Slashdot Mirror


Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

11 of 454 comments

  1. Extortion by Quasar1999 · · Score: 3, Interesting

    This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, your car's got a major issue that could cause injury, but we won't tell you about it until we tell our wealthy customers first.

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
  2. Re:so how do it get this status by Nos. · · Score: 3, Interesting

    Well of course. I mean you wouldn't expect a software vendor to tell you about its vulnerabilities before there are exploits without paying for such a service would you?
    All kidding aside, if MS knows of vulnerabilities in their software, they should be forced to do one of two things: tell everyone, or tell no one. Why? Well, if they tell everyone, then at least there's a fighting chance. Tell no one, well, it's an option I don't agree with, but if someone points out a vulnerability to a software vendor, they should have an option of producing a patch (within a reasonable time frame) and releasing it before advertising the details of the vulnerability.

  3. Virus Writers by Anonymous Coward · · Score: 4, Interesting

    It wouldn't take much for a virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.

    Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.

  4. My MS Rep woke me up in the middle of the night by Anonymous Coward · · Score: 5, Interesting

    No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.

    At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?

    Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.

    For the record, we are an enterprise customer.

  5. Re:Elite.. microsoft and govt by FortKnox · · Score: 4, Interesting

    Wow, you are comparing computer bugs to life and death situations.

    What's worse is someone marked you 'insightful.'

    Sometimes Slashdot think truly amazes me.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  6. Re:So what? News will still spread quickly by Araneas · · Score: 4, Interesting
    Yup, the Microsoft Security Response Center Bulletin Releases are covered by an NDA.

    What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.

    Patching one XP box is a far, far simpler thing to do than patching 10k machines of varying Windows versions and functions.

  7. Re:Elite.. microsoft and govt by Munra · · Score: 4, Interesting

    To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation...airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public facing ports/etc, but it is still a risk.

    Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
    Millions could be wiped off the economy of major countries.

    Manta

  8. No, it's not...here's why by rd_syringe · · Score: 3, Interesting

    Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.

  9. Re:except... by Rust+Martialis · · Score: 4, Interesting
    Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it so I scanned a bunch of MS Alerts from 2004, and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533,CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

    Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

    Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-0549, and CAN-2004-0566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

    I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

    So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries; others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

    Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

    --R.
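The tally in the comment above (days between first public disclosure and the bulletin that fixes it, then a count of "0-day patches" versus fixes that shipped after the bug was already public) is easy to redo mechanically once you have the dates. The script below is an added example, not the commenter's own script and not anything from Microsoft or MITRE. Its patch date is a placeholder and its disclosure dates are constructed by subtracting the lead times the comment reports, so the numbers it produces reproduce the comment's figures rather than measure anything; to use it for real you would fill `Fix(...)` rows from bulletin release dates and the earliest Bugtraq/MITRE reference you can find.

```python
"""Disclosure-lead analysis: for each fixed CVE, how many days was it public before the patch?

All dates below are CONSTRUCTED for illustration. The patch date is a placeholder and the
disclosure dates are derived from the lead times quoted in the thread, not looked up.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fix:
    bulletin: str                      # e.g. "MS04-019"
    cve: str                           # CVE candidate ID credited in the bulletin
    patched: date                      # bulletin release date
    disclosed: Optional[date] = None   # earliest public disclosure found; None = nothing found


def lead_days(fix: Fix) -> int:
    """Days the vulnerability was public before its patch.

    0 when no prior disclosure was found. A negative value means the only public
    write-up appeared after the patch; that still counts as a '0-day patch'.
    """
    if fix.disclosed is None:
        return 0
    return (fix.patched - fix.disclosed).days


def is_zero_day_patch(fix: Fix) -> bool:
    """True when the patch was out no later than the first public disclosure."""
    return lead_days(fix) <= 0


def summarize(fixes: List[Fix]) -> Dict[str, Dict[str, object]]:
    """Per-bulletin counts plus an overall row keyed 'ALL'."""
    per_bulletin: Dict[str, Dict[str, object]] = {}
    for f in fixes:
        row = per_bulletin.setdefault(f.bulletin, {"total": 0, "zero_day": 0, "max_lead": 0})
        row["total"] += 1
        if is_zero_day_patch(f):
            row["zero_day"] += 1
        row["max_lead"] = max(row["max_lead"], lead_days(f))  # worst exposure in this bulletin
    total = len(fixes)
    zero = sum(1 for f in fixes if is_zero_day_patch(f))
    per_bulletin["ALL"] = {
        "total": total,
        "zero_day": zero,
        "advance": total - zero,                        # public before the patch
        "fraction_zero_day": zero / total if total else 0.0,
    }
    return per_bulletin


# Placeholder patch date (constructed; not the real release date of any bulletin).
P = date(2004, 7, 13)

# Constructed sample: the 14 MS04-011 IDs with no disclosure found, and the MS04-019 /
# MS04-025 IDs with disclosure dates back-computed from the lead times the thread quotes.
SAMPLE: List[Fix] = (
    [Fix("MS04-011", c, P) for c in (
        "CAN-2003-0533", "CAN-2003-0663", "CAN-2003-0719", "CAN-2003-0806", "CAN-2003-0906",
        "CAN-2003-0907", "CAN-2003-0908", "CAN-2003-0909", "CAN-2003-0910", "CAN-2004-0117",
        "CAN-2004-0118", "CAN-2004-0119", "CAN-2004-0120", "CAN-2004-0123")]
    + [Fix("MS04-019", "CAN-2004-0213", P, P - timedelta(days=124))]
    + [Fix("MS04-025", "CAN-2003-1048", P, P - timedelta(days=332)),
       Fix("MS04-025", "CAN-2004-0549", P, P - timedelta(days=58)),
       Fix("MS04-025", "CAN-2004-0566", P, P - timedelta(days=166))]
)


if __name__ == "__main__":
    for name, row in summarize(SAMPLE).items():
        print(name, row)
```

The one judgement call worth making explicit is the `<= 0` in `is_zero_day_patch`: a researcher who publishes details the day after the bulletin ships is the coordinated case, not the "announced in advance" one, so negative leads are folded into the 0-day bucket rather than thrown away.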

  10. Re:Elite.. microsoft and govt by b1scuit · · Score: 3, Interesting
    Dude. Most of the 'temporary solutions' involved in an MS vulnerability are along the lines of "don't run this service" and "don't do this" and "catch that mime-type ahead of time". Seriously. If a certain malformed MIME header will run foreign code on a workstation running Outlook Express 6, then I want to know so I can have procmail make messages that have that particular MIME header go bye bye.

    When the best solution is to take care of the problem yourself, then I want to know what needs to be done, so I can do it, and the sooner I know, the sooner it'll get worked around. If some nasty bug appears that uses an exploit that I wasn't informed about because the hundreds of dollars we spent per machine weren't enough to warrant telling me when something is broken in a timely fashion, then I'd be pissed when those machines got exploited, and so would you.

    If evil requires only that good people do nothing, is MS not good or doing nothing?