Slashdot Mirror


Microsoft Opens Access to Vulnerability Notifications

joseph schmo writes "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them. Previously, it was only offering early notifications to 'Premier and other 'representative' customers,' or those customers who would sign a Non-disclosure statement."

36 of 104 comments

  1. no posts and already /.'d by sf · · Score: 3, Funny

    A pre-emptive strike perhaps ?

    1. Re:no posts and already /.'d by Esteanil · · Score: 2, Informative

      It was down even when it showed up in the Mysterious Future, and yeah, I did mail the editor about it...

      http://www.computerweekly.com/articles/article.asp?liArticleID=134810&liArticleTypeID=1&liCategoryID=1&liChannelID=13&liFlavourID=1&sSearch=&nPage=1 is a brand new article about MS giving advance notice of security updates, I guess it's the same piece of news.

      --
      I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    2. Re:no posts and already /.'d by glebd · · Score: 2, Funny

      Right. So now all those "Security Update Notification from Microsoft" emails with suspicious attachments I've been receiving will become legitimate.

  2. So? by Anonymous Coward · · Score: 5, Funny

    Just set a Slashdot RSS up? Does the same thing!

  3. Just finally? by Anonymous Coward · · Score: 3, Insightful

    About 5 years too late I think.

  4. I guess this is their way of saying... by AlexanderYoshi · · Score: 3, Funny

    I guess this is their way of saying... "We don't understand these things either!"

  5. It's a cool trick by Anonymous Coward · · Score: 3, Funny

    You still won't be able to learn about vulnerabilities due to overflooded mailbox.

  6. Slashdotted by PhrostyMcByte · · Score: 5, Informative

    It was probably talking about this.

    1. Re:Slashdotted by essreenim · · Score: 2, Funny

      It's amazing that they don't see the irony 'bulletinadvance.mspx'

      bullet in advance -hehe

  7. Self Discipline? by Amiga+Lover · · Score: 4, Insightful

    If this is indeed as open as it sounds, then it's a massive step forward. MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

    Whether it's actually this open, and whether they do end up fixing more problems because of it still has to be seen. Past behaviour has me cynical.

    1. Re:Self Discipline? by blowdart · · Score: 5, Insightful

      MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

      Hold on. By giving a summary of fixes coming up, thus indicating the fix is already there does not change anything, or do what you suggest. This is not full disclosure of unfixed problems.

      All that's happening is you'll get advanced summaries of what the monthly security updates will contain. They've already fixed it when this happens.

  8. Working links by DeadSea · · Score: 5, Informative
    1. Re:Working links by ppz003 · · Score: 2, Interesting

      Does it bother anyone else that the first advisory they post is set for November 9th, the same day as the Firefox release, and is for the Microsoft Internet Security and Acceleration (ISA) Server?

      Me thinks an update to the firewall... Block all outbound access for process firefox.exe...

  9. They were just jealous by thewonderllama.com · · Score: 5, Funny

    BitTorrent traffic down to 33% of all internet traffic.... 28%... 22%... ~BS

    --
    Home of the EULA shirt
  10. Who cares? by sridev · · Score: 3, Interesting

    Was anyone really waiting for this to happen?

    I'm fine with the automatic Windows update!

    1. Re:Who cares? by metlin · · Score: 2, Insightful

      Well, it had to happen eventually.

      I suspect that they came under a lot of fire for not having opened it up to everyone, especially since it would help alleviate a lot of the issues due to vulnerabilities, particularly worms.

      Good thing, at least they listen :-)

    2. Re:Who cares? by julesh · · Score: 5, Interesting

      I'm fine with the automatic Windows update!

      That's what I thought until it stopped downloading patches for me without notification or error message (turns out I had failed to download an update that was labelled as non-critical which included a patch for BITS, which automatic update relies on, and it therefore stopped working... apply that patch and suddenly I had about two months' worth of critical updates coming down all at once).

    3. Re:Who cares? by Anonymous Coward · · Score: 2, Insightful

      Corporate sysadmins care. If you have three days warning of a really urgent patch, then you get to plan the patching better: notify users, set up testing, arrange overtime etc.

  11. More links.... by Anonymous Coward · · Score: 2, Informative
  12. Hmmm by pmc255 · · Score: 3, Funny

    Considering the high amount, this could be considered a new form of spam ;)

  13. That's Good... by gowen · · Score: 5, Funny

    ... because before I was having to use an unpatched backdoor in IIS in order to access the webpages detailing the latest vulnerabilities.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  14. Well, not that interesting by dago · · Score: 4, Informative

    What they will do is pre-announce the forthcoming security bulletins 3 days in advance, and without details.

    So, on saturdays, every 3 months, you'll get something like : Next tuesday, there will be 5 new vulnerabilities, 2 of them being critical.

    --
    #include "coucou.h"
  15. Re:Who The Hell Uses Microsoft Products Anymore? by gowen · · Score: 2, Informative

    Who The Hell Uses Microsoft Products Anymore?

    About 90% of the world's home/office computer users. No. Stop asking stupid questions.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  16. Watch network traffic go up by supercytro · · Score: 2, Interesting

    "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them"
    ...and people thought spam was bad. Prepare to be mail-bombed by MS :-)

    Anyways, yes, I'm being facetious. This is a good announcement for everyone. I could never understand what the logic was by trying to hide what vulnerabilities were fixed in an update. This should allow those in charge of admin to reasonably evaluate the state and impact of the updates and vulnerability.

  17. Re:Who The Hell Uses Microsoft Products Anymore? by Tim+C · · Score: 4, Insightful

    Expensive

    Compared to what? My PC cost ten times what I can buy XP Pro for. I've personally used software costing hundreds of thousands of pounds.

    buggy

    Show me a complex piece of software that doesn't suffer from bugs. Linux distributors and Apple also release buggy software (and no, pointing out that most of the software that comes with a Linux distro is written by third parties is not an excuse - the distributor has the source and chooses to include the app. They assume some responsibility for it)

    insecure

    Put it behind a firewall, keep it up to date with patches, and don't be an idiot about using it - just as you should be doing with any network-aware piece of software.

    Hasn't everyone moved on to OS X and Linux?

    Actually, I've moved back to Windows having used Linux for a couple of years. No real complaints, it just doesn't run some software I need to use, and most of the things that bugged the shit out of me about Windows have been fixed. The right tool for the right job; in my case, that's currently Windows.

  18. No real difference by dcam · · Score: 5, Insightful

    From the Article all this means that you get an extra 3 days notice before the monthly release of security bulletins. What is the point of that?

    The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle. The current MS situation means that you are vulnerable for up to a month (if not more).

    Microsoft's initial assumption that viruses & scripts are released only when the patch is released is largely flawed.

    --
    meh
    1. Re:No real difference by ctr2sprt · · Score: 2, Insightful
      The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle.
      What's to be gained from that? "There's a critical IIS vulnerability that allows remote attackers to take complete control of your computer. Sorry, no patch yet. We recommend firewalling ports 80 and 443 or disabling IIS on your web server."

      Recently, at least, MS has been telling us in advance of workarounds for critical vulnerabilities where a workaround exists. (For example, disabling ActiveX in IE.) Even when they don't have a real fix yet.

      Microsoft's initial assumption that viruses & scripts are released only when the patch is released is largely flawed.
      I'm not sure that's their assumption at all. I think it's more like "Why draw attention to something bad we can't do anything about yet?" You're certainly right that some attacks begin before the patch is released. But remember that all the biggest worms - at least that I can remember - exploit vulnerabilities that were fixed by MS months before.

      I really don't have any problems with MS's approach to issuing patches. Considering what they have to work with - a painfully insecure, bloated, complex, closed-source operating system - they are really doing about the best they can. (If you want to fault them for any of those problems I just listed, I'll absolutely agree with you.)

  19. from the open-doors dept. by neko9 · · Score: 4, Funny

    more like form the open-doors-closed-windows dept.

  20. Re:Scripted Updates by pandrijeczko · · Score: 2, Informative
    Assuming this is a serious question, I don't play around with Windows much but I do recall that the Windows updates were available as standard HTTP/FTP downloads somewhere on Microsoft's web site, outside of Windows Update.

    Assuming that's still the case and you can find out where they are, you could always use a program like wget on the BASH command-line to retrieve them (or any HTTP/FTP document or file).

    Writing a script around that to determine what's available and what's been updated, as well as emailing you or a number of other people, should be fairly straightforward.

    --
    Gentoo Linux - another day, another USE flag.
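    The "what's available and what's been updated" part of the script the comment sketches, as an added example that is not code from the commenter or from Microsoft. It assumes the listing page has already been fetched to a local file (with wget, as the comment suggests); the two listings created in demo() and their bulletin identifiers are constructed sample input so the script runs offline, and the MSyy-nnn pattern is Microsoft's bulletin numbering of the time.

```shell
#!/bin/sh
# Added example, not code from the thread: report bulletin identifiers that
# appear in a freshly fetched listing but were absent from the previous one.
# Fetching is left to the caller, for example:
#   wget -q -O listing.html "$LISTING_URL"   # URL of whatever page you track
# The listings used in demo() below are constructed sample input.
set -e

# extract_ids FILE: print the bulletin identifiers found in FILE, sorted and
# deduplicated. MSyy-nnn is Microsoft's bulletin numbering; change the pattern
# to track a differently formatted page.
extract_ids() {
    grep -o 'MS[0-9][0-9]-[0-9][0-9][0-9]' "$1" | sort -u
}

# new_ids OLD NEW: identifiers present in NEW but absent from OLD (both sorted).
new_ids() {
    comm -13 "$1" "$2"
}

# check_for_updates STATE LISTING: compare the fetched LISTING with the
# identifiers stored in STATE, print any new ones, and refresh STATE.
# Exit status is 0 when something new appeared and 1 otherwise, so a cron
# entry can chain a notification onto it (pipe the output to your mailer).
check_for_updates() {
    state="$1"
    listing="$2"
    current="$(mktemp)"
    extract_ids "$listing" > "$current"
    [ -f "$state" ] || : > "$state"     # first run: empty baseline
    added="$(new_ids "$state" "$current")"
    mv "$current" "$state"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 0
    fi
    return 1
}

# demo: two constructed listings a week apart; the identifiers are made up.
demo() {
    dir="$(mktemp -d)"
    printf '<li>MS04-901 Critical</li>\n<li>MS04-902 Important</li>\n' \
        > "$dir/week1.html"
    printf '<li>MS04-901 Critical</li>\n<li>MS04-902 Important</li>\n<li>MS04-903 Critical</li>\n' \
        > "$dir/week2.html"
    echo "first run (everything is new):"
    check_for_updates "$dir/state" "$dir/week1.html" || true
    echo "second run (only the new entry):"
    check_for_updates "$dir/state" "$dir/week2.html" || true
    rm -rf "$dir"
}

demo
```

    The state file is just the sorted identifier list from the last run, so the diff is a `comm` rather than a full page diff; that keeps the script quiet when the page's boilerplate changes and only the bulletin set matters.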
  21. Re:Scripted Updates by pandrijeczko · · Score: 4, Informative

    PS. If you're new to shell-scripting or if you just want a collection of good useful scripts, you cannot IMHO do better than Wicked Cool Shell Scripts which has about 100 example scripts, a couple of which show how to do neat stuff with wget and the Lynx browser in command-line mode.

    --
    Gentoo Linux - another day, another USE flag.
  22. But what happens if.... by pandrijeczko · · Score: 2, Funny

    ...there's a vulnerability in Microsoft Vulnerability Notification that causes Microsoft Vulnerability Notification to send out spurious vulnerability notifications?

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:But what happens if.... by madaxe42 · · Score: 2, Funny

      Then vulnerability notifications regarding vulnerable vulnerability notifications won't get out, leading to more vulnerabilities in the vulnerability notification service, leading to more false vulnerabilities, causing vulnerabilities to be vulnerable?

  23. The page ad says by Anonymous Coward · · Score: 2, Funny

    "Windows XP Service Pack 2 can help. Download and evaluate it for free TODAY."

    Sure, sure. And if you don't like it, you can fucking reformat your drive to get rid of it. That's like testing a rocket engine on your car, and you just run the thing into a brick wall to get it stopped. Awesome.

    Anyway, I don't see how this is going to help anyone. Telling Goatse man that his anus is gaping wide open doesn't address the actual gaping anus. It just makes him aware of the gaping anus, and he's likely to tell you "Ok. Thanks!"

    Shut up and take your identity theft like a man...

  24. Linux costs 699.00!!! by 3.5+stripes · · Score: 3, Funny

    Those SCO guys were nice though, gave a me nice framable certificate.

    --
    He tried to kill me with a forklift!
  25. Re:Scripted Updates by HydrusZ · · Score: 2, Informative

    You've been able to do this for a long time using SUS. It's a personal, configurable Windows Update server. Of course, you need a Windows server with IIS to use it.

    Updates have always been available for download through http://support.microsoft.com, but they are not stored in any central area that you can get to programmatically. But this is why Microsoft only releases updates once a month. You know exactly what day you'll get the security newsletter on, and all you have to do is follow the link and download what you need.

  26. very troubling by Anonymous Coward · · Score: 2, Insightful


    It's very troubling that they haven't been disclosing these vulnerabilities all along.

    MS clearly has a culture that encouraged secrecy (or semi-secrecy) for many years about this. A sudden change in policy does not mean that the underlying culture has changed. It just means that there's now a certain amount of internal grumbling within MS about this new "reckless policy of airing our dirty laundry in public".

    The true problem at MS is a poisonous culture that places a premium on secrecy: Closed source. Closed bug lists. It's all part of the same basic cultural weakness.