Microsoft's Security Disclosures Come Under Fire
Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
I can't really see Microsoft refraining from spreading FUD...
How would you like a birth control patch that also doubles as a nicotine patch without your knowledge? Sure you can have sex without worrying about getting pregnant, but there would be no cigarette afterwards. What MS has done is taken away the cigarette from the consumer. My Windows sex machine can "interface" all night long without getting pregnant, but it can still get STDs and won't be smoking any more afterwards.
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you? The sad truth is that most systems remain unpatched. Granted, Microsoft's assumption that its customers are idiots that couldn't handle the truth is annoying to those of us that do understand the problems, but in the majority of cases their assumption is pretty close to the truth - they are protecting the naive by not giving hints out to the malicious.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
As long as Microsoft are fixing them I'm not too bothered about this, but it would be nice to know what exactly they are fixing.
"Oh boy"
For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".
This issue is a bit more complicated than you think.
FTA ...."is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11"
Other than being nice and helpful, does Microsoft have a duty to advise everyone of product flaws?
I believe corporations should be responsible but I fail to see any law or EULA where such notifications are required.
Although they are the most successful software maker on the planet, to my knowledge this is the first time Microsoft has ever come under criticism for their practices concerning security patches. Could this be a turning point?
I would speculate that more people download Windows updates than almost any other piece of software (mostly because they are unaware of it, since this feature comes standard and enabled in Win XP). So why would Microsoft want to divulge the security holes it is patching so openly? If I was looking to break into someone else's system the first place I would go is to microsoft.com, check to see what security holes it has just patched and then see if my neighbor has patched yet.
It would be way too easy for people to learn about the problems that Microsoft has riddled the world with.
Let's see, company wants to avoid at all possible costs associations with the phrase "insecure" deliberately hides supposed insecurity. Hmmm...
Nothing new here.
I'll also add that this behavior will (if it hasn't already) find its way into more well-regarded systems (linux-based kernel OS's anyone?) given enough wealth is at risk.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I think the real point of the article was a few paragraphs in when Murphy said that "You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk."
One of my favorite things about open-source systems like Red Hat's RHN up2date is that you know exactly what a patch will affect and what code it will be changing. An update to the kernel, or to an individual program, will have a description of what it does, and in many cases a list of files that it will modify/replace.
I can see how Microsoft could be more open about what specifically a patch does, but without making the patches open-sourced I don't see how they will ever be able to match Linux's level.
To me this looks like MS have patched the flaw they say they have, and maybe seen some other bugs that were in there whilst they were there.
This is not necessarily a good thing though, as vagueness in what a patch fixes implies vagueness in testing that the patch works properly. Microsoft should post exactly what it fixes, so people know what they are putting on their system. For instance, what if the patch breaks third party software? As the third party won't know what was changed, they can't fix it.
If I'm getting the gist of the article correctly, it sounds like this guy is just whining because he found a variation of a vulnerability that was being fixed and he didn't get his name posted in the headline as finding the main vulnerability.
So, really, this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.
This brings up the age old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the Courts and Cisco ended up with a public black-eye. Based upon the IT reaction to that I would venture the assumption that we want to know.
Quality Hosting e3 Servers
MS is pretty well getting in the habit of understating or perhaps blandly stating any problems. I particularly have noticed that with every release of Windows, error messages get more and more vague. I fully expect that by the time Vista makes it to market, all error messages will be replaced by a single pop-up that reads "Something bad happened". Figuring out exactly which bad thing happened will be left as an exercise for the poor techie who gets called in to "Fix this problem right now!".
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?
You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
OS Reviews: Free and Open Source Software
Remember when there was an update to Windows Media Player that added those DRM module things and there was a big outcry? I may be acting a bit paranoid, but isn't it remotely possible that Microsoft could sneak in other restrictions like this without users ever knowing?
If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
New patch advisory: "This patch solves yet another attack vector that can be exploited by a malicious hacker. The fact is, this is like sticking your finger in a dike. Actually, it is more like sticking your finger in a non-existent dike against a tsunami. Tomorrow, five other security holes will be discovered. Odds are, this patch will introduce yet more attack vectors. You are screwed"
Microsoft: You may use the above for a small fee. TIA. HTH.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.
I think the fear is when they start "patching" the "flaw" where your computer doesn't send Microsoft [insert your sensitive data here].
Until then, this is fine. (But when is then?)
Hello, we'd like to announce a new security patch, that's um, kind of critical. What is it? Well, let's just say when we say it, everyone said "OMFG!" and started running around like people with their hair on fire ...
... well ... it's not optional.
... um ... your security ... yeah, that's right ...
Now, we can't tell you what it is, because if we did that, you might clue in that we probably made the same mistake in pretty much all the code we rolled out to give you that latest Feature (Patent Pending), and telling you would mean that lots of script kiddies would be making your copy of Windows Vista turn into a large pr0n server that played Death Metal tunes.
So, just trust us on this one, and
P.S.: Please ignore the large backdoor we installed to scope your box out to see if you're trying to run some kind of Linux device on your network. It's just there for
-- Tigger warning: This post may contain tiggers! --
Microsoft's just trying to save face; they could quite obviously still tell you that your applications and/or operating system had flaws that you needed to be aware of without going into specifics. Regardless of how much they want to disclose, one would imagine that they should have a legal responsibility to their customers to release any knowledge they have about a fault in their product that could compromise the security of their customers' financial and private information, particularly in today's age of putting warnings out for every little possible fuck-up imaginable for other products (you know, like Pepsi bottles that tell you to open with the cap pointing away from your face, etc...).
Ex nihilo nihil fit.
How to find out? MD5 sum your /windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 sum again after the patch and compare the results. bdiff the questionable file differences and disassemble. At least that's what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).
Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.
Enjoy,
It's just the normal noises in here.
It's obvious why MS wouldn't want to explain what exactly the problem was. If it did this, people would know exactly what to exploit on unpatched computers. Who cares exactly what they fixed anyway?
The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.
The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.
Free Software: Like love, it grows best when given away.
This site mentions a high-level I/O-processing bug that was present in csrss.exe in many versions of NT/2K/XP that could be triggered by something as simple as opening a text file that contains a bunch of backspace characters.
"On 2002-09-24, Microsoft KnowledgeBase article ID Q311486, promised six months ago, finally appeared. Its publication date is falsified to claim that it appeared on 2001-10-26. It talks about programs that "pass invalid screen size parameters" when the sample program code that it gives for replicating the bug clearly contains nothing at all relating to screen size parameters."
A good analogy, but perhaps a bit inappropriate considering slashdot's users.
MS has been doing this for years... Sad thing is, people are just now noticing it?!?!?
*Sigh*, wake up and smell Linux/Mac. Smells good over here...
The bad guys don't need to spend time with compatibility or regression testing for their software.
They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.
Attempting to hide information doesn't help anyone except the vendor and the bad guys.
At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.
You tell people what you're doing to their systems.
It's that simple.
Security reasons, or no security reasons, you tell people. Anything else is misleading, which equates to lying.
They own the systems, not you, regardless of your fucking EULA.
Then if anybody doesn't care or doesn't want to know, it's on them.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
This eWeek story is about nothing. Please don't encourage them by posting links to it.
Every software maker there is will fix bugs or patch holes without disclosing them. The story is obviously some green journalists first attempt.
Last year when I had my problem with Windows 2000 hosing my system's partition table because installing it with Service Pack 3 on, THEN installing Service Pack 4 was insufficient to prevent it from hosing the partition table on a big disk when the outer portions of the disk eventually ended up being used, I finally dug up a Microsoft Knowledgebase article that admitted that "some disks" geometry wouldn't be read correctly in that situation.
Nowhere did Microsoft identify WHAT disks, WHY, or HOW. It was a "throwaway line" like that referenced in the present article. Microsoft was happy to say that LBA48 was supported by Windows 2000 Service Pack 4, but NOT that if you installed it first WITHOUT Service Pack 4 and then installed SP4, that Windows 2000 would silently wait until you actually tried to use the larger partitions before trashing your hard drive.
Too bad you are using software from a company that thinks it's OK to treat people like "consumers". When you think it's OK to treat one person that way, who won't you abuse?
Friends don't help friends install M$ junk.
Yesterday, my office gets a frantic call from one of our clients, a lawyer. She had a filing deadline and was trying to finish a document she needed for this filing. Word 2002 stopped responding to user input every time she tried to save her document. All of my techs were out in the field, so I had to respond to this one (I'm VP Operations).
True enough, saving a document in Word or trying to open a new one while another document was open would hourglass the cursor. Only Task Mangler could end WINWORD.EXE.
Sysinternals's PROCEXP showed that every time a document was saved, Word would spawn VERCLSID.EXE as a child process, an executable that was "patched" by KB908531, which was pushed through Windows...err, Microsoft Update the day before.
I googled "verclsid". Let me tell you that yesterday, this search string returned no results. This morning, it returned exactly one. Now, it comes up with 67 web hits and 21 Usenet results.
Also, because of this "patch", typing "www.google.com" would return the generic IE "Server Not Found" page. One had to prepend "http://" to the URL. VERCLSID.EXE checks the validity of COM objects, so the damage wasn't confined to Office applications; it affected EXPLORER.EXE and IEXPLORE.EXE.
The workaround was to rename the current version of VERCLSID.EXE and restore the file from the backup created by KB908531 (a System Restore would have sufficed as well). I expect a patch for the patch to be released by Microsoft Real Soon Now. I guess this one was rushed out the door without sufficient testing.
Our company policy for patches is this: updates for servers are tested in-house before being deployed on production machines. For workstations, however, Windows Update is set to automatically update, unless the client's workstations run legacy applications, like the Reflection terminal emulator, or if high-end esoteric applications are present, like DataCAD or Design 20-20. As with servers, they're tested on a non-production system first.
I'd say that 10% of our clients got burned by 908531. Rolling it back wasn't that hard once we identified the problem, but this costs money.
I don't want to single out MSFT; last year an Apple Mac OS X security update broke Samba for me for about a week until I could figure out a workaround. But let's put this in perspective: how many people using Mac OS X (2 to 5% of the workstation market) also use Samba? Contrast this with the percentage of Windows XP/2K users also using Word (must be in the high 80% range), Internet Explorer, and the GUI, all affected by a buggy 908531 patch.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
No, the crux of his complaint is that he can't tell what he's supposed to be looking for. How is he supposed to test what M$ does not tell him? For some reason he thinks M$ is going to tell him what their "updates" do. How many hours do you expect him to test every month?
It's incredibly stupid to put yourself out on the line like that. One day it'll come back and bite him when he's wrong.
Looks like you've already bitten him. Do you work for M$ or do you just like shooting your mouth off?
The only dumb thing here is trust in M$. Look at the reward he's getting for all of his "responsible disclosure" and patient work trying to patch the XP sieve. He sits and waits for 700 days while everyone else gets hosed. M$ is oh so happy he's put their interests ahead of yours. Yet, you've acted like Steve Ballmer and called him incredibly stupid now that he's changed his mind and stood up for you. Others have called him selfish and publicity seeking. I think he's getting a little fed up with it all, which is the first step in a very smart move.
He was pretty clear about it all:
The bottom line is this: we just don't know [what's being patched].
Your little smear does nothing to change that fact.
Given that girls are time and money (G = T * M)
and that time is money (G = T^2)
and that money is power (G = P^2)
and that power is the root of all evil (G = (EVIL^2)^(1/2))
Girls are evil.
There have been many a case where the marketing department of a very large firm has significantly harmed said firm, if not outright destroyed it.
HP is one such example. They were well-known for the pure technical prowess of their calculators, workstations, high-reliability servers, and printers. Marketing eventually became more influential than R&D, and the result is the husk of a once-great company that we have today.
Microsoft, it would seem, is following a similar path.
Now, what might the outcome have been in the HP situation had the engineers, programmers, and other technically-inclined folks fought back against the marketing juggernaut? What if they had stood strong for quality, rather than the bullshit of the Marketing Dept.? We might still have quality HP calculators with solid plastic buttons.
The true developers at Microsoft must do the same. They need to put the Marketing Department back in its place. They need to be vocal, and they need to be harsh.
I'm certain MS's EULA absolves them of any responsibility or liability for what happens to your machine or your data.....
Rick B.
Funny
Insightful
Informative
Any one will do, right?
What was the number of the KB article?
And what about all the "security studies" sponsored by MS in which only vulnerabilities acknowledged by the company itself are counted? Isn't this another shot at making them more misleading yet?
What's it like?
So it is OK to screw the little guy and protect big business? - Bah! well I say we should STICK IT TO DA MAN!
Well, if you have access to a tool like Wise Package Studio, you can capture the changes to registry, files, etc. and review after install in your test lab. There are also a few tools to look at registry changes. I use tracker for this. There are others.
You could also set up a Windows box in a virtual machine like VMware and test without harming the system and have easy rollback. I have a base XP Ghost image that I can put on my machine, run a patch or program, test it, beat the hell out of it, capture it for building a remote push and then reimage and do something else. I also have each of the 2 main system images used in my building on there, Developer image and standard user. I test my pushes on those and patches.
If you don't have a lab where you can easily break and rebuild stuff, then you are not working smart.
--Somewhere there is a village missing an idiot.
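Two posts in this thread describe the same practical workaround for undocumented patches: hash the whole Windows tree before and after an update and diff the results (the MD5/bdiff post earlier), or capture file and registry changes in a lab VM and review them (the post just above). The script below is an added example, not code from the original thread or from any of the tools named in it. It implements the file-snapshot half of that workflow in Python: walk a tree (hidden directories included), record size and SHA-256 for every regular file, and classify paths as added, removed or modified between two snapshots. SHA-256 is used in place of the MD5 the poster mentioned. To stay runnable offline it builds a small constructed directory in a temp folder instead of touching a real %WINDIR%; every file name and byte string in `demo()` is made up for the demonstration.

```python
"""Snapshot a directory tree before and after a patch and report what changed.

Added example (not from the original thread). Hashes are SHA-256, not MD5.
The demo() scenario is constructed sample data, not a real Windows install.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, streamed so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (hidden dirs included) to its size
    and SHA-256. Keys are POSIX-style relative paths so snapshots taken on
    different machines compare cleanly. Symlinks are skipped: hash the
    target directly rather than through the link."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    b, a = set(before), set(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "modified": sorted(
            p for p in a & b if before[p]["sha256"] != after[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: a fake system tree, then a 'patch' that replaces
    one executable, adds a new DLL and removes a hotfix log. Returns the diff
    so the result can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "windows"
        (root / "system32").mkdir(parents=True)
        (root / "$hf_mig$").mkdir()  # hidden-style hotfix directory
        (root / "system32" / "verclsid.exe").write_bytes(b"MZ old verclsid")
        (root / "system32" / "kernel32.dll").write_bytes(b"MZ kernel32")
        (root / "$hf_mig$" / "log.txt").write_text("pre-patch")

        before = snapshot(root)
        # Snapshots are plain dicts, so they archive as JSON for later review.
        (Path(tmp) / "before.json").write_text(json.dumps(before, indent=1))

        # Simulate the update: one file replaced, one added, one removed.
        (root / "system32" / "verclsid.exe").write_bytes(b"MZ new verclsid")
        (root / "system32" / "newcomp.dll").write_bytes(b"MZ new component")
        (root / "$hf_mig$" / "log.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real tree by calling `snapshot(Path(r"C:\Windows"))` before the update, saving the JSON, and calling `diff_snapshots` on a fresh snapshot afterwards; the `modified` list is the set of binaries worth feeding to a binary diff and disassembler. Registry changes are not covered here; for those the lab-VM snapshot approach described above still applies.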
I then started deleting and disabling all the crap that comes by default... final "clean", basic WinXP system boots in under 25 seconds - on a notebook HDD.
MS test is getting much more effective at this kind of compatibility testing than it used to be. Passing the app compat automation battery is becoming a quality gate for code checkins, not just for releases. Instead of testing hundreds of apps manually on each release, we're automating thousands of them and pushing the pain upstream and into developers' faces, where it needs to be.