Slashdot Mirror


Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

7 of 454 comments

  1. Virus Writers by Anonymous Coward · Score: 4, Interesting

    It wouldn't take much for a virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.

    Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.

  2. My MS Rep woke me up in the middle of the night by Anonymous Coward · Score: 5, Interesting

    No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.

    At first I thought, cool, they are really taking this seriously. But then I thought, what does he really think I'm going to do? Go into the office and patch 1000 machines before morning?

    Since then, we've just been getting these 'pre-warnings' via email, which of course are marked as confidential.

    For the record, we are an enterprise customer.

  3. Re:Elite.. microsoft and govt by FortKnox · Score: 4, Interesting

    Wow, you are comparing computer bugs to life and death situations.

    What's worse is someone marked you 'insightful.'

    Sometimes Slashdot think truly amazes me.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!

  4. Re:So what? News will still spread quickly by Araneas · Score: 4, Interesting

    Yup, the Microsoft Security Response Center Bulletin Releases are covered by an NDA.

    What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out, etc., etc. Huge amounts of time and money may be involved, so a few days' extra time can be invaluable.

    Patching one XP box is a far, far simpler thing to do than patching 10k machines of varying Windows versions and functions.

  5. Re:Elite.. microsoft and govt by Munra · Score: 4, Interesting

    To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation... airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public-facing ports/etc., but it is still a risk.

    Secondly, even if a situation is not life/death, it can be very serious: think about the business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
    Millions could be wiped off the economy of major countries.

    Manta

  6. Re:except... by Rust+Martialis · Score: 4, Interesting

    Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it, so I scanned a bunch of MS Alerts from 2004 and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533, CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

    Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

    Now, compare that to MS04-019 (CAN-2004-0213), where a vulnerability was announced 124 days prior to patch, or MS04-025, where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

    I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

    So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries; others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

    Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

    --R.