Slashdot Mirror


Early Warning For Microsoft Premium Customers

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."

34 of 454 comments

  1. Early Warning For Slashdot by Anonymous Coward · · Score: 5, Funny

    Kind of like the paid customers using slashdot who get a chance to read the clicky links before it dies.

    1. Re:Early Warning For Slashdot by MetalliQaZ · · Score: 5, Informative

      If you actually read the article, you would know that they aren't actually offering patches early to their premium customers, they are only letting them know that patches are on the way. Everyone in the world gets the patches at the same time. Premium customers are at the same risk as we are. The reason for the "heads up" is so that IT managers can get ready for the huge task of updating every machine they manage. Individuals have only their own computer, or at most a handful of others. These patches are usually expected anyway. And you can find a "heads up" of your own just by reading tech news sites online.
      -d

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    2. Re:Early Warning For Slashdot by jazman_777 · · Score: 5, Funny
      To continue the vehicle manufacturer analogy...

      Slashdot. News for Nerds. Stuff that Matters. Failed Car Analogies.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  2. Elite.. microsoft and govt by Davak · · Score: 4, Insightful

    The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

    Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)

    Other juicy information from the article:

    There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature.


    So we are supposed to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.

    The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...

    While that's a good theory... I bet it's really just microsoft preying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.

    1. Re:Elite.. microsoft and govt by FortKnox · · Score: 4, Interesting

      Wow, you are comparing computer bugs to life and death situations.

      What's worse is someone marked you 'insightful.'

      Sometimes slashdot think truly amazes me.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    2. Re:Elite.. microsoft and govt by Munra · · Score: 4, Interesting

      To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation...airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public facing ports/etc, but it is still a risk.

      Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
      Millions could be wiped off the economy of major countries.

      Manta

    3. Re:Elite.. microsoft and govt by Fareq · · Score: 4, Informative

      I hate to say this, but...

      RTFA

      Not getting patches or fixes sooner. Being told that there is a flaw sooner. In this case not even what the flaw is... just that there is one, and that in a day or so we'll tell the world what it is -- heads up, something's coming. That's it.

      No "protection," no early patches, no nothing. Just a nice little note saying "we're working on a couple of security flaws, details forthcoming"

      Calm yourself please. If you want to hate Microsoft, please do it for a valid reason, not some bullshit like this.

      Thanks.

      -- Fareq

  3. This is a big deal? by Control+Group · · Score: 4, Insightful
    At the risk of sounding like a Microsoft apologist, I really don't see the big deal, here. It's not like they're releasing patches only to premium subscribers, they're providing earlier notice of what's going to be covered in the next security bulletin. This doesn't affect the timetable for the release of vulnerability information or the release of patches. This is just MS saying "heads up, we're going to have a patch for a vulnerability in Office XP rolling out in three days."

    *shrug*

    Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).

    I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  4. Change one sentence in the summary... by Anonymous Coward · · Score: 5, Insightful

    I would re-write one sentence in the summary as:
    "Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
    (changed "than" to "FROM")

  5. Best quote from article by Portigui · · Score: 4, Insightful
    This is a quote from Gartner security analyst John Pescatore and it pretty much sums up my thoughts on this:
    If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.

    In a nutshell, is this not what MS is doing?
    1. Re:Best quote from article by Chess_the_cat · · Score: 4, Insightful
      > In a nutshell, is this not what MS is doing?

      No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.

      --
      Support the First Amendment. Read at -1
    2. Re:Best quote from article by MikeMacK · · Score: 4, Insightful

      Actually, if you have faulty brakes, you may fly. It's kinda like what MS is doing. It's more like, they are telling the people with the extended warranty about the faulty brakes before other customers, but they all will eventually get new brakes. I guess the point would be that if you knew you had faulty brakes, perhaps you wouldn't drive.

    3. Re:Best quote from article by wankledot · · Score: 4, Insightful
      The more things that are controlled by software in the world (warships, hospital equipment, critical infrastructure, etc.) the greater chance there is of software killing someone.

      However, anyone who uses and relies on software to keep someone alive, or keep something from killing someone should not be waiting for the latest IE patch to make sure their shit works.

      --
      My sig is blank, I typed this by hand.
  6. except... by Ignignot · · Score: 5, Insightful

    Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

    --
    I submitted this story last night, and it didn't get posted.
    1. Re: except... by Black+Parrot · · Score: 4, Funny


      > Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

      Maybe their Premium customers get to hear the excuses first.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:except... by Rust+Martialis · · Score: 4, Interesting
      Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it so I scanned a bunch of MS Alerts from 2004, and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533, CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

      Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

      Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

      I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

      So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries, others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

      Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

      --R.

  7. Equal? by Anonymous Coward · · Score: 4, Funny

    We are all equal, just some of us are more equal than others.

  8. Not So Bad by blueZhift · · Score: 4, Funny

    This isn't so bad, it just means that the premium customers get to beta test the patches for the rest of us!

  9. So what? News will still spread quickly by mdpowell · · Score: 4, Insightful

    That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later. But now MSFT will look bad (worse) because the press is announcing their flaws instead of them.

  10. This is a security focus? by trilks · · Score: 4, Insightful

    M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propagate the most damage to the rest of us). And the average user won't be a premium customer.

    Does it seem like M$ is saying one thing and doing another?

    --
    You won't hate yourself in the morning if you don't get up before noon.
  11. Virus Writers by Anonymous Coward · · Score: 4, Interesting

    It wouldn't take much for a virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.

    Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.

  12. even better yet... by Garabito · · Score: 5, Funny

    Those of us who are lucky enough to have no relationship with Microsoft may find ourselves at even lower risk than premium customers

  13. Not really by TheHonestTruth · · Score: 4, Informative
    Though this is a crummy thing to do, your/their example is not entirely accurate. It's not that Ford would not issue recalls to everyone, they would just let their premium customers know about the recall (that will be for everyone) in advance. People can then plan better when they will have their car serviced.

    -truth

    --

    I had a steady B+ in my AI class until I failed the Turing test...

  14. Re:Extortion by Control+Group · · Score: 4, Insightful
    Oh, for crying out loud.

    Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."

    This just isn't a big deal.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  15. Re:so how do it get this status by wideBlueSkies · · Score: 5, Insightful

    >>Security through $$$

    You mean "a false sense of security through $$$", right?

    wbs.

    --
    Huh?
  16. My MS Rep woke me up in the middle of the night by Anonymous Coward · · Score: 5, Interesting

    No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.

    At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?

    Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.

    For the record, we are an enterprise customer.

  17. Re:So what? News will still spread quickly by Araneas · · Score: 4, Interesting
    Yup the Microsoft Security Response Center Bulletin Releases are covered by an NDA.

    What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.

    Patching one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.

  18. As a Premium Customer Who Sees The Advance Notice by Rust+Martialis · · Score: 5, Informative
    Look, I know you all hate MS for being evil and all that, but sorry, the 'advance warning' is basically nothing.

    All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.

    There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.

    You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include 'sorry, I can't give you any details about Tuesday's patch'.

    Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

    --R.

  19. If only I was a slashdot subscriber... by DoubleDownOnEleven · · Score: 5, Insightful
    Then I could have commented on this article earlier on, and got a better score!

    That's not fair, slashdot should give their information out freely to everyone...

    Oh wait, they do, they just treat their paying customers a little better...

    I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?

    According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.

  20. Why Microsoft gets attacked on Slashdot by 0x0d0a · · Score: 4, Insightful

    > Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

    The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.

  21. Re:911 is a joke by mcmonkey · · Score: 4, Informative

    Everyday they don't never come correct
    You can ask my man right here with the broken neck
    He's a witness to the job never bein' done
    He would've been in full in 8 9-11
    Was a joke 'cause they always jokin'
    They the token to your life when it's croakin'
    They need to be in a pawn shop on a
    911 is a joke we don't want 'em
    I call a cab 'cause a cab will come quicker
    The doctors huddle up and call a flea flicker
    The reason that I say that 'cause they
    Flick you off like fleas
    They be laughin' at ya while you're crawlin' on your knees
    And to the strength so go the length
    Thinkin' you are first when you really are tenth
    You better wake up and smell the real flavor
    Cause 911 is a fake life saver

    So get up, get, get get down
    911 is a joke in yo town
    Get up, get, get, get down
    Late 911 wears the late crown

    - Public Enemy

  22. In other news... by jrod2027 · · Score: 5, Funny

    ...The National Weather Service has announced it will offer early warnings for natural disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.

  23. Microsoft early warning service for $5 per user by KWTm · · Score: 5, Funny

    I am offering a low-cost service to users of Microsoft products. For a mere $5, you will receive a notice that says:

    WARNING -- Your product is riddled with security holes!

    There, now people can be warned.

    Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]