Early Warning For Microsoft Premium Customers
techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."
This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, your car's got a major issue that could cause injury, but we won't tell you about it until we tell our wealthy customers first.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Well of course. I mean you wouldn't expect a software vendor to tell you about its vulnerabilities before there are exploits without paying for such a service would you?
All kidding aside, if MS knows of vulnerabilities in their software, they should be forced to do one of two things: tell everyone, or tell no one. Why? Well, if they tell everyone, then at least there's a fighting chance. Tell no one, well, it's an option I don't agree with, but if someone points out a vulnerability to a software vendor, they should have an option of producing a patch (within a reasonable time frame) and releasing it before advertising the details of the vulnerability.
It wouldn't take much for a virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.
Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.
Let me get this straight.
They put out a crappy product, then make you pay for the knowledge of knowing it's crappy?
I already knew that! I should sell this knowledge on eBay; if there are already paying customers out there, there are bound to be millions of other idiots who will bid on it.
Seriously though, we already get the updates before Microsoft, from Symantec and Bugtraq. This is very sad for whoever is dishing out money to them.
Runnin' On Empty
just came in his own pants.
Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently."
Assholes.
No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.
At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?
Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.
For the record, we are an enterprise customer.
My company gets the premium support advanced warnings.
Honestly, they are vague to the point of useless...other than "don't make any plans on this day" when the notices to everyone are released.
so they have a couple more days to plan outages as necessary
It's withholding information on vulnerabilities (that if available shouldn't be withheld) from customers (everyone using their products is their customer) that haven't paid an Additional Fee.
Tell MSDN subscribers / developers about new products early? Fine. Give my competition preferential treatment, through advance notice of upcoming updates? Not cool. More time to plan patches / outages can mean shorter downtime. Turnaround on flaw exploits used to be months; now it's days. I just think everyone should have equal opportunity to prepare.
Michalangelo Progr
Wow, you are comparing computer bugs to life and death situations.
What's worse is someone marked you 'insightful.'
Sometimes Slashdot think truly amazes me.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
by Max Barry
http://www.maxbarry.com/jennifergovernment/
It gives an interesting look at a hypercapitalist world. It's also a highly entertaining read.
What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.
Patching one XP box is a far, far simpler thing to do than patching 10k machines of varying Windows versions and functions.
To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation...airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public facing ports/etc, but it is still a risk.
Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
Millions could be wiped off the economy of major countries.
Manta
Not quite. Vulnerabilities can be monetarily and specially costly to customers. The only damage done to a Slashdotter is having to wait a little till the mad rush dies down or someone puts up a mirror. I'm sorry, but this is definitely a bad idea on Microsoft's part. I mean, it ties extra cost to fixing their software problems. Can you imagine a car company saying those customers that pay extra will get early recall notices?
-----
One is born into aristocracy, but mediocrity can only be achieved through hard work.
To some extent you already get this. If you want extra security, you can pay for a security guard, otherwise you fall back on the regular police service.
And how about health service - in the UK (and I suspect many other places in the world), if you want immediate treatment, you pay (or get your insurance to pay) to go private. If you don't pay, you end up at the back of the NHS waiting list.
Not saying whether it's a good or a bad thing, but this is pretty much how a market economy is meant to work - you get what you pay for.
Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.
Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.
Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!
I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.
So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries; others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.
Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.
--R.
Even so, do you really think there is a solid link between MS Security Support and 911?
Umm... 90+% of 911 dispatch software runs only on Microsoft Windows...
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
No, they're just telling those people SOONER.
And I'll bet someone who has the extended warranty is finding out about a recall sooner than say, someone who bought a Ford used at a Honda dealership.
Microsoft has been releasing early warnings for months, and they have regularly leaked to the press. The contents of the warning includes very little information: the number of vulnerabilities, the severity level, and the products affected. You might be able to infer which people you have to force to do overtime (Microsoft patches aren't released during business hours in all parts of the world), but apart from that, the information is not very useful.
Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.
All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in collaboration.
I have 4 issues with your post:
1) Not every bug/hole has to be 'hacked into' - email worms, and worms that spread through cross-site scripting and browser exploits can do just as much damage, and can be caused by OS/app bugs/holes.
2) There is no way to know that a company has never been hacked into. Just because a company may find out that it has, there's no proof that it hasn't been. Go ask any good security consultancy.
3) Where did I draw a link between MS security and 911 (and do you mean 911 as in the emergency services, or 9/11)?
4) Who said I've never worked/am not working for a financial institution?
Manta
When the best solution is to take care of the problem yourself, then I want to know what needs to be done, so I can do it, and the sooner I know, the sooner it'll get worked around. If some nasty bug appears that uses an exploit that I wasn't informed about because the hundreds of dollars we spent per machine weren't enough to warrant telling me when something is broken in a timely fashion, then I'd be pissed when those machines got exploited, and so would you.
If evil requires only that good people do nothing, is MS not good or doing nothing?
Wow, "There isn't *ANY* way someone is hacking into something like that." Please say you are *NOT* part of the security team for these banks and insurance agencies. The first rule of security is that there is no such thing as perfect security. You can only mitigate risks. Banks tend to mitigate them fairly well, but I seem to remember a few banks trying to hush up compromises last year.
... I call BULL.
On the other side of the coin, when I work with insurance agencies, I can say truthfully they make a valiant effort at security. Yes, every company I have been at has exposed major blunders while I was there. Not intentionally of course, but what would you say if I said that one of the major (read: they own their own skyscraper) insurance companies in Hartford still has Windows 98 on desktops because the terminal emulator didn't work on 2000? Or that same said terminal emulator passed everything in cleartext?
"There isn't any way..."
Sig under construction since 1998.