Microsoft Opens Access to Vulnerability Notifications

joseph schmo writes "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them. Previously, it was only offering early notifications to 'Premier and other 'representative' customers,' or those customers who would sign a Non-disclosure statement."

no posts and already /.'d

[sf]

A pre-emptive strike perhaps ?

Re:no posts and already /.'d

[AlexanderYoshi]

Must be that microsoft decided to change their mind and unleashed the fury of the swarm. :-)

Re:no posts and already /.'d

[Esteanil]

It was down even when it showed up in the Mysterious Future, and yeah, I did mail the editor about it...

http://www.computerweekly.com/articles/article.asp ?liArticleID=134810&liArticleTypeID=1&liCategoryID =1&liChannelID=13&liFlavourID=1&sSearch=&nPage =1 is a brand new article about MS giving advance notice of security updates, I guess it's the same piece of news.

Re:no posts and already /.'d

[Fallen+Andy]

More like a post emptive one. Talk about the stable door being open.. Most of us *already* spend 1+ hours trawling the usual sites -

SANS - http://sans.org and http://www.dshield.org
CERT - http://www.cert.org

symantec, clamwin, kaspersky, If I go through the whole list I'll /. /.
(sighs)

It's not like windows update *helps*. What happens if it clashes with a download from symantec or someone else. Help my machine got 0wned by Murphy?

(I always worry about which monster will hit the nuclear red switch first)

Sorry, but someone has to rant, and I've just pulled an all nighter (too old at 45, don't want to play cards with Peel/George Burns yet)

Somebody go nuke the MS campus and start again heeding Don Knuth's famous words about code being lost and ending up much better for the re-write...

Mark me a troll please. (Does this *always* work?)

Re:no posts and already /.'d

[glebd]

Right. So now all those "Security Update Notification from Microsoft" emails with suspicious attachments I've been receiving will become legitimate.

So?

Just set a Slashdot RSS up? Does the same thing!

Re:So?

The RSS feed will also keep your mail filter from misclassifying the endless messages as spam.

Re:So?

[einhverfr]

You mean they have to open their Access database to find their security vulnerability information?

Just finally?

About 5 years too late I think.

I guess this is their way of saying...

[AlexanderYoshi]

I guess this is their way of saying... "We don't understand these things either!"

Re:I guess this is their way of saying...

[nijk]

Is this one small step towards the open source model?

Re:I guess this is their way of saying...

[afd8856]

Sure, but it will only apply to their windows 2000 product :)

It's a cool trick

You still won't be able to learn about vurnerabilities due to overflooded mailbox.

Slashdotted

[PhrostyMcByte]

It was probably talking about this.

Re:Slashdotted

[essreenim]

Its amazing that they dont see the irony 'bulletinadvance.mspx'

bullet in advance -hehe

Re:Slashdotted

[Ingolfke]

You insenstive dolt...

'bull etinad vance' is latin...

move along now, nothing to see here.

Self Discipline?

[Amiga+Lover]

If this is indeed as open as it sounds, then it's a massive step forward. MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

Whether it's actually this open, and whether they do end up fixing more problems because of it still has to be seen. Past behaviour has me cynical.

Re:Self Discipline?

[blowdart]

MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

Hold on. By giving a summary of fixes coming up, thus indicating the fix is already there does not change anything, or do what you suggest. This is not full disclosure of unfixed problems.

All that's happening is you'll get advanced summaries of what the monthly security updates will contain. They've already fixed it when this happens.

Working links

[DeadSea]

Get your early warnings here:

Microsoft Security Bulletin Advance Notification

Another news story about it:

• Information Week - Microsoft To Issue Early Warnings For Patch Tuesday Nov. 4, 2004 - The software maker will provide a summary of planned security bulletins three days in advance.

Re:Working links

[ppz003]

Does it bother anyone else that the first advisory they post is set for November 9th, the same day as the Firefox release, and is for the Microsoft Internet Security and Acceleration (ISA) Server?

Me thinks an update to the firewall... Block all outbound access for process firefox.exe...

They were just jealous

[thewonderllama.com]

BitTorrent traffic down to 33% of all internet traffic.... 28%... 22%... ~BS

Re:They were just jealous

[advocate_one]

Expect to see Microsoft's own proprietary, Media company friendly, extension to Bittorrent to be included with next update to IE or MP... they want to control the traffic... to just those torrents officially published by the Media companies with access to them paid for and fully DRM'd...

Re:They were just jealous

[advocate_one]

Those who want access to legitimate content only available via that channel, or else those who have had the MS BT client foisted upon them as the bundled client and don't know or don't care that there are other clients... kind of like how so many continue to use outlook express or internet explorer despite so many excellent packages being available out there. There's a just about useable ms client and putting a real client on is just too much effort...

Re:They were just jealous

as far as I'm concerned, MS can't do that because bittorrent is open source. They would have to release all source code of any program that uses bittorrent code.

Re:They were just jealous

[advocate_one]

the bittorrent progam may be open source, but that can't prevent them from producing their own closed source client program to implement the protocol now can it... Interoperability works both ways.

Re:Karmawhore

[metlin]

So?

Big deal, how is posting useful information Karmawhoring?

I'm sure that when everyone started out, they've tried to getting their karma atleast a few times.

Atleast he's helping everyone out -- it sure as hell beats posting pointless AC comments and adding nothing worthwhile to the discussion.

Who cares?

[sridev]

Was anyone really waiting for this to happen?

I'm fine with the automatic Windows update!

Re:Who cares?

[metlin]

Well, it had to happen eventually.

I suspect that they came under a lot of fire for not having opened it up to everyone, especially since it would help alleviate a lot of the issues due to vulnerabilities, particularly worms.

Good thing, atleast they listen :-)

Re:Who cares?

[julesh]

I'm fine with the automatic Windows update!

That's what I thought until it stopped downloading patches for me without notification or error message (turns out I had failed to download an update that was labelled as non-critical which included a patch for BITS, which automatic update relies on, and it therefore stopped working... apply that patch and suddenly I had about two months' worth of critical updates coming down all at at once).

Re:Who cares?

Corporate sysadmins care. If you have three days warning of a really urgent patch, then you get to plan the patching better: notify users, set up testing, arrange overtime etc.

Re:Who cares?

[ssimontis]

Wow. You have it a lot better than me. I have automatic updates on and haven't noticed anything different. When it does try to download patches, it takes forever and I finally have to go download it myself. I think it would be nice if Microsoft secured their OS before they shipped it so we didn't have to worry about this.

More links....

Computer Weekly

Hmmm

[pmc255]

Considering the high amount, this could be considered a new form of spam ;)

Re:Hmmm

[metlin]

Well, look at the bright side - atleast they won't be asking you to grow new boobies.

That's Good...

[gowen]

... because before I was having to use an unpatched backdoor in IIS in order to access the webpages detailing the latest vulnerabilities.

Re:Who The Hell Uses Microsoft Products Anymore?

[thewonderllama.com]

Pfft. But then what do they do when you're on the road and need to access your documents and have forgotten their user name and password? They're screwed. ~BS

I donno

[lakiolen]

... that I would want to sign up for that. I don't think my mail server would be able to handle the strain.

Re:I donno

[Orgazmus]

Oh, is it running windows?

Well, not that interesting

[dago]

What they will do is pre-announce the forecoming security bulletings 3 days in advance, and without details.

So, on saturdays, every 3 months, you'll get something like : Next tuesday, there will be 5 new vulnerabilities, 2 of them being critical.

Re:Who The Hell Uses Microsoft Products Anymore?

[gowen]

Who The Hell Uses Microsoft Products Anymore?

About 90% of the world's home/office computer users. No stop asking stupid questions.

As If

[Dorsai65]

I don't already get enough email.

Re:Who The Hell Uses Microsoft Products Anymore?

[Jugalator]

Hasn't everyone moved on to OS X and Linux?

What, are you saying you need to run both to get an improvement over Windows?

Anyway, yeah I'll switch to OS X. Just hand me the damn hardware.

Watch network traffic go up

[supercytro]

"Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them"
...and people thought spam was bad. Prepare to find mail-bombed by MS:-)

Anyways, yes, I'm being facetious. This is a good announcement for everyone. I could never understand what the logic was by trying to hide what vulnerabilities were fixed in an update. This should allow those in charge of admin to reasonably evaluate the state and impact of the updates and vulnerability.

Re:Who The Hell Uses Microsoft Products Anymore?

[baker_tony]

>Who The Hell Uses Microsoft Products Anymore?

The cave you are in must be very deep, unless that was some very poor attempt at humour on your behalf?

Dayly vulnerability

[julie-h]

When I get up in the morning, I always drink my coffee over the Dayly Vulnerability Report.

Re:Dayly vulnerability

How old are you? 10? Do yourself a favor - if you're really an adult and live in the technology world, learn how to freaking spell. God, you're pathetic.

Re:Dayly vulnerability

OH1 you must be referring to day lee.

Re:Who The Hell Uses Microsoft Products Anymore?

[Tim+C]

Expensive

Compared to what? My PC cost ten times what I can buy XP Pro for. I've personally used software costing hundreds of thousands of pounds.

buggy

Show me a complex piece of software that doesn't suffer from bugs. Linux distributors and Apple also release buggy software (and no, pointing out that most of the software that comes with a Linux distro is written by third parties is not an excuse - the distributor has the source and chooses to include the app. They assume some responsibility for it)

insecure

Put it behind a firewall, keep it up to date with patches, and don't be an idiot about using it - just as you should be doing with any network-aware piece of software.

Hasn't everyone moved on to OS X and Linux?

Actuall, I've moved back to Windows having used Linux for a couple of years. No real complaints, it just doesn't run some software I need to use, and most of the things that bugged the shit out of me about Windows have been fixed. The right tool for the right job; in my case, that's currently Windows.

No real difference

[dcam]

From the Article all this means that you get an extra 3 days notice before the monthly release of security bulletins. What is the point of that?

The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle. The current MS situation means that you arr vulernable for up to a month (if not more).

Microsoft's initial assumtion that virus's & scripts are released only when the patch is release is largely flawed.

Re:No real difference

[ctr2sprt]

The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle.

What's to be gained from that? "There's a critical IIS vulnerability that allows remote attackers to take complete control of your computer. Sorry, no patch yet. We recommend firewalling ports 80 and 443 or disabling IIS on your web server."

Recently, at least, MS has been telling us in advance of workarounds for critical vulnerabilities where a workaround exists. (For example, disabling ActiveX in IE.) Even when they don't have a real fix yet.

Microsoft's initial assumtion that virus's & scripts are released only when the patch is release is largely flawed.

I'm not sure that's their assumption at all. I think it's more like "Why draw attention to something bad we can't do anything about yet?" You're certainly right that some attacks begin before the patch is released. But remember that all the biggest worms - at least that I can remember - exploit vulnerabilities that were fixed by MS months before.

I really don't have any problems with MS's approach to issuing patches. Considering what they have to work with - a painfully insecure, bloated, complex, closed-source operating system - they are really doing about the best they can. (If you want to fault them for any of those problems I just listed, I'll absolutely agree with you.)

from the open-doors dept.

[neko9]

more like form the open-doors-closed-windows dept.

Re:Karmawhore

[dcam]

Anyone who posts AC for any reason other than for reasons of confidentiality is to be despised.

If you post AC for any other reason you are not willing to stand by your comments, which is beneath contempt. I have never posted AC and will not do so unless under an NDA, or I am posting information that is otherwise confidential.

Tool.

Scripted Updates

[bzBetty]

Does this mean i should be able to get a program/script soon to download updates automatically to a directory on my linux serveer for distribution at my pleasure? or can i get that already. Basically I'm just wanting a way to download the new updates for certain versions of windows, then maybe some form of notification that i have a new update sitting around. This is mostly to help with servicing alot of customer PCs

Re:Scripted Updates

[pandrijeczko]

Assuming this is a serious question, I don't play around with Windows much but I do recall that the Windows updates were available as standard HTTP/FTP downloads somewhere on Microsoft's web site, outside of Windows Update.

Assuming that's still the case and you can find out where they are, you could always use a program like wget on the BASH command-line to retrieve them (or any HTTP/FTP document or file).

Writing a script around that to determine what's available and what's been updated, as well as emailing you or a number of other people, should be fairly straightforward.

Re:Scripted Updates

[pandrijeczko]

PS. If you're new to shell-scripting or if you just want a collection of good useful scripts, you cannot IMHO do better than Wicked Cool Shell Scripts which has about 100 example scripts, a couple of which show how to do neat stuff with wget and the Lynx browser in command-line mode.

Re:Scripted Updates

[blowdart]

Whilst it's not what you ask for, how about a Windows solution.

Ok, have you stopped laughing? Windows SUS (software update services) will pull down all those nice updates.

Re:Scripted Updates

[Saint+Aardvark]

It's a little different from what you're talking about, but check out Daisy. It's basically an Open Source version of MS' Windows Update program (SUS, I think?) -- it runs on a Windows computer, and periodically checks an archive you maintain of patches to apply. It'll do the right thing -- apply 'em at once, reboot, email you the results and so on. I have yet to set it up at work, but that's lack of time, not not lack of interest.

Re:Scripted Updates

[HydrusZ]

You've been able to do this for a long time using SUS. It's a personal, configurable Windows Update server. Of course, you need a Windows server with IIS to use it.

Updates have always been available for download through http://support.microsoft.com, but they are not stored in any central area that you can get to programatically. But this is why Microsoft only releases updates once a month. You know exactly what day you'll get the security newsletter on, and all you have to do is follow the link and download what you need.

Re:Karmawhore

I have never posted AC and will not do so unless under an NDA, or I am posting information that is otherwise confidential.

Interesting. So your code of ethics allows you to break your word and reveal confidential information, but not to hide from Slashdot readers your nickname (dcam: email not shown publicly). Bravo.

But what happens if....

[pandrijeczko]

...there's a vulnerability in Microsoft Vulnerability Notification that causes Microsoft Vulnerability Notification to send out spurious vulnerability notifications?

Re:But what happens if....

[madaxe42]

Then vulnerability notifications regarding vulnerable vulnerability notifications won't get out, leading to more vulnerabilities in the vulnerability notification service, leading to more false vulnerabilities, causing vulnerabilities to be vulnerable?

Re:In Soviet Russia...

[madaxe42]

No no no...

In vulnerability, Soviet Russia Accesses YOU!

It took this long...

[Anti+Frozt]

For MS to open up Access to vulnerabilities? I mean, what gives? They did so well in opening Outlook to vulnerabilities years ago. I hope someone got fired for this blatant slacking off.

Oh wait...

The page ad says

"Windows XP Service Pack 2 can help. Download and evaluate it for free TODAY."

Sure, sure. And if you don't like it, you can fucking reformat your drive to get rid of it. That's like testing a rocket engine on your car, and you just run the thing into a brick wall to get it stopped. Awesome.

Anyway, I don't see how this is going to help anyone. Telling Goatse man that his anus is gaping wide open doesn't address the actual gaping anus. It just makes him aware of the gaping anus, and he's likely to tell you "Ok. Thanks!"

Shut up and take your identity theft like a man...

Re:Who The Hell Uses Microsoft Products Anymore?

[SilentChris]

"Hasn't everyone moved on to OS X and Linux?"

I personally find an OS X/Windows XP Pro/Linux combination come in quite handy. Run Linux as the server (storage and security), Windows XP Pro as the desktop (gaming and multimedia) and OS X on a portable (basic apps). All of them can talk to each other just fine, and each excels at what it does.

uhhh, daily?

I think you meant to type "daily," unless there is a pun here I'm missing. But if not, I completely understand being myself a product of the NC public schools system.

Half Of The Problem

[EXTomar]

You are correct: all vendors should release fixes and patches as soon as they've been internally "blessed". The problem with Windows however is that patching is such a pain. Almost none of their server technology can be "conditionally restarted". Almost none of their kernel modifications are actually put "installed" until the reboot. What is just as bad is you have to reboot again to roll back.

I do realize the importance of getting fixes, especially vulnerability in a very timely manner but because of the way Windows is built its nearly impossible to implement such a "patch on the fly" plan that so many other systems seem to enjoy.

Re:Half Of The Problem

[man_ls]

If you update your Linux kernel, you have to reboot too.

Most MS patches for non-Kernel things (although the "kernel" does tend to touch a lot more than the *nix ones.) can deal with a service restart too.

Linux costs 699.00!!!

[3.5+stripes]

Those SCO guys were nice though, gave a me nice framable certificate.

Re:Who The Hell Uses Microsoft Products Anymore?

Who handed you the damn hardware to run Windows?

Assuming that you don't use OS X because you can't afford the hardware, a cooler excuse would be that you are waiting for Apple to deliver the one you ordered ;-)

Re:Who The Hell Uses Microsoft Products Anymore?

Amen Brother.

Just a non disclosure agreements? *BOGGLE*

[relaxrelax]

You just have to sign a non disclosure agreements to know about vulnerabilities first? Or pay some token fee??? *BOGGLE*

You mean, spammers and spyware makers get notified of vulnerabilities *first* and if they abuse the vulnerabilities while keeping their mouth shut they can get away with it?

That's worse than I thought... Microsoft is handing the malware people the backdoor of the week on a silvery plate *before we know it exists*.

I'm visualizing a malware server doing its evil job, and getting a "backdoor of the week abuser" plug-in for whatever it's doing. Not having to hack themselves, the spammers just suscribe to a hacker who gets advance warnings and makes backdoor abusers... so convenient... thank you Microsoft, I can update my spamware without even rebooting!

Kudos to microsoft for finally stopping that stupid selective early warning practice, something they should have done in the late 80's...

(too little too late, I'm on freeBSD now!)

P.S.: With so many spammers, they are a fraction of the market worth their own "representative costumer" at Microsoft. Microsoft has an issue of not turning down certain "costumers"...

Re:Just a non disclosure agreements? *BOGGLE*

Inevitably, the "costumer" is always right...

That means that you have the green light to wear your clown suit after all.

very troubling

It's very troubling that they haven't been disclosing these vulnerabilities all along.

MS clearly has a culture that encouraged secrecy (or semi-secrecy) for many years about this. A sudden change in policy does not mean that the underlying culture has changed. It just means that there's now a certain amout of internal grumbling within MS about this new "reckless policy of airing our dirty laundry in public".

The true problem at MS is a poisonous culture that places a premium on secrecy: Closed source. Closed bug lists. It's all part of the same basic cultural weakness.

Re:Karmawhore

[Zarendahl]

Some people just don't take the agreements that they sign seriously anymore. In the line of work I am in I had to sign an NDA, and I would NEVER violate that under any circumstances.

If you are unwilling to abide by that CONTRACT you signed, then DON'T SIGN IT!!!!!

The company you work for, if they find out you were the person who broke that contract, can go after the person who broke said contract for among other things, breach of contract.

Other charges can include theft of information, and god forbid, Identity Theft charges. Those carry prison terms if convicted. Don't you realize that you are in a trusted position, otherwise they wouldn't have made you sign that piece of paper in the first place, now would they?

Read your NDA sometime, and see what the minimal punishment would be. Suffice to say, breaking the NDA can cause you to be terminated from your place of employment. And, possibly, charges pressed for theft, or worse...

Now, is posting such things here anonymously worth the risk?

Re:Who The Hell Uses Microsoft Products Anymore?

No stop asking stupid questions.

WTF does that mean? He is to continue asking such questions?

Re:Who The Hell Uses Microsoft Products Anymore?

[antoy]

I wish people would be more like you. Besides programming (I'm mainly a Windows programmer, and also do linux occasionaly), I don't really care about the platform I'm running for basic things (I used to, when I was, like, 17). I do recognize each platform's strengths and weaknesses, and mix n' match depending on what I want to do.

US$300K for PC software?

[nusratt]

"I've personally used software costing hundreds of thousands of pounds."

Did you mean this literally? Hundreds (plural) OF thousands?
I presume you're not referring to something like "five thousand pounds per single-PC license, multiplied across 40+ seats" --
because, if that's what you meant, then it would be somewhat misleading.

Just out of curiosity, what PC-based software do you personally use which costs a minimum of 200K *GBP* for a SINGLE user?

OK, so slashdot is showing it is clueless, again..

I have read so many post whining and crying about not being able to get the patches and updates to THEIR local network at a central point, and other ignorant FUD.

1 - SUS
2 - Hfnetchk
3 - MOM
4 - SMS
5 - GFI

so many ways to centralizae the updates, and push them, yet the bashing-wagon can't remove the blinders, so they spread the FUD out of ignorance...

ohhhh for the whiners that want to point at the price, SUS is free. Ohhhhh but now they want to whine that it cost to buy the Server OS, well DUH!
MS is not a group of zealots working for free while whining they can't live off the part time money they make flipping burgers...get a clue. MS is a CORP, CORP's are there to MAKE MONEY...

remember your "it should be free" whine the next time you want to be paid for your code...

MS Access is a flaw in itself

[lateralus_1024]

We already know about the Diebold issues, we're just to lethargic to demand a better democracy.

Re:MS Access is a flaw in itself

[lateralus_1024]

Sorry. A classic example of someone seeing "Access" in the title of an article& not r-ing the TFA, while trying to get a slashdot post fix at work.
I do stand by the parent post however!

Re:Who The Hell Uses Microsoft Products Anymore?

Compared to what? My PC cost ten times what I can buy XP Pro for.
You ever hear of something called 'bare-bones' or do you just like paying ten times more for your hardware then you need to?
Even then, a personal operating system should not cost the same amount as the hardware its running on.

Show me a complex piece of software that doesn't suffer from bugs. Linux distributors and Apple also release buggy software
They sure do. But at least when their users report bugs, they actually try to fix them.

Put it behind a firewall, keep it up to date with patches, and don't be an idiot about using it
Ahh, the good old 'its the users fault' for not running a fire wall. Guess what, if the OS was secure, it wouldnt need a firewall.

Readable version

http://shit.slashdot.org/article.pl?sid=04/11/05/0 312254

so...

[zxflash]

instead of fixing the flaws that are made public by hackers faster they're goint to tell us and those who have malicious intent about more problems more often?