Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

Early Warning For Slashdot

Kindof like the paid customers using slashdot who get a chance to read the clicky links before it dies.

Re:Early Warning For Slashdot

[MetalliQaZ]

If you actually read the article, you would know that they aren't actually offering patches early to their premium customers, they are only letting them know that patches are on the way. Everyone in the world gets the patches at the same time. Premium customers are at the same risk as we are. The reason for the "heads up" is so that IT managers can get ready for the huge task of updating every machine they manage. Individuals have only their own computer, or at most a handful of others. These patches are usually expected anyway. And you can find a "heads up" of your own just by reading tech news sites online.
-d

Re:Early Warning For Slashdot

[mrowlands]

I worked for a large pharmaceutical company and we got some (non critical) patches ahead of release schedule. This was as a result of cooperation between Cisco and MS and obviously so that
the patches could be tested on a large scale.

I would welcome MS handing patches to large corporate customers and breaking their computers before they break mine.

Re:Early Warning For Slashdot

[jazman_777]

To continue the vehicle manufacturer analogy...

Slashdot. News for Nerds. Stuff that Matters. Failed Car Analogies.

Elite.. microsoft and govt

[Davak]

The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)

Other juicy information from the article:

There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.

So we are suppose to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.

The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...

While that's a good theory... I bet it's really just microsoft praying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.

Re:Elite.. microsoft and govt

[FortKnox]

Wow, you are compairing computer bugs to life and death situations.

What's worse is someone marked you 'insightful.'

Sometimes slashdot think truely amazes me.

Re:Elite.. microsoft and govt

[Munra]

To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation...airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public facing ports/etc, but it is still a risk.

Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
Millions could be wiped off the economy of major countries.

Manta

Re:Elite.. microsoft and govt

[Martin+Blank]

Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there?

There just might be.

Re:Elite.. microsoft and govt

[Fareq]

I hate to say this, but...

RTFA

Not getting patches or fixes sooner. Being told that there is a flaw sooner. In this case not even what the flaw is... just that there is one, and that in a day or so we'll tell the world what it is -- heads up, somethings coming. That's it.

No "protection," no early patches, no nothing. Just a nice little note saying "we're working on a couple of security flaws, details forthcoming"

Calm yourself please. If you want to hate Microsoft, please do it for a valid reason, not some bullshit like this.

Thanks.

-- Fareq

Re:Elite.. microsoft and govt

[b1scuit]

Dude. Most of the 'temporary solutions' involved in an MS vulnerability are along the lines of "don't run this service" and don't do this" and "catch that mime-type ahead of time". Seriously. If a certain malformed MIME header will run foriegn code on a workstation running Outlook Express 6, then I want to know so I can have procmail make messages that have that particular MIME header go bye bye.

When the best solution is to take care of the problem yourself, then I want to know what needs to be done, so I can do it, and the sooner I know, the sooner it'll get worked around. If som nasty bug appears that uses an exploit that I wasn't informed about because the hundreds of dollars we spent per machine weren't enough to warrant telling me when something is broke in a timely fashion, then I'd be pissed when those machines got exploited, and so would you.

If evil requires only that good people do nothing, is MS not good or doing nothing?

so how do it get this status

[InfoHighwayRoadkill]

Let me guess another potential revenue stream for MS?

Security through $$$

Re:so how do it get this status

[Nos.]

Well of course. I mean you wouldn't expect a software vendor to tell you about its vulnerabilities before there are exploits without paying for such a service would you?
All kidding aside, if MS knows of vulnerabilities in their software, they should be forced to do one of two things, tell everyone, or tell no one. Why? Well if they tell everyone, then at least there's a fighting chance. Tell no one, well, its an option I don't agree with, but if someone points out a vulnerability to a software vendor, they should have an option of producing a patch (within a reasonable time frame) and releasing it before advertising the details of the vulnerability.

Re:so how do it get this status

[wideBlueSkies]

>>Security through $$$

You mean "a false sense of security through $$$", right?

wbs.

Re:so how do it get this status

[Dr.+Evil]

No, "$$$ through security."

Re:so how do it get this status

[JudgeFurious]

Security through $$$ might even work for them to except for the fact that to date Microsoft has shown almost zero ability to produce anything that's actually "secure".

Even if I were so inclined to pay someone for security Microsoft would be the last company on the face of the earth I'd go to to get that.

Their pile of cash is legendary and no matter how much they have (or can figure out how to get) they seem unable to incorporate this "security" thing into their products. What would make anyone think that throwing more money at them is going to change that?

Newsflash!

[strictfoo]

Company gives preferntial treatment to its higher profit customers!

This is a big deal?

[Control+Group]

At the risk of sounding like a Microsoft apologist, I really don't see the big deal, here. It's not like they're releasing patches only to premium subscribers, they're providing earlier notice of what's going to be covered in the next security bulletin. This doesn't affect the timetable for the release of vulnerability information or the release of patches. This is just MS saying "heads up, we're going to have a patch for a vulnerability in Office XP rolling out in three days."

*shrug*

Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).

I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.

Re:This is a big deal?

[slaad]

I think the concern is that by releasing any information early, they somehow risk the wrong person getting information that can cause a threat. I guess it really depends on how much/what kind of information they release. I have to agree though. The part of me that hates big business smells troube. The part of me that is more of an economist thinks the whole thing makes sense. The plain old user side of me doesn't see anything that will affect him.

Re:This is a big deal?

[Ayaress]

The plain old user side of me doesn't see anything that will affect him.

Exactly. It's not like they were telling us about the holes in a timely manner before.

Change one sentence in the summary...

I would re-write one sentence in the summary as:
"Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
(changed "than" to "FROM")

Best quote from article

[Portigui]

This is a quote from Gartner security analyst John Pescatore and it pretty much sums up my thoughts on this:

If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.

In a nutshell, is this not what MS is doing?

Re:Best quote from article

[Chess_the_cat]

In a nutshell, is this not what MS is doing?

No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.

Re:Best quote from article

[MikeMacK]

Actually, if you have faulty brakes, you may fly. It's kinda like what MS is doing. It's more like, they are telling the people with the extended warranty about the faulty brakes before other customers, but they all will eventually get new brakes. I guess the point would be that if you knew you had faulty brakes, perhaps you wouldn't drive.

Re:Best quote from article

[wankledot]

The more things that are controlled by software in the world (warships, hospital equipment, critical infrastructure, etc.) the greater chance there is of software killing someone.

However, anyone who uses and relys on software to keep someone alive, or keep something from killing someone should not be waiting for the latest IE patch to make sure their shit works.

Re:Best quote from article

[revscat]

But why do they need to sort the list in the first place? It's not like they have to call people in a certain order in order to make them aware of the vulnerability. They just need to post the information on their website and make it available to everyone simultaneously.

Re:Best quote from article

[ohsoot]

Has there been a case where faulty software killed someone?

Yes.

Extortion

[Quasar1999]

This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, you're car's got a major issue that could cause injury, but we won't tell you about it, until we tell our wealthy customers first.

Re:Extortion

[Control+Group]

Oh, for crying out loud.

Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."

This just isn't a big deal.

Re:Extortion

[boredMDer]

They're not forcing you to pay.

You'll still get your patches in the usual Microsoft timely manner (weeks, likely), but these so called 'premium' members will get them a lot sooner.

Things will still appear the same to you, but premium members will get a heads-up before everyone else.

except...

[Ignignot]

Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

Re: except...

[Black+Parrot]

> Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

Maybe their Premium customers get to hear the excuses first.

Re:except...

[Rust+Martialis]

Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it so I scanned a bunch of MS Alerts from 2004, and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533,CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps . I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries, others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

--R.

Equal?

We are all equal, just some of us are more equal than others.

Not So Bad

[blueZhift]

This isn't so bad, it just means that the premium customers get to beta test the patches for the rest of us!

So what? News will still spread quickly

[mdpowell]

That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later. But now MSFT will look bad (worse) because the press is announcing there flaws instead of them.

This is a security focus?

[trilks]

M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propogate the most damage to the rest of us). And the average user won't be a premium customer.

Does it seem like M$ is saying one thing and doing another?

Virus Writers

It wouldn't take much for virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.

Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.

even better yet...

[Garabito]

Those of us who are lucky enough to have no relationship with Microsoft may find ourselves at even lower risk than premium customers

Not really

[TheHonestTruth]

Though this is a crummy thing to do, your/their example is not entirely accurate. It's not that Ford would not issue recalls to everyone, they would just let their premium customers know about the recall (that will be for everyone) in advance. People can then plan better when they will have their car serviced.

-truth

Car Industry Comparison

[Feneric]

Imagine if companies in the car industry worked the same way:

Gee, we found this safety problem in our latest line of cars; let's inform our premium customers now, and wait an arbitrary amount of time to inform our other customers.

People wouldn't stand for it. Why do they hold software companies to such lower standards?

Craig Mundie...

[Spoticus]

just came in his own pants.

Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently."

Assholes.

Re:Craig Mundie...

[jpetts]

just came in his own pants

Better in his own than in mine...

Re:Craig Mundie...

[notasheep]

Nice link and quote. It points to an article from 2002. The quote leaves out some important follow-up information as well - "Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems."

Still not a great response from Mundie, but at least Slashdotters have the whole picture. And, yes, security is a potential revenue stream for MS - but it's through the creation of new products, not charging folks to download and apply patches.

My MS Rep woke me up in the middle of the night

No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.

At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?

Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.

For the record, we are an enterprise customer.

In related news ...

[Mr.Surly]

... GM announced today that a new "premium" warranty is available for it's vehicles. Vehicle owners who purchase this new warranty (Only $500, NDA required) will receive recall notices regarding vehicle roll-overs and potential explosions a full month before vehicle owners that do not have the new warranty option.

Re:So what? News will still spread quickly

[Araneas]

Yup the Microsoft Security Response Center Bulletin Releases are covered by an NDA.

What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.

Patch one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.

Yes.

[DAldredge]

http://www.mtholyoke.edu/~rzdalea/cs100/software_d isasters/sd.htm
http://www.baselinemag.com/article2/0,1397,1544403 ,00.asp

Also google for Therac-25

A serious question...

[east+coast]

How does one become a "premium customer"?

As a Premium Customer Who Sees The Advance Notice

[Rust+Martialis]

Look, I know you all hate MS for being evil and all that, but sorry, the 'advance warning' is basically nothing.

All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.

There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.

You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include ' sorry, I can't give you any details about Tuesday's patch'.

Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

--R.

An act of desparation?

[nv5]

I can only wonder: MS really is in quite deep trouble with their customers, especially those, who have paid big bucks to have the right to upgrades of their products. Since Longhorn is a long way out, and any upgrades (OS or Office) seem not hugely attractive, why is anyone paying the maintenance fees, which were designed to save you money on product upgrades?

MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now, they desprately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.

Playing this security card shows an amazing act of desparation by a wounded giant. If even Gartner starts to critisize MS, there is a lot going wrong in the belly of the beast.

If only I was a slashdot subscriber...

[DoubleDownOnEleven]

Then I could have commented on this article earlier on, and got a better score!

That's not fair, slashdot should give their information out freely to everyone...

Oh wait, they do, they just treat their paying customers a little better...

I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?

According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.

No, it's not...here's why

[rd_syringe]

Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.

Re:Yes,This is a big deal!

[OP_Boot]

It's an early *warning*
If you can show me a virus writer who can take advantage of a hole by reading about it in a very generalised security bulletin, then I'd hire him on the spot.

(From the article: "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk." )

So here's what you do...

[http101]

you, being a 16-year old over-achiever, register yourself with Microsoft as a preferred customer using your daddy's company credit card. At that point, you learn of the impending vulnerabilities and release one hell of a worm virus on the net. Stick a fork in me, I'm done...

Why Microsoft gets attacked on Slashdot

[0x0d0a]

Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.

Re:911 is a joke

[mcmonkey]

Everyday they don't never come correct
You can ask my man right here with the broken neck
He's a witness to the job never bein' done
He would've been in full in 8 9-11
Was a joke 'cause they always jokin'
They the token to your life when it's croakin'
They need to be in a pawn shop on a
911 is a joke we don't want 'em
I call a cab 'cause a cab will come quicker
The doctors huddle up and call a flea flicker
The reason that I say that 'cause they
Flick you off like fleas
They be laughin' at ya while you're crawlin' on your knees
And to the strength so go the length
Thinkin' you are first when you really are tenth
You better wake up and smell the real flavor
Cause 911 is a fake life saver

So get up, get, get get down
911 is a joke in yo town
Get up, get, get, get down
Late 911 wears the late crown

- Public Enemy

In other news...

[jrod2027]

...The National Weather Service has announced it will offer early warnings for natural
disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.

Microsoft early warning service for $5 per user

[KWTm]

I am offering a low-cost service to users of Microsoft products. For a mere $5, you will receive a notice that says:

WARNING -- Your product is riddled with security holes!

There, now people can be warned.

Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!

Typically baseless /. FUD

[reverendslappy]

The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.

The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.

And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.

Most of the anti-MS FUD on /. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.