around) or had to wait just as long as some John Doe who copied Windows, to get a patch or download it at some lame speed.
This is just economics, nothing to see here
*Especially if bugs are your business
Maybe I'm reading it wrong, but I never read anything about having to pay for this "service" when they say Premium... do they just mean people who buy a lot more of M$'s programs? i.e. large corporations, and is this just a notice to them because in a large corporation it's a lot harder to update 1000s of machines vs. let's say an office of 15? They just send an e-mail stating that there will be an update; it's not like it actually contains the update.
Loading Please Wait....
M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propagate the most damage to the rest of us). And the average user won't be a premium customer.
Does it seem like M$ is saying one thing and doing another?
You won't hate yourself in the morning if you don't get up before noon.
If you are a hacker you probably already knew. If you are a premium customer you know first, then get to wait for Microsoft to release a patch. If you aren't a premium customer you don't find out until a week before the patch is released. No matter who you are, the patch will contain more bugs than the original problem.
It wouldn't take much for virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.
Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.
Those of us who are lucky enough to have no relationship with Microsoft may find ourselves at even lower risk than premium customers
-truth
I had a steady B+ in my AI class until I failed the Turing test...
....see I don't give Microsoft any money at all, and I avoid their products too, so I'm not at risk either.
Stick Men
As if the vulnerabilities that people are buying under the mask of Windows XP are not enough, this is just plain adding insult to injury. I am ashamed of having to run this crappy OS on my desktop because my company adopted the crap as their standard.
I am speechless at this arrogance they exhibit with their not so new approach. They were doing this no matter what (fixes to the rich first, then to the lowly people); now they are just making it official. Disgusting.
__________
The more I know people, the more I love animals
Or we could all just read slashdot and get the advisories about 1-2 hours later....
I can see there's some genuine reasoning behind this: When they announce an exploit potential, they're serving warning to those who can actually generate the exploit. If they control WHO gets the information first, they can keep their "worst case scenario" customers happy.
Script kiddies aren't likely to subscribe, and if they were, it might make it easier to track them down or trap them.
I can see the logic in it. I don't know if it's a "good" solution, but it must be difficult when they become aware of a problem that has not been exploited yet. It's open season on the security hole thanks to reverse-engineering the patch, but if they don't announce it then they're at fault for a "known hole".
I think anything where there's a working exploit out should be released immediately to everyone, but non-exploited holes might be well served by slowly releasing it to clients that pay to have that information -- and therefore are more likely to listen up and patch their systems.
Why, I hear that even a major Internet news organ is giving early warning of changes in the IT environment, including information about bugs and patches, to a shadowy elite of privileged 'subscribers'.
Whence? Hence. Whither? Thither.
don't tell this to ./ crew.
they may think it's a good idea and provide news first for subscribers..
It's not that regular customers (=AOL-type users) would care to install patches anyway. It'd be funny if it weren't so sad (and wouldn't affect the rest of the internet).
Assumedly, their "Premium" customers pay more than we do, are bigger than we are, and probably stand more to lose in a major outage than small companies, on a $ per $ basis. This sounds like good customer relations to me, and not any different from any other service.
The only question is what it takes to become a "premium customer". Is it simply a matter of giving MS a few bucks, or is it up to them to choose their friends? MS has a monopoly on the ability to patch their operating systems; if they don't market it openly and fairly then perhaps they'll get another visit from the DoJ (well, I guess this depends on what happens in November...).
Disclaimer: I work for a company, but I don't speak for them.
I would disregard the risk comment as an obligatory slashdot troll.
No one is at any higher risk than others since everybody gets the patches at the same time.
Imagine if companies in the car industry worked the same way:
People wouldn't stand for it. Why do they hold software companies to such lower standards?
I'd never heard such a thing (and wouldn't have believed it) until SANS mentioned it in their Security Consensus newsletter last week.
Good grief. First Microsoft starts releasing security patches on a monthly basis because the "release as needed" policy was bad for their image; and now we non-premium customers have even longer delays, having to wait until MS decides to release patches to the Teeming Hordes. What's next?
#DeleteChrome
In terms of the 'badness factor' of this practice: my tax dollars funding CERT should ensure that CERT never does this; that is the big issue. CERT shooting itself in the foot with reliable bug submitters is ignorant.
let me get this straight.
They put out a crappy product, them make you pay for the knowledge of knowing it's crappy?
I already knew that! I should sell this knowledge on ebay, if there's already paying customers out there, there's bound to be millions of other idiots who will bid on it.
seriously though, we already get the updates before Microsoft, from Symantec and Bugtraq. This is very sad for whoever is dishing out money to them.
Runnin' On Empty
Is this the first move toward paying for security patches? What if a cracker got a subscription and released a virus? People would need to wait 2 weeks before they could get a patch? That sounds scary :(
Tell the truth and you won't have so much to remember.
The next Slashdot story will be ready soon, but subscribers can beat the rush and see it early!
You should read the article before jumping on their shit. First, the early warning for premium customers started in November of 2003 - yeah, almost a year ago. Good job catching that one. In April it was expanded to ANYONE who would sign their NDA. Second, they don't release specific details regarding vulnerabilities. All this is intended as is a general advance warning to customers that a security patch is coming out.
This is from the article
Microsoft said it was intended to "help our customers plan for the deployment of these security updates more effectively. The goal is to provide our Premier customers with information on soon-to-be released security updates."
Those of us who aren't lucky enough to have such a relationship with Microsoft
She told me she doesn't want a relation or anything like that.
They are nothing more than a head's up about the number and severity of updates coming. Never any details. You guys can take off your tin foil hats.
This article is garbage. Every company has a system for getting the word out. By telling the premium partners first you're most likely to fix the maximum amount of computers.
Sometimes I wonder if Slashdot moderators are any better than the idiots that show up at World Bank protests. Uninformed, anti-corporation, anti-globalization propagandists!
Keep the black choppers in the garage. There's no conspiracy here.
just came in his own pants.
Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently."
Assholes.
How about if I use it to control heavy equipment and it hurts someone?
No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.
At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?
Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.
For the record, we are an enterprise customer.
My company gets the premium support advanced warnings.
Honestly, they are vague to the point of useless...other than "don't make any plans on this day" when the notices to everyone are released.
What is a premium customer?? Is this like some (non-publicly available) MSDN Million Dollar subscription?
MSFT has done this in practice for years, at least back to 1998 when I worked with a very large 'preferred' customer and partner. We would receive both 1) early notice of an identified exploit or bug & 2) beta patch versions that we could use at our own risk if we needed to immediately fix something extremely nasty.
Same early warning or pre-release patch service was provided by Cisco, Oracle and others.
In other words those people you didn't actually buy the OS they believe they have the "right" to use for free.
... GM announced today that a new "premium" warranty is available for its vehicles. Vehicle owners who purchase this new warranty (only $500, NDA required) will receive recall notices regarding vehicle roll-overs and potential explosions a full month before vehicle owners that do not have the new warranty option.
The Gartner vice president said the notice would be akin to an independent researcher or hacker finding a vulnerability and sharing the information before a patch is available.
There's an idea. If you find a bug, just auction off the information to the highest bidder 3 days before you inform MS...
~Warning!~ The above is encrypted using rot676!
Power to the Person.
If aspiration is a virtue, achievement cannot be a vice.
it's someone who's bought "premium support" off them. it's a package.
Slashdot is giving early previews of stories to paying customers. Those of us who aren't lucky enough to have such a relationship with Slashdot may find ourselves at greater risk of missing the story than premium customers as a result.
Tech, life, family, faith: Give me a visit
From the article: A separate patch with an "important" rating ... was sent only to premier customers.
What? You have to be a premier member to get a patch? We must pay extra for basic security?
MICROSOFT
YOUR PRIORITIES NEED TO CHANGE
...Microsoft is basically just telling certain people whether it will release any patches, and if so whether any of them are deemed "Critical" patches so that sysadmins and IT depts can schedule folks to be on hand to take care of things. It's not giving these folks any intel about what the patches will fix or what vulnerabilities they address. that said, I know of few IT professionals that rush out to install Msft patches when they first come out.
...because you never know who you're dealing with.
Give this program one month and the hackers will have a worm that targets only those customers that have Microsoft Update registry keys identifying them as elite. 3l33t h@x0r$ everywhere will want to prove that title only goes to them.
Pay us or we WON'T tell you about the next worm/vulnerability.
Wait, that's not terrorism, that's extortion.
I don't mind them withholding premium services as long as there are no safety issues with doing that.
For example, a hospital that ISN'T paying Microsoft through the nose for these "heads-ups" can have its medical data destroyed because of it.
For SHAME, Microsoft, for shame.
I don't know the meaning of the word 'don't' - J
i work in pharmaceutical research. my machines dose clinical trial volunteers, and record trial data, which then goes for clinical submission to create new drugs. of course faulty software can be lethal.
Money is the only language that Microsoft understands. The idea of doing the "right thing" is beyond them.
I view this as an attempt to short out the potential of the Zero-day exploit. When everyone is informed of a vulnerability at the same time, it's not long before an exploit of this vulnerability can be engineered out. Hopefully, by restricting access to the information early, they are able to protect the resources of their biggest customers, and judge by the response how this is going to affect the rest of us. Point to note though, as some other poster has stated, this may not be effective if one of the people in the know acts maliciously to produce an exploit before the patch is made available.
No Sig. Sigs are bad, mkay?
Starbucks, Harbuckle of Breath.
Date of internetnews.com article: September 10.
Date of slashdot post: September 14.
Date of Microsoft bulletin: September 14.
Apparently you have to be a slashot premium subscriber to get early warnings, too.
What? You have to be a premier member to get a patch? We must pay extra for basic security?
... was sent only to premier customers.
The article actually said: A separate patch with an "important" rating will be issued for Microsoft Office customers, the company said in the notice, which was sent only to premier customers.
Far from your edited version: From the article: A separate patch with an "important" rating
The article actually says that a NOTICE was sent only to premier customers, not a patch.
Dedicated Cthulhu Cultist since 4523 BC.
Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected. "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk."
It sounds like they're using Homeland Defense's Terror Threat level method of marketing.
Be careful, the threat level has been raised to orange due to possible security vulnerabilities in one or more Microsoft products.
by Max Barry
http://www.maxbarry.com/jennifergovernment/
It gives an interesting look at a hypercapitalist world. It's also a highly entertaining read.
Dude,
There is now profit to be made in "owning" a large group of infected windows machines for sending spam, and packeting sites. Think about that.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
I find the overall slant of the topic to be disingenuous. Why shouldn't PAYING customers, you know those who pay the bills, get "preferential" treatment? If you don't like eating table scraps then pull a chair up to the table and pay for a meal. Being a 'nerd' doesn't mean one has to be a socialist. The same thought applies to Open Source Software. Those who contribute (you know time, money, sex) generally get more attention than those who don't.
It isn't unfair. It's life. Whether it's Micro$oft, CERT, or OSF, those who help keep the lights on generally get to see what's happening first.
My first thoughts on this were:
1) Can I subscribe and just repost all of the early warnings on a website somewhere, or are subscribers bound by an NDA/EULA type thingie?
2) What about black hats subscribing to the service to get early info on new holes that won't be patched anytime soon?
do not read this line twice.
So let's sign up OSDN (under a pseudonym like WeLuvMS.com, of course) as a preferred customer, and post the notification here on Slashdot!
10b||~10b -- aah, what a question!
What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.
Patch one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.
The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.
Last January, research firm Next Generation Security Software (NGSS) severed ties with the federally funded US-CERT and accused the organization of selling early access to vulnerability warnings long before vendor fixes are made available.
At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. "The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued.
You're right; I totally misread that. How embarrassing.
I take it back. Except for the last bit.
First it was enterprise customers not being burdened with product activation, now they're getting advance warning on vulnerabilities. ROFL! Nice going Redmond. Another demonstration that the millions of little people using your busted-ass products are worthless little annoyances that you'll get to sometime after you take care of your important customers.
It used to be fun watching the MSFT faithful take it up the pooper but after a while it's just kind of pathetic. It's lost its appeal as a spectator sport.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
They are not giving patches away early, nor details of the vulnerabilities. So this won't mean we'll 'find ourselves at greater risk than premium customers'. I don't expect most people to read the article before posting, and it is apparent that the editors stopped reading them ages ago too, but now even the guy submitting it hasn't read it?
Posts claiming it's extortion are way off-base.
If you need advance notice that a patch might be coming for, say, Outlook, pay for it. It sounds like a service of dubious value, as you won't be able to test the patch any sooner. I guess you can make sure your crack team of roll-out testers aren't all on vacation that day, but that's about it
RTFA!
Mark
Liked this comment? Why not buy me something nice
Microsoft should have this on the top of their webpage:
"There's a new major virus outbreak - premier subscribers can beat the rush and see it early!"
But now MSFT will look bad (worse) because the press is announcing their flaws instead of them.
Isn't this generally how it's been working anyways? I mean, MS seems to not want to acknowledge their bugs until absolutely forced to.
Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result.
Meaning those of us who aren't premium customers will have a greater risk of getting hit by auto-propagating worms, meaning they'll attempt to auto-propagate themselves everywhere once infected, meaning they'll drain the bandwidth of the premium customers anyway, meaning... wait...
Demanding constant attention will only lead to attention.
http://www.mtholyoke.edu/~rzdalea/cs100/software_
http://www.baselinemag.com/article2/0,1397,154440
Also google for Therac-25
What if Ford, Honda, and GM decided that they'd let their big customers (companies with fleets of cars) in on safety recalls before joe schmoe who has just _one_ car that he drives his kids around in. Would that be a big deal?
It's not that they're giving new and exciting features to preferred customers, it's that their product is defective and they couldn't be bothered to give a sh*t about the little guy.
---
Play Six Pack Man. I
the screen "Running Windows for the first time" should have been warning enough.
For Microsoft's law firm and for plaintiffs' attorneys. I can already hear the class action lawyers cracking their knuckles and getting ready. I'm sure the non-premium customers are a very large group.
How does one become a "premium customer"?
Dedicated Cthulhu Cultist since 4523 BC.
It's well known that some crackers analyze what's changed in Windows Updates, and find vulnerabilities that way.
Well, invariably, some of the patches or info they release to their "premium" customers will find their way to the virus writers. Viruses will be written to take advantage of holes that aren't even patched yet for the general public.
Suddenly, "keep your computer up to date" isn't good enough anymore. And there will be weeping and gnashing of teeth and planes falling from the sky and such.
I've got more mod points and GMail invi
why don't you just NOT use IE.. hmmm? I mean not only will you not get any malware to deal with you won't have to pay to be a premium member to get bug reports too! sounds like a great deal to me.
or are you just complaining about something that doesn't apply to you?
did you forget to take your meds?
All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.
There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.
You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include ' sorry, I can't give you any details about Tuesday's patch'.
Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.
--R.
I can only wonder: MS really is in quite deep trouble with their customers, especially those who have paid big bucks to have the right to upgrades of their products. Since Longhorn is a long way out, and any upgrades (OS or Office) seem not hugely attractive, why is anyone paying the maintenance fees, which were designed to save you money on product upgrades?
MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now, they desperately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.
Playing this security card shows an amazing act of desperation by a wounded giant. If even Gartner starts to criticize MS, there is a lot going wrong in the belly of the beast.
It's not that you're important or not, but under this arrangement you're paying the thief or arsonist responsible for the impending mess. Don't like it? Don't reward them for it by buying in. Usually such bargains as this come in the email with headings like:
I pity da foo
A feeling of having made the same mistake before: Deja Foobar
We get them too. (And the right terminology is "Premiere Customer" heh)
They are useless. We'll get an e-mail from our TAM saying "We're going to release a bunch of patches for a bunch of stuff. There's no ETA - it should be soon. Thanks."
Since patching Windows and other MS stuff frequently is just a part of the system nowadays, it really doesn't matter if you know a few days ahead of time. They don't give us the patches any sooner than anyone else, so it doesn't make us less vulnerable. They don't give us specifics, just that "A patch to RRAS will be released soon to address a vulnerability."
This is anti-MS FUD. I'm a Linux lover and MS hater just like the next guy on slashdot, but this crap is just as bad as the crap Balmer spits out every time he opens the pie hole. Rise above!
- It's not the Macs I hate. It's Digg users. -
The paying customers get immediate 911 support, and the regular citizens, well, we'll get to you when we can. You're not important.
Absurd, yes. Too bad it's real.
Ask any inner-city resident whether they feel they get the same emergency response service available in suburban gated communities.
what part of "fuck you! pay me!" didn't you understand
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
That's not fair, slashdot should give their information out freely to everyone...
Oh wait, they do, they just treat their paying customers a little better...
I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?
According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.
Or on the boot-up screen. And then charge us for the early warning. Yeah.
Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.
Pay us lots of money and we will give you advanced warning of vulnerabilities to protect you from the rest of our customers and their owned boxen?
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
Because we all know rich people are better and more important than anyone else.
Someone's going to be bitten by a security hole between the time of the pre-announcement and the patch release, and it will come out that if the person had access to the pre-announcement he could've prevented or mitigated his pain.
Some lawyer's going to jump all over this and sue MS.
The case will probably be tossed but the PR damage from MS may make them wish they'd kept things under wraps.
Only in America. Sigh.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. build buggy software
2. ??? = charge people for the knowledge
3. Profit!
what a twisted world we live in
This is an early warning M$ gets hacked just about as often as I change my underwear (1 x week)
/End Warning
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Should the list of unalienable human rights be modified to: Life, liberty, the pursuit of happiness and knowledge of when the next software updates are arriving?
Microsoft will cater and pamper the ones with the bucks. The ones that have the huge contracts..
Those of you who are in small business or home users, well, you get the leftovers.. Oh, we wish you luck...
This isn't a new thing, they have always given the enterprise license holders unfair advantages that help reduce support costs.. why change now?
---- Booth was a patriot ----
They're basically saying: become a premium customer or else you'll be vulnerable to our security holes.
What's to stop MS from covertly leaking their vulnerabilities leaving the rest of us wide open?
The ordinary citizen is the paying customer for the emergency services... it's called taxes.
Did you not make the connection between taxes and those services? Have you never actually stopped to think about what it is your taxes pay for?
Now if your house catches on fire, and you have family trapped inside, I'll be happy to "pitch in and support" as per your vision of an "Open Source Fire Brigade".... myself, I'll be hoping the real emergency services turn up along with ambulances and a swift trip to hospital.
"Um Doctor, sorry I mean John... are you supposed to be cutting that?"
*sigh* "RTFM wouldya, it says, step 5 cut the aorta in a clean upward stroke.... hang on.... damn! This is Open Heart Bypass Surgery For Dummies! Where's the Gallstone Removal For Dummies?!"
mod parent up!
This is the real world, paying for extra service is part of every industry.
You, being a 16-year-old over-achiever, register yourself with Microsoft as a preferred customer using your daddy's company credit card. At that point, you learn of the impending vulnerabilities and release one hell of a worm virus on the net. Stick a fork in me, I'm done...
-- Game Developers: Stop porting badly-textured games from crappy console systems!
You don't get a warranty, after agreeing with the EULA, you don't get diddly..
You have agreed not to hold them liable for anything, and not even a guarantee that the software performs the advertised tasks.
All you get is the option to return it.. That is if you haven't used it, then they will refuse claiming you are a pirate..
Don't we just love signing rights away? We must, as a hell of a lot of people do it every day...
So the premium cashcows^h^h^h^h^h^h^h^hcustomers pay money to help MS debug their 'fixes'. I can live with that.
In many EU legal systems there are liability terms; if MS is capable of warning customer A and reneges on warning customer B then it is liable for damages...
Product liability in software after all.. the only way out is to give the software free of charge and then it is as is. This would be the ultimate killer for OSS alternatives as many would choose free, vulnerable MS (many do already in the form of warez) over migration. This would prove the ultimate domination strategy.
-if at first you don't succeed, stay the heck away from paragliding.
Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.
The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.
May we never see th
Microsoft's security patches have become a complete nightmare. Withholding information that could have severe security implications for confidential customer data is in no way acceptable. On my company's network, MS boxes keep having to be rebooted because of their stupid patches - which means aborting large computational jobs that are running on these boxes, and praying to Lord Bill that they will come up again (which they usually do these days). As a company, we have just decided to abandon Microsoft platforms (partly because of the slow 64 bit support [absolutely crucial for the type of software we develop/use], and partly because of the dismal security record). This is not a decision taken lightly, but we are a multi-platform shop, already with some 50%+ of machines running Linux, HP/UX, or Irix, and we do have the trained staff to cope with a stepped migration. Microsoft has no one but themselves to blame for the loss of their customers due to ill considered feature security implications.
Sometimes you people are so hyped up on anti-Microsoft jargon that you forget economy 101. You pay for a service, you get that service.
Same with anti-virus software. You pay to get the protection; if you don't, you don't have anti-virus..
Makes sense to me, that if you pay for something, you get it; if you don't, you don't.
Capitalism doesn't 'entitle' anyone to anything. You pay for what you want, that's how it works.
Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result.
It is not as though someone is forcing you to use Windows. If you don't like it, don't use it.
Protection money. Terrific.
"You will see that we get a cut of your income, or else we cannot guarantee the safety and lives of your loved ones."
What's the problem with people - can't MS do ANYTHING right? No matter WHAT they do there is some Linux ("we do everything right") bigot complaining. Seriously.
First - the customers who get early warning, under NDA, only get VAGUE information. Is the update for Windows or Office or Exchange. Is the update important or critical. That's it.
Let's look at this for a moment. Like any feasible decision process we'll have to make a few assumptions. Let's divide all MS customers into one logical breakdown: large customers and small. Your small customers are, IN THEORY WITH SOME EXCEPTIONS, able to apply patches faster if they need to. Large customers need prep time - "gee, patch in Office that is critical.. what do we need to do?". Sure, both small and large companies probably have to do testing but the complexity for a large enterprise (150,00+ hosts) is greater.
Now let's think about the reverse engineering of patches that the black-hats do, meaning that the risk of exploits is MUCH greater after the patches are released. Even the announcement of the vulnerability focuses more research. How can MS let the bigger customers get a head start so they have SOME chance of getting patched before the exploit comes out? Advance warning of the scope. How do they know who the large customers are? Premium support.
MS isn't the only company to offer premium support. Look at your AV vendors - they give premium support customers much better information about viruses. That's the way of business. Deal with it.
No, I don't work for MS.
So when a Premium Customer buys the product, the box says right on it, "Windows is not even remotely Secure"?
That's really all the advance warning that anyone needs.
MS has long had a policy of not announcing vulnerabilities publicly until such a time as they have a patch for it. Right or wrong, their reasoning was to not publicly identify those vulnerabilities to more potential hackers. This new policy does not change that announcement schedule EXCEPT for the premium customers who will get a heads up prior to the public announcement. No changes for the public policy. You still won't know about the hole until they announce a patch, or someone else publicizes the hole.
"Millions could be wiped off the economy of major countries."
Is this anything like the "millions" loss that piracy could cause?
...they figured out how to leverage security flaws for increased profits.
Paranoia is a Survival Trait!
Oh good lord! Terrorists??? Are you people just not R'ing TFA, or are you simply lying to spew blind Microsoft hatred?
Contrary to what some morons are saying, Microsoft IS NOT withholding patches from people who aren't members of their premium service. They are simply giving NOTICE to premium customers earlier!
Get your stories straight, people. This kind of nonsense makes you sound like foaming-at-the-mouth fanatics.
"Ask not what your country can do for you." --John F. Kennedy
>They are simply giving NOTICE to premium customers earlier!
You're right.
I expect police will respond to a 911 call from a rich neighbourhood before responding to one in a poor neighbourhood too.
Thanks for showing us all the error of our ways.
Here is a "flow" of a threat warning coming into MSFT's "business process"
Part A
[some notice of a possible problem] | yielding a warning to the general public (If there is a real problem).
Part B
Develop and communicate a response/fix to mitigate the issue.
It seems ok to let premium users get a pipe from the with the understanding there will be false alerts, false positives, and of course some real early actual alerts as well. That's the sort of thing you can do with really good customers whom you know to understand the nature of the warnings (e.g., not vetted).
It is ethically "wrong", however, that vetted threats be released to some but not others. This is wrong in part given their monopoly market share.
Also it would be wrong to let premium users know about vetted problems before there is a mitigation while waiting to tell the general public only after a tested mitigation is found/released.
Waiting to tell the general public until after there is a fix is wrong in part because even if there isn't a solution users could choose to turn off their computers, disconnect from WAN/LAN or even run Read-Only based OS implementations.
http://www.hawknest.com/
...The National Weather Service has announced it will offer early warnings for natural disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.
It's hilarious that people are all upset about MS releasing a patch to premium customers (which isn't really what the article says), when just a few weeks ago everyone was griping about SP2 and saying they weren't going to install it right away in case it was really buggy. So what good would the early warning (which is really what it is, not actual files) do you?
W.E.P.
So Microsoft is profiting out of:
1. Building a necessity to be informed because of failures in their software
2. Making these failures so deadly that quick action must be taken to save money
3. Screwing up all their patching, and taking time to patch the vulnerabilities they do patch
So, the more they do the above, the more money they can take from those companies now learning the meaning of being 'tied to a large metamorphic rock plunging happily down into the Mariana trench'.
Microsoft - a monopoly in profiting from failure, fear, and fraud.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Just as the case with the car, this opens up Microsoft to a bad liability situation. If they had a solution or a warning but didn't make it available and that cost someone a lot of $$$ or worse yet an injury, this opens them up for a lawsuit. If there is a class of people injured in this fashion, then it gets even more exciting!
This makes it much easier to prove that they knew -- especially if they told some of their higher paying customers first. Can you say conspiracy? Negligence? Then, are they going to copyright that information? (The warning, that is...) Can you be sued because you "spilled the beans?"
Yes, I'm an Anonymous Coward. Do you have a problem with that?
Microsoft has been releasing early warnings for months, and they have regularly leaked to the press. The contents of the warning include very little information: the number of vulnerabilities, the severity level, and the products affected. You might be able to infer which people you have to force to do overtime (Microsoft patches aren't released during business hours in all parts of the world), but apart from that, the information is not very useful.
Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.
All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in collaboration.
I am offering a low-cost service to users of Microsoft products. For a mere $5, you will receive a notice that says:
WARNING -- Your product is riddled with security holes!
There, now people can be warned.
Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
What designates a "premium customer?" It looks like Microsoft has found yet another way to make $$, this time off their (more than) questionable security practices.
We all know there are vulnerabilities in their products, which is why the more intelligent of us simply run another OS. Who wants to pay them $$, just so they can tell you what you already know?
I'm sure I'll get modded down for this, but this is just more anti-Microsoft FUD from Slashdot. Remember boys and girls, Microsoft == evil, Bush == evil. Make sure you toe the line with your liberal/Linux groupthink and you'll rack up the karma. Christ, you'd think the readers would have caught on by now and stopped reading the leftist mouthpiece that is Slashdot. Moving slightly off-topic, Dick Cheney needs our help. He's running a little low on funds and we'd all appreciate it if you'd make a donation. Just make the check out to Halliburton Inc. Word out on the street is that the first fifty donators get a gmail account. Think technology, people, think technology.
A car company recalls their last car model for defective brakes only to their higher profit customer.
The warning for the normal customer will be issued 2 weeks later...
</joke>
Every company has the right to give "preferential treatment" to its higher profit customers.. but we're not talking about discounts or special offers.. we're talking about defects and vulnerabilities and I guess all the customers have the same right to know if they're using an unsafe environment.
On the other side, as stated on the article, it makes perfect sense to warn "critical infrastructure company" before releasing information that could be used by malicious users.
This message doesn't need a sig
The boys in Redmond have figured out a way to wrench even more profit from their poorly designed, bug-ridden software... I was beginning to worry for a minute how they were going to pay for all the R&D on Longhorn and Xbox...
What is the next logical step for MS? Intentionally introduce more bugs to get more customers to sign up for the premium service?
Or needlessly delay the release of patches for the same reason?
This is almost a strong-armed shakedown.
MS is basically saying "..Yo buddy, we knows you gotch yer license, but see it's like this, Billie boy says youse gotta cough up a little more dough, or things just ain't gonna work out the way you planned..."
C'mon M$, if your customers already have a license for your product, and your product is broken, then it is YOUR (Microsoft's) responsibility to FIX it........
You must have missed the Surgeon General's warning:
Use of Microsoft software has been shown to cause severe data corruption and loss.
Friends don't help friends install M$ junk.
I am not a lawyer, but maybe a lawyer could comment:
Wouldn't a security hole have the potential to affect MS's stock price?
If so, would pre-notifying "premium customers" qualify as insider trading, etc.?
Microsoft apparently isn't content with creating security holes with code bugs only. They have to make things even worse by a buggy approach to disclosure.
You know, I was thinking... this might be a way for Microsoft to look good in terms of responding to vulnerabilities.
Imagine: security hole found in IE by Joe Slashdotter. He tells MS. Two months go by, with no response. He publishes the hole. Only then does MS jump on it. When castigated, MS says, "Oh, but we already notified both of our premium customers ages ago! It only APPEARS to these Slashdot people that we took a long time, because for some reason they didn't sign up for our Premium Let-Us-Tell-You-How-We-Screwed-Up-Again Early Notification service!"
Quite the valid comparison! After all, we all know what it's like to be faced with LIFE AND DEATH computer problems! Won't somebody PLEASE think of the CHILDREN?!!?
Doesn't my purchase of "Windows 98 - SE" three years ago qualify me as a "premium customer"? I spent nearly $100 on that!
I wish different terminology would be used here. "Premium" can refer to an actual MS product, as a Premium version browser and other Premium software for using MSN exists. I have it because MSN is bundled with my ISP. (It's an AOLish browser, and I have to use my regular ie browser whenever I want to modify functionality to the degree I want. I usually just use Mozilla these days for security reasons though.) "Premier" seems to refer more to an economic relationship. While reading the whole article for context helps, using both words as if interchangeable is initially confusing.
The difference between
We've all been wondering what step 2 was. Now I guess we know. Great way to capitalize on the insecure nature of the software they write. It might even provide better motivation to be less secure. Swell plan guys!
"Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days."
I'd say that the timely notification that I had faulty brakes would be important to me! Everyone has a right to know about the defects that will affect them, that way people can take steps to mitigate the risks without waiting for MS to get around to fixing them (if they ever do...)
Only on Slashdot could such an utterly ridiculous statement be moderated Insightful.
Dear Valued Microsoft Customer,
As part of our increased security efforts, we are warning you in advance of the following exploits slated for next week:
35 Internet explorer related exploits
13 DCOM exploits
8 RPC exploits
683 Unknown exploits
Please check windowsupdate over the course of the next few months for security fixes.
PS: You can secure yourself from these exploits now by upgrading your version of Windows for a low price of $199.
I have two issues with this.
1) If vulnerability information is sold at a premium, then those of us who find vulnerabilities should receive the largest royalties. Is it fair for us researchers to basically blackmail vendors?
2) Should vulnerability information be disclosed only after a GNU (type) agreement is made to outline the correct (non-profit) behavior in vulnerability mitigation and proper credit?
Microsoft has been very good at giving credit to researchers etc, and I believe they (like many others) are successfully jumping on the security bandwagon; however the overall conclusion for security problems is this.
Should the vendor pick up the cost of vulnerabilities as a part of the development q/a process, or should the consumer allot a budget for this and assume this as normal business costs?
If the latter is true, should software companies be rated on their product/service security history as a sign of good business/product?
What about open source projects, take BIND and djbdns. I know Vixie personally and have attended a Bernstein lecture in Chicago. They _BOTH_ are good people, however BIND is the overwhelming standard for DNS servers. Should Bernstein charge for vulnerability information? Hells no, but he does offer money to someone who finds a vuln in his software. Why don't WE as consumers receive some of our money back when there is a vulnerability in the software I purchased? Especially if the vendor is receiving money (in the form of premier service contracts, or direct revenue explicitly for vuln info) to deal with the problem.
I will be honest and admit I see both sides of the situation, however IMHO this will only lead to more 0day posts of vuln+exploit code publicly or shady business practices.
My conclusion is this;
For-profit vendors (Enterprise and Consumer) should have an auto update function, and secondly the vendor should provide loyal customers discounts (in an amount equal to the criticality of the vulnerability to 50% the cost of the software which was vulnerable; and any additional cost if legally proven) on future products for each vulnerability which affects the customer.
For example, if I buy a single copy of Windows XP at $100, and a vulnerability was found which opens a remote system level compromise I should receive an auto update and $50 credit off future Microsoft products. Vendors won't like this solution but $1 million Oracle deployments with daily critical vulns deserve it. Microsoft really wouldn't be ruined by something like this, no more than the patent lawsuit bullshit.
Thanks for proving my point for me: http://it.slashdot.org/article.pl?sid=04/05/04/2354241&tid=172&tid=128&tid=201
It sucks, but there we are.
As people have time and time again pointed out, a patch for the vulnerability that allowed Sasser to spread had been available long before Sasser became a problem. That was a case of lazy sysadmins, not Microsoft.
Doesn't this have criminal negligence written all over it, at the very least class action? I wonder if that's how their licensing is labelled internally:
Premium (we tell you about the fucked up shit that we shipped)
Standard (the FBI may come to your house some day because there were security vulnerabilities that allowed a kiddie porn ring to be based on your computer)
What do you think they'll be able to charge for software that actually works? We may never know. Managing customer expectations is a sound business practice - don't set the bar too high or you'll just let them down.
Automotive counterpart:
BMW 720L $50K
BMW 720 - steering wheel may fall off with no warning $35K
BMW 720e - has been known to spontaneously combust $30K
Hey;
What are you expecting??? This is pay to play! This rule applies everywhere you go.
The trick here is to just turn off stuff that you know is a problem, keep it updated as stuff comes along, don't go to those "sites of ill repute", and you'll be more or less fine.
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
If you continue that analogy even further, what is the user going to do? Not drive for a week until he finds out whether the unknown problem is one that affects him. Unless he is told that the brakes are potentially bad at +80mph, he doesn't know whether he can drive safely at all. But he needs to drive to get where he's going.
Same with these corporations. Being told that there is a bug / security risk without adequate detail doesn't help. Unless they are told the exact circumstances of the vulnerability, their choice is to use a potentially unsafe system or pull the system offline. Not a very good choice, especially if it turns out the security risk is only an issue under certain circumstances (like running more than 5 copies of IE simultaneously).
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
I'm posting this anon because I don't want people to know that I've been posting this information... though I'm not letting anything confidential out.
I work for a premium customer of Microsoft... and yes, the article's actually true... to a point. You see, what the article doesn't mention is that these "heads up" conference calls are so that big customers with lots and lots of boxes to patch (thousands in our environment) can get ready for a rollout, get an idea of time taken, and plan for headcount (consultants) if required. This allows us to better plan our rollouts, and thus be more "on top of it" when the patch is released. All the information we get is under an agreed NDA, so no I can't talk about the content of the latest call. All I can say is there ARE updates coming soon...
Yes, I know what they entail... I know what vulns they fix... and no I'm not saying.
Optionally, yes we are given the opportunity to download beta patches from MS... but note they're BETA. At the time we get to hear about them they're in early testing, and many of them have caused irreparable damage to boxes we try them on. This is why I like undoable disks in VMware ESX... I can test patches and if they destroy a VM I can roll back the change in a few minutes.
While yes, potentially we get a fix for a problem before the masses, that also means that we can get a fix that causes all kinds of exciting new problems that won't get fixed because a beta is by definition UNSUPPORTED! Note also that having a beta patch on your machine CAN prevent you from rolling out the final patch when it's released, thus potentially leaving you vulnerable indefinitely.
While I see why some people are getting this knee jerk reaction about "us and them" and MS Premium customers getting preferential treatment, it's really not an accurate portrayal. Point is that we as a premium customer lend our support in trying to ensure the final patch works properly for "the masses" by beta testing these patches. In exchange, we get to hear about the patches up to 6 weeks in advance so we can plan the rollout and test the patches during that period. The fact that we also spend a huge amount of money with MS every year doesn't hurt our standing with them in the slightest.
I know this will probably get modded down or ignored due to being Anon... but hopefully enough people will see this information to make my typing it worthwhile.
I work in a place where we work on various average user computers. I notice that some people don't have patches that were available in 2002. Most people will not care that there is a new security update available when they haven't been getting them for years anyway. And it won't matter to me if I have to wait three more days to fix a security hole that has been around for a few years anyway.
It's all so simple.
1. Pay $$$ for Microsoft products, complete with security vulnerabilities.
2. Pay $$$$$$$ for a "premium" relationship with Microsoft so you can get early fixes to those vulnerabilities.
3. Pay $ (or no $ at all) for OSS solutions that have no such vulnerabilities -- or, at least, quickly identified and patched vulnerabilities.
-- The reason it's called the right wing? Irony.
To: Corporate Customer
From: Security Department
Subject: Another patch...
We're currently working on a patch for the gigantic hole we left in our code and then sent on to you as enterprise grade software. We consider this security breach a code Dark Golden Rod; we're not sure when this might impact you but don't worry, in 1-2 weeks we might have a patch for you. In case of panic cover your entire machine with duct tape and plastic wrap your disk arrays.
Ciao.
I think there's a psychological explanation here (I kid you not): researchers found some time ago that people attach more weight to opportunities missed than to opportunities grabbed. If you had a chance to earn $100, and skipped it, you feel bad about missing that chance, more than you feel good if you grabbed the chance and earned the money. It's like bad publicity sticking longer to a brand name than good news involving that brand.
Features are sexy, reliability isn't, even if it's important. I hope that for software at least, times are changing. But don't count on it.
There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.
Yeah, but they get more chances of marketing directly to you ("oh and BTW, here's information you might be interested in...").
Wheee!
The chain is as strong as the weakest part.
Regardless of premium parts or regular parts.
But there is nothing surprising here. We are talking about Microsoft, they have to meet the expectations of The Street each quarter.
They have to be innovative - at least in generating revenues.
*Modified slightly to get past lameness filter*
Microsoft Security Bulletin MS04-027
Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
Bulletin URL: http://www.microsoft.com/technet/security/bulletin/MS04-027.mspx
Version Number: 1.0
Issued Date: Tuesday, September 14, 2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Patch(es) Replaced: This update replaces the security update that was provided as part of Microsoft Security Bulletin MS03-036.
Caveats: None
Tested Software:
Affected Software:
* Microsoft Office 2000 Service Pack 3 Software:
- Word 2000
- FrontPage 2000
- Publisher 2000
* Microsoft Office XP Service Pack 3 Software:
- Word 2002
- FrontPage 2002
- Publisher 2002
* Microsoft Office 2003 Software:
- Word 2003
- FrontPage 2003
- Publisher 2003
* Microsoft Works Suites:
- Microsoft Works Suite 2001 - Download the update (same as the Microsoft Office 2000 link)
- Microsoft Works Suite 2002 - Download the update (same as the Microsoft Office XP link)
- Microsoft Works Suite 2003 - Download the update (same as the Microsoft Office XP link)
- Microsoft Works Suite 2004 - Download the update (same as the Microsoft Office XP link)
Software Not Affected:
* Microsoft Office 2003 Service Pack 1
Affected Components:
* Microsoft WordPerfect 5.x Converter
Technical Description:
* WordPerfect 5.x Converter Vulnerability - CAN-2004-0573: A remote code execution vulnerability exists in the Microsoft WordPerfect 5.x Converter. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
Not to use Microsoft products.
100% Insightful
You're missing the point:
I wrote that sharing critical information with EVERYONE during an emergency is the right thing to do.
I don't know the meaning of the word 'don't' - J
The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.
/. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.
The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.
And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.
Most of the anti-MS FUD on
We don't insert bugs into YOUR code. Be Secure, Be Reliable, Be Microsoft. [que darth vader theme]
To HELL and back?
OK, uncle. Where's the Koolaid?
There are some governments, companies, and individuals that still drink that stuff?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
My entire business is Microsoft free....except for this one machine I'm using that will soon be reloaded with Linux. *shrug* No skin off my ass any way you look at it.
You mean I'm not a premium microsoft customer? *sniff .......Welcome to RedHat!..... Install?..... 'Y'
The Property of One's : "The Oneitude is directly proportional to the Colditude of the one." - S.B.
Pay us today so we may tell you that you might be protected from future vulnerabilities.
Man I need a business plan like this...
--WooooHoooo--
Actually wait it's the entire security industry!
Many people sell 'sploits these days, get over it.
Oddly MS is the only one here who *isn't* selling them. Look at the article again and try to get past the first few paragraphs.
First, "the program was expanded in April 2004 to include all customers who will sign an appropriate non-disclosure agreement". Yes, you have to be a customer, but it includes mom and pop shops as well.
Second IF you read the last few paragraphs you'll likely notice this line:
"At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available."
CERT is someone you wouldn't expect to sell information about vulnerabilities. But wait... it gets much better.
iDefense has built an entire business model over this. They sell information about vulnerabilities to their client roster. If you've ever seen an advisory from iDefense, there is a timeline at the bottom. The disclosure always starts with the vendor, then its client list, then the public.
Here is an example from an IBM fault injection advisory
VIII. DISCLOSURE TIMELINE
04/21/2004 Exploit acquired by iDEFENSE
05/05/2004 iDEFENSE clients notified
05/05/2004 Initial vendor notification
05/07/2004 Initial vendor response
06/23/2004 Public disclosure
Let's see now, clients notified 5/5 and public notified 6/23!
Ford issuing an advance notice to its fleet customers so they can prep for the downtime.
Everyone gets the recall work done at the same time, but the fleet customers need a heads up so they can schedule things to minimize the impact to themselves ( and their customers ).
Now, don't get me wrong, I dislike much of MS's business practices as much or more than most. I don't see this as a legitimate item to throw stones at them about.
I am truly amazed at how the industry has woken up to the potential a simple shift of priorities gives us all. It's refreshing to know that if you scream loud enough, even Microsoft can "get it."
I do not fail; I succeed at finding out what does not work.
At least until 2001, NYSE could boast of having one and only one Windows-based PC on the floor, and it was used to monitor another system. If it BSODed, then no big whoop. Everything else was custom-coded Unix derivative.
So, how many Windows boxes run in the NASDAQ (NWII) cluster? How many Windows boxes serve Bloomberg? What about Reuters terminal service?
Yeah, right.
Just read Bugtraq and NT Bugtraq, and you'll know even before Microsoft!
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Much to Microsoft's dismay, a workaround has been found allowing non-premium customers to get an earlier warning than Microsoft gives to its premium customers, and often an earlier warning than even Microsoft itself has.
Information on this workaround is here: http://lists.netsys.com/mailman/listinfo/full-disclosure
This is about the same "early warning" methodology used by linux via mailing lists. Possible security issues are discussed quite quickly and 'decided upon' on these boards. No big thing. As far as the PAY as U go M$$$$$$$$$ thingy, well, we all know they are not there to "serve"..... They are there to empty pocketbooks.
Uh, why should I worry about whether or not one of the "preferentially treated subjects" leaks the information? That is as likely to be helpful to me as not. As for the "couple of bucks" buying the vulnerability information, I cannot help but think that reinforces my original point. You get what you pay for.
http://shit.slashdot.org/article.pl?sid=04/09/14/156244
You don't want early patches anyway... then you'd be paying extra $$$ to beta test the patch for the rest of the masses...
:)
I guess at least there would be less undoing of botched patches for the rest of the masses!
This is just like the Justice Department:
:-)
"We've raised the alert level in recognition of a general threat"
i.e. There is a threat. We're working on it.
Big deal - who cares? Just because there's a general threat, what, am I going to go and hide in my basement?
Similarly, so what if there is early warning - no specifics, no technical data - who gives a shit?
This warning is BS. Sorry. It's a valid reason to hate MS. (As if we really need a reason?)
Generally you find that organisations who are Premier customers either have a massive install base of Microsoft products, or have systems they see as mission critical running on Microsoft, and require Premier support that they are willing to pay for.
These environments generally require extra testing and rollout strategies, so I don't see how customers who pay Microsoft for Premier support, or Microsoft themselves, are performing some evildoing by receiving information that there is a patch coming out in the next two weeks, so get your testing cycles and deployment strategies ready.
BTW, these emails from Microsoft are under an NDA.
Cisco does exactly the same thing...
When the IPv4 bug came out (the bug that struck about everything that was Cisco branded), we were warned and patched by them for all of our routers and switches about one week in advance.
That's the kind of thing that is necessary when you're a big ISP, but that is totally useless when things like 0-day vulnerability warnings are sent out by lists like Full Disclosure that don't respect much of anything.
RedVortex
(1) Build an insecure and unstable operating system and get everyone to use it.
(2) Make security patches and bug fixes available to a set of 'premium' customers before you make them available to regular customers.
(3) Profit!
That depends on what side you are on. If you are the one who pays, or the one to whom the info leaked, regardless of the color of your hat, you have an advantage against the ones who aren't.
Which puts at a disadvantage all the ones who aren't members of (or friendly with) big corporations or e-crime rings. For a small admin of a small network it means just that the adversaries have more time to write worms and that the time between a vulnerability getting known and a vulnerability getting exploited has shrunk again, at least for the ones who didn't play the advance-info racket (who will pay for it once more, indirectly, in the form of bandwidth wasted by worms from even more machines patched too late).
Luckily, as some other posts suggest, the advance information is in this case next to worthless anyway.
Unlike Mozilla, which has released three sets of security patches since Mozilla 1.7 was released without any ability to directly contact users to notify them. _We_ know about the updates, but the proverbial Aunt Tillie has no clue that she's at risk. If Tillie were running WinXP, she would get the updates without having to think about it. ...Assuming she was properly configured. But since I would have set her up in the first place, she would be. After all, that's the same way she would have gotten Mozilla.
-Message posted using Mozilla 1.7.3
Geez, I've seen a lot of tripe written in response to this article and not much substance.
If the value of Premium is only that you hear about an MS bug before getting a patch like everyone else, it's poor value. But coming from a company that believes that no one should warn customers of a bug in case the baddies hear about it, it's plain hilarious. You're paying for an earlier admission of a problem. Exactly what advantage do you think you're supposed to get? And does MS seriously think the information isn't going to get out this way?
Premium customers should be furiously demanding earlier patches for their money, or they'll spill the beans.
insecurity asks the wrong question irritation gives the wrong answer
Sounds like the Mob: "pay us some 'protection' money, or else you might have an 'accident'!"
Somebody throw the RICO statute at them.
Is Capitalism Good for the Poor?
Provable negligence for a whole class of small businesses and people who are just as equal in rights in the eyes of the courts.
Ford Australia once had a bug in a run of their cars (Falcon EA, I think? Can never remember those model numbers) in which pressing hard on the brake pedal broke the mount loose from the firewall due to incorrect welding. Result: no brakes, just when you need them most.
Got time? Spend some of it coding or testing
where does it mention a single machine and no checks or balances? you wouldn't *believe* how many checks and balances there are. this is an FDA-compliant system: we use a custom network that's taken about 5 man-years of testing and implementation to implement. and yes, i run windows on it. before you linux zealots jump down my throat, rest assured that i know more about data integrity, FDA compliance, systems testing and ER/ES compliance than you do, and these are not connected to the net in any way, shape or form, and i have answers for any other criticisms anyone may wish to make, along with approximately 40 feet of shelf space with the paper documentation to back this up.
i'm sure in ten minutes someone will be along to flame me for this, but big pharma + millions in design, build and testing + windows CAN equal a very very good and secure system, like it or not.
keep yourself nice.