Slashdot Mirror


Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

44 of 454 comments

  1. Elite.. microsoft and govt by Davak · · Score: 4, Insightful

    The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

    Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)

    Other juicy information from the article:

    There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.


    So we are supposed to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.

    The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...

    While that's a good theory... I bet it's really just microsoft preying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.

    1. Re:Elite.. microsoft and govt by Walt+Dismal · · Score: 2, Insightful
      Gee, how about if we have two levels of support from police and firemen? The paying customers get immediate 911 support, and the regular citizens, well, we'll get to you when we can. You're not important.

      The old citizen fire brigades, where people in small towns pitched in, in mutual support, make me think of a civic Open Source.

    2. Re:Elite.. microsoft and govt by System.out.println() · · Score: 2, Insightful

      (ob Family guy)

      We....we call you "normies".

    3. Re:Elite.. microsoft and govt by FortKnox · · Score: 2, Insightful

      Any situation where it could cause a life or death issue is already backed by some serious security.

      And you obviously have never worked for a financial institution. I'm a contractor who is regularly contracted to banks and insurance agencies. There isn't any way someone is hacking into something like that.

      Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there? What you gave me was a reach.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  2. Newsflash! by strictfoo · · Score: 3, Insightful

    Company gives preferential treatment to its higher profit customers!

    --
    I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
    1. Re:Newsflash! by Lesrahpem · · Score: 1, Insightful

      This is not simply a matter of a company giving preferential treatment to paying customers.

      Many of the systems we rely on daily run some variant of a Microsoft product. If there is something wrong with a product which could cause a failure, especially in a case like this, everyone should be notified as soon as the manufacturer finds out about the bug.

      How would you like to find out that there's a remote DoS in the version of Windows the equipment at the local hospital uses, but that hospital didn't feel the need to pay MS for early warnings? In many of the cases (dare I say most) that a security related bug is found in a software product it's not the mfg that finds it. That is why there end up being so many worms and such that exploit these sorts of holes long before anyone releases a patch.

      Again, I say that this is not a simple matter of a corporation giving preference to paying customers. I think congress would do well to pass a law that makes it mandatory for all software vendors to release security related bug reports to all known customers as soon as they discover or are notified of the bug themselves. Also, maybe as an additional clause to that, customers should be able to register (for free) to receive such reports.

  3. This is a big deal? by Control+Group · · Score: 4, Insightful
    At the risk of sounding like a Microsoft apologist, I really don't see the big deal, here. It's not like they're releasing patches only to premium subscribers, they're providing earlier notice of what's going to be covered in the next security bulletin. This doesn't affect the timetable for the release of vulnerability information or the release of patches. This is just MS saying "heads up, we're going to have a patch for a vulnerability in Office XP rolling out in three days."

    *shrug*

    Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).

    I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
    1. Re:This is a big deal? by slaad · · Score: 3, Insightful

      I think the concern is that by releasing any information early, they somehow risk the wrong person getting information that can cause a threat. I guess it really depends on how much/what kind of information they release. I have to agree though. The part of me that hates big business smells trouble. The part of me that is more of an economist thinks the whole thing makes sense. The plain old user side of me doesn't see anything that will affect him.

      --


      ~Warning!~ The above is encrypted using rot676!
    2. Re:This is a big deal? by Control+Group · · Score: 2, Insightful
      Sorry, I should have been more clear.

      The practice of withholding information on vulnerabilities at all is questionable, but I was coming from the standpoint that such withholding is a given in the software industry today.

      Given that such information will be withheld, allowing people to pay to get notice that some information regarding an unspecified vulnerability in a particular application three days before other people (along with the paying subscribers) get the detailed information doesn't seem to be an unethical practice.

      Potentially very annoying to their customers, as you point out, but not unethical. They're saying "we'll give you a competitive advantage if you pay us." Which is much the same thing they're saying (accurately or not) when they market, say, SQL Server. The burden of scheduling and applying patches as available already lies on the shoulders of the customers. This is an add-on service to help relieve that burden.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
  4. Change one sentence in the summary... by Anonymous Coward · · Score: 5, Insightful

    I would re-write one sentence in the summary as:
    "Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
    (changed "than" to "FROM")

  5. Best quote from article by Portigui · · Score: 4, Insightful
    This is a quote from Gartner security analyst John Pescatore and it pretty much sums up my thoughts on this:
    If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.

    In a nutshell, is this not what MS is doing?
    1. Re:Best quote from article by don_carnage · · Score: 2, Insightful

      Except for with faulty brakes, you could end up killing someone. Has there been a case where faulty software killed someone? (Other than by sheer annoyance, that is.)

    2. Re:Best quote from article by Chess_the_cat · · Score: 4, Insightful
      In a nutshell, is this not what MS is doing?

      No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.

      --
      Support the First Amendment. Read at -1
    3. Re:Best quote from article by MikeMacK · · Score: 4, Insightful

      Actually, if you have faulty brakes, you may fly. It's kinda like what MS is doing. It's more like, they are telling the people with the extended warranty about the faulty brakes before other customers, but they all will eventually get new brakes. I guess the point would be that if you knew you had faulty brakes, perhaps you wouldn't drive.

    4. Re:Best quote from article by wankledot · · Score: 4, Insightful
      The more things that are controlled by software in the world (warships, hospital equipment, critical infrastructure, etc.) the greater chance there is of software killing someone.

      However, anyone who uses and relies on software to keep someone alive, or keep something from killing someone, should not be waiting for the latest IE patch to make sure their shit works.

      --
      My sig is blank, I typed this by hand.
  6. Perfectly Valid by domselvon · · Score: 2, Insightful

    This seems perfectly valid practice to me. People who pay more should get better service. Think of the subscribers to /.; they get better service than the rest...

  7. MS is a business afterall by Anonymous Coward · · Score: 2, Insightful

    You pay more, you get more.

  8. except... by Ignignot · · Score: 5, Insightful

    Bugtraq is almost always ahead of microsoft when it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

    --
    I submitted this story last night, and it didn't get posted.
  9. So what? News will still spread quickly by mdpowell · · Score: 4, Insightful

    That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later? But now MSFT will look bad (worse) because the press is announcing their flaws instead of them.

  10. Well... by bert.cl · · Score: 2, Insightful
    I know this is slashdot and we're not supposed to even remotely like MS & stuff.

    But just maybe, this might be logical, if you have to update everyone about a glitch in your software then that would take time*. If everyone starts to download patches at the same time you just might get slow downloads

    It would be a Bad Thing for MS if their premium customers were the last ones to be notified (as in, turn the story around) or had to wait just as long as some John Doe who copied Windows, to get a patch or download it at some lame speed.

    This is just economics, nothing to see here

    *Especially if bugs are your business

  11. maybe i'm reading it wrong... by Ziak · · Score: 2, Insightful

    Maybe I'm reading it wrong but I never read anything about having to pay for this "service" when they say Premium... do they just mean people who buy a lot more of M$'s programs? i.e. Large Corporations, and is this just a notice to them because in a Large Corporation it's a lot harder to update 1000s of machines vs let's say an office of 15? They just send an e-mail stating that there will be an update, it's not like it actually contains the update.

    --
    Loading Please Wait....
  12. This is a security focus? by trilks · · Score: 4, Insightful

    M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propagate the most damage to the rest of us). And the average user won't be a premium customer.

    Does it seem like M$ is saying one thing and doing another?

    --
    You won't hate yourself in the morning if you don't get up before noon.
  13. It's sort of a lose/lose situation for them. by asdfasdfasdfasdf · · Score: 2, Insightful

    I can see there's some genuine reasoning behind this: When they announce an exploit potential, they're serving warning to those who can actually generate the exploit. If they control WHO gets the information first, they can keep their "worst case scenario" customers happy.

    Script kiddies aren't likely to subscribe, and if they were, it might make it easier to track them down or trap them.

    I can see the logic in it. I don't know if it's a "good" solution, but it must be difficult when they become aware of a problem that has not been exploited yet. It's open season on the security hole thanks to reverse-engineering the patch, but if they don't announce it then they're at fault for a "known hole".

    I think anything where there's a working exploit out should be released immediately to everyone, but non-exploited holes might be well served by slowly releasing it to clients that pay to have that information-- and therefore are more likely to listen up and patch their systems.

  14. Service in exchange for money... by Daniel+Ellard · · Score: 2, Insightful
    ... doesn't seem all that unreasonable. The anti-virus subscriptions are much the same way -- pay more money, get more frequent updates/better tools.

    The only question is what it takes to become a "premium customer". Is it simply a matter of giving MS a few bucks, or is it up to them to choose their friends? MS has a monopoly on the ability to patch their operating systems; if they don't market it openly and fairly then perhaps they'll get another visit from the DoJ (well, I guess this depends on what happens in November...).

    --
    Disclaimer: I work for a company, but I don't speak for them.
  15. Re:so how do it get this status by nat5an · · Score: 2, Insightful

    I wonder if this might backfire. Microsoft already has a rep amongst techies for its slowness to respond to its numerous security holes. Now maybe it'll get a rep with the PHBs as the company that charges its users to fix its own mistakes.

    --
    Head down, go to sleep to the rhythm of the war drums...
  16. Car Industry Comparison by Feneric · · Score: 3, Insightful

    Imagine if companies in the car industry worked the same way:

    Gee, we found this safety problem in our latest line of cars; let's inform our premium customers now, and wait an arbitrary amount of time to inform our other customers.

    People wouldn't stand for it. Why do they hold software companies to such lower standards?

  17. Re:Extortion by Control+Group · · Score: 4, Insightful
    Oh, for crying out loud.

    Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."

    This just isn't a big deal.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  18. Re:so how do it get this status by wideBlueSkies · · Score: 5, Insightful

    >>Security through $$$

    You mean "a false sense of security through $$$", right?

    wbs.

    --
    Huh?
  19. Re:so how do it get this status by JudgeFurious · · Score: 3, Insightful

    Security through $$$ might even work for them too, except for the fact that to date Microsoft has shown almost zero ability to produce anything that's actually "secure".

    Even if I were so inclined to pay someone for security Microsoft would be the last company on the face of the earth I'd go to to get that.

    Their pile of cash is legendary and no matter how much they have (or can figure out how to get) they seem unable to incorporate this "security" thing into their products. What would make anyone think that throwing more money at them is going to change that?

    --
    Appended to the end of comments you post. 120 chars.
  20. Shocking by Swamii · · Score: 2, Insightful

    Slashdot is giving early previews of stories to paying customers. Those of us who aren't lucky enough to have such a relationship with Slashdot may find ourselves at greater risk of missing the story than premium customers as a result.

    --
    Tech, life, family, faith: Give me a visit
  21. Microsoft - Terrorists? by Progman3K · · Score: 2, Insightful

    Pay us or we WON'T tell you about the next worm/vulnerability.

    Wait, that's not terrorism, that's extortion.

    I don't mind them withholding premium services as long as there are no safety issues with doing that.

    For example, a hospital that ISN'T paying Microsoft through the nose for these "heads-ups" can have its medical data destroyed because of it.

    For SHAME, Microsoft, for shame.

    --
    I don't know the meaning of the word 'don't' - J
  22. A serious question... by east+coast · · Score: 3, Insightful

    How does one become a "premium customer"?

    --
    Dedicated Cthulhu Cultist since 4523 BC.
  23. An act of desperation? by nv5 · · Score: 3, Insightful

    I can only wonder: MS really is in quite deep trouble with their customers, especially those, who have paid big bucks to have the right to upgrades of their products. Since Longhorn is a long way out, and any upgrades (OS or Office) seem not hugely attractive, why is anyone paying the maintenance fees, which were designed to save you money on product upgrades?

    MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now, they desperately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.

    Playing this security card shows an amazing act of desperation by a wounded giant. If even Gartner starts to criticize MS, there is a lot going wrong in the belly of the beast.

  24. If only I was a slashdot subscriber... by DoubleDownOnEleven · · Score: 5, Insightful
    Then I could have commented on this article earlier on, and got a better score!

    That's not fair, slashdot should give their information out freely to everyone...

    Oh wait, they do, they just treat their paying customers a little better...

    I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?

    According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.

  25. So... what they are saying is. . . by emtboy9 · · Score: 2, Insightful

    Pay us lots of money and we will give you advanced warning of vulnerabilities to protect you from the rest of our customers and their owned boxen?

    --
    "Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
  26. Re:Yes,This is a big deal! by OP_Boot · · Score: 3, Insightful

    It's an early *warning*
    If you can show me a virus writer who can take advantage of a hole by reading about it in a very generalised security bulletin, then I'd hire him on the spot.

    (From the article: "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk." )

  27. Re:Early Warning For Slashdot by kabloom · · Score: 2, Insightful

    Not every corporation with a large number of computers to administer is a Microsoft premium customer, so it's not just individuals with 2 or 3 computers that have to wait. The premium customers are paying Microsoft to be more prepared competitively against the big guys- not for advance information that the little guys don't need.

  28. So here's what you do... by http101 · · Score: 3, Insightful

    you, being a 16-year old over-achiever, register yourself with Microsoft as a preferred customer using your daddy's company credit card. At that point, you learn of the impending vulnerabilities and release one hell of a worm virus on the net. Stick a fork in me, I'm done...

    --
    -- Game Developers: Stop porting badly-textured games from crappy console systems!
  29. Why Microsoft gets attacked on Slashdot by 0x0d0a · · Score: 4, Insightful

    Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

    The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.

  30. Conflict of Interests by tod_miller · · Score: 2, Insightful

    So Microsoft is profiting out of:

    1. Building a necessity to be informed because of failures in their software

    2. Making these failures so deadly that quick action must be taken to save money

    3. Screw up all their patching, and take time to patch vulnerabilities they do patch

    So, the more they do the above, the more money they can take from those companies now learning the meaning of being 'tied to a large metamorphic rock plunging happily down into the Mariana trench'.

    Microsoft - a monopoly in profiting from failure, fear, and fraud.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  31. In other news.. by insac · · Score: 2, Insightful


    A car company recalls their last car model for defective brakes only to their higher profit customers.
    The warning for the normal customer will be issued 2 weeks later...
    </joke>

    Every company has the right to give "preferential treatment" to its higher profit customers.. but we're not talking about discounts or special offers.. we're talking about defects and vulnerabilities and I guess all customers have the same right to know if they're using an unsafe environment.

    On the other side, as stated in the article, it makes perfect sense to warn "critical infrastructure companies" before releasing information that could be used by malicious users.

    --
    This message doesn't need a sig
  32. Re:Early Warning For Slashdot by Moirke · · Score: 2, Insightful

    If you actually read the article, you would know that they aren't actually offering patches early to their premium customers, they are only letting them know that patches are on the way. Everyone in the world gets the patches at the same time. Premium customers are at the same risk as we are.

    Not true. To continue the vehicle manufacturer analogy, Ford motor company realizes their brakes may fail when the vehicle is operating +80mph. Engineers are working diligently to resolve the issue, but a fix will not be available for another week. Wouldn't you agree that a premium customer, who is notified of the issue would be at less risk than someone who believes their car to operate properly?

    If there is a vulnerability in the Microsoft file system and an administrator is aware of it, he may take action to protect crucial information from the vulnerability (i.e. move it to a UNIX server or server running different version of windows).

  33. Extra revenue stream from writing bad software? by james_in_denver · · Score: 2, Insightful
    This is absolutely ridiculous. Microsoft will be getting a new revenue stream from broken software.

    What is the next logical step for MS?, intentionally introduce more bugs to get more customers to sign up for the premium service?

    Or needlessly delay the release of patches for the same reason?

    This is almost a strong-armed shakedown.

    MS is basically saying "..Yo buddy, we knows you gotch yer license, but see it's like this, Billie boy says youse gotta cough up a little more dough, or things just ain't gonna work out the way you planned..."

    C'mon M$, if your customers already have a license for your product, and your product is broken, then it is YOUR (Microsoft's) responsibility to FIX it........

  34. Re:Nerds Socialists by Thomas+Shaddack · · Score: 2, Insightful
    Uh, why should I worry about whether or not one of the preferentially treated subjects leaks the information? That is as likely to be helpful to me as not.

    That depends on what side you are on. If you are the one who pays, or the one to whom the info leaked, regardless of the color of your hat, you have an advantage against the ones who aren't.

    Which puts to disadvantage all the ones who aren't members of (or friendly with) big corporations or e-crime rings. For a small admin of a small network it means just that the adversaries have more time to write worms and that the time between a vulnerability getting known and a vulnerability getting exploited shrunk again, at least for the ones who didn't play the advance-info racket (who will pay for it once more, indirectly, in the form of bandwidth wasted by worms from even more machines patched too lately).

    Luckily, as some other posts suggest, the advance information is in this case next to worthless anyway.