Slashdot Mirror
Microsoft's Security Disclosures Come Under Fire
Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
How would you like a birth control patch that also doubles as a nicotine patch without your knowledge? Sure you can have sex without worrying about getting pregnant, but there would be no cigarette afterwards. What MS has done is taken away the cigarette from the consumer. My Windows sex machine can "interface" all night long without getting pregnant, but it can still get STDs and won't be smoking any more afterwards.
As long as Microsoft are fixing them I'm not too bothered about this, but it would be nice to know what exactly they are fixing.
"Oh boy"
For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".
This issue is a bit more complicated than you think.
This brings up the age old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the Courts and Cisco ended up with a public black-eye. Based upon the IT reaction to that I would venture the assumption that we want to know.
Quality Hosting e3 Servers
The guy making all the noise is just shooting his mouth off until he's actually tested the patch.
Yes, he has a valid gripe that the wording is unclear, but the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.
It's incredibly stupid to put yourself out on the line like that. One day it'll come back and bite him when he's wrong.
[Fuck Beta]
o0t!
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?
You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
OS Reviews: Free and Open Source Software
Remember when there was an update to Windows Media Player that added those DRM module things and there was a big outcry? I may be acting a bit paranoid, but isn't it remotely possible that Microsoft could sneak in other restrictions like this without users ever knowing?
If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.
Hello, we'd like to announce a new security patch, that's um, kind of critical. What is it? Well, let's just say when we say it, everyone said "OMFG!" and started running around like people with their hair on fire ...
... well ... it's not optional.
... um ... your security ... yeah, that's right ...
Now, we can't tell you what it is, because if we did that, you might clue in that we probably made the same mistake in pretty much all the code we rolled out to give you that latest Feature (Patent Pending), and telling you would mean that lots of script kiddies would be making your copy of Windows Vista turn into a large pr0n server that played Death Metal tunes.
So, just trust us on this one, and
P.S.: Please ignore the large backdoor we installed to scope your box out to see if you're trying to run some kind of Linux device on your network. It's just there for
-- Tigger warning: This post may contain tiggers! --
I would think that corporate "Software Assurance" customers who are paying for continual updates and support, and have to support MANY legacy applications that may be affected by such flaws or patches would be (and ARE) demanding such notifications. Joe Bob Home User does't really care, but Fortune 100 Fred in IT sure does, especially when his job (which is to keep the companies infrastructure up and running) is on the line.
I like what you've said and agree. , I work in the aviation industry and aircraft manufacturers release similar 'patches'. One operator of a certain aircraft (say B747) discovers a crack in a certain part of the wing, or a control cable that is jamming. They report this to Boeing, who then release a service buletin to all the users with all the details, inluding the approprite timeframe with which the inspection / modification must take place and steps required for the repair.
It may be to inspect a part, it may be to ground the fleet and inspect for a major crack or replace a rudder control cable before next flight. ALL the details are provided which allows operators to have enough knowledge to make an educated decision on how many resources to put into fulfilling the service buletin, and if they cant fulfill it in the timeframe, what the risks are.
Without the vendor providing all the information, the end user does not know the risks they are opening themselves up to, and thus the ability to assess if its worth committing (valuable) resources to immeadiatly. An airplane may well require full testing of systems after the repair, perhaps even a test flight to ensure full functionality from before the repair.
In an ideal world, MS would provide all the information required, and IT departments would have unlimited resources to test the patch the second its released before deploying on their 'fleet'. Its not an ideal world, and IT departments dont have those kind of resources. The least MS can do is provide GOOD information to allow IT management to make an assessment of the risk they are exposing themselves and their company to. If MS dont want to give out that infomation, the least the can do is re-grade their criticality of updates. If the can gain the trust of the IT world that a critical patch is critical, and not over use it, that would go someway to providing the IT world with the ability to manage the resources to deploy these updates.
While the analagy to aircraft is not everybodys way of thinking. Know that more and more safety critical systems are using MS products. Would you fly on an 'unpatched' 747? Would you ride on an 'unpatched' subway? Would you like it if the computer that monitors your credit and banking information at the local financial institution is unpatched? What if each case, the patch was not fully explained, deployed in a hurry and the system not fully tested, or not deployed at all? Crash, Crash, Crash. Game over.
How to find out? MD5 sum your /windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 Sum again after the patch and compare the results. bdiff the questionable file differences and dis-assemble. At least thats what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).
Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.
Enjoy,
It's just the normal noises in here.
The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.
The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.
Free Software: Like love, it grows best when given away.
The bad guys don't need to spend time with compatibility or regression testing for their software.
They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.
Attempting to hide information doesn't help anyone except the vendor and the bad guys.
At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.
Yesterday, my office gets a frantic call from one of our clients, a lawyer. She had a filing deadline and was trying to finish a document she needed for this filing. Word 2002 stopped responding to user input every time she tried to save her document. All of my techs were out in the field, so I had to respond to this one (I'm VP Operations).
True enough, saving a document in Word or trying to open a new one while another document was open would hourglass the cursor. Only Task Mangler could end WINWORD.EXE.
Sysinternals's PROCEXP showed that every time a document was saved, Word would spawn VERCLSID.EXE as a child process, an executable that was "patched" by KB908531, which was pushed through Windows...err, Microsoft Update the day before.
I googled "verclsid". Let me tell you that yesterday, this search string returned no results. This morning, it returned exactly one. Now, it comes up with 67 web hits and 21 Usenet results.
Also, because of this "patch", typing "www.google.com" would return the generic IE "Server Not Found" page. One had to prepend "http://" to the URL. VERCLSID.EXE checks the validity of COM objects, so the damage wasn't confined to Office applications; it affected EXPLORER.EXE and IEXPLORE.EXE.
The workaround was to rename the current version of VERCLSID.EXE and restore the file from the backup created by KB908531 (a System Restore would have sufficed as well). I expect a patch for the patch to be released by Microsoft Real Soon Now. I guess this one was rushed out the door without sufficient testing.
Our company policy for patches is this: updates for servers are tested in-house before being deployed on production machines. For workstations, however, Windows Update is set to automatically update, unless the client's workstations run legacy applications, like the Reflection terminal emulator, or if high-end esoteric applications are present, like DataCAD or Design 20-20. As with servers, they're tested on a non-production system first.
I'd say that 10% of our clients got burned by 908531. Rolling it back wasn't that hard once we identified the problem, but this costs money.
I don't want to single out MSFT; last year an Apple Mac OS X security update broke Samba for me for about a week until I could figure out a workaround. But let's put this in perspective: how many people using Mac OS X (2 to 5% of the workstation market) also use Samba? Contrast this with the percentage of Windows XP/2K users also using Word (must be in the high 80% range), Internet Explorer, and the GUI, all affected by a buggy 908531 patch.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank