Microsoft to Introduce Faster Security Disclosures
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
Microsoft isn't open on weekends? Is that too much to ask a multi-billion dollar company?
Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
Microsoft will now announce that Microsoft will announce security alerts within one business day of their reporting to Microsoft. Microsoft announces that any security holes not announced by Microsoft must therefore not exist. It's the industry standard: "We have a policy that we are not being hacked."
--
make install -not war
Someone who can't decide on whether to be a black hat or a white hat. Kinda like Michael Jackson.
Gray Hat: Somewhere between a "good guy" and a "bad guy" in terms of computer security.
It's a big cone shaped hat you have to put on before you sit in the corner.
A hacker/cracker who does illegal stuff but not unethical things.
I am trolling
Like a True-Neutral alignment in D&D terminology. They're a kit of the Hacker class, focused on searching out and exposing security vulnerabilities in software, and releasing that information to the public at large. Lawful-Good White Hats would be more likely to send in the information to the company without public exposure. Chaotic-Evil Black Hats (crackers) are the types more likely to exploit the vulnerabilities for their own nefarious purposes. Grey Hats are quite cool.
"Advisories will be issued within one business day of a publicly reported security hole"
If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?
I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
It could be worse, it could be Monday.
Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.
So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.
I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.
when researchers jump the gun and release vulnerability details before a patch is available.
Jump the gun? Oh that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.
Gotta love these articles. Nice spin, make the researchers look like the bad guys...
At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.
I discussed this with the MS Head of UK security (during a MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big Windows bug out on Tuesday', without enough information to judge impact - either before or after the announcement..."
I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...
MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
In the computer security community, a "Gray hat" is a skilled hacker who sometimes acts legally and in good will and sometimes not. They are a hybrid between white and black hat hackers. They hack for no personal gain, and do not have malicious intentions, but commit crimes. For example, attacking corporate businesses with unethical practices could be regarded as highly ethical and yet would normally be tagged with the title of Blackhat activity. However, to a Gray hat, it may not appear bad even though it is against the local law. So instead of tagging it a Black hat hack, it is a Gray hat hack.
It's a big cone shaped hat you have to put on before you sit in the corner.
Okay, can we get the PC police over here? That is no longer allowed because it might damage the self-esteem of people who have no reason to have any. Take the poster away, and book him.
At a Microsoft press conference today, aging software tycoon William Gates III touted his company's new "Accessible Code" policy whereby developers may examine the uncompiled routines which make up the Windows operating system and modify it to suit their needs provided they publicly release their changes under the same MSAC license.
Gates also outlined several points which he says give Microsoft an advantage over "Open Source Software" such as the ubiquitous Linux operating system and the Apache web server which runs more than 92% of all internet sites. Among these points were: advisories addressing publicly reported security vulnerabilities within one business day, free usage of Microsoft software by anyone (the Microsoft patented Pay-only-for-support model), and remarkable stability since there is no pressure from Marketing to release an unready version just to realize a revenue stream.
'These policies combine synergistically to leverage Microsoft over Open Sores Software', said Gates. 'The American system of patents and copyright clearly works. It gives people the freedom to choose. Because of this, almost half of all computer owners choose Microsoft Windows to be their desktop operating system. And the American jobs it creates may be yours. Recently after hiring 58,000 Bangladeshi software engineers, we created over 100 new jobs for Americans to proofread those engineers' milestone reports.'
'And if it weren't for our trusted copyright system, the Walt Disney Corporation would have had to lay off many of the foreigners they import from third world countries to sell snow-cones and wear that suit that makes them look like a certain mouse character whose name I'm not currently licensed to say in public,' Gates continued nervously, 'but you know the one I'm talking about.'
Investors reacted positively to the news as Microsoft shares rose fifty cents, breaking the five dollar barrier which had kept Microsoft in danger of being delisted from the NASDAQ as a penny stock. Only a 3 for 1 reverse split had kept it listed since the company was warned last September. The former billionaire left the building in a hail of applause, stopping briefly only to ask the time since his MS WinWatch had blue-screened and to ask several bystanders for a ride to the bus station.
Liberals call everyone Nazis yet they are the closest thing to it.
I'll head in on a weekend for really critical problems - for example, an OpenSSH vulnerability that I know will affect work's firewall. No way do I want to clean up the mess if I leave that unfixed - it sucks much less to go in on a weekend and fix it.
Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.
Of course, if the patch breaks something you need to go in, but in most cases it's really fuss-free.
Does anyone else get a sinking feeling in their tummy every time Microsoft does something right, something better, or something intelligent? I like hating them. If I can't hate them, I'll have to hate something else. And I haven't been paying much attention to worthy targets over the past few years. I'm afraid I might have to turn my hate inwards if they're improving. And that can't be good.
You actually think it's okay for a company to release exploit info if they're going to get sufficient PR for it?
If by okay you mean it should be legal, yes. If by okay you mean it should be encouraged, sure. I'd appreciate it if a proper advisory was published at least a day before the exploit was released. But like I said, it's okay legally to print it anytime.
And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.
You obviously don't understand what an advisory is. A proper advisory lists steps to avoid being exploited. This might be as simple as blocking a port or as deep as disabling a service which one needs. As such, a proper advisory by MS would mean that those who took steps to avoid being exploited would not be exploited even if the security company released details about the exploit. Of course, for those unwilling to disable services the release of the exploit doesn't help them, though it might not hurt them any if the exploit is already well known by black hats or other exploits exist which are more convenient to use.
And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and a smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.
Just because it was a big favor to everyone doesn't mean it wasn't a favor to MS. MS PR uses the public-exploit-to-patch time as a statistic to try to make their software look better. At the same time, if the company hadn't released the exploit ever, there's nothing to have kept MS from silently patching the exploit (like I'm sure it silently patches exploits it finds) without ever making it known there was ever a problem.
Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.
No doubt it's a PR grab, just as sleazy as MS PR. You don't see me calling for an end to MS PR, do you? That doesn't mean I don't criticize MS and MS PR for not doing a better job in the first place to mitigate risk for people. Having stated that, I would love to see the security company releasing a proper advisory and possibly advise replacement software such that the exploit would be moot. If you have any other suggestions on ways the security company could have maximized the security of users, I'm all ears. Obscurity, in this situation, doesn't maximize security.
Eurohacker European paranoia, gun rights, and h