Slashdot Mirror


Microsoft Taking Longer to Fix Flaws

An anonymous reader writes "A look back at the last three years of security patches from Microsoft shows Redmond is taking at least 25 percent longer to issue patches for "critical" vulnerabilities, now averaging around 135 days to issue a fix. The exception appears to be with "full disclosure" flaws, for which Redmond issued fixes in an average of 46 days last year."

192 comments

  1. And this is bad why? by saleenS281 · · Score: 2, Interesting

    So they're concentrating efforts on the full disclosure exploits... and this is bad why?

    1. Re:And this is bad why? by Cat_Byte · · Score: 1

      I was thinking the same thing. They announced months ago that they would only release updates on certain days of the month unless it was highly critical.

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    2. Re:And this is bad why? by kg4gyt · · Score: 5, Insightful

      Focusing on the exploits or not, 46 days is a long time to wait for a critical fix.

    3. Re:And this is bad why? by saleenS281 · · Score: 5, Insightful

      when you're accountable to that many customers with so many "supported" configurations, it takes a while to test. They don't have the luxury of most linux distros where if it breaks some obscure program they can go "whupps, well, tell the author to write a fix for his app".

    4. Re:And this is bad why? by Anonymous Coward · · Score: 0

      yes, it's kinda long. but they have to write the patch, test to make sure it doesn't kill anything in windows. Test to make sure it doesn't kill any legit software... It isn't exactly as if they can write up a patch and throw it to everyone in a day or two. Too bad they couldn't do it somewhere closer to that though.

    5. Re:And this is bad why? by Lifewish · · Score: 2, Insightful
      when you're accountable to that many customers with so many "supported" configurations, it takes a while to test. They don't have the luxury of most linux distros where if it breaks some obscure program they can go "whupps, well, tell the author to write a fix for his app".

      And yet Debian manages to consistently not break stuff despite supporting more architectures than Microsoft could dream of.

      Apart from that time a while back when they had to transition between GCC versions, that could have been better managed. I hold out hope that one day GCC will come out with some specification to ensure binary compatibility.
      --
      For the love of God, please learn to spell "ridiculous"!!!
    6. Re:And this is bad why? by saleenS281 · · Score: 2, Informative

      architecture != software packages. And definitely != enterprise software packages. Veritas, oracle anyone?

      I won't even begin to go into how many times a redhat update has "broken" both of these.

    7. Re:And this is bad why? by freshman_a · · Score: 4, Insightful

      when you're accountable to that many customers

      When who's accountable? The disclaimer included with the last MS security update I downloaded read as follows:

      In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.

      Now, unless I misunderstood, it's telling me that if I install said security patch, and it breaks something, I can't hold MS accountable.
    8. Re:And this is bad why? by MECC · · Score: 1

      "architecture != software packages. And definitely != enterprise software packages."

      Well, to be accurate, debian as distro supports a number of packages that dwarfs what Microsoft supports. Just look at a list. Now multiply that by the number of platforms, compared to MS's platforms, which is just one. As for 'enterprise' packages, yes many of the debian (and linux in general) packages are smaller than things like exchange or veritas, but many are also on par as well. So the statement "definitely != enterprise" while accurate, is an overgeneralization.

      I think the parent's point is that given the number of packages MS supports, and the number of platforms they support, their response time could easily be much better, especially given the literal mountains of cash they have at their disposal to marshal resources to getting their act together. Strictly from a customer-is-always-right point of view, what's their excuse? Not enough testers? Not enough programmers? Not enough managers?

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
    9. Re:And this is bad why? by an_unknown_soldier · · Score: 0, Redundant

      When was Micro$oft accountable to anyone for anything they ever developed, marketed and forced on their customers? Here's their standard EULA for every shoddy piece of crap they release (including shoddy patches to the shoddy crap): "Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the Software, and the provision of or failure to provide support or other services, information, software, and related content through the Software or otherwise arising out of the use of the Software." NOTE: no warranty, no support, might not be fit for *ANY* purpose, etc.

    10. Re:And this is bad why? by Lifewish · · Score: 3, Insightful
      Strictly from a customer-is-always-right point of view, what's their excuse? Not enough testers? Not enough programmers? Not enough managers?

      I'd go with "not enough clearly-defined interfaces". If software producers are forced to use undocumented APIs to get their product working fast/well enough, it seems obvious that any behind-the-scenes changes are going to break a whole load of products.
      --
      For the love of God, please learn to spell "ridiculous"!!!
    11. Re:And this is bad why? by hachete · · Score: 1

      All flag-ship companies should look to set an example. They after all have the money and resources to fix their own problems. It's not as if Microsoft are short of either.

      --
      Patriotism is a virtue of the vicious
    12. Re:And this is bad why? by cli_man · · Score: 0

      I know the excuse for the time always seems to be so they can completely test their fix. However I have a good majority of my machines that run windows that cannot do windows updates. Every time I do a windows update I cannot boot the computer again without doing a system restore to get rid of the update.

      Now I know that Microsoft cannot be perfect but I don't think it is going to take them that much time to test and if it did I wouldn't think we would have to be so scared of installing a patch on a server in case it crashes it.

      --
      The nice thing about Windows is - It does not just crash, it displays a dialog box and lets you press 'OK' first. Reg
    13. Re:And this is bad why? by Itchy+Rich · · Score: 4, Insightful

      Now, unless I misunderstood, it's telling me that if I install said security patch, and it breaks something, I can't hold MS accountable.

      You may or may not be able to hold them accountable in court, but third party adjudication is not the only form of accountability.

      If Microsoft didn't bother to test their patches carefully they'd risk upsetting their corporate customers, and hence their bottom line.

    14. Re:And this is bad why? by sgt_doom · · Score: 0, Redundant

      M$ accountable???? Are you nuts?????

    15. Re:And this is bad why? by Giometrix · · Score: 1

      Have you ever purchased software that didn't have a similar statement....?

      --
      Download free e-books, lectures, and tutorials at bookgoldmine.com
    16. Re:And this is bad why? by jmp_nyc · · Score: 1

      Now, unless I misunderstood, it's telling me that if I install said security patch, and it breaks something, I can't hold MS accountable.

      There's accountable, and then there's accountable.

      Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

      Sure, MS isn't liable if their products cause major business problems, but it'll certainly hurt their future sales if they let it happen too frequently.
      -JMP

    17. Re:And this is bad why? by Anonymous Coward · · Score: 0

      Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

      How would a distro like SUSE that's looking for corporate adoption be any less accountable in this manner? It sounds like distros must be just as accountable, but can leverage the actual nature of open source in which security teams for all dists can produce fixes that will likely work with the application in other dists, the original author can fix it, or even the person who found the vulnerability can fix it.

    18. Re:And this is bad why? by yetAnotherWebAccount · · Score: 1

      We should be more concerned with 33l33t haXX0rz ("it's a creepy guy! creepy guy!") who know about exploits and use them to gain entry with intent of theft. That's why full disclosure is important, not because it motivates the companies to do something (you rely on Microsoft for your security fixes? sucks to be you) but because those of us who know what we're doing can address potential problems ahead of time.

      Worms, while they're a pain in the butt, don't usually do much damage... it's when you don't hear anything that you need to be worried.

    19. Re:And this is bad why? by Fruit · · Score: 2, Insightful
      Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

      Actually, yes. Just like they always have.
    20. Re:And this is bad why? by swillden · · Score: 2, Insightful

      Let's say MS releases a patch that ends up causing major problems for mission critical systems at a nonzero number of Fortune 500 companies. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

      Good point. Similarly, Let's say MS releases a product that ends up causing major problems for mission critical systems at nearly every Fortune 500 company, a product that requires them to spend exorbitant amounts of money and resources on keeping the systems free of malware, which occasionally gets through anyway, wreaking havoc on productivity. The next time those companies are looking at major systems overhauls, do you think they're going to seriously consider MS products?

      Oh, wait...

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    21. Re:And this is bad why? by geobeck · · Score: 1

      Exactly. Monopoly breeds mediocrity.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    22. Re:And this is bad why? by dotgain · · Score: 1

      Ahh, how nice. I'm still vulnerable, but at least Microsoft are focussing on it. A 3rd party releases a patch, but that's not good enough for me. I want the "focussed" one from Microsoft.

    23. Re:And this is bad why? by pembo13 · · Score: 3, Insightful

      You mean they will upset the companies IT department. I hardly think that would trouble management that much.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    24. Re:And this is bad why? by nolife · · Score: 1

      So it is a delicate balance between pissing them off with a delay and pissing them off with a potentially broken fix. They can reduce the total amount of pissed-off users in two ways.
      1- Produce and test a fix faster. I'll assume that since this is Microsoft and they have a lot of money in the bank, they could afford a few more coders and testers.
      2- Release a work around/fix with some simple testing and only release the official patch after some amount of testing has been completed. This allows the system administrators to make a choice and weigh the risk. Of course, that might not go over too well as it would require more IT managers to think.... The way it is now, the IT managers can always blame it on MS, "but there was no patch, what was I supposed to do!!!"

      --
      Bad boys rape our young girls but Violet gives willingly.
    25. Re:And this is bad why? by rapidweather · · Score: 1

      Maybe they are running out of good luck. Windows, so I have been told, has a lot of code. It has been around a while. Perhaps it is outliving its developers. Maybe the new coders they have now need more time to go through all that code, and do a lot of testing, etc. to fix things. Some of the flaws are not simple ones anymore, would take anyone a lot of time to fix. I would wonder if they fixed problems in just a few days. Do they have an army of coders up there?

    26. Re:And this is bad why? by Ponyegg · · Score: 1

      That's the trouble, customers aren't always right are they?

      As an example, if you work in Tech Support, your customer base is your cubicle/offices full of "l-users". Now, repeat after me, "The l-users are always right". :-)

      Ponyegg

      [KTF]
  2. It's not just Microsoft... by squidguy · · Score: 1

    Unfortunately, this trend seems to plague many of the major application vendors as well.

    1. Re:It's not just Microsoft... by Anonymous Coward · · Score: 0

      For many people, Microsoft is the _only_ application vendor (IE, Office, the OS, .NET, etc.). But that will not be a long-term phenomenon, IMO. What is happening is that Microsoft is losing its battle to maintain centralized and absolute control over their platform, and they are being consumed by software bandits who are exploiting their swiss cheese software architecture. On top of that, their biggest competition is built significantly on top of open source code (OpenSolaris, Darwin, Linux, *BSD), which is making Microsoft look even more desperate as they clench their fists around their code base. Don't forget just how much progress is being made by Mozilla Firefox and web applications, and their platform is looking more and more outmoded every day. The new Macs announced this week are looking quite awesome, Sun is selling the fastest web/database server on the market, Linux thin clients are popping up everywhere, and the big guys (IBM, Sun, Red Hat, etc.) are more-or-less jointly developing GNOME/KDE against Windows. UNIX/Linux are even becoming the best development environments, as Intel, IBM, and Sun are offering their best compilers and IDEs for free, in addition to the ubiquitous GCC/GNU toolset. What makes this all possible: open standards.

      Rome did not fall in a day. Microsoft might hang around a long while, but in a Netware sort of way.

  3. Realities of patching. by Godeke · · Score: 5, Informative

    I was expecting to find a scathing review of the patch process, but instead found a fairly reasonable assessment of the realities of issuing security patches: disclosed vulnerabilities get patched faster in an attempt to cover the users from the most probable exploit vectors whereas undisclosed vulnerabilities give the breathing room to do more testing and attempt to repair related flaws that are discovered in the process.

    That doesn't make me happy with the current situation, but it does make sense to react quickly (even if it puts the reaction at risk of being a problem itself) when something is actively being exploited. More quality assurance can be placed on patches that are not actively exploited (although each day increases the chance it will be exploited) and even more quality assurance can be placed on patched for flaws that are unlikely vectors.

    Being responsible for very high reliability networks (our customer facing web and their support servers), high reliability networks (the corporate network, where I can apologize to someone's face if it blows up) and low reliability networks (my own internal network where I can fire anyone who complains) I have different thresholds for pain in the patching process depending on the network involved.

    I'm far more willing to just slap a patch on my internal network: after all, it is my testing ground and it affects me far more than anyone else if it dies. After I have assured myself it isn't total bunk, I will patch our corporate network. Finally, our high reliability network is patched only after the corporate network's servers and clients have given us confidence in the patch. Of course, that means our high reliability network has to be far more insulated (URL scanning proxies in another operating system, tightly controlled trust relationships, intrusion detection, etc) but it is worth the extra effort and cost to avoid a "bum" patch bringing down the show.

    Microsoft may not be reacting perfectly, but I think they are trying to balance corporate stability with the realities of exploitation. It sounds like they do need to throw some more resources to the departments involved to shorten the critical path, but with a system this complex, test cycles are going to be long and involved.

    --
    Sig under construction since 1998.
    1. Re:Realities of patching. by morgan_greywolf · · Score: 1

      Microsoft may not be reacting perfectly, but I think they are trying to balance corporate stability with the realities of exploitation. It sounds like they do need to throw some more resources to the departments involved to shorten the critical path, but with a system this complex, test cycles are going to be long and involved

      It's not just corporate stability. A lot of it is the architecture of their systems. While Dave Cutler designed a nice, highly-modular system in Windows NT, the newest versions of that OS are a far cry from Cutler's original design. Everything is tightly integrated and various system components do many many different things these days. So when changing one component, Microsoft programmers have to weigh that change against the rest of the system and all of the software that relies on that component.

      The UNIX philosophy has always been and remains: "Do one thing and do it well." Combined with truly standards-based interfaces between components, this means that patching a particular component is far less likely to break lots and lots of other things. And if someone who wrote an application wrote it in such a way that it depends on the buggy behaviour -- well, shame on them.

      That's just one reason why the Linux and *BSD communities are generally much, much faster at reacting to bugs than Microsoft. It's not just about corporate stability -- It's about the realities of a very, very poor operating system design.

    2. Re:Realities of patching. by Godeke · · Score: 1

      We use both Windows and Linux in our environment, so I agree that the "UNIX philosophy" is usually a favorable choice for speed of patches and such. However, I have run into instances where someone coded to "buggy behaviour". If you build an app that makes a call and it doesn't work, sometimes you notice "oh, it did X, it just needs Y to work". A better solution would be addressing the flawed component, but when the component is in C and the programmer works in something else, the workaround is often implemented instead due to the knowledge level of the programmer.

      However, I have found such instances are very infrequent (but ask anyone about Readline updates and I'm sure you will get a few stories).

      --
      Sig under construction since 1998.
    3. Re:Realities of patching. by drsmithy · · Score: 1

      While Dave Cutler designed a nice, highly-modular system in Windows NT, the newest versions of that OS are a far cry from Cutler's original design. Everything is tightly integrated and various system components do many many different things these days. So when changing one component, Microsoft programmers have to weigh that change against the rest of the system and all of the software that relies on that component.

      I don't think "modular" and "integrated" mean what you think they mean.

      Combined with truly standards-based interfaces between components, [...]

      What standards are you thinking of ? Pipes and ASCII text ?

      [...] this means that patching a particular component is far less likely to break lots and lots of other things.

      You think ? Try breaking glibc to see how little impact it has. Even less commonly used (relative to glibc) components like qt or gtk++, if broken, would bring down thousands of applications in their wake.

      And if someone who wrote an application wrote it in such a way that it depends on the buggy behaviour -- well, shame on them.

      This sort of attitude - while common in the OSS world - is not sustainable in the commercial world.

    4. Re:Realities of patching. by Nevyn · · Score: 1

      The UNIX philosophy has always been and remains: "Do one thing and do it well."

      It has? Why does cat have like 6 different options then, including numbering lines (which we also have nl for). Why did we move on from ed to vi? And then move on to xemacs? :) -- I still read my email in xemacs/gnus. One word: perl. Another one word: apache-httpd (this one is esp. close to my heart as I wrote my own webserver because apache-httpd had way too many options/bugs).

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
  4. in other news... by tont0r · · Score: 3, Funny

    a bear shits in the woods.

    1. Re:in other news... by Foofoobar · · Score: 3, Funny

      Steve Ballmer throws a chair

      --
      This is my sig. There are many like it but this one is mine.
    2. Re:in other news... by Anonymous Coward · · Score: 0

      Steve Ballmer shits in a chair?

    3. Re:in other news... by Anonymous Coward · · Score: 0

      Steve Balmer throws a bear

    4. Re:in other news... by trandism · · Score: 3, Funny

      bug fixers. Bug Fixers!. Bug Fixers!!!. BUG FIXERS!!!!!!

      --
      www.lemonodor.com A mostly Lisp weblog
    5. Re:in other news... by mopslik · · Score: 1

      (rolls) ... and does +50HP critical damage to the bear.

    6. Re:in other news... by vertinox · · Score: 1

      If Balmer throws a chair in the woods, does he make a sound?

      Or...

      If a Windows Server crashes and no one is around to see it, does it make a blue screen?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  5. Well, Duh... by shepmaster · · Score: 1

    So, you mean to tell me that they fix flaws faster when they have users and system administrators breathing down their necks? Say it ain't so!

    1. Re:Well, Duh... by Anonymous Coward · · Score: 0

      Thread title: Microsoft Taking Longer to Fix Flaws

      Captain Obvious posts: So, you mean to tell me that they fix flaws faster when they have users and system administrators breathing down their necks? Say it ain't so!

      It ain't so. It would be reasonable to expect "users and system administrators breathing down thier(sp) necks" for ANY flaw, fully disclosed, partially disclosed or even just quietly emailed to them and no one else.

      Now read the title again. I can understand most people not reading the FA, but really the absolute minimum you could do before mashing the keyboard and hitting enter is read the f###ing title of the discussion!

    2. Re:Well, Duh... by Anonymous Coward · · Score: 0

      Nah, they should just buy Apple. Apple have gone from PPC="Insanely Great" to x86="4x Faster" which is 4x faster than Insanely great. If MS bought Apple their security and social problems would vanish!

  6. Meh by Anonymous Coward · · Score: 4, Insightful

    Seems as though the reason stems from the fact that Microsoft actually has to make sure their patches are compatible with the rest of the things they support. As they support more and more hard and software, the total can only go up.

    1. Re:Meh by varmittang · · Score: 2, Insightful

      So Linux doesn't? I mean, it runs on more hardware, PPC, SPARC, blah blah put your chip in here. Linux also has multiple languages and lots of programs that need to share the same libraries. Sure you are more likely to have something break in Linux after a patch, but usually a few hours or a day later you have a patch for the program that got broken so it works properly again, although I haven't had a program break due to a security patch yet on Linux but I have on MS. And Linux vendors have their patches out quicker than MS. So, again, why does MS take so long?

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
    2. Re:Meh by The+Angry+Mick · · Score: 3, Insightful

      So, again, why does MS take so long?

      The legal department?

      --
      I'm not tense. I'm just terribly, terribly, alert.

    3. Re:Meh by Anonymous Coward · · Score: 0

      So Linux doesn't?

      No. For example I have a logitech quickcam web that is supported by the qc-usb driver. Under kernel 2.6.5 it runs fine and is stable. Under kernel 2.6.12 it hangs the machine periodically. The same codebase for the driver on both kernels. So the change that made it break was the 2.6.12 kernel. Something changed semantically in the USB stack between 2.6.5 and 2.6.12 that causes said driver to stop working. I wouldn't say that 2.6.5, 2.6.12 or the qc-usb driver are broken, but something changed and it stopped working. Since the change was the linux kernel that's where the finger ought to be pointed.

      Changing your internal behaviors with a micro version bump that results in an interaction that leads to a complete lockup is definitely not conducive to the argument that stability and reliability are on your roadmap.

      Additionally the driver for the nm256 chipset in my little Dell Latitude LS 500 (yes it's old, but isn't that what everybody has been bleating about recently: how well linux supports old shit) locks up the system solid about 50% of the time when the audio device is first accessed. The funny thing is that there was a fix for the problem in the 2.4 line, and it's been ported to the 2.6 line and is added in and removed about every third release.

      The OSS attitude of "that bit of code/idea/methodology/approach is wrong so it's just going to be removed" permanently prevents acceptance of OSS as enterprise ready. If you want to be accepted in the enterprise environment you have to eat your own dogfood and ensure that you continue to support and fix the shit you hate because it was basically "wrong".
    4. Re:Meh by fshalor · · Score: 1

      This one bit me bad the other day:

      http://lists.debian.org/debian-user/2006/01/msg00408.html

      However, the "issued patch" solved the problem. And better yet, I could patch it myself by editing one text file and rebooting.

      So yes; patches can and do break stuff in linux.

      That being said, a similar issue in would have required a reinstall.

      Like the three win2k machines I have here right now which *refuse* to actually use windows update. I'm having to download all patches by hand and force feed them one at a time.

      --
      -=fshalor ::this post not spellchecked. move along::
    5. Re:Meh by Nazadus · · Score: 1

      Because Linux doesn't have a single bureaucratic atmosphere.

      Let's make a reality check, Linux is a kernel whereas (insert distro here) is the collection of the kernel and applications that run on the kernel. Those applications are fixed by their own authors.

      It's not like RedHat fixes Gimp's errors or vice-versa.

      Stuff moves at a faster pace when you don't have a gazillion levels of management to go through. Plus in Linux there isn't much in the way of testing, it's "Here take this and tell us if you have problems!"

      --
      "Do or do not. There is no try." -- Master Yoda (Half man, half muppet)
    6. Re:Meh by drsmithy · · Score: 1

      So Linux doesn't?

      Nowhere near as much (I'm assuming here by "Linux" you mean "people writing open source software for Linux").

      Sure you are more likely to have something break in Linux after a patch, but usually a few hours or a day later you have a patch for the program that got broken so it works properly again [...]

      And that's the problem it produces.

  7. Not the WMF vulnerability by Saint37 · · Score: 1

    In the Windows Meta File case MS patched my machine and rebooted it without my consent after just a few days. I guess it all depends on how serious the flaw is.

    http://www.stockmarketgarden.com/

    1. Re:Not the WMF vulnerability by Anonymous Coward · · Score: 0

      That wasn't MS that patched and rebooted your system.... ;)

    2. Re:Not the WMF vulnerability by Anonymous Coward · · Score: 0

      You gave your consent to be rebooted when you chose automatic installation of patches via auto-update.

    3. Re:Not the WMF vulnerability by varmittang · · Score: 2, Informative

      Um, no. They said to download and notify before installing. MS just went right ahead and installed and rebooted the computer for them. http://www.emailbattles.com/archive/battles/vuln_aacfhddccc_de/

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
    4. Re:Not the WMF vulnerability by jav1231 · · Score: 2, Insightful

      "I guess it all depends on how serious the flaw is."
      Or how much press they're getting for not having one.

  8. Do exploits speed up the fixing? by chriss · · Score: 4, Insightful

    The most interesting result of Security Fix's study is that Microsoft took longer to fix a problem if the researcher waited to disclose the problem until after Microsoft published the patch.

    I'd like to know if the time to issue a fix also depends on existing exploits, i.e. is Microsoft faster if there is already an exploit out there. If yes, then it seems obvious that Microsoft does not really put as much effort into fixing bugs as they claim, they're "motivated" by public pressure.

    One explanation for additional delay in case of a not yet disclosed or not yet exploited problem may be more thorough testing, so it may not even be a bad thing. But I'm afraid that the delay is not really "in the best of the customers", more in the best of Microsoft. I have no proof, but it seems to be the general company policy.

    Chriss

    --
    memomo.net - brush up your German, French, Spanish or Italian - online and free

    1. Re:Do exploits speed up the fixing? by man_of_mr_e · · Score: 1

      Another explanation is that banging out a patch to fix the symptom is faster than fixing the problem. When there's exploit code running in the wild, the former is what happens. When there is no evidence that the vulnerability is being exploited, the latter is what happens.

    2. Re:Do exploits speed up the fixing? by towsonu2003 · · Score: 0
      The most interesting result of Security Fix's study is that Microsoft took longer to fix a problem if the researcher waited to disclose the problem until after Microsoft published the patch
      Well, isn't that the only finding in the article as well?
    3. Re:Do exploits speed up the fixing? by Z0mb1eman · · Score: 2, Interesting

      Or a simpler explanation might be that, given a certain budget for fixing bugs/security flaws, they have to prioritize, and since bugs that have an exploit out in the wild are much more likely to have a negative impact, they get pushed to the front of the queue... which makes sense to me.

      I don't think they set out to solve X bugs in Y months. I would assume they have a certain number of manhours devoted to fixing bugs, and fix however many they get around to. They can always increase the resources devoted to this, yes, but I doubt anyone over there says "oh, this one doesn't have an exploit in the wild, try to take as long as you can to fix it".

      --
      ClutterMe.com - easiest site creation on the Net. Just click and type.
    4. Re:Do exploits speed up the fixing? by chriss · · Score: 1

      I don't think they set out to solve X bugs in Y months. I would assume they have a certain number of manhours devoted to fixing bugs, and fix however many they get around to. They can always increase the resources devoted to this, yes, but I doubt anyone over there says "oh, this one doesn't have an exploit in the wild, try to take as long as you can to fix it".

      If you had the public reputation of Microsoft and also declared years ago that from now on security would be priority no. 1, don't you think that "fix anything as fast as possible" would be the only possible answer? Since this is Microsoft with > 50,000 developers, there should never be a situation where it is technically possible to "increase the resources devoted to this". Maybe there is a reasonable limit (e.g. "groups with more than seven developers are inefficient"), but they could finance several hundred teams of bug fixers, testers etc. So why don't they?

      Chriss

      --
      memomo.net - brush up your German, French, Spanish or Italian - online and free

    5. Re:Do exploits speed up the fixing? by Anonymous Coward · · Score: 0

      Maybe there is a reasonable limit (e.g. "groups with more than seven developers are inefficient"), but they could finance several hundred teams of bug fixers, testers etc. So why don't they?

      This might be an interesting read: http://blogs.msdn.com/ericlippert/archive/2003/10/28/53298.aspx

      Granted, it's about adding features and not fixing bugs, but it goes on to show that a 5-minute change would translate into hundreds of hours of work. From my experience as a senior developer, that's most certainly true...

    6. Re:Do exploits speed up the fixing? by innocent_white_lamb · · Score: 2, Insightful

      One explanation for additional delay in case of a not yet disclosed or not yet exploited problem may be more thorough testing, so it may not even be a bad thing.

      The problem with this is simply that you can never know that a given exploit is NOT being taken advantage of somewhere. "It's safe for now; nobody knows about it." Meanwhile someone is quietly carrying the goods out of the back door somewhere.

      Just because a flaw isn't being broadcast from the rooftops doesn't mean that it's not being quietly exploited.

      That's my concern with the concept of "responsible disclosure." If I have a vulnerable system I want to know about it even if there is no current fix available. I can always make physical or software changes to avoid problems if I know about them, right up to pulling the plug if I have to. If I know about the problem. Otherwise I can be merrily carrying out my normal routine while someone is getting ready to pull the rug out from under me.

      Tell me if there is a problem and I can deal with it or not as I choose. If I don't know about the problem, I don't have that choice.

      --
      If you're a zombie and you know it, bite your friend!
  9. Why is this a bad thing? by esac17 · · Score: 5, Insightful

    In the Linux world, the deployment of a bug fix and discovery of any potential bugs is part of the testing cycle. So you get a quick turnaround time when a bug is reported.

    When Microsoft has to issue a bug fix (and all jokes aside about not testing), I am sure they have a team devoted to testing it, then it has to get sent to all internal Microsoft employees and tested, and then probably even has some initial customer testing with the bigger companies to make sure nothing breaks, and then finally gets released to the public.

    Hopefully 165 or 365 days .. whatever it takes to make sure it is tested is a GOOD thing. I don't want to be their beta tester :)

    1. Re:Why is this a bad thing? by GoodbyeBlueSky1 · · Score: 1

      How dare you post such a comment in this story! Where do you think you are?!

      BTW, you're totally right and I completely agree with you.

      --
      why? forty-two.
    2. Re:Why is this a bad thing? by Anonymous Coward · · Score: 0

      Suck, suck, suck - splat!

    3. Re:Why is this a bad thing? by randyflood · · Score: 4, Insightful

      You ask why it is a bad thing if the time between the discovery of a security vulnerability and the time to release a patch is increasing. You acknowledge that in the Linux world, patches are fixed much faster due to their development model. So why is it a big deal if hackers can own your systems for longer without a patch being available? Isn't it obvious? HACKERS CAN OWN YOUR SYSTEM FOR LONGER BECAUSE A PATCH IS NOT AVAILABLE. That is what the big deal is. They can use whatever development model they want. Releasing shoddy patches is only one solution that is available to them. The fact that they are able to cut the time it takes to release a patch in half if a working exploit has been publicly released shows that it is more a matter of what resources they want to bring to bear on the problem rather than the minimum time to release a good patch. Or another way of stating this is, they are 25% less concerned with getting patches out in a timely manner than they used to be. So, the importance of security at Microsoft is decreasing.

      --
      Randy.Flood@RHCE2B.COM
    4. Re:Why is this a bad thing? by Anonymous Coward · · Score: 0

      MS must have also tested its software as well as Linux is tested, but MS seemed to have more flaws since there are more users using MS. The large number of users that use MS makes for more variety of users' behaviour and more variety of hardware configuration, and this makes MS's flaws found faster than Linux's flaws. (Although there is also the possibility that MS actually has more flaws, one of the factors for the lots of flaws in MS products is the large number of users.)

    5. Re:Why is this a bad thing? by po8 · · Score: 2, Insightful

      It's a bad thing because Linux's process—which involves having thousands of alpha and beta testers of the patch with direct access to the source code and the knowledge to make that access useful deploy it on their boxes—turns out to produce better patches faster. You, as a user who "doesn't want to be their beta tester", don't have to be. In 5-10 days (not 46 or 135) your distro vendor will have enough evidence that the patch is harmless and effective that they will make it available to you, and you will have enough evidence that you can make a rational decision about whether you want it.

  10. Why do corporations continue to use Windows? by Anonymous Coward · · Score: 0, Troll

    now averaging around 135 days to issue a fix.

    That's totally unacceptable, in almost every way. FOUR months. FOUR months for the flaws to be potentially exploited. /me Shakes head.

    1. Re:Why do corporations continue to use Windows? by slashk · · Score: 0

      if air tight security was the only thing that mattered to a corporation, they'd all be running Solaris on their desktops.

      why - applications, integration, manageability and lots of products to choose from

      we used to kid about our vp of network engineering - his ideal machine was a hardened solaris box, powered off, in a lead safe, with no network card

      every business operates with risk - computer security included; even CIOs know that

  11. It is how corporate world works ... by Anonymous Coward · · Score: 0

    ... no pressure to fix .... ... no danger to market monopoly ...

    so who cares ?

    move along, there is nothing to see for you here....

  12. Still too long, but you can take precautions. by gasmonso · · Score: 4, Interesting

    If you look at the data, you will notice that some critical flaws were patched in less than 3-4 weeks. While that may seem long, it is somewhat reasonable due to the amount of verification/validation necessary. People forget that 95% of the world runs on M$ so they have to really test a patch before releasing it.

    On the other hand... because so much of the world depends on M$, they have an obligation to their customers to provide a secure OS and timely patches. Personally, I feel they are doing an "ok" job and seem to be getting better. A lot of vulnerabilities can be avoided just by running your PC behind a router and/or by using a firewall application. Personally, I have NEVER had a virus at home on any of my computers because I take simple preventative measures like running Norton AV and AdAware. I also put all my PCs behind a router.

    http://religiousfreaks.com/
    1. Re:Still too long, but you can take precautions. by Trolling4Columbine · · Score: 0, Flamebait

      Just so you know, I was going to mod your post up. However your inane use of the childish "M$" cliche prevented me. Grow up.

      --
      Socialism: A feeling of discontent and resentment caused by a desire for the possessions or qualities of another.
    2. Re:Still too long, but you can take precautions. by Anonymous Coward · · Score: 0

      So, what, I should use "$" in place of "S" when spelling company names now?

      I suppose you also use phrases like "teh l33t" and "pwn3d" too, right?

    3. Re:Still too long, but you can take precautions. by thePowerOfGrayskull · · Score: 2, Interesting

      Slightly OT, but a legitimate question..
      The background: I've never had a virus at home (well, not since DOS days). I don't run antivirus; I used to run antispyware, but it kept turning up nothing so I stopped. I run 3 Windows XP PCs and several Linux PCs. I don't use MS products for web browsing or e-mail (ever. period.) I do run Windows Firewall on my laptops (my wife uses hers at school, and I use mine at work and school, so it's safest), and I have a hardware firewall/router. I have open ports for a web server and a game server (both directed to Linux machines).

      I /have/ heard that the hardware router/firewall combinations can be compromised, but has anyone ever had that actually happen? I've been running mine for 4 years with zero successful intrusions (and hundreds of attempts logged daily).

    4. Re:Still too long, but you can take precautions. by Dunbal · · Score: 1

      prevented me.

      who cares?

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Still too long, but you can take precautions. by Anonymous Coward · · Score: 0
      So you feel Microsoft security is OK since running the system in a very small environment with no internal threats and that is protected by a router/firewall that is running Linux or some other non-Microsoft OS has protected your minuscule network so far?

      Well, that certainly is a ringing endorsement. Thanks for the insightful post!!!

    6. Re:Still too long, but you can take precautions. by WhiteWolf666 · · Score: 1

      Umm... How exactly is MS's track record improving?

      Details, please?

      Why do you feel like they are doing better? Because they release more marketing materials advertising security?

      How is XP now more secure than at release? Is the rate of infection down? (no, it's not). Are patches being released more quickly? (no, they aren't).

      I guess the XP firewall is on by default since SP2. I can't think of anything else, however.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    7. Re:Still too long, but you can take precautions. by this+great+guy · · Score: 1
      some critical flaws were patched in less than 3-4 weeks. While that may seem long, it is somewhat reasonable due to the amount of verification/validation necessary. People forget that 95% of the world runs on M$ so they have to really test a patch before releasing it.

      HOW THE HELL can you be so indulgent? Sure, 3-4 weeks may seem reasonable, but the average 135 days can in no way whatsoever be justified by this argument ("they need to QA patches"). Microsoft is a multi-billion-dollar software company who claim security is their number one priority. Microsoft is continuously releasing major versions of their software (Windows, Office, etc.) every 24 to 36 months; you have to figure out somehow that 135 days, or 4.5 months, to fix a single vuln is way too long!

      I cannot understand why people are thinking MS is "doing ok".

    8. Re:Still too long, but you can take precautions. by Botty · · Score: 0

      Soooo you don't run anything that can DETECT problems so you assume you have none?

      Why don't you just put a blindfold on and walk around a cliff. Since you can't see the cliff you obviously aren't in danger of falling.

      Do you also forgo backups because you've never had to do a restore?

      Do you not have life insurance because you've never died?

      I haven't had a virus in years either but you can be damn sure I ALWAYS have my antivirus running.

    9. Re:Still too long, but you can take precautions. by thePowerOfGrayskull · · Score: 1

      Um, thanks for that concise answer to my question.

      But to answer your question, I do run clam against all files across the computers once a week or so. I am also intimately familiar with my running process list -- I know what belongs there and what does not, as well as what should be taking CPU cycles and what should not.

    10. Re:Still too long, but you can take precautions. by TheUser0x58 · · Score: 2, Informative
      People forget that 95% of the world runs on M$ so they have to really test a patch before releasing it.

      No, 95% of the desktop world runs on Microsoft. Microsoft certainly doesn't have that kind of marketshare in server systems.

      --
      -- listen to interesting music, support independent radio... WPRB
    11. Re:Still too long, but you can take precautions. by Anonymous Coward · · Score: 0

      There is no such thing as a hardware firewall. All firewalls are software firewalls, as it would be too expensive to fabricate new chips whenever you wanted to change something. That Linksys router is nothing more than a computer (often StrongARM or MIPS based) running a stripped down OS (often Linux or BSD) with a web server for the GUI. There is really no difference between the "hardware" routers from Linksys and an old Pentium box with a LRP floppy in it. The more expensive firewalls include hardware acceleration for certain things such as VPN, but they are all nothing more than computers running an OS with firewall software on them.

    12. Re:Still too long, but you can take precautions. by Anonymous Coward · · Score: 0

      95% of the world does not run Windows.

      One could argue that 95% of the desktops run on Windows (which seems rather high), or that 95% of the desktops purchased are Windows (which doesn't include Linux or *BSD downloads), but there is far more to the computing world than the desktop.

      Unless all of those Apache servers found by Netcraft are running on Windows.

      Sorry, I get really tired of that misconception.

    13. Re:Still too long, but you can take precautions. by drsmithy · · Score: 1
      Umm... How exactly is MS's track record improving?

      How many security problems has Windows 2003 had?

      I guess the XP firewall is on by default since SP2. I can't think of anything else, however.

      Most of the system has been recompiled to thwart buffer-overflow style attacks.

      Still, just what do you propose they do to "fix" all the Windows XP machines out there?

    14. Re:Still too long, but you can take precautions. by WhiteWolf666 · · Score: 1

      How many security problems has Windows 2003 had ?

      http://secunia.com/product/1174/#advisories lists 8 out of 76 vulnerabilities as 'unpatched'. I have a feeling that Windows 2003 is also vulnerable to the new, critical WMF problems (yes, the ones discovered AFTER the previous one was patched last week.) XP complaint is here: http://secunia.com/advisories/10968/

      Either way, the answer is 'a lot'.

      Why not compare Redhat ES 3.0 with Windows 2003?
      http://secunia.com/product/1174/#advisories_2003
      http://secunia.com/product/2535/#statistics_solution

      Notice something interesting with Redhat ES 3.0? 0 unpatched. 31% system access bugs, versus 55% for Windows 2003. And notice the nature of the vulnerabilities? Things like cups, or curl. Or Realplayer (wtf?). Why aren't realplayer vulnerabilities included for 2003? Surely the vast majority of ES 3.0 installs do NOT include realplayer. *shrug*.

      Is 2003 doing better than XP? Yes, perhaps. Then again, NT is doing better than 2003. So that's not "technically" improvement.

      The problem is that bug counting gets you nowhere. Far more useful is number of compromised installations over time. This is a metric that reflects administrator competence as well as 'ease of lockdown'. As far as I know, the Unix or Unix-like platform has greater deployment as a server than Windows 2003, or other Windows platforms.

      Why is this a fair comparison? Why is it fair to group Linux with Unix?

      Exactly how many of those secunia vulnerabilities is a "Linux Kernel" vulnerability? On Redhat ES 3.0, 13. The rest exist in GNU/Unix platform utilities, or utterly weird stuff that _shouldn't_ be included like OpenOffice.org.

      I mean, what the hell: http://secunia.com/advisories/12546/

      OpenOffice.org is going to be exploited on a Solaris server as much as it will be on a Redhat server. Either not at all (not installed), or in exactly the same fashion (installed).

      So lemme use the famous MS marketshare argument. If Microsoft servers had greater marketshare than Unix or Unix-like platforms, then perhaps Microsoft Windows would have a greater number of vulnerabilities discovered. Sadly, even though Microsoft has LESS marketshare than Unix or Unix-like platforms, the number of critical vulnerabilities, remote vulnerabilities, and unpatched vulnerabilities are greater.

      Windows 2003 is no security nirvana. Better than XP? Perhaps. But not by much, and only by exclusion of certain software and disabled services.

      Most of the system has been recompiled to thwart buffer-overflow style attacks.
      Still, just what do you propose they do to "fix" all the Windows XP machines out there ?

      Grand. I don't care that they recompiled most of the system. Vulnerabilities continue to abound.

      What do I propose? Fucked if I know. If I had a good security solution for MS, I'd sell it to them for billions.

      Step one, don't release Vista in the same state that the latest Visual Studio was released in. http://minimsft.blogspot.com/2005/11/hey-shareholders-vs-2005-is-fantastic.html

      Yes, Vista is really, really late. No, I haven't been following Vista's development very closely, because I find MS's press releases as having far too much marketspeak for the average human, and all the Vista "previews" are fluff pieces.

      If Vista is released in a state similar to Visual Studio 2005, which is MS's latest "major" (and rushed) release, Vista will be a security disaster.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    15. Re:Still too long, but you can take precautions. by drsmithy · · Score: 1
      Notice something interesting with Redhat ES 3.0?

      Yep. It came out 6 months after Windows 2003 and it has had 250 advisories (vs 76 for Windows 2003).

      31% system access bugs, versus 55% for Windows 2003.

      Ah, but raw percentages can be so delightfully misleading. Let's attach some real numbers to that:

      RHEL3 has had 78 "system access bugs" in the past ~25 months, Windows 2003 has had 42 in the past ~31 months.

      And notice the nature of the vulnerabilities? Things like cups, or curl. Or Realplayer (wtf?).

      And on Windows 2003 we have bugs in similarly irrelevant things like Hyperterminal, Client Service for Netware and the commandline FTP Client.

      Why aren't realplayer vulnerabilities included for 2003?

      Because it doesn't ship with it.

      The problem is that bug counting gets you no where.

      An excellent point that so few seem to grasp.

      Far more useful is number of compromised installations over time.

      Only if examined relative to the total number of installations.

      This a metric that reflects administrator competance as well of 'ease of lockdown'. As far as I know, the Unix or Unix-like platform has greater deployment as a server than Windows 2003, or other Windows platforms.

      Why on Earth would you limit yourself to only servers? Is there some magic aura around desktop machines that makes them invulnerable?

      Exactly how many of those secunia vulnerabilities is a "Linux Kernel" vulnerability?

      No idea, but if you're going to try and compare numbers, make sure you only compare against "Windows kernel" vulnerabilities to make the comparison relevant.

      So lemme use the famous MS marketshare argument.

      It's pretty clear you don't understand "the marketshare argument". It's a tad more complicated than "more machines -> more bugs".

      If Microsoft servers had greater marketshare than Unix or Unix-like platforms, than perhaps Microsoft Windows would have a greater number of vulnerabilities discovered. Sadly, even though Microsoft has LESS marketshare than Unix or Unix-like platforms, the number of critical vulnerabilities, remote vulnerabilities, and unpatched vulnerabilities are greater.

      Firstly, Windows (in general) has around an order of magnitude more marketshare than all the other platforms combined.

      Secondly, Windows 2003 probably has - at worst - similar marketshare to RHEL.

      Thirdly - according to the web pages you linked to - Windows 2003 has had less than 1/3 the vulnerabilities of RHEL3, despite being on the market for approximately 15% longer (about 6 months). It does, however, have more unpatched vulnerabilities. Certainly, not all vulnerabilities are equal, or equally as likely to be exploited. But I strongly suspect we would never be able to reach an agreement as what should and should not be included, so right now it's the best we can do (FWIW, I think that including Realplayer and OO is dumb, but I can see a strong argument for including things like curl and cups).

      Windows 2003 is no security nirvana.

      No OS is.

      Better than XP? Perhaps.

      The majority of security "problems" that afflict XP have little to do with OS vulnerabilities.

      But not by much, and only by exclusion of certain software and disabled services.

      Disabling services *is* one of those ways most people consider important for improving security.

      Grand. I don't care that they recompiled most of the system. Vulnerabilities continue to abound.

      As they do in Linux.

      Step one, don't release Vista in the same state that the latest Visual Studio was released in. http://minimsft.blogspot.com/2005/11/hey-shareholders-vs-2005-is-fantastic.html

      I'm sure we can both find partisan blogs to support any argument we want.

      Yes, Vista is really, real

  13. Does Full Disclosure Increase Eventual Harm? by ThinkFr33ly · · Score: 3, Insightful

    While it is certainly interesting (if true) that Microsoft takes longer to release patches with no known exploits roaming around, I would find it far more interesting to see which causes more harm: the longer patch times or the full disclosure.

    Just because Microsoft releases a patch quicker when full disclosure is used doesn't mean this results in less harm to users. It might take Microsoft 200 days to release a patch, but if the only people who know about the bug are the researchers who discovered it and Microsoft, then the end result is that little harm was done to the users.

    If, however, an easily understandable exploit is posted before Microsoft has fixed the bug, those 45 days might be a lot more dangerous for those users than the 200 days in the previous example.

    Of course, it's very difficult to know if the security researchers who discovered the bug are the only ones with knowledge of that bug. Could other people know about it and be actively using it to compromise machines? Maybe. But I would really like to see some data on this.

    I suspect that the vast majority of major worms and viruses take advantage of well known exploits published on the Internet by usually well meaning security researchers. Certainly all of the major worms I can think of off the top of my head follow this pattern. (MYTOB, LOVGATE, NETSKY, SASSER, ZAFI, SOBER, BAGEL, etc.)

    If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.

    So I guess which approach you take depends on your goal. If your goal is the glory of a 0-day exploit, then post away. But if your goal is the security of the end user, maybe you should keep it to yourself for the time being.

    1. Re:Does Full Disclosure Increase Eventual Harm? by Beryllium+Sphere(tm) · · Score: 1
      That's an insightful and interesting question. The security community hasn't agreed on an answer yet.

      There's a good bibliography of the full disclosure debate that will point you to many, many arguments.

      My personal favorite was a big study of many CERT reports which concluded that the practical window of vulnerability begins when the first automated exploit code hits the street and ends only when attackers lose interest. Practically speaking, not enough people install patches to affect the dynamics. You do, I do, my clients do, everyone who listens to us does, but think of all the worms and spyware that have exploited vulnerabilities that had been patchable for months.

    2. Re:Does Full Disclosure Increase Eventual Harm? by ThinkFr33ly · · Score: 1

      You do, I do, my clients do, everyone who listens to us does, but think of all the worms and spyware that have exploited vulnerabilities that had been patchable for months.

      Good point. Hopefully things like auto-updates will mitigate this problem a bit. Since WinXP SP2 comes with auto-updates enabled, I have a feeling this will slowly be changing for the better as more and more people update to SP2 or buy new computers with SP2 pre-installed.

    3. Re:Does Full Disclosure Increase Eventual Harm? by Daedala · · Score: 1

      You're begging the question of whether the Major Internet Worm/Virus is the main thing worth patching to avoid. I'm not sure that's the case; most vulnerabilities are used in a variety of exploits, and the major malware is just the one that makes the most headlines. Also, most of the ones you mention already had patches available; they weren't zero-day exploits precipitated by "usually well meaning security researchers."

      I appreciate that you've said you need more data, but I think you actually need a lot more data than you seem to realize. Your rhetoric ("glory of a 0-day exploit") seems to be pushing for a conclusion that is not yet warranted.

      There are researchers who publish too fast. There are also vendors who take way, way too long to do anything about vulnerabilities.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    4. Re:Does Full Disclosure Increase Eventual Harm? by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      So I guess which approach you take depends on your goal. If your goal is the glory of a 0-day exploit, then post away. But if your goal is the security of the end user, maybe you should keep it to yourself for the time being.

      You've made a number of incorrect assumptions and failed to consider several important concerns. First, is the vulnerability likely being exploited? Is the vulnerability able to be mitigated by users and if so, are there drawbacks to the fix? What systems would be made vulnerable?

      For example, suppose I find a trivial exploit in code I know blackhats have already reviewed. That means there is a good possibility that it is being quietly exploited. Or what if I am running a network that needs network access, but is top-secret and would be disastrous if compromised. I find a flaw that has a work-around that requires disabling a service. This will cost hundreds of thousands of dollars a day, but I can't risk exposure. Should I:

      • quietly disclose it to MS and wait for them to fix it, costing millions of dollars
      • disclose it publicly thus allowing other admins to disable it and spurring MS to fix it faster and thus saving myself millions of dollars

      Here's my general take on things. Windows machines will be compromised in huge numbers until MS gets their act together. Compromises to the average machine are not too important to me. Why do I care if 100,000 idiots turn into spam bots? Compromises to my system do concern me. The best way for me to keep my machine secure (and for other security conscious people who run important systems) is for me to be well informed about vulnerabilities. If there is a vulnerability in a particular service I want to know, so that I can disable it if need be, plan work arounds, migrate to a different service, and set up honey pots and IDSs to look for attacks or strange behavior.

      To put it bluntly, in some cases it is best for me to publicly disclose vulnerabilities and in others it is not. To imply, however, that it has something to do with trying to garner fame or a reputation is very mistaken. In some cases the security of end users is better served by full disclosure, while in other cases it is not. It all depends upon the vulnerability.

    5. Re:Does Full Disclosure Increase Eventual Harm? by iabervon · · Score: 1

      Major worms tend to happen after full disclosure, because full disclosure allows people with no particular interest in exploiting a flaw to exploit it, and major worms are generally of little or no value to their creators. This is not to say that any particular unreported flaw is being exploited, but if nefarious types know about a flaw, chances are that the result will be more effective targeted phishing, data theft, etc., not a major worm, and nobody will ever realize that the flaw had been exploited, because professionals are more likely to find a flaw (simply by time spent looking), and they're likely to use it for financial gain (either by reporting it, if they're working for a security company, or by exploiting it).

    6. Re:Does Full Disclosure Increase Eventual Harm? by PlusFiveTroll · · Score: 2, Interesting

      Of course, what we can't see here is the long tail effect. How many Windows boxes are being exploited by holes unknown to the public, but that Microsoft is aware of? There is not any way to tell easily.

      Here's a new benchmark that Microsoft would not like.

      T.C.C.M.

      Total Cost of Code Maintenance: how much does it cost to patch and test the base operating system source code per year? Microsoft vs. other commercial operating systems? Vs. open source operating systems?

      The T.C.O. Microsoft does not talk about is on their end; that is the price of closed source code.

    7. Re:Does Full Disclosure Increase Eventual Harm? by slugstone · · Score: 1

      And still M$ has 2 to 5 rounds of the same type of exploits before it seems to be fixed.

    8. Re:Does Full Disclosure Increase Eventual Harm? by Todd+Knarr · · Score: 1, Insightful

      If so, people really are safer when the exploit is not published before Microsoft releases a patch despite the significant lag time for those fixes.

      I'd counter that with the WMF vulnerability. The details of it were released with no Microsoft patch available. Now, once I know where the vulnerability is, I can protect myself immediately by unregistering the offending DLL and using my registry-monitoring tool to block any attempt by other software to re-register it. Or I can take advantage of a third-party patch. Either way, I'm protected during the window from disclosure to me until Microsoft releases a permanent fix. Without disclosure, I'm wide open during that window and I don't even know it.

      That's the down-side of non-disclosure that the anti-full-disclosure people don't want to mention: non-disclosure may keep the bad guys from finding out about the problem, but it also prevents users from taking any prophylactic steps of their own like blocking firewall ports, disabling vulnerable services or removing the offending software pending a fix.

    9. Re:Does Full Disclosure Increase Eventual Harm? by Anonymous Coward · · Score: 0

      You do realize that in the case of the WMF vulnerability the malware writers were already using it, and the proof of concept exploit was the same code the bad guys were using with the malware stripped out, so your counter argument is not really relevant. The question was that, given no widespread use by the bad guys, is full disclosure better than waiting for MS to bother to fix it?

    10. Re:Does Full Disclosure Increase Eventual Harm? by Todd+Knarr · · Score: 0

      Ancient and respected rule of thumb: if you've found it, the bad guys have. I assume that any vulnerability has black-hats trying to exploit it, and that if I haven't seen any evidence of exploits that simply means I haven't noticed my being cracked yet. Assuming otherwise leads to the WMF situation. I don't consider "given no widespread use by the bad guys" to be a valid modifier ever, because all too often it turns out to be false. To me the question is "Given that there's a vulnerability you must assume is being exploited, is it better to know about it or not?".

      I've kept my systems virus-, trojan- and malware-free for 25 years. This does not seem to be the case with anyone taking other positions, else we wouldn't be seeing the mass infestations we see regularly.

  14. Intrusion Prevention Systems (IPS) by Anonymous Coward · · Score: 4, Informative

    This is a great case for Intrusion Prevention Systems. I have seen many vendors providing "Virtual Software Patches" during the window from when a vulnerability is released to the time that it's actually patched. It's not the ideal solution, but it's definitely one of the best ways to take care of the problem today without waiting for m$ to get their stuff together.

    I'd say that in this week I've seen stuff from 3Com/TippingPoint, Secure Computing, Sonicwall, etc. all about securing WMF fairly quickly after the exploit had been announced.

    1. Re:Intrusion Prevention Systems (IPS) by Anonymous Coward · · Score: 0

      Sorry to rain on your parade, but most of the IPS solutions to the WMF vulnerability were nowhere CLOSE to being comprehensive and still let many forms of the exploit through. To fully catch these nasties via IPS would be extremely CPU intensive and hence causes a secondary DoS vulnerability.

  15. Re:whoa! by sgtboost · · Score: 0

    Why bother if you are gonna post crap like this?

  16. Think about it by GmAz · · Score: 1

    With work going full force on Windows Vista, you would have to understand that Microsoft has other things on its plate. Also, perhaps these issues are a little more difficult to fix.

    --
    Click Click Bloody Click PANCAKES!
    1. Re:Think about it by Necrotica · · Score: 1

      With work going full force on Windows Vista, you would have to understand that Microsoft has other things on its plate. Also, perhaps these issues are a little more difficult to fix.

      I hope you're being facetious because making excuses for the world's largest software company is just plain ignorant.

      They have NO excuse. Period. OpenBSD, a free open source operating system, is constantly auditing their code for security flaws. Windows has millions, perhaps billions, more lines of code to audit; however, they also have billions of dollars to spend on it.

      The only excuses they have are carelessness and arrogance.

    2. Re:Think about it by WhiteWolf666 · · Score: 1

      Translation:

      "Sit down, shut up, and eat the gruel we put in front of you. We're better than you, smarter than you, and we know what's best."

      I'm not aware of any other software project, free or proprietary, that has as poor a security record as an equivalent Microsoft product.

      Don't blame it on marketshare; otherwise, Apache would lead IIS in terms of infection. And even if it is because of marketshare, you would think that the completely untouched (as in 0 viruses) environment of OS X would be a great target.

      Surely, there must be some contingent of hackers out there that would love to be the FIRST to get an OS X virus into the wild.

      The only reason MS gets away with this crap is because they have no liability whatsoever. MS will not, and does not, stand behind the quality of its products. Security is not, and will not be, a priority for MS because not having it doesn't cost them ANYTHING, and in many ways makes them money (more MCSEs needed for administration, more partnering with anti-virus firms, and the possibility of future MS anti-virus rent).

      I don't believe that the liability situation should be radically changed; however, MS should be punished for constantly advertising 'top notch security', when in reality their products are shoddy and poorly written, both in terms of implementation (code bugs) and poor design.

      --
      WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell
    3. Re:Think about it by slugstone · · Score: 1

      So should I tell my customers that they are working on Windows Vista and have no time for what is in production?

    4. Re:Think about it by coastin · · Score: 1

      "With work going full force on Windows Vista, you would have to understand that Microsoft has other things on its plate. Also, perhaps these issues are a little more difficult to fix."

      Ok, let me get my mind wrapped around your logic here...

      --Timed out-- trying to understand why MS would not want to fully protect the existing user base and understand what exploits need to be fixed before releasing yet another flawed product that will require even more patches. Seems to me you are advocating that MS let security take a back seat to new product roll-out. That approach has always cost MS and their users much pain in the past. Why would MS users want more of the same?

      That kinda kinky logic explains why I (a Linux user) get the calls when my local hosting clients need to clean and secure their networks after years of letting MS-trained techs milk their budgets and leave them with slow-running, worm- and virus-infected PCs.

      --
      I lost my sig...
    5. Re:Think about it by Anonymous Coward · · Score: 0

      I don't think you understand the market, namely what the market wants. They don't want perfectly audited but quite limited in scope. They want broad scope that does what they need with minimal nuisance factor. There are places where OpenBSD can be legitimately compared to Windows, for example static content web server, mail relay, standalone DNS server, standalone DHCP server. But you cannot realistically be comparing OpenBSD to Microsoft in the office workstation area.

    6. Re:Think about it by GmAz · · Score: 1

      You know, for a product that millions upon millions use and that has hundreds of thousands trying their best to find holes in it to exploit, it does a pretty good job. But a lot of people are just M$ haters and no matter what happens, they will always hate M$. But does that mean that if you buy a car and it has a flaw in it, you no longer will buy that brand? Or furniture? If you get a bad mattress, or a chair that breaks, will you never buy from that store again or from the manufacturer? Linux people, just like Apple people, keep themselves in this little bubble where they think their stuff is superior. Well guess what, it isn't. If it was, they would have much more of the market. Face it, you need to be quite computer savvy to use Linux. You also need to either want to do very little to use a Mac, or search and search to find software you want that does what you need it to do with a small sacrifice of features you can do without. Do I like Microsoft? No. Do I respect Microsoft? Yes. And for being a multi-national corporation where some people do nothing but look for holes in Windows just to find them and point them out, you gotta admit, they have done a pretty damn good job. So you can stay with your Linux and sacrifice convenience for arrogance and I will continue computing with ease and knowing that if I buy something (hardware or software) it's going to work just fine.

      --
      Click Click Bloody Click PANCAKES!
    7. Re:Think about it by colinrichardday · · Score: 1

      Some people might switch car brands if they have problems with a particular manufacturer. Same with furniture and other products. That's how competition keeps companies honest. In the absence of Linux, *BSDs, and Apple, would Microsoft be so concerned about quality?

  17. It would be more informative ... by Anonymous Coward · · Score: 1, Insightful
    If only they reported a MEDIAN time to fix rather than an AVERAGE.

    Assuming that the more important repairs are done in under thirty days,
    I'm willing to overlook the 365 day fixes that push the average way up.

    1. Re:It would be more informative ... by Dunbal · · Score: 1

      If only they reported a MEDIAN time to fix

      OK, so how useful would it be to know that exactly half the patches are over the median time, and exactly half are under? If you want something really useful, we should have the mean time plus a standard deviation or two...

      --
      Seven puppies were harmed during the making of this post.
  18. How much would it cost? by khasim · · Score: 4, Insightful
    when you're accountable to that many customers with so many "supported" configurations, it takes a while to test.
    What is this "a while"?

    Is it a day?
    Is it a week?
    Is it a month?

    Doesn't Microsoft have enough money to maintain images of different configurations just for such testing?

    Doesn't Microsoft have the people who could automate such testing?

    Is the problem that they don't have enough money? Or that they don't have people who are smart enough? Or that they just aren't doing it?
    1. Re:How much would it cost? by Anonymous Coward · · Score: 2, Insightful

      I think it's more along the line of how long does it take to build the binaries for the new components and run it through a battery of automated test scripts.

      The software that we write at my current employer is a complex vector editing system and image RIPing. Our regression test suite can take up to 3 days to run. Whoops, that last fix broke something in abc.dll that depended on some behavior coming from def.dll. That will take a day to fix, 4 hours to build and rerun the test suite. Rinse, repeat until no more errors. An average fix may take us up to 10 days to code, test and deploy for patching.

      The thought of regression testing on an entire OS gives me the sweats.

    2. Re:How much would it cost? by Austerity+Empowers · · Score: 2, Interesting

      It's more likely how long it takes to run that battery of test scripts on several hundred "typical" hardware configurations. It takes a while, we should not berate MS for testing, if indeed that is what is happening.

      In all likelihood they are diverting resources from patching to Vista so they can ship it sooner. This is bad.

    3. Re:How much would it cost? by drsmithy · · Score: 1
      Is the problem that they don't have enough money? Or that they don't have people who are smart enough? Or that they just aren't doing it?

      No, the problem is it takes time.

      Much like you can't produce a baby in a month just by getting 9 women in the same room.

  19. 3rd Party Patch by jcaldwel · · Score: 1

    That's it! I'm putting in a suggestion to my company that we put in this 3rd party patch for the few Windows servers we have left.

  20. No the flaw is in the user by SmallFurryCreature · · Score: 2, Funny
    No, the flaw is in the user. Old saying: "Fool me once, shame on you; fool me twice, shame on me".

    Or to paraphrase: "Sell me a bug-ridden OS once, shame on you; sell me a bug-ridden OS twice, shame on me".

    Cue everyone giving lousy examples of why they cannot live without windows.

    Proposal for a new moderation system, you can only mod people in OS discussions who are on the same OS as you.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:No the flaw is in the user by Anonymous Coward · · Score: 0

      For Work.

      Adobe Photoshop. Macromedia Dreamweaver. MS Visual Studio.NET

      For Play.

      Battlefield 2, Civilization 4, F.E.A.R, Far Cry, Half-Life 2.

      For Music.

      Cubase SX, Reason 2.5, Soundforge. The endless list of VSTI's..

      This isn't a bash per se.. I'm just pointing out how ignorant your comment was.

    2. Re:No the flaw is in the user by gallwapa · · Score: 1

      Funny, because my Windows boxes at home work just great. Why do I use Windows? Dark Age of Camelot: Darkness Rising. Before you get your Linux pants in a tizzy, Cedega support _sucks_ for any of the remotely new clients. Just for S&Gs I installed SUSE 10 OSS on my second machine, and frankly, it does the same stuff it did when Windows was on it. It opens IRC, it opens a multi-client IM product, it pops up (Linux being way more frequent) saying "critical security updates available, update now". That being said, there _is_ something nice to knowing every second Tuesday there will be patches (as opposed to every day). Finally, my Windows machines do not have spyware-malware-whored-out infected PC status, and never have, nor will they ever. I run Firefox with NoScript, Adblock, and visit only trusted sites. My firewall and router are secured... and all that was done in less than 1 hour of config.

    3. Re:No the flaw is in the user by Bellum+Aeternus · · Score: 1
      Don't get too complacent, nothing is perfect. All the locked-down routers, adblockers, and antivirus apps were not going to protect you from the WMF flaw. Firefox or not, you were exposed. Never assume that you live in a fortress.

      That's the biggest mistake of most end users.

      --
      - I voted for Nintendo and against Bush
    4. Re:No the flaw is in the user by Anonymous Coward · · Score: 0

      If you used Firefox, you would've received a message from Firefox asking you if you really wanted to open the WMF file. Personally, I wouldn't have opened it, but maybe that's just me.

  21. Delayed Ratification by digitaldc · · Score: 1, Funny

    Redmond is taking at least 25 percent longer to issue patches for "critical" vulnerabilities, now averaging around 135 days to issue a fix.

    It wasn't necessarily because it actually took longer for them to fix these new vulnerabilities; rather, their marketing department just wanted you to realize the immediate benefits of installing Microsoft Anti-Spyware beta.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  22. Reduce the critical path for non-critical patches by gerardlt · · Score: 1

    While releasing non-critical patches on a monthly cycle seems sensible, three months is a very long time. I wish I could believe it was all being spent on testing.

    A danger is that the time difference between patches for undisclosed vs. fully-disclosed vulnerabilities will encourage people to fully disclose without waiting. I hope Microsoft are working to bring down their cycle time for characterising the vulnerability, and developing and testing the patch.

    Does anyone have statistics for the number of bugs found in patched code vs. the time taken before releasing the patch?

    --
    /* This sig is disabled. Press CTRL-W to enable. Thankyou */
  23. Doesn't seem too awful by XMilkProject · · Score: 3, Insightful

    The timeframe doesn't seem entirely unreasonable when you think that they are releasing a patch which will be automatically downloaded and installed on literally tens of millions of computers, most of which have no system administrator to aid in the process.

    That is a daunting task, and I can imagine there's a very lengthy process a patch must go through.

    To Microsoft's credit, I can hardly remember a time that a patch was released which caused any major problems, which in itself is a great achievement given the amazing variety of hardware and software the users may have. There was of course a lot of hype over compatibility issues in SP2, but to the best of my knowledge any actual issues were understood ahead of time and due to compromises that were made intentionally for one reason or another.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
    1. Re:Doesn't seem too awful by gregarican · · Score: 1

      Good points. The last patch I recall that negatively affected our business environment was Windows NT 4.0 Server SP6. This patch basically broke the TCP/IP stack and left dozens of my company's servers on their knees. Of course it was partially our stupidity for not testing out the patch on a non-production box first :-) Good thing SP6a came out relatively quickly thereafter.

      I know that as consumers we should expect Microsoft to test out their patches, and since back in 1997 I think they are obviously doing a better job of it. Windows XP SP2 was controversial in that it potentially left certain third party apps incompatible, but the security holes it helped close were long coming...

  24. Re:Reduce the critical path for non-critical patch by gerardlt · · Score: 1
    Sorry, guilty of not fully R'ing TFA before posting. To quote:
    One final note: Security Fix did not attempt to determine whether there was a correlation between the speed with which Microsoft issues patches and the quality or effectiveness of those updates.
    They thought that would require too much work to compile.
    --
    /* This sig is disabled. Press CTRL-W to enable. Thankyou */
  25. Why MS takes so long to release patches by DoktorFuture · · Score: 5, Interesting
    I'm sure that the QA aspect of testing the patches takes the most time, because that is where Microsoft has the most to lose.

    Imagine if their patch accidentally disabled * * * TENS OF MILLIONS * * * of computers. If that happened, they'd lose so much consumer confidence -- essentially losing whatever gains (if any) they have made in the last several years (and billions in spending).

    (okay, that did happen on a lot of sp2 systems, and MS is not loved for it)

    MS has to ensure that the patch works on a staggering and dizzying array of systems and architectures (lots of different mobos, Pentiums, AMDs, dual-core CPUs, Xeons, VIA chips), and for dozens upon dozens of applications. That's why you often find that they'll often release a patch on NT or more server-based systems before they release it for consumer systems.

    Another reason is that, depending on the type of problem, they will do a full traceability check, and also cross reference all their code that references the changed module, and evaluate (probably manually) if they put that dependency at risk. A huge, horrible job, suitable only for type-A micro-detail oriented folks. I wouldn't want to do it!

    If MS disabled TENS OF MILLIONS of computers, you would see a huge shift away from regular Patch Tuesday activities, towards one of 'install on a test bed' -- an extremely tedious and manual process that everyone would hate. Millions of people would be put out. Seriously bad Karma.

    So, they can:

    • Release a damaging patch -> like an A-Bomb wiping away consumer confidence
    • Release a patch late -> some systems might be infected, but often, threats can be mitigated on key systems (firewall rules, policies, use different software), or third party patches appear to fix the problem.
    • Ignore a problem -> Perhaps try to lure people to exploit it instead of finding new holes? :) Perhaps encouraging the industry to develop technologies like 'IPS' and 'worm crushers'?

    I'm sure at least someone is thinking "Heck: our flaws are the manure in which an entire security industry will grow".

    1. Re:Why MS takes so long to release patches by freeweed · · Score: 1

      Imagine if their patch accidentally disabled * * * TENS OF MILLIONS * * * of computers.

      Imagine if them delaying a patch ended up with HUNDREDS OF MILLIONS of disabled computers.

      I, for one, am amazed this hasn't happened yet. Fortunately malware authors haven't gotten to the pure vandalism stage of their development.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    2. Re:Why MS takes so long to release patches by Anonymous Coward · · Score: 0

      often release a patch on NT or more server based systems

      I'd be checking my supported OS matrix if I were you ... I think there's something you've missed about NT ...

      As for "staggering and dizzying array of systems and architectures": THEY ARE ALL FUCKING i386! If it is some driver problem then fair enough, but mostly they are not.

      If they wrote decent APIs in the first place which did not require the use of "undocumented" calls then the "dozens upon dozens of applications" would not be affected.

  26. Re:Amazing, just fucking amazing by Ravatar · · Score: 1

    If the brakes on your cars were discovered to have a fatal bug, would you want your car company to first test a patch and see how it affects every car in the world, OR that they contact your ASP and tell you your brakes are untrustworthy and to stop driving your car?

    Depends, can my computer fail to come to a complete stop at an intersection, leading to a fatal collision?

  27. On Full Disclosure by SHP · · Score: 2, Insightful

    A common argument of those who oppose full disclosure is that it does harm by allowing the development of worms, and provides infection vectors for spyware. I personally think the widespread worms are a good thing. They act like wildfire clearing the underbrush of vulnerable machines.

    What really concerns me is not some 14-year-old kid in Bulgaria playing "my botnet is bigger than yours" games. I'm concerned about hostile governments, terrorist groups, and organized criminals who already have a stable of zero day holes to attack my company's systems. These are the threats that keep corporate and government security teams awake at night. All the piddly little public nuisances are just ploys to get funding.

    Yesterday, eEye released information about a Windows hole that they reported over 5 months ago. The WMF hole was known to Microsoft long ago, and has existed for YEARS! Does anyone really believe that the REAL bad guys don't have the knowledge to get inside any (or at least very nearly any) company in the world? The US military is getting hacked, for God's sake.

    I say full disclosure now. It won't make us less secure, it will only appear to.

    -SHP

    1. Re:On Full Disclosure by Keeper · · Score: 1

      Except worms don't clear the underbrush. Traffic from slammer, blaster, and other worms can STILL be seen today. Those machines are still compromised. They will probably remain compromised until the machine dies.

      EVERY vulnerability is a race between the people trying to fix it and the people trying to exploit it. It is NOT possible to "win" every race; the best you can do is set the rules in such a way that winning is much more likely for the good guys than the bad guys.

      I don't care what metric you try to use, the above is true. No matter how badly you think things are screwed up now, it can only get worse by leveling the playing field -- not better.

  28. But seriously folks... by digitaldc · · Score: 1

    I don't live under a bridge and eat little children, really.

    The reason it is taking so long to fix vulnerabilities in my best estimation is that they have many different applications/OSs to test these patches with, while at the same time are trying to ramp up the efforts for a smooth release of Windows Vista. Attacks against Windows PCs are increasing by the day and it is probably much more time consuming to fix the myriad of these vulnerabilities than what it was say 5 years ago. But that is just a guess.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  29. phising with MS security by Anonymous Coward · · Score: 0

    http://www.knoxnews.com/kns/local_news/article/0,1406,KNS_347_4379932,00.html

    Hackers 'phish' $70k from Y-12

    By BOB FOWLER, fowlerb@knews.com
    January 11, 2006

    OAK RIDGE -- Savvy computer hackers siphoned off nearly $70,000 from Y-12 Federal Credit Union members' credit cards in an intricate Internet fraud scheme that lasted only 90 minutes Monday night.

    "It was extremely sophisticated,'' Y-12 Credit Union Vice President Chris Smith said of the latest version of online phishing.

    There was a late-December surge in underground hacking of various Web sites after a hole was discovered in Microsoft software, Smith said.

    "These folks figured out how to exploit it (the hole),'' Smith said.

    They hacked into the credit union's Web site so when customers hit the account login button, it redirected them to a bogus Web site in Greece, he said.

    That Web site featured a picture of the credit union's Web page. But in the login process, members were asked to enter both their credit card number and their personal identification number, or PIN.

    "Your credit card is your vault, and your PIN is your key,'' Smith said. "We would never, ever, ever ask for your PIN.''

    "Our systems are so secure that they (hackers) know it's much easier for them to trick you into giving them what they need.''

    Smith said the hackers apparently used the information they gleaned to generate a magnetic strip for an ATM card, which they then used to plunder customers' credit card accounts from ATM machines.

    The elaborate phishing trip lasted only from 7 to 8:30 p.m. Monday. By then, several credit union members had called "and let us know something wasn't right,'' Smith said.

    The credit union promptly shut down its Web site, used the patch only recently made available from Microsoft, and made the necessary repairs, he said.

    Initially, 17 credit union members were affected. Others called in Wednesday, Smith said, "and that number could grow.''

    Members who lost money will have it refunded by the credit union, Smith said.

    Bob Fowler, News Sentinel Anderson County editor, may be reached at 865-481-3625.

  30. I can see it now... by mangus_angus · · Score: 1

    If you're a MICROSOFT GOLD member click here to get the patch !!NOW!! from our super faster servers!!


    All other members please use the public servers. Wait time is 10 minutes to 90 days. Please be patient. OR UPGRADE TO GOLD MEMBERSHIP STATUS!! FIND OUT HOW BY CLICKING HERE!!!

  31. inaccurate summary by towsonu2003 · · Score: 0
    I was expecting a statistical analysis, a longitudinal study as claimed by the article itself, but instead found some almost-nonsense anecdotes...

    Maybe someone will use the .Excel files (as if they are making fun of us), open them with OpenOffice.org, save them as native OpenOffice.org files, then conduct an honest statistical analysis of what happened and whether it was statistically significant or not and what consequences the results predict...

  32. Re:Amazing, just fucking amazing by Funakoshi · · Score: 1

    ...Only semi-attractive women can ask and they need to allow me to fuck them in the ass in return...

    It's comments like these that help to strengthen the argument that you are a sane, well-balanced individual, who should be listened to, due to your high level of intellect. Welcome to grade 4.

    ...The WMF idiocy showed that MS and its users still live in a dreamland...

    Flattery will get you nowhere.

  33. Amazing, just fucking true... by Anonymous Coward · · Score: 0

    Parent is speaking .raw truth here...

    It's amazing that the trolls justifying the software giant's bad track record are modded insightful, and parent is modded troll. Ballmer, do you have mod points here?

  34. You had me until... by RealProgrammer · · Score: 1
    It sounds like they do need to throw some more resources to the departments involved to shorten the critical path, but with a system this complex, test cycles are going to be long and involved.

    Would throwing more resources actually help speed the process, though? More resources (meaning more people) just tend to get more done in the same or longer time. It's not a linear relationship, anyway. And the "more" they get done is not necessarily productive. On its face, adding more resources to the test phase would seem to make testing faster, but what happens to the bugs that the testers find? More testers, more bugs, and an increased need to analyze and correct them.

    What it comes down to is setting arbitrary deadlines, and project-managing backwards to say how thorough a job you'll do with the time and resources at hand. In other words, the only thing more resources buys you is additional thoroughness, and maybe not even that.

    --
    sigs, as if you care.
  35. Re:Amazing, just fucking amazing by trandism · · Score: 1

    semi-attractive women only?? and in the ass?? what about their sisters, mothers, aunts, cousins, pets?? what about 2 hours on Google Earth??

    --
    www.lemonodor.com A mostly Lisp weblog
  36. Patch testing by Savage-Rabbit · · Score: 2

    Focusing on the exploits or not, 46 days is a long time to wait for a critical fix.

    Fixes like this have to be tested and re-tested, which is not exactly something you do .... Yawn.... while you wait for the espresso machine to finish filling up that paper cup. I used to work for a *NIX vendor where the usual procedure was to offer a workaround to plug up the security hole. The patch was then developed and sent off for testing, from where it would sometimes return for a rework because it caused unexpected problems in some other part of the OS. If Microsoft, Sun, IBM, Apple or any of the numerous enterprise quality Linux distros out there would sling these fixes out as soon as the developers finish them, you would now be griping about how unstable these systems are because of badly tested patches. I will admit my former employer usually got better turnover times per patch than 6 weeks, but for 3-4 weeks to pass from the time the problem was reported until the patch had been fully tested across all major OS versions still in widespread use and approved for release was not unusual, and we only had one server OS to worry about. I can even remember a couple of errors that took over a year to track down because they were hard to reproduce and the culprit was difficult to isolate. Of course this was a few years ago and OSes, at least in my experience, do not tend to get simpler as time passes.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:Patch testing by drsmithy · · Score: 1
      I used to work for a *NIX vendor where the usual procedure was to offer a workaround to plug up the security hole. The patch was then developed and sent off for testing from where it would sometimes return for a rework because it caused unexpected problems in some other part of the OS.

      How long ago? What were your userbase demographics like?

  37. Beta patches... by AZURERAZOR · · Score: 1

    Microsoft does have a problem with the variety of configurations and applications which need to be tested for them to release a patch... but a "beta" patch would enable them to get a fix out for the majority of users in the majority of configurations... while they work to get a final version to test on every known permutation of application and hardware possibilities.

    That would surely speed the "beta" by at least two weeks.

  38. Re:Amazing, just fucking amazing by Amouth · · Score: 1

    to comment on your sig...

    joe

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  39. Re:Amazing, just fucking amazing by A+beautiful+mind · · Score: 1

    If you would have said what you've said in a bit more polite manner, your post would have been rated insightful not flamebait, because you're making a lot of good points.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  40. This is perfectly reasonable. by Dorsai65 · · Score: 2, Funny

    I mean, when you consider how long it takes them to put the flaws in their products in the first place, it's only reasonable that it would take them longer to get the flaws back out again, right?

    --
    --- Asking inconvenient questions for over 30 years...
  41. MS is a very lucky company. by WhiteWolf666 · · Score: 2, Insightful

    Why? Because the black hat community is very, very nice to MS.

    I've never met a truly destructive worm or trojan. I don't mean one that disabled systems as a side effect of its operation. I mean one specifically designed to destroy data, and/or BIOS/CMOS/anything flashable.

    A 4 month patch cycle. I imagine that if North Korea, or whoever felt angry about the global economy, decided to try and do something devastating, they could easily prepare some kind of trojan payload that would install itself, replicate for a week or so, and then destroy the system in question. Blow away the BIOS (won't be determined until a reboot), blow away the partition table, and then start writing loads of garbage all over the disk.

    Such a worm would break MS. MS execs would be brought before a congressional hearing.

    That is, after banks, airlines, and major companies managed to rebuild some kind of IT infrastructure.

    MS is very lucky that no black hats have decided to do such a thing. I guess it's most likely because no one wants to bring THAT kind of heat down upon themselves.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:MS is a very lucky company. by zlogic · · Score: 1

      Mod parent up Insightful.

  42. Re:I THINK I SPEAK FOR EVERYONE HERE WHEN I SAY by Anonymous Coward · · Score: 0

    Fuck off, you racist asshole!

  43. The study proves MS benefits from vulnerabilities by Anonymous Coward · · Score: 0

    Here is a simple analysis I did. It proves that MS makes more money when there are more vulnerabilities.

  44. Re:Amazing, just fucking amazing by Anonymous Coward · · Score: 0

    Windows = 700 million computers
    Microsoft = 40.34 billion in annual sales
    Microsoft = 289.7 billion market cap

    You = childish

    Wonder who is really living in the "real world" and who is living in the "dreamland" as you so eloquently put it.

  45. Re:Amazing, just fucking amazing by Mortimer82 · · Score: 1

    What do you mean "Only semi-attractive women...", what's wrong with going for "Only women who are at least semi-attractive...", were you trying to tell us you would exclude "very attractive women"? ;-)

    Seriously though, while Microsoft has countless issues and problems, I think that saying Linux is an easy replacement is like saying windows is easy to fix.

    I gather that Microsoft Windows is an abortion of code, and the fact that it actually works as well as it does could be considered a miracle. I watched a Channel9 interview of the Vista Kernel guys; they, although not quite in these words, admitted that Microsoft's past practices have resulted not only in bad code, but bad code in 3rd party software vendors. Microsoft is slowly rewriting Windows to bring it to a truly secure level, but is also being hampered by 3rd party code that just does not play by the rules.

    Consider the following situation, a commercial application is released for Linux which insists on running as root, now, if a million users buy this, and follow the instructions by the software vendor on how to make the software run as root we land up with a million users with inherently insecure software, could that be considered a fault of Linux?

    I know that with XP it is hard to get by as a limited user, but if one sticks to Microsoft apps, everyday tasks can be achieved with no headaches. But then one day the user comes home with a piece of software like Pastel Accounting which for some God forsaken reason HAS to be run as an Administrator, and now they are vulnerable.

    I use Windows, I run as an Administrator, I use Firefox, I use the standard Windows XP SP2 Firewall, I don't use any Anti-Virus or Anti-Spyware software, but most importantly, I do my Windows Updates regularly, by regularly I mean to say that my machine is told to automatically download updates, and if I happen to be logged on to my machine, it will prompt for a restart which I do as soon as possible, or alternatively, if I left my machine logged off, it will automatically restart at 3am.

    This machine is close to a year old now, it has not had any malware issues, this is attributed to my computer's software being up to date, and more importantly my knowledge of software and computers. For using Windows I get the convenience of being able to run any software written for it, commercial or open source, and I get access to drivers which I know will work on my OS with no more hassle than clicking an "install" button.

    If I switched to Linux, I would be on a more secure system, but wouldn't have access to half the software I am using right now, and the other half would probably require weeks of tweaking and reading of news groups to get working, and at the end of it, I still would end up using Windows for games, because it's just easier.

    What I am trying to say is, yes Windows is bad from a security perspective, but right now it is not only Microsoft that has to come to the party to sort it out, however, in spite of this if the users weren't such dumbasses, we would also have far less problems, so users also need to be informed, as demonstrated by my running a Linux app as root example.

    And in all honesty, Windows works perfectly for me, it installed with absolute ease, not a moments problem during operation either, not even a system hang, why should I switch to Linux which I know will frustrate me because it just doesn't run some of the things as easily as Windows?

  46. luck or economics? by Ubernurd · · Score: 1

    I agree that one truly nasty worm could do significant damage to MS' empire (though I wonder if it would utterly ruin them or not). I think the main reason this hasn't happened is that the risk/benefit ratio is too high. Look at parasites in nature. The ones that destroy a host quickly and utterly don't get a lot of time to reproduce themselves and ensure the continuation of their species and they end up having to find a new source of resources much too often. So what we're left with are ones that seek to remain undetected and feed off a host for a longer period of time while reproducing like crazy.

    The obvious computer analogue is that wanton destruction is simply not profitable nor worth going to jail for. Selling personal data to spammers, phishers and shady marketing companies is.

    --
    Stack overflow: pid 352258, proc httpd, addr 0x11f7ffff0, pc 0x12000195c Segmentation fault (core dumped)
    1. Re:luck or economics? by colinrichardday · · Score: 1

      It wouldn't be very "profitable" to drop atomic bombs on cities, so I guess the nice residents of Hiroshima and Nagasaki are safe.

  47. I assume this means the whole company is on Vista by guysmilee · · Score: 1

    I assume this means the whole company is working on Vista (their next money maker) and XP is legacy ... Just a guess ...

  48. It's all about how you dedicate your resources. by khasim · · Score: 1
    The software that we write at my current employer is a complex vector editing system and image RIPing. Our regression test suite can take up to 3 days to run. Whoops, that last fix broke something in abc.dll that depended on some behavior coming from def.dll. That will take a day to fix, 4 hours to build and rerun the test suite. Rinse, repeat until no more errors. An average fix may take us up to 10 days to code, test and deploy for patching.
    The question is, how many people and machines do you have dedicated to that?

    There are various approaches that are possible:

    #1. We have one guy writing the patch and one guy doing the testing and it's released when it is released.

    #2. We want 95% of our patches coded, tested and released within 4 weeks of notification, how many people and machines do we need to dedicate to hit that target?
  49. Vista by kurtis25 · · Score: 1

    Microsoft's slogan for Vista "Microsoft Vista... Patches in a week" On hearing that many people will upgrade based on security reasons. What I'm saying is that Microsoft is playing politics with patches so you are more likely to upgrade.

  50. Re:Amazing, just fucking amazing by Anonymous Coward · · Score: 0

    How about this: Can a computer fail to tell the traffic light to switch to stop at an intersection, leading to a fatal collision?

    Or aircraft crash, or fatal medical misdiagnosis, etc etc?

  51. An Interesting Argument, but WRONG by ratboy666 · · Score: 1

    Consider:

    Linux runs on ALL those platforms (Intel, AMD, etc). And more (Alpha, IBM Mainframe, Sparc, etc.). There is really no comparison.

    Consider:

    Linux supports more legacy hardware with the OS core.

    Consider:

    Linux vendors typically support 4+ GB of object code with a typical installation.

    Not that I care one way or the other about Linux/Windows comparisons, but this should give you something to think about.

    The obvious conclusion to draw? That the Open Source model is SO SUPERIOR to Microsoft's, that there is really no direct comparison possible. Of course, that is probably wrong. Another possibility is that Microsoft really doesn't care. Which makes sense (ob disc: I *am* a Microsoft shareholder) to me -- their goal is to maximize profit. And if the OSS model were THAT much superior, Microsoft should have adopted something like the Redhat model years ago.

    Of course the problem is that Microsoft installations are more vulnerable to quiet "black hat" attacks. The general rule is to assume that if YOU found a vuln, someone else has already found it. So it really doesn't make sense to keep quiet about them, and, as a user, there seems to be some kind of speed-up on the fixes.

    I don't like this as a Microsoft shareholder; more resources have to be spent on fixing 'sploits, and less on actually making money.

    Your conclusions may vary.

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  52. Maybe? by somethingprolific · · Score: 0

    Could be a lack of motivation among their people. Perhaps Microsoft isn't noticing that most of their employees are wearing Google t-shirts lately. ;)

  53. Ooooh.... by ShoobieRat · · Score: 1

    Possibly an indication that they're taking their time for once and solving the problems more properly?

  54. They are NOT getting better by this+great+guy · · Score: 1
    Personally, I feel they are doing an "ok" job and seem to be getting better.

    No, statistics show they are not getting better (though it looks like Microsoft is putting more efforts into improving their patch development process), read TFA: "In 2003, Microsoft took an average of three months to issue patches for problems reported to them. In 2004, that time frame shot up to 134.5 days, a number that remained virtually unchanged in 2005."

    1. Re:They are NOT getting better by tjwhaynes · · Score: 1
      No, statistics show they are not getting better (though it looks like Microsoft is putting more efforts into improving their patch development process).

      That probably reflects the standard problem with large-scale software development - as the product gets larger, the number of bugs increases and the difficulty of fixing each bug also increases. One of the reasons you see so many apps being duplicated and rewritten from the ground up is that it is often easier to start from scratch than fix a flawed program. That isn't an option for large projects which have a huge legacy of customers and code so you see an increasingly complex fixing-cycle. Automated systems for bug finding and stress testing help identify some of the stuff earlier but it isn't an easy problem.

      That's not to say that MS gets off this hook - I'd be mad as hell if my servers got rooted and MS had known about the problem for months and hadn't worked on/released a fix. 135 days is a little scary... If MS was liable for costs incurred by customers on issues that MS actually knew about, they would either a) fix them more quickly or b) go bankrupt.

      Cheers,
      Toby Haynes

      --
      Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  55. Re:Amazing, just fucking amazing by Anonymous Coward · · Score: 0

    I do the same thing, and for the same reasons. Yeah, Windows isn't as secure as Unix/Linux. Yeah, it tends to be a chore to keep everything up to date and patched. Yeah, Microsoft is an evil corporate machine that I don't like supporting. But the simple truth is that compared to most Linux distros, Windows is a much more painless experience from a usability standpoint. If I happen to want some new killer app, chances are I can easily find a copy that will run on Windows with minimal difficulty. Linux? Forget about it. I'm not saying I don't like Linux, because I do. I think it's great. But when very few software vendors support it, it's just not practical for me to use it as my everyday machine. When software vendors finally start aggressively supporting Linux, then I'll make the switch, but until then, I'll rely on firewalls, anti-virus, anti-spyware, and my own know-how to keep my Windows machine from getting owned. The reason so many Windows machines get owned is because (and I've seen this even with people who claim to know some things about computers) the end users don't take the time to set up Windows properly, install a firewall, anti-virus, and anti-spyware, or apply the updates. Lots of people seem to be stuck on the idea that Norton Anti-Virus is some magical app that will protect them from anything.

    Also, I think that a lot of the reason that Linux is praised for being more secure is the fact that most hackers don't really give a rat's ass about trying to exploit the 5% (or whatever the stat is now) of Linux/Unix/Mac machines out there. It's just not worth the trouble. If it was, I bet we'd be seeing a lot more vulnerabilities being discovered.

  56. My thung is thighed by r3adah3ad · · Score: 1

    Did anyone else read that as "flix flaws flaster"?

  57. Reason why they take so long -- and why it worsens by tonicxt · · Score: 0

    Not enough man power? Not enough money? Wrong questions. Try again. When it comes to software development, throwing more people at a problem entailing a complex piece of software in fact increases the amount of development time taken to produce a deliverable. This is one of the first concepts taught in IT management. The most obvious reason why any fix is taking longer, rather than shorter, is bad design. It is from bad design that these exploits are appearing in the first place -- issuing "on-the-fly" fixes makes this design even worse; therefore, fixes will continually be on the trend of taking longer and longer, regardless of the amount of money and manpower thrown at it. A solution would be to redesign Windows; however, given the bureaucratic atmosphere now present at Microsoft, this sort of change is impossible.

  58. Kind of Apologetic... by EXTomar · · Score: 3, Insightful

    This would be akin to the analogy of cars without modern safety features. "Personally, I have NEVER had a serious injury while driving any car because I take simple preventative measures like buying seat belts, safety glass, and air bags." The question one should be asking is why does the user have to buy "seat belts, safety glass, and air bags" for their computer in the first place?? Shouldn't these things be standard features? Turning around responsibility to the user is letting MS off the hook. Users are using Windows as designed and getting sometimes serious malfunctions. It would be one thing if people were abusing their machines and breaking them. It is something else to be normally surfing the internet, reading email, or doing any other nominal activity and hitting a serious problem that leaves their system bare to the hackers. This is squarely Microsoft's problem, not the users'!!

    I'm tired of this kind of apologetic excusing for Microsoft. As much as people want to blame the users, it's still all in MS's lap since many of the problems stem from software doing things that it should never be allowed to do in the first place. AV software, hardware and software firewalls, malware scanners... it's all a hack to stop users from breaking their machines doing normal operations because MS won't or can't engineer a system that disallows it.

    Years of experience on other systems have shown that computers are complex machines with complex interactions, all of which are prone to error and, worse, exploited if not carefully designed. On the other hand Microsoft sold most of the world on the promise that Windows is as easy to use as a VCR and requires just as much maintenance, and look at where we are. We have to throw more and more money and time into workarounds while MS takes longer and longer to fix things up. Why aren't more people asking why Windows works this way?

    1. Re:Kind of Apologetic... by gargan · · Score: 1

      I bet you're also against 'Trusted Computing'. As many evil implications as it has, hardware control is the only way to make truly secure computers. I also personally am not entirely comfortable with all the applications on my Windows computer being Microsoft applications. If they supply everything out of the box, will you use it? 'Seatbelts, safety glass, and airbags' are basic components of a car, so what are the basic applications of a computer? Doesn't Microsoft already do a lot of them? Don't we have third party applications for almost everything? It seems to me there are situations where it's best to use Windows' inbuilt functionality, and sometimes when you HAVE to use a third party program. I say the situation is not so bad the way it is, and things like execute disable are only going to help. Things like buffer overflows are where a lot of the problems are, and those have been around forever. This is where I lose any hope of being modded up, but I think Microsoft is a good company. They do terrible things like most corporations nowadays, but as a company they are pretty damn good. If it weren't for lawyers they and the rest of the world would be a lot better.

      --
      Emory: Uh..we're still..beta testing that.
      Oglethorpe: What you're testing is me and my patience!
    2. Re:Kind of Apologetic... by colinrichardday · · Score: 1

      Isn't "Trusted Computing" more about DRM than security?

    3. Re:Kind of Apologetic... by gargan · · Score: 1

      That's the trick, it can be both. It's like the CPU id that Intel started putting into chips and everybody flipped out about several years ago. Only this time it's actually active and checked. It can be used to make sure you only play a certain file a certain amount of times, but it can also be used to make sure that files don't do things they aren't supposed to.

      --
      Emory: Uh..we're still..beta testing that.
      Oglethorpe: What you're testing is me and my patience!
  59. The Microsoft Effect by SgtChaireBourne · · Score: 4, Insightful
    There's a lot of misdirection going on here. The day an exploit is made public is not the same as when the bug it uses is reported. Nor is that the same as when the bug is found, nor is that the same as when MS acknowledges the bug.

    We're dealing with a number of different dates, some of which are often months or years apart:

    1. Date bug found by black hat
    2. Date bug found by white hat
    3. Date bug is reported
    4. Date bug is made public
    5. Date exploit is published
    6. Date exploit is found 'in the wild'
    7. Date MS acknowledges the bug
    8. Date MS announces a patch
    9. Date MS releases a patch
    10. Date MS releases a patch that fixes the bug / repairs damage from first patch

    Somehow, being a political movement / cult, MS becomes exempt from the rules of a normal business and from what customers expect. No other device or appliance has had even a fraction of the defects of MS' without going through a major product recall. Our dear Chairman Bill will go down in history as the man that made bad engineering acceptable, aka the Microsoft Effect.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:The Microsoft Effect by 16K+Ram+Pack · · Score: 1

      I've noticed this with my own software. Bugs that 15 years ago (when I worked on a mainframe) would have resulted in a lot of grief from users are barely an issue now. People just don't seem to expect robust code in the way they did.

    2. Re:The Microsoft Effect by SgtChaireBourne · · Score: 1
      People just don't seem to expect robust code in the way they did.
      One of the more harmful byproducts of the Microsoft Effect is that people generalize the acceptance and expectation of poor performance and poor quality beyond just MS. This gets projected onto not just other vendor's products or even ICT, but onto technology in general. People quickly get used to a lower quality of service and it spreads. Since everything these days relies on software, the Microsoft Effect generates a very expensive and dangerous situation.
      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
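    The distinction between those dates is easy to lose once a single "days to patch" figure gets quoted. As an added example (not from the original post or from anyone in this thread), the Python script below takes three constructed, hypothetical vulnerability timelines carrying a subset of the milestones listed above and computes the average window from each baseline (reported, made public, exploit in the wild) to the first patch and to the patch that actually fixed the bug. The records, names and numbers are invented to show the mechanics; none of them describes a real Microsoft case.

```python
"""Time-to-patch depends on which milestone you measure from.

Added example for this thread. The vulnerability records below are
constructed for illustration and are not real Microsoft cases.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class VulnTimeline:
    """A subset of the milestones listed in the post above.

    Any milestone can be unknown (None): a bug never seen in the wild
    has no exploit_in_wild date, and a patch that worked the first time
    has patch_fixed equal to patch_released.
    """
    name: str
    reported: date                      # bug reported to the vendor
    made_public: Optional[date]         # bug disclosed publicly
    exploit_in_wild: Optional[date]     # exploit observed in the wild
    patch_released: Optional[date]      # first patch shipped
    patch_fixed: Optional[date]         # patch that actually fixed it


BASELINES = ("reported", "made_public", "exploit_in_wild")
ENDPOINTS = ("patch_released", "patch_fixed")


def exposure_days(v: VulnTimeline, baseline: str, endpoint: str) -> Optional[int]:
    """Days from `baseline` to `endpoint`, or None if either is unknown.

    A negative gap (patch shipped before, say, the exploit was seen in
    the wild) is clamped to 0: the exposure window from that baseline
    was empty.
    """
    start = getattr(v, baseline)
    end = getattr(v, endpoint)
    if start is None or end is None:
        return None
    return max(0, (end - start).days)


def average_exposure(vulns: List[VulnTimeline], baseline: str, endpoint: str) -> Optional[float]:
    """Mean window over the records that have both dates; None if none do."""
    windows = [d for d in (exposure_days(v, baseline, endpoint) for v in vulns) if d is not None]
    return mean(windows) if windows else None


def summarize(vulns: List[VulnTimeline]) -> Dict[str, Optional[float]]:
    """Every baseline/endpoint pair as 'baseline->endpoint': average days."""
    return {f"{b}->{e}": average_exposure(vulns, b, e) for b in BASELINES for e in ENDPOINTS}


# Constructed sample: three hypothetical bugs from one year (not real cases).
SAMPLE = [
    # Reported privately, disclosed seven weeks later, never seen in the wild.
    VulnTimeline("bug-A", date(2005, 1, 10), date(2005, 3, 1), None,
                 date(2005, 5, 24), date(2005, 5, 24)),
    # Full disclosure: reported and published the same day, exploit four days later.
    VulnTimeline("bug-B", date(2005, 2, 1), date(2005, 2, 1), date(2005, 2, 5),
                 date(2005, 3, 19), date(2005, 3, 19)),
    # First patch shipped with the disclosure but was broken; re-release a month later.
    VulnTimeline("bug-C", date(2005, 4, 1), date(2005, 6, 14), date(2005, 6, 20),
                 date(2005, 6, 14), date(2005, 7, 12)),
]

if __name__ == "__main__":
    for key, days in summarize(SAMPLE).items():
        print(f"{key:35s} {days if days is None else round(days, 1)}")
```

    On this sample the "average days to fix" ranges from about 21 days (exploit in the wild to first patch) to 94 days (report to the patch that actually worked), with the report-to-first-patch figure in between; the same three bugs support any of those headlines, so a quoted average is only meaningful together with the two milestones it was measured between.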
  60. Think Fruit by Screamer49 · · Score: 1

    If we can assume that, in general, each exploit found is slightly more complex than the last one found then the increasing amount of time to fix these exploits makes sense. I know this isn't always the case, but I suspect there is some truth to it.

    It's the whole low hanging fruit metaphor. As each vulnerability becomes more difficult to identify and exploit, the fix for it also becomes more difficult to identify and patch.

  61. Why does Microsoft need to test patches so much? by Omnifarious · · Score: 1

    I mean really, why? If I get a patch to, say, gaim, I know that my motherboard and soundcard just aren't going to matter. That's what the job of the OS is, to abstract away those details from the application.

    Why does Microsoft have to test patches to things like browsers against all possible configurations? Why does it matter which CPU or motherboard or soundcard you have for a stupid browser issue?

    This all comes down to the stupidly broken architecture of having a largely monolithic system that has a spaghetti-like mass of dependencies within whatever modules it might have internally. So, despite the argument that Microsoft has to test patches so extensively, I still think that's Microsoft's own fault, and they should be held accountable for the increasing amount of time it takes to test patches.

  62. Re:Why does Microsoft need to test patches so much by Keeper · · Score: 1

    Hardware is not perfect. Read errata on processors or motherboards sometime.

  63. makes sense to me by fuzzylollipop · · Score: 1

    they are so busy creating new exploits in the next version of windows they don't have the time to fix the old ones!

  64. Re:Amazing, just fucking amazing by colinrichardday · · Score: 1

    It may be that Open Source apps are more modular, and thus easier to fix in a way that doesn't affect everything else.

  65. Re:Amazing, just fucking amazing by Anonymous Coward · · Score: 0

    And in all honesty, Windows works perfectly for me, it installed with absolute ease, not a moments problem during operation either, not even a system hang, why should I switch to Linux which I know will frustrate me because it just doesn't run some of the things as easily as Windows?

    One word: FREEDOM.

  66. Maybe they have other things to worry about by szhao · · Score: 1

    I think Microsoft is going to care less and less about Windows XP and 2000. I hope Singularity and their other research OSes do well at least, cause those are the interesting ones. WINDOWS IS CRAP, especially if you like to tweak your computers! ~Shan

  67. Re:Amazing, just fucking amazing by Mortimer82 · · Score: 1

    Great, I am "free" to make my life more difficult...

    Comments like yours are mostly just a waste of everyone's time. Did you even fully read my post, and by responding with a comment of "one word", are you trying to tell me my post was of so little substance that it deserved no more? You really need to learn to justify your statements.

    I fully understand the concept of free software, but I don't see how the fact that Linux is free changes the fact that Windows works better for me. It's absolutely wonderful that I can see what Linux may be doing behind the scenes, and if I so wish, actually change it, but for my purposes, Linux may as well be closed source, because I do not have the knowledge or expertise to fully appreciate the freedom that Linux offers me.