Slashdot Mirror


Microsoft Admits to Hiding Flaw Details

Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."

147 comments

  1. So that's why Microsoft has such a low vulnerabili by Whiney+Mac+Fanboy · · Score: 5, Insightful
    Anyone remember the (deeply flawed) Cert statistics where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

    Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
    Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.
    Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:
    "I don't buy the argument that they are aiding attackers. The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering,"
    --
    There are shills on slashdot. Apparently, I'm one of them.
  2. Obfuscandalous! by eldavojohn · · Score: 5, Insightful

    I seem to remember being told in my software engineering class of a type of protection that provides a false sense of security. I think that Microsoft may be becoming more and more guilty of it.

    Perhaps it's time they should change their "Who would ever think to put those bytes there anyways?" mantra.

    --
    My work here is dung.
    1. Re:Obfuscandalous! by antifoidulus · · Score: 3, Insightful

      It is insecure and it isn't....Security through obscurity if you want to put it like that does do one thing: it buys time for them to create a fix. If they came out right away and told people about the holes then they would be in an even more intense race against attackers.
I'm not defending their practice (this is /. after all :P) but saying "it is totally worthless" is a bit well..disingenuous.

    2. Re:Obfuscandalous! by JPribe · · Score: 0
      Perhaps it's time they should change their "Who would ever think to put those bytes there anyways?" mantra
      Wait, what? I don't know anyone producing real software that thinks in those terms. How much pain do you feel writing code to trap errors constantly? Hell, most of the time my PHP is at least 50% traps...of course, I'm not a seasoned veteran, I know my stuff isn't the most efficient, and no, my pages don't do everything under the sun. I don't even see MS being guilty of this.
      --

      Why go fast when you can go anywhere? O|||||||O
    3. Re:Obfuscandalous! by noskill · · Score: 1

From what I've noticed, many companies/software developers hide security exploits from the public. I don't necessarily think it is a bad thing as spelling out every such exploit to everyone is essentially releasing a roadmap to replicate the bug (well if you are clever enough..which isn't too hard). Firefox, aka Phoenix/Firebird tends to hide their security bugs a lot. as whitehats tend to find bugs and send them in ..eg a bug found out in Phoenix 0.5 later became public only in rc1 of the 1.0 (ohh and I use firefox still..it is still lightyears ahead of explorer)

    4. Re:Obfuscandalous! by schon · · Score: 2, Interesting

      it like that does do one thing: it buys time for them to create a fix.

Only if you are working on the flawed assumption that only MS will find the flaws.

      I've got news for you:

      There are real black hats, and they spend their free time looking for ways to exploit software. It's hubris to think that only MS can find security flaws in their own product.

      Besides, this isn't about early disclosure, it's about any disclosure.

    5. Re:Obfuscandalous! by clydemaxwell · · Score: 1

      Writing 100% secure code (in your own code, not considering linked libraries et al) is near impossible, but you go a long ways towards stopping anyone who hasn't spent dang near his whole life on black hatting by simply remembering: don't assume.

      --
      Browsing with classic discussion, noscript, at -1 and nested
      no hidden comments and I only mod UP
    6. Re:Obfuscandalous! by Bert64 · · Score: 1

That's slightly different in the case of firefox...
      If something is a 0.x, beta prerelease version of something, then vulnerabilities shouldn't really be counted. You use a beta product at your own risk.
      There are also plenty of security issues in microsoft's beta versions, but they too are not counted unless the issue remains in the final release. Anything which is marked as development/beta code is bound to have bugs, some of which may be security related.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Obfuscandalous! by Zeinfeld · · Score: 2, Insightful
      It is insecure and it isn't....Security through obscurity if you want to put it like that does do one thing: it buys time for them to create a fix. If they came out right away and told people about the holes then they would be in an even more intense race against attackers.

      The point is that relying on security through obscurity alone is a bad strategy. The ideal is to be able to publish the entire architecture and the system would still be safe. No system in existence meets the ideal.

      Full disclosure is bunk, there are large numbers of evil hackers on BUGTRAQ. Exploit code is often published there for the sole purpose of covering the tracks of an attacker.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    8. Re:Obfuscandalous! by Anonymous Coward · · Score: 0

      You're missing the point. Microsoft HAS patched these particular bugs, they're just not telling the sysadmins which bugs they've fixed. There's an argument for not publishing the bug before the patch is ready, but not saying what's been fixed risks patches not being applied because they apparently aren't relevant to the system in question.
      Why should I patch Outlook when I actually use Thunderbird? Because MS may have hidden a patch for some random bit of Windoze that I do use in the same patch without saying, apparently.

    9. Re:Obfuscandalous! by Schraegstrichpunkt · · Score: 1
      Full disclosure is bunk, there are large numbers of evil hackers on BUGTRAQ. Exploit code is often published there for the sole purpose of covering the tracks of an attacker.

      In other words, 'evil hackers' don't need full disclosure by the vendor to attack your system, but you need it to best defend your system. I hardly see how that's an argument against full disclosure.

  3. This article is flamebait by Anonymous Coward · · Score: 0

    Why should Microsoft tell people about security flaws which are not known about in the public domain? It makes sense to fix them, issue a patch, and then make a statement.

    Also, it's an internal engineering matter. When I find a bug/security flaw in the software I work on, should I make a public announcement? Of course not! I should go fix it and issue a patch.

    1. Re:This article is flamebait by smittyoneeach · · Score: 1
      If you're an LWN subscriber, you can contrast Microsoft's position with this Firefox vulnerability article:
      http://lwn.net/Articles/179828
      Or you can wait a week.
      The gist is that there are indeed vulnerabilities:
There is a long list of JavaScript-related vulnerabilities, including problems with crypto.generateCRMFRequest() (CVE-2006-1728), a security restrictions bypass vulnerability (CVE-2006-1726), a "cloned parent" access restriction failure (CVE-2006-1734), and a regular expression memory corruption bug (apparently no CVE number at the moment).
      Cascading style sheets account for a couple of problems, including an integer overflow bug (CVE-2006-1730) and an array overflow vulnerability (CVE-2006-1739).
      The Extensible Binding Language (XBL) facility has an access restriction failure (CVE-2006-1733) and a privilege escalation vulnerability (CVE-2006-1735).
      Other troubles include "memory corruption via a particular sequence of HTML tags" (CVE-2006-0749), a DHTML memory corruption bug (CVE-2006-1724), and "an unspecified vulnerability" in how display styles are handled.
      But there is an interesting conclusion:
      Unfortunately, it would seem that such an exploit is bound to happen, sooner or later. A web browser is a seriously complex piece of code which is simultaneously exposed to potentially hostile input from the net and used for tasks requiring a high degree of trust - working with financial sites, for example...We must hope that the security fixes will continue to reach us ahead of the attackers.
      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    2. Re:This article is flamebait by makomk · · Score: 1

      The list of vulnerabilities fixed in Firefox 1.5.0.2 is also on the official Mozilla site. They're not providing full details of the vulnerabilities or exploit code yet, though (apparently to give everyone a chance to upgrade first).

  4. Every MS Patch is Utmost Severe? by digitaldc · · Score: 1, Interesting

    Reavey said businesses should use Microsoft's severity rating system to help with patch deployment timetables. "It's important to remember that the best way to be safe and secure is to apply all the updates. We are providing patches for everything."

    'Everything' you say? Um, well...apparently NOT.

    Can there truly be a flawless operating system?
    Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
    I think not, but if you could, you may become richer than Gates himself.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Every MS Patch is Utmost Severe? by briansmith · · Score: 2, Insightful

      Can there truly be a flawless operating system?
      Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
      I think not, but if you could, you may become richer than Gates himself.


      The reason you wouldn't become richer than Gates if you did this is that it would be incredibly expensive to develop such a system. You would also have a long time-to-market. The result would be a very reliable operating system that is late to market and incredibly expensive. Your would-be customers would then choose your cheaper competitors that have more modern features that they have come to expect. These features would be ones that were invented during the huge period of time that your operating system is going through its rigorous design, implementation, and verification process.

Even coming up with a workable definition of a "flawless operating system" and stating exactly what criteria are used to certify the product as "easy to use, accessible, and reliable" would take a lot of time and money.

    2. Re:Every MS Patch is Utmost Severe? by jallen02 · · Score: 1
      #include <stdio.h>
       
      int main()
      {
          printf("Hello, World!\n");
      }


      This is most definitely a "easy to use, accessible, and reliable application that has no security holes".

      Where is my money? :-D

      Jeremy
    3. Re:Every MS Patch is Utmost Severe? by kfg · · Score: 1
    4. Re:Every MS Patch is Utmost Severe? by ergo98 · · Score: 1

      Is it possible to design an easy to use, accessible, and reliable application that has no security holes?

      Yes.

    5. Re:Every MS Patch is Utmost Severe? by Dystopian+Rebel · · Score: 1
      Can there truly be a flawless operating system?


      "Flawlessness" is unattainable. No intelligent design team would aim for it. But reasonable security via a reasonable effort is certainly attainable. UNIX is proof.

      Is it possible to design an easy to use, accessible, and reliable application that has no security holes?


      These are not even the worst years of M-Windows; the worst years of M-Windows were when there was not even ~reasonable~ security in the design of the OS. Then the poor simpleton was encouraged to wander the mean streets of the Internet.

      Now the simpleton has been equipped with a bike helmet, one knee pad, and a small radio that tells him how simple he is. ;o)

      Ease of use certainly can be built within a secure system. Look at Gnome and KDE atop UNIX and Linux; moreover, look at OS X.

      I think not, but if you could, you may become richer than Gates himself.


      Gates and his lieutenants got very rich with little consideration being given to security in his company's products.

      Jobs and his team did turn a dying company around and get rich, in part, by using good OS technology and making it easy to use.

      Torvalds and Friends created a clone of UNIX using GNU tools (hello, RMS), and the clone is an excellent OS that is now very easy to use. (See Ubuntu.)

      But Jobs isn't as rich or richer than Gates, and Torvalds makes less than Gates' chauffeur. So my argument must be flawed. ;o)
      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
    6. Re:Every MS Patch is Utmost Severe? by the_humeister · · Score: 1
      Can there truly be a flawless operating system?
      Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
      I think not, but if you could, you may become richer than Gates himself.


      Or you could be poorer than you are now because no one will use your application.
    7. Re:Every MS Patch is Utmost Severe? by dJOEK · · Score: 2, Funny

      "Flawlessness" is unattainable. No intelligent design team would aim for it. But reasonable security via a reasonable effort is certainly attainable. UNIX is proof.
      please, let's not start THAT old discussion here, as if the evolution team makes such flawless products ;-)

      --
      Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
    8. Re:Every MS Patch is Utmost Severe? by vadim_t · · Score: 1

      It's got a bug.

      You're missing the "return 0;" statement, which means that the return value will be random junk. This in turn means you can't count on it to determine whether the program ran correctly, so it's not reliable.

    9. Re:Every MS Patch is Utmost Severe? by Mayhem178 · · Score: 1

      Until someone comes along and messes with your header files. Then that harmless "printf" function you rely on so much suddenly does some pretty nasty stuff when it gets called.

      Within the realm of this utterly simple program, yes, it's an "easy to use, accessible, and reliable application that has no security holes". But an application is only as strong as its weakest dependency...in this case, stdio.h, which cannot be guaranteed to be an "easy to use, accessible, and reliable application that has no security holes".

      --

      "You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles

    10. Re:Every MS Patch is Utmost Severe? by TheRaven64 · · Score: 1
      as if the evolution team makes such flawless products

      Excuse me? There are currently no possible exploits in my genetic-algorithm kernel. Give it a few more decades, and it might even become bootable...

      --
      I am TheRaven on Soylent News
    11. Re:Every MS Patch is Utmost Severe? by inode_buddha · · Score: 1
      "Can there truly be a flawless operating system?
      Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
      I think not, but if you could, you may become richer than Gates himself.

      Already been done, and a long time ago at that. The project basically went broke. See about secure Multics here.
[pdf warning, but it's a great read]

      --
      C|N>K
    12. Re:Every MS Patch is Utmost Severe? by jallen02 · · Score: 1
      Such a tough crowd on something that was just sarcasm/a joke :-)

      It does serve to illustrate the point that:
      • I forgot my return statement so the program is not reliable thus some folks can't even enjoy the joke :)
      • True security is incredibly difficult


And it is true that relying on stdio.h is a dependency. Someone could modify it and subvert it. It is honestly a moot point as you can connect how the standard C library would be subverted to a number of different weak links. Did you download it corrupted, weak link: Download Provider. Did someone break into your system, weak link: Overall system security. So on and so forth. However if you had verified that your download was from a trusted source and the checksum of the download matches with a checksum that is signed with the software provider's public key you can be sure you have a download from someone that has access to the private key that you believe is the software provider's. Then you are placing your trust in the ability of the software provider to guard their private key and PKI in general.

      You can play the trust game all day. So, use tripwire to verify no one has cracked your system. What if you can't trust tripwire? What if this program, even though it is exactly the one we wanted had a lovely backdoor or security bug or flaw?
       
      The point here is that practical security and absolute security are entirely different things. That is kind of what I was trying to illustrate in a joking manner with the malformed hello world program. Practical security is incredibly difficult and complexity is the enemy. The more complexity a program has the more chance for a security vulnerability. To some extent even the program language you are using is a part of the complexity. Hello world in Python has fewer moving parts than hello world in C.

You can extrapolate from the continuing stream of vulnerabilities in most major operating systems that they are both relatively complex pieces of software and whatever attempts have been made to mitigate the complexity are not working out so well ;) Anyhow, that is all for now. Back to the salt mines for me.
      Jeremy
    13. Re:Every MS Patch is Utmost Severe? by Dystopian+Rebel · · Score: 1

      No intelligent design team would wait for Intelligent Design to take place. ;o)

      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
    14. Re:Every MS Patch is Utmost Severe? by swimmar132 · · Score: 1

      Nope, for the past 7 years main() returns an implicit 0 if there's no return statement.

    15. Re:Every MS Patch is Utmost Severe? by Anonymous Coward · · Score: 0

      I've never had my watch crash.

    16. Re:Every MS Patch is Utmost Severe? by Mister+Whirly · · Score: 1

      as if the evolution team makes such flawless products

      Excuse me? There are currently no possible exploits in my genetic-algorithm kernel. Give it a few more decades, and it might even become bootable...

Oh yeah? Then please explain how Celine Dion came about...

      --
      "But this one goes to 11!"
    17. Re:Every MS Patch is Utmost Severe? by Mayhem178 · · Score: 1

I didn't even actually notice the missing return statement. I'm too used to having "void main".

      We all know it was a joke (at least, I hope I can speak for "we"). But, think about what you did. You posted code on /. and claimed it had "no security holes." Even in jest, that's just asking to get slammed. :)

      --

      "You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles

    18. Re:Every MS Patch is Utmost Severe? by jallen02 · · Score: 1

      Worse, I work in the security industry :)

    19. Re:Every MS Patch is Utmost Severe? by red+tiger · · Score: 1
      In practice it often really is so; however, there's no obligation for the compilers to actually do it. For example, gcc actually warns if that is assumed:
$ cat test.c
      #include <stdio.h>

      int main()
      {
      printf("Hello, World!\n");
      }

$ gcc test.c -o test -Wall
      test.c: In function `main':
      test.c:6: warning: control reaches end of non-void function
      So we really should return politely from the main function.
    20. Re:Every MS Patch is Utmost Severe? by vadim_t · · Score: 1
      Not in GCC:
      vadim@alice ~ $ cat hello.c
      #include <stdio.h>

      int main(void) {
      printf("Hello, world!\n");
      }
      vadim@alice ~ $ gcc hello.c -o hello
      vadim@alice ~ $ ./hello
      Hello, world!
      vadim@alice ~ $ echo $?
      14
      vadim@alice ~ $
    21. Re:Every MS Patch is Utmost Severe? by mgblst · · Score: 1

      This has nothing to do with it. If he could create a perfect operating system tomorrow, with the latest up-to-date features he would still not win - why marketing!

    22. Re:Every MS Patch is Utmost Severe? by swimmar132 · · Score: 1

      Enable gcc's C99 mode.

  5. The risks of using "someone else's" software by Anonymous Coward · · Score: 2, Insightful

    Relying on software developed and maintained by someone else always leaves you vulnerable to changes they make.

    This isn't exactly limited to Microsoft.

  6. update is update by mapkinase · · Score: 1

    However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes.

    Default decision to update automatically whenever MS update (including the one silently fixing bugs) is ready seems to be taking care of that.

There is an inevitable time gap between announcement of update and zillions of updates on customer computers. In principle, hackers could use the time gap to attack computers that are not updated.

    Eh... Mustdie?

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  7. scandal! by celardore · · Score: 0, Redundant

    Doesn't SLASH have a similar policy?

    For security-related bugs, please email security@slashcode.com . We will adhere to the RFPolicy and request that you do too; please keep security issues private until all sites running Slash have a chance to apply fixes. Thanks.

    1. Re:scandal! by Whiney+Mac+Fanboy · · Score: 2, Insightful

      Doesn't SLASH have a similar policy?

      If you had read the article rather than rushing to point out slashdot's supposed hypocrisy, you would know that they're talking about releasing information about flaws after the patch is released.

      Nothing to with responsible disclosure at all.

      --
      There are shills on slashdot. Apparently, I'm one of them.
    2. Re:scandal! by perp · · Score: 2, Informative
      Doesn't SLASH have a similar policy?

      Au contraire. The RFPolicy gives the vendor five working days to respond to a communication from the discoverer of a vulnerability, after which the discoverer can go public at any time. The discoverer and vendor are encouraged to work together to make a joint statement of the vulnerability once there is a fix.

      --
      There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
  8. The Truth by Elitist_Phoenix · · Score: 1, Funny

    I'm not outta order! You're outta order! The whole freakin' system's outta order! You want the truth? You want the truth? You can't handle the truth! 'Cause when you reach over and stick your hand into a pile of goo that used to be your best friend's face! You'll know what to do forget it Marge it's Chinatown!

    --
    "I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
    1. Re:The Truth by mottie · · Score: 0

      one of the best all time homer quotes..

      http://www.mottie.com/tmp/homtruth.wav

  9. Re:So that's why Microsoft has such a low vulnerab by MobileTatsu-NJG · · Score: 1, Insightful

    "Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:"

I'm not really sure how the statement you posted really refutes it. He's right under the assumption that the attackers are aware of that particular flaw existing. But if Microsoft (or a good Samaritan) finds it first, then why wouldn't staying mum mean less risk of attack? We can metaphor joust about it, but I wouldn't say the argument is totally hot air.

    Don't confuse this post as support of MS's practices here. I don't agree with it. If I know an exploit is out there, even though I don't have the skills to build my own patch, I can at least take other steps to minimize or even prevent damage from happening. I just don't entirely blame Microsoft for advertising to the world the exact details of how to be a total butthead on the internet.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  10. Scandalous! by jesser · · Score: 1, Funny

    However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes.

    Users who refuse to install Microsoft security patches are left vulnerable to security holes in Microsoft products they use!? Scandalous!

    --
    The shareholder is always right.
    1. Re:Scandalous! by Jacco+de+Leeuw · · Score: 1

      Users who refuse to install Microsoft security patches are left vulnerable to security holes in Microsoft products they use!? Scandalous!

      They also fix security flaws in regular bugfixes ("Hotfixes"). Microsoft's official policy is to install Hotfixes only if you really need a fix for a particular problem you are experiencing. Most people will not install Hotfixes so they are at risk for a vulnerability that Microsoft is aware of.

      I know about this from first hand because some years ago I found such a flaw in a Microsoft protocol.

      --
      -------
      Warning: Slashdot may contain traces of nuts.
  11. Customers? by farker+haiku · · Score: 3, Insightful

    FTA: "We want to make sure we don't give attackers any [additional] information that could be used against our customers.

    But, if they are your customers, they can get the patches no problem right? So really this policy only helps out the pirates. Right?

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  12. Re:This article is flamebait [or are you a troll?] by Whiney+Mac+Fanboy · · Score: 5, Insightful
    Why should Microsoft tell people about security flaws which are not known about in the public domain? It makes sense to fix them, issue a patch, and then make a statement.

    If you had read the article rather than rushing to get first post, you would know that they're talking about releasing information about flaws after the patch is released.

    If you still don't understand why they should release information, consider the following from the article:
    "Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch"
    --
    There are shills on slashdot. Apparently, I'm one of them.
  13. So they really had... by Anonymous Coward · · Score: 0
    He referred to the company's MS04-007 bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.

    So they really had ( 7* 812 ) 5684 vulnerabilities?

  14. Ballmer and Bill convo by Elitist_Phoenix · · Score: 1, Funny

Billy: According to my calculations every hacker will eventually run amok with the killing and the scripting and the botnetting...
    Ballmer: My God Bill, when will this happen?
    Billy: In exactly 24 hours! (hackers immediately start posting 0day exploits) Oh dear, I forgot to carry the one.

    --
    "I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
  15. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

The security community has strongly suspected (i.e. known) Microsoft has been doing this for years. It's amusing that the statistics are still against them even when they attempt to load the results. Microsoft will go to any lengths to sell their sub-standard software and that is not really news; there's an old quote where Gates himself basically says this.

  16. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 4, Insightful
    "Of course, Microsoft is going to argue that they fix vulns silently to prevent the 'bad guys' from using the patch info to create attacks, but this is refuted by the same researcher:"
    I'm not really sure how the statement you posted really refutes it.

    Perhaps I should be clearer. My quote included The attackers are already reverse-engineering the patches.

All the attacker needs is the patch - they can look at that to see what's changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"

    System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, lets apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, lets quickly test our stuff & rush the patch out"

So what Microsoft is doing is actively hampering administrators and not hindering attackers.
    --
    There are shills on slashdot. Apparently, I'm one of them.
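A concrete version of what both jallen02 (on tripwire-style integrity checks) and the post above (on admins who cannot reverse-engineer a patch) are getting at. This is an added example, not code from the article or from Microsoft: it snapshots a directory tree by SHA-256 before and after a patch is applied, diffs the two snapshots, and reports which files the patch touched that the vendor bulletin did not mention. It does not tell you which flaw was fixed (that still needs the bulletin or a disassembler), only where the vendor changed something. The file names, contents and the "bulletin" list are constructed for the demo and stand in for real system binaries.

```python
"""Find what a patch actually changed, bulletin or no bulletin.

Added example. Snapshot a tree, apply the patch, snapshot again, and list
files that changed but were not named in the vendor's bulletin.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Classify files as added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def unlisted_changes(diff, bulletin_files):
    """Files the patch added or modified that the bulletin did not list.

    A non-empty result is the 'silent fix' case: the vendor shipped changes
    in components it did not tell the administrator about.
    """
    listed = set(bulletin_files)
    touched = diff["added"] + diff["modified"]
    return sorted(p for p in touched if p not in listed)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: the bulletin names only the mail client, but the
    patch also replaces a network library and drops a new file beside it."""
    with tempfile.TemporaryDirectory() as root:
        # Pre-patch tree (constructed stand-ins, not real Windows files)
        _write(root, "bin/mailui.exe", b"v1: mail client front end\n")
        _write(root, "bin/netlib.dll", b"v1: parse_header(): memcpy(dst, src, len)\n")
        _write(root, "etc/config.ini", b"timeout=30\n")
        before = snapshot(root)

        # "Apply the patch": what the bulletin claims, plus the quiet extras
        _write(root, "bin/mailui.exe", b"v2: mail client front end, fixed\n")
        _write(root, "bin/netlib.dll",
               b"v2: parse_header(): if (len > cap) return; memcpy(...)\n")
        _write(root, "bin/netlib.pdb", b"symbols for v2\n")
        after = snapshot(root)

        diff = diff_snapshots(before, after)
        bulletin = ["bin/mailui.exe"]  # constructed: what the bulletin listed
        return {"diff": diff, "unlisted": unlisted_changes(diff, bulletin)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        print(f"{kind:9s} {paths}")
    print("not in bulletin:", result["unlisted"])
```

Run the baseline snapshot from known-good media before the patch, not from the live box after the fact, or a compromised host can feed the tool a baseline it likes. Hash-only diffing also misses changes made through the same file content at a different path, which is why the script keys on relative path plus digest rather than digest alone.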
  17. Talk about a double-edged sword by mytec · · Score: 1

From Microsoft's side, there is the heaping pile of exploitable code that is the Windows code base. Of course they don't want to expose any more than they have to because they can see, or know, what they are in for.

On the other hand, like the article brings out, the customers who really deploy on test systems first or have to be super careful about breaking their system due to very custom software are at a disadvantage.

There must be a channel, especially for larger customers, where MS could/would divulge this information so they aren't in the dark? I can see MS being closed out in public but not behind the scenes. Does anyone know?

  18. Microsoft charging money for security tools? by sbaker · · Score: 2, Insightful

    But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

    With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?

    Come to think of it - why bother fixing flaws at all - just defend against them in the MS Anti-virus gadget instead and encourage people to pay the anti-virus tax. It might even be tempting to add the occasional flaw just to make that work better.

    I don't know whether any of these things will actually happen - but you simply can't trust the motives of a company that behaves the way MS consistently does.

    --
    www.sjbaker.org
    1. Re:Microsoft charging money for security tools? by drsmithy · · Score: 4, Insightful
      But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

      The purpose of "anti-malware" tools is *not* to protect against software flaws, it's to protect against user mistakes. A rather large proportion of people on Slashdot seem to have a great deal of difficulty understanding this.

      No amount of OS "security" can stop the end user from shooting themselves in the foot. The purpose of "anti-malware" software is to give them a chance to dodge the bullet.

    2. Re:Microsoft charging money for security tools? by TheLinuxSRC · · Score: 1

      No amount of OS "security" can stop the end user from shooting themselves in the foot. The purpose of "anti-malware" software is to give them a chance to dodge the bullet.

      It is too bad about the 125 char limit on sigs -- that would have been a great one :)

    3. Re:Microsoft charging money for security tools? by Dcnjoe60 · · Score: 1

      But didn't I read someplace that Microsoft were coming out with their own anti-virus/anti-whatever suite with a monthly service charge?

      With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?


      Can you say Sherman Antitrust Act?

    4. Re:Microsoft charging money for security tools? by I'm+Don+Giovanni · · Score: 1

      Actual OS flaws will still be fixed for free via Windows Update.
      Spyware and other malware (viruses, trojans, etc., which can be installed even without OS flaws (e.g. user installs some shareware that has a spyware component)), will still be dealt with via an anti-spyware and anti-virus program, which will be available from MS, McAfee, Symantec, etc., on equal footing.

      --
      -- "I never gave these stories much credence." - HAL 9000
    5. Re:Microsoft charging money for security tools? by fastgood · · Score: 1
      With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?

      So people will just start submitting flaws to McAfee and the others, instead. There is less incentive in reporting to Microsoft now.
      Next summer's press: "This latest worm is limited to those running Microsoft Defender; Symantec and McAfee users are unaffected."

      --
      Windows new antivirus only runs on XP if
      you previously bought into Microsoft's new
      security packaging called Service Pack 2.

    6. Re:Microsoft charging money for security tools? by Anonymous Coward · · Score: 0

      > With that in mind - why would they tell other, competing, anti-virus companies what flaws to protect against?

      AV companies quite commonly share data with each other, and this data is typically shared with the OS vendor. If Microsoft decided to suddenly not share any of its own AV data, it would find itself ostracised from this sharing, and left with a very backward and ineffective AV product indeed.

      Not that this has ever stopped MS before in the past, but it'll certainly be no skin off the backs of the security companies who already don't get much help from MS as it stands today.

    7. Re:Microsoft charging money for security tools? by dkf · · Score: 1
      The purpose of "anti-malware" tools is *not* to protect against software flaws, it's to protect against user mistakes.
      True.

      User mistake #1: Using Windows
      User mistake #2: Using IE
      User mistake #3: Using Outlook

      Protect against those three, and malware ceases to be a heavy worry. Funny that...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  19. More fun if vulnerabilities are revealed by Bromskloss · · Score: 1
    We will adhere to the RFPolicy and request that you do too; please keep security issues private until all sites running Slash have a chance to apply fixes. Thanks.
    Personally, I think it's more interesting and exciting if people disclose vulnerabilities immediately. You could, if you want, see it as a way of punishing people for making mistakes or running programs with mistakes. Of course, it's impossible to avoid mistakes, but I think this "punishment" is fun anyway. It makes more of a game of it.
    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  20. Re: Microsoft admits? by Ruphuz · · Score: 1

    There is only one possible reaction to this.

    --
    My other post is a First.
  21. Do you even know what RFPolicy means? by Inoshiro · · Score: 3, Insightful

    RFPolicy is a solid policy for allowing a vendor to be notified in a timely manner (5 days), let them work with the reporter to get a plan of action together (such as a quick way to notify customers and let them get the fix rolled out) and help the vendor reproduce the bug/verify the fix, before notification of the general populace.

    If, at any point, the vendor suddenly decides to play not-nice, the RFPolicy is quite clear -- go ahead and post it to bugtraq or whatever you like. It also states that the vendor should acknowledge the original disclosure. That is, if I found a vulnerability in slashcode, but delayed publication because I was trying to get it fixed in good faith, the Slashcode developers would acknowledge my efforts in their advisory -- even if someone else comes along and posts an advisory after I report it to the team, but before the team has posted an announcement.

    Nowhere in the RFPolicy v2.0 does it say anything along the lines of, "Hey, you should silently slip-stream fixes without ever notifying anyone ever" -- which is what this article is about Microsoft doing.

    The shit that gets modded up. I swear, we need a "-1 WRONG" tag we can apply to posts. Some kind of clue stick for the mods that don't bother to look up RFPolicy would also be good.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  22. Re:This article is flamebait [or are you a troll?] by gregarican · · Score: 2
    If you still don't understand why they should release information, consider the following from the article: "Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch"

    I recall reading an article on the ISC website asking folks if they knew the inner workings of Oracle's (many, many) patches. It seems as if this vendor as well hides the innermost details of the bugs their patches fix too. It takes many levels of registration, subscription, etc. to get one of their update e-mail newsletters outlining the patches. But even then the details are a bit sketchy. Perhaps this practice isn't just limited to Microsoft. But since Microsoft is perceived as the big bully on the block this makes better fodder.

  23. Truly not the right approach by Anonymous Coward · · Score: 1, Insightful

    This approach might help Microsoft avoid some embarrassment, under the plausible excuse of not helping hackers, but what about businesses that don't automatically apply every update that comes out? I worked for a manufacturing plant that carefully evaluated each vulnerability and weighed the security risk it posed against the risk that an update might break something.

    This is VERY important for the customer, which Microsoft has shown repeatedly not to give a rat's ass about. So, no surprise here. The best defense for the customer is to just assume MS is evil, and act accordingly.

  24. So what? by Anonymous Coward · · Score: 0

    I think that 'the critics' in this article have their own agenda. Unknown software vulnerabilities are much less likely to cause widespread damage than published ones.

    There are many non-technical Windows users out there who just use the automatic windows update and the builtin firewall to protect their computer. Publishing vulnerabilities before patches would have worms on the Internet in the same day.

    To try to suggest Microsoft is at fault for finding security problems in the Windows code or for keeping them to themselves until they can protect their user base simply looks like another tired round of Microsoft-bashing.

    1. Re:So what? by Anonymous Coward · · Score: 0

      Publishing vulnerabilities before patches would have worms on the Internet in the same day.

      let me guess...you didn't rtfa?
      the issue is that MS isn't releasing details of everything that is being fixed in some of their patches. they are silently patching some flaws and telling no one about it. sys admins don't like this because when they evaluate whether they should do the patch to try to determine how many of their systems it is going to break there are a few hidden pieces of the code in that patch that are touching things they haven't been told about.

  25. Microsoft is at war. by bbuchs · · Score: 3, Funny

    What you have to understand, what the American people have to understand, is that we're at war. The fact that we're talking about these vulnerabilities simply emboldens the enemy.

    1. Re:Microsoft is at war. by aug24 · · Score: 1

      Is this a quote? Or will we be seeing DVD Jon in a borderline illegal internment camp anytime soon?

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    2. Re:Microsoft is at war. by PhxBlue · · Score: 1

      Insightful? Yes, but probably not the way the moderator thought. :)

      --
      !#@%*)anks for hanging up the phone, dear.
  26. Re:This article is flamebait [or are you a troll?] by Whiney+Mac+Fanboy · · Score: 1

    Perhaps this practice isn't just limited to Microsoft.

    I completely agree - I'm sure Oracle, Apple, Sun (and other closed source vendors) all do this.

    But since Microsoft is perceived as the big bully on the block this makes better fodder.

    Microsoft is the big bully on the block, but that's not what makes this better fodder - what makes this better fodder is the sheer weight of Microsoft users. The number of people affected by a patch to the most widely distributed Oracle product is minuscule compared to the number of people affected by a typical MS patch.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  27. Those who do know aren't going to tell you by Secrity · · Score: 1

    The mechanisms that you are asking about do exist (and not just for Microsoft software). The people who are aware of the details of such mechanisms are certainly not going to tell you about those mechanisms.

  28. Of course it serves the attackers! by Anonymous Coward · · Score: 0

    ...if you are too incompetent to provide fixes ASAP and instead hide the flaw.

  29. Re:This article is flamebait [or are you a troll?] by gregarican · · Score: 1
    The number of people affected by a patch to the most widely distributed Oracle product is minuscule compared to the number of people affected by a typical MS patch.

    I guess it depends on your definition of affected. Directly you are certainly correct. The desktop computers home and business users spend most of their time working with would be directly affected. But Oracle databases likely power the back-end of a lot of people's world. Banking, retail, transportation, government records, etc.

    Another vendor I could cite as being possibly in the same league would be Cisco. Sure, not every home and business user has a Cisco router, switch, access point, etc., but Cisco equipment likely connects a large portion of the Internet's key structure points. And most techies know the IOS has been poked full of holes like so much swiss cheese. If the inner workings of every IOS patch were made public knowledge, there are so many more potential attack vectors a black hat would have in their arsenal.

  30. Re:So that's why Microsoft has such a low vulnerab by Billosaur · · Score: 2, Interesting
    All the attacker needs is the patch - they can look at that to see what's changed and where & deduce from that where to start looking for attack vectors. It's not particularly a big help for them to hear "Function blah in program blah has changed"

    System Administrators on the other hand do not have time to reverse engineer the patch, but can read the summary and say "we don't use function blah in program blah, let's apply the patch as it won't affect our operations" or "Holy shit, we have program blah exposed to a hostile network, let's quickly test our stuff & rush the patch out"

    And that's the crux of the problem. Of course, given Microsoft's checkered security history, why should this come as a shock? If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years. You can't worry about what Microsoft thinks is severe; while not every vulnerability is immediately exploitable, we've seen how easily unpatched vulnerabilities have allowed the black hats to create botnets overnight. If there's a way, the bad guys will find it, and it's stupid to leave any part of your system vulnerable for too long.

    --
    GetOuttaMySpace - The Anti-Social Network
  31. Of course they're not going to report all bugs! by Pichu0102 · · Score: 1, Funny

    After all, if they put up the code that has the bug in it for every bug found, people could piece together the entire Windows source code!

  32. Re:So that's why Microsoft has such a low vulnerab by TheNetAvenger · · Score: 1, Interesting

    Anyone remember the (deeply flawed) Cert statistics [tectonic.co.za] where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

    Well, here's another reason why that report was flawed - it turns out that Microsoft are fixing multiple vulns in one advisory - from the article:
    Manzuik said Microsoft has been silently fixing bugs as far back as 2004. He referred to the company's MS04-007 [microsoft.com] bulletin as a classic example of Microsoft announcing a fix for a single vulnerability when in fact a total of seven flaws were quietly fixed.


    A) Who in the tech world didn't already know this?
    B) Do you realize even *nix vendors do this, including Linux distributions?
    C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?

    If you search back through my posts, I responded and talked about this several months ago in a request that we need better exploit and bug tracking than what is currently available for industry standards.

    For example, if my third party program creates a vulnerability in Windows, do you REALIZE that Windows gets the mark for the exploit, not my company or software, when Windows HAD NOTHING TO DO WITH IT?

    This is the same with Apps on Linux, OSX, etc. You can't brand exploits to an OS based on third party applications, there needs to be higher levels of granularity.

    For example, an Apache flaw gets marked for almost every OS it runs on that exposes the exploit.

    However I do believe that the granularity should list the difference between OS and Application level exploits but ALSO track the applications that are installed by the OS by default or in a standard configuration.

    For example a Windows Media Player flaw should show up as a mark for Microsoft for Windows Media Player, but also be a mark against Windows since it is part of the standard installation.

    However a Microsoft Word flaw should show a mark for Microsoft, but not show up as an OS flaw or exploit.

    This should also hold true for all *nix distributions. If the distribution in the standard install throws Application XXXX on the system, then the OS gets a mark. However if Application XXXX is only RUN on the OS, the Company's name should get the flaw, and not the OS itself.

    And even with that said, the exploits list should also maintain a collection of 3rd party application exploits that could 'possibly' affect the OS.

    This is just like the JAVA exploits over the past year. They are Sun's responsibility. However I read several recent articles about it being an exploit in OSX because Apple includes the fix in their patch.

    This needs to be clear so that we know who the flaw belongs to, who is to fix it, who fixed it, and when they fixed it. We can't have stuff lumped into just an OS level.

    So the articles I have seen on the latest JAVA flaw stating it is a flaw in OSX are just wrong and misleading.

    As for the original article, I don't think anything was stated anybody didn't already know, except that it is somehow making 'press'. All OS vendors do not release every found exploit before they patch them, especially when the OS vendor has the SOLE responsibility to fix the exploit. Apple does this, Sun does this, even Linux distributions do this with exploits specific to their builds.

    Now it can be debated if this is safer for the consumer or not. I tend to lean towards 'less press' on an exploit, as being safer for the consumer.

    Simply, here is why I lean this direction. Hackers and nerds and people that are 'capable' of using the exploit are 10-100 times more likely to read the 'tech industry' news and these advisories than the average person that is not into the technology news nor cares about it.

    The second aspect to this, is the question, "Who can do more with this information?"

    A typical user, depending on the exploit, can do nothing until one is issued, even in the *nix world, as Linux and others move to the desktop

  33. Re:So that's why Microsoft has such a low vulnerab by slashdotnickname · · Score: 0, Redundant

    The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering.

    That would be an insightful comment... in fantasy land. Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch. Microsoft has a valid point when they say that publishing vulnerabilities mainly helps out 'bad guys' because the majority of their 'good guy' users don't have the skills to counterattack. It's not like the open-source world, where there's a large community of skilled programmers ready and willing to publish fixes... and, more importantly, outnumber skill-wise any malicious programmers.

  34. Re:So that's why Microsoft has such a low vulnerab by clydemaxwell · · Score: 1

    We apply every avail. patch using that same mentality.
    A quick testbed and then patch. We have to worry more about the patches breaking things than otherwise, since not patching isn't even a possibility.

    --
    Browsing with classic discussion, noscript, at -1 and nested
    no hidden comments and I only mod UP
  35. The inherent problem: "Doesn't apply to me" by Opportunist · · Score: 2, Insightful

    That's the crucial problem in this policy. People, especially people who're wary when it comes to MS "patches" or those who have to watch their bandwidth (unless they want to pay extra for more traffic) will read patchnotes carefully, then ponder what the patch does according to the info given and more often than not (especially when the patch is supposedly for a feature they don't use) they'll simply say "Don't need it. Doesn't apply to me."

    This patch might have fixed a key security hole. But if you don't know it, how should you decide whether you should apply it? I don't buy the story that MS knows what's good for me. If anyone knows, I do. And I certainly won't hand this decision over to someone else.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:The inherent problem: "Doesn't apply to me" by PitaBred · · Score: 1

      Sounds like it's about time to stop using Microsoft software then, eh?
      Yeah, yeah, usual arguments about MS. It takes pain to switch. But the question is which pain is less... known pain that you can plan for, or pain that blindsides you at 2am when you learn that someone has just downloaded your entire HR database?

    2. Re:The inherent problem: "Doesn't apply to me" by Opportunist · · Score: 1

      Unfortunately it's not really in my power. Who of us is going to convince a boss that bought a UPS right AFTER a 2-second blackout trashed the database?

      Something's gotta happen before people get smart.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:The inherent problem: "Doesn't apply to me" by PitaBred · · Score: 1

      Yeah, I know. Unfortunately comments like mine are in inverse proportion to the occurrence of common sense in business.

    4. Re:The inherent problem: "Doesn't apply to me" by 10101001+10101001 · · Score: 1

      I don't buy the story that MS knows what's good for me. If anyone knows, I do. And I certainly won't hand this decision over to someone else.

      Actually, you already did by using closed software. The fact is, you've no idea when two things are interrelated and are almost entirely dependent on MS to not only fix your problems but report how fixes or any other changes will affect other components. To that end, MS is really the only group that really knows what's good for you. Until you go over the entire system with a fine comb, you can't be sure there aren't any backdoor associations instilled by some component in the system. The same is true for open software, of course, but at least there you only have to verify any firmware or other ROMs, the compiler, and the source. At least the source, which is a huge bulk of the system, is reasonably readable.

      --
      Eurohacker European paranoia, gun rights, and h
  36. I'm shocked! by Progman3K · · Score: 0

    Shocked I say!
    This is not what I've come to expect from - ...

    Wait, this is EXACTLY what I've come to expect from them.

    Carry on.

    Mod me flamebait if you will, but it is obvious that this is S.O.P.
    Why is this even news?

    Do we even NEED to bash Microsoft anymore?

    Come on, Linux is better and all, so let's concentrate on how great it is and just ignore this type of Microsoft-reporting: It's not news and it's not new.

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:I'm shocked! by gregarican · · Score: 1

      Just when I was about to post a Devil's Advocate example of Linux distros similarly hiding the nitty gritty details of security patches, I hunted around and found most all patches give the details. Here's just one random example. So tooo-shaaaay.

    2. Re:I'm shocked! by Progman3K · · Score: 1

      I think you nailed it.

      That's the reason for open-source's (mostly) superior quality: it's about doing The Right Thing (TM), not about quarterly earnings, covering ass or FUDding-to-prevent-adoption. When you run around like a chicken with its head cut off like that (the MS way), then what time or resources do you really have left to get things right? Not much apparently...

      I declare it here; Microsoft is naked! There is no suit.

      --
      I don't know the meaning of the word 'don't' - J
    3. Re:I'm shocked! by maxwell+demon · · Score: 1

      But did you also expect Microsoft to admit it?
      The headline doesn't read "Microsoft hides flaw details", but "Microsoft admits to hiding flaw details".

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:I'm shocked! by Progman3K · · Score: 1

      Did I expect them to admit it?

      I suppose that when you are caught red-handed, you have no choice...

      Either way, it isn't news because it isn't new: Microsoft have consistently included and slipped-by 'extra' things in their patches for ages and have been caught doing it regularly.

      Maybe you are right, it might be the first time they publicly admit to it, but since everyone is already expecting that type of behaviour from them, why not?

      --
      I don't know the meaning of the word 'don't' - J
  37. This isn't news by bitbin · · Score: 1

    I would bet that most vendors don't air all their dirty laundry, but that they do risk analysis and only release the bare minimum amount of information required.

  38. Re:So that's why Microsoft has such a low vulnerab by OwlWhacker · · Score: 4, Insightful

    If I were a system administrator, I'd be applying every patch they handed me, on the off chance it's patching an obscure vulnerability I'd never catch in a million years.

    If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!

    Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.

  39. Re:This article is flamebait [or are you a troll?] by clydemaxwell · · Score: 2, Interesting

    I really disagree. This is security through obscurity, and hiding the plain English description of an available patch only limits the n00b level black hats (scriptkiddies and the like!)
    All the information about what is patched is directly available in the patch, exposed via a relatively simple decompiling operation. A compare of the newly provided DLL and the original shows you clearly what the original lacks. And as such, how you can attack anyone unpatched, or figure out what other DLLs may have such a problem.
    I remember helpctr.exe was the first executable I ever did this to. Simple buffer overflow, before SP1.

    --
    Browsing with classic discussion, noscript, at -1 and nested
    no hidden comments and I only mod UP
  40. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 4, Insightful

    A) Who in the tech world didn't already know this?

    The news is that Microsoft are admitting it. The security community have 'strongly suspected' this for years.

    B) Do you realize even *nix vendors do this, including Linux distributions?

    Could you please provide an example of this (for linux vendors)?

    Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the Windows world.

    C) Do you also realize that Apple patches more items in a single Patch on average compared to MS by a factor of 10 or more?

    I do realise Apple patches multiple vulns in one go. Fortunately however, anything remotely important that is distributed by Apple is written by third parties with more responsible disclosure policies (i.e. OpenBSD, the Apache foundation).

    You make a good point about granularity of "bug counting" lists. There's a lot of room for improvement.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  41. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 1

    Do BSD variants run as much hardware & drivers for as many varied equipment types as Windows 2000/XP/Server 2003?

    NO??


    *snort*

    NetBSD refutes you, troll.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  42. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 3, Interesting

    Please reread my post.

    You write: Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.

    Which is exactly what I quoted: "The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering."

    It's the attacker doing the reverse engineering, not the sysadmins.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  43. Re:This article is flamebait [or are you a troll?] by mapkinase · · Score: 1

    If you still don't understand why they should release information, consider the following from the article:

            "Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch"


    I always install patches. What is wrong with it?

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  44. BSD Owns You! by Anonymous Coward · · Score: 0

    Is it possible to design an easy to use, accessible, and reliable application that has no security holes?

    I dunno, why don't you ask the BSD users.

  45. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    "It never fails to amaze me how the Mac/Linux fanboys "run for big brother UNIX (like BSD variants)" when their OS of choice is shown as bearing more security holes &/or vulnerabilities than Windows NT-based OS have." - by Anonymous Coward on Thursday April 20, @09:17AM (#15164110)

    It never fails to amaze me how the Anonymous Cowards post false information when hardly anybody reads it.

    Besides, Anonymous Cowards who post without backing their opinions up have no girlfriends, and tiny peckers. Argue with the numbers, facts & figures.

  46. FUD! by OwlWhacker · · Score: 4, Insightful

    Anyone remember the (deeply flawed) Cert statistics where Microsoft had 812 vulnerabilities compared to Unix + Linux's 2328?

    Indeed.

    What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

    Even if Microsoft persuades people that it has a good reason for not disclosing vulnerabilities, Microsoft has no good reason to use false statistics, created by its hiding of information, in order to help persuade people that its software is more secure.

    1. Re:FUD! by mgessner · · Score: 1

      What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

      Well... maybe. It's quite possible that the two sub-organizations aren't communicating very well. If that's the case, then they need to do something about it.

      I don't really care for Microsoft, neither the company nor their software. But let's not get all paranoid and just jump to the conclusion that they're deliberately trying to mislead us.

      Oh, crap, what the hell am I saying?

      Of COURSE they're lying to us! Of course they know that they are deliberately misleading people with false statistics because they know that their business model is under attack!

      Sorry about that, kids. We now return you to your regular broadcast.

      --
      "Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
    2. Re:FUD! by whoever57 · · Score: 1
      What makes it worse is that Microsoft knows full well that this data is false, and still uses this in its FUD attacks against Linux/Open Source.

      Well... maybe. It's quite possible that the two sub-organizations aren't communicating very well. If that's the case, then they need to do something about it.

      Perhaps they are not communicating too well. Don't you think the PR department ought to call the security team to validate the numbers before going on the attack?

      My point here is that the lack of communication is probably willful.

      Or, on the other hand, the PR department did contact the security department and somewhere along the line, someone decided to lie.

      I don't care if someone decided to not find the truth or knew about the truth before launching FUD: it amounts to the same. Microsoft knew that the figures were bogus and Microsoft used bogus numbers to attack Linux. Lack of communication is irrelevant.

      If it were merely an unintentional failure, where is the apology? Where is the correction?

      --
      The real "Libtards" are the Libertarians!
    3. Re:FUD! by mgessner · · Score: 1

      Oh, I guess you didn't get the rest of my post :-)

      The PR folks probably knew EXACTLY what was going on. I think they probably DID release those false/misleading statistics purposefully.

      --
      "Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
    4. Re:FUD! by whoever57 · · Score: 1
      Oh, I guess you didn't get the rest of my post :-)
      I did read all of your post. Your final line ("We now return you to your regular broadcast.") made me think you were being sarcastic when you wrote: "Of COURSE they're lying to us!".
      --
      The real "Libtards" are the Libertarians!
    5. Re:FUD! by rtb61 · · Score: 1

      More specifically, where are the class action lawsuits for false and damaging advertising and another one for failing to inform their customers of potentially damaging security flaws ;).

      --
      Chaos - everything, everywhere, everywhen
  47. Re:This article is flamebait [or are you a troll?] by Anonymous Coward · · Score: 0

    If you still don't understand why they should release information, consider the following from the article:

    So why is "this patch fixes an important vulnerability" different from "this patch fixes seven important related vulnerabilities"? If you're responsible about security in your organization you're going to want to test it and deploy it either way.

  48. Re: also by FudRucker · · Score: 1

    When GNU/Linux had a vulnerability it was counted for each distro that had the vulnerable piece of software.

    --
    Politics is Treachery, Religion is Brainwashing
  49. Re:So that's why Microsoft has such a low vulnerab by Bert64 · · Score: 2, Interesting

    Those previous statistics also failed to take into account that most of the vulnerabilities in apps for linux, can also exist if those same apps are installed on windows...
    Apps such as Apache for instance, can easily be installed on windows and most of the issues found will affect any platform running the software.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  50. Re:So that's why Microsoft has such a low vulnerab by makomk · · Score: 2, Insightful

    This got moderated Insightful?

    That would be an insightful comment... in fantasy land. Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch.

    Exactly - so how are they meant to know what it does? On the other hand, at least some of the bad guys can and will reverse-engineer the patches. (Some security researchers are able to too, hence why this came out, but they probably don't have the time to do it for every single patch.)



    Microsoft has a valid point when they say that publishing vulnerabilities mainly helps out 'bad guys' because the majority of their 'good guy' users don't have the skills to counterattack. It's not like the open-source world, where there's a large community of skilled programmers ready and willing to publish fixes... and, more importantly, outnumber skill-wise any malicious programmers.

    We're talking about vulnerabilities for which Microsoft has already released a patch - all the sysadmins need to know is that it exists and they need to apply it. The fact that Microsoft is providing incomplete information about what its patches fix means that some systems might not get patched because the administrators think it doesn't apply to them and don't want to risk breaking stuff by applying it.

  51. The answers are Yes and yes by Dcnjoe60 · · Score: 1

    Can there truly be a flawless operating system? Yes, my HP 25 had one. So do many other embedded devices.

    Is it possible to design an easy to use, accessible, and reliable application that has no security holes? Again, the answer is "Yes." Minesweeper is such an application in Windows.

    However, I believe you were meaning an operating system. To which, again, I would answer "Yes." What you cannot do, however, is to keep adding layers to an existing operating system that was never designed to be accessible, reliable and secure, and expect it become so. Windows is relatively easy to use (some may argue that), but the ease of use has come at the expense of reliability and security.

    It is possible, however, to go the other way. You can take an operating system that is designed to be reliable and secure and add features to make it easier to use. Mainframe operating systems are an example of this. I am not saying they are easy to use, by any means, but from the user perspective, they are easier today than they were in 1960. And yet, they are just as secure and reliable.

    When focus is on reliability and security first, then ease of use features need to be evaluated in terms of that. For instance, wireless networking is great. It's great to be able to just turn on a wireless router and turn on the computer and anywhere in the house you can be on the network. From an ease of use perspective, that shines. However, from a reliability/security perspective, it sucks, because not only you, but your neighbor and anyone else can be on that connection. Wireless router manufacturers realize this and most no longer ship with wireless enabled anymore.

    So, back to your original question whether it is possible to design an easy to use accessible and reliable [operating system] that has no security holes? The answer is yes, if one sets that as their priority and has the willpower to follow through.

  52. that's a business decision... by YesIAmAScript · · Score: 1

    I don't quite see how people can get so righteous about this.

    MS has internal business. Some of this includes security. It is their choice whether to release the info or not.

    Other companies are making similar decisions. Does Apple ever tell you what is fixed in iPod 1.1.1 software or iTunes 6.0.4?

    MS is taking a risk people might not patch. But if they want to take that risk, it's up to them. Why do people just love explaining how they'd do things better than MS all the time?

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:that's a business decision... by Schraegstrichpunkt · · Score: 1

      Since when is it up to MS to choose what risks my company takes?

  53. hmm... by JumperCables233 · · Score: 1

    Isn't that sort of like Telly Savalas admitting that he's bald?

    1. Re:hmm... by frederickroyceperez · · Score: 1

      R.I.P.

  54. blah blah blah by cyberfr0g · · Score: 0

    +troll

    get over it folks, full disclosure doesn't work. all it does is say "HEY LOOK AT US WE SUCK AT PROGRAMMING BUT WE ADMIT IT SO PLEASE DON'T PWN US!!"

    microsoft says "yea we know we have some problems ... we'll let you know when it's fixed"

    there will always be new exploits with or without full disclosure.

  55. Re:So that's why Microsoft has such a low vulnerab by kimvette · · Score: 1

    You mean: "It compiled? Ship it?"

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  56. Re:This article is flamebait [or are you a troll?] by k12linux · · Score: 1

    I would add that the patches by Oracle and many other vendors are typically MUCH less likely to break something.

  57. Re:So that's why Microsoft has such a low vulnerab by ratboy666 · · Score: 3, Insightful

    If I have two binaries, I can compare them. I have tools that can walk the function entries and traverse code. If I find a function binary difference, I can scrutinize it to try to determine what has been "fixed".

    Now, I *am* an experienced developer. When I do initial probes on "black box" binaries, I actually prefer to NOT have source available (as I am interested in what it is doing, not the comments or source that the original programmer put down indicating what it was intended to do).

    Administrators? Generally can't do it. If I WERE a "black-hat", I would be all over the actual patches. I don't care about the paper reports.

    The paper reports are critical to the administrators. They are not looking for a crack -- they have to trust that the changes have been checked and the work done carefully to avoid additional problems. But the only way the administrator has to determine if a patch should be applied, and what the risk is, is by full vendor disclosure. The "black-hats" don't really care that much. Of course, full disclosure can be a public relations nightmare.

    The advantage that "open source" has here is that the laundry is already out in the open. Reputation can be (perhaps) slightly reduced by exploits, but it (again generally) doesn't destroy the product.

    As an example, many people (including me) use sendmail and bind.

    However, a closed source provider typically stakes a marketing created reputation. Exploits can really hurt. Take Windows 9x as an example. About the only thing Microsoft can do is state that future Windows are more secure. (even though Windows 98 as a core is reasonably hardened, as long as trojans are not executed, which it is VERY vulnerable to).

    Oh, and "good guys" don't "counterattack". Just because someone attacks sshd on my box doesn't mean I turn around and attack. Generally, I ignore it. A "counterattack" stops at reporting the attempts to an upstream provider if they are very persistent (or successful).

    --
    Just another "Cubible(sic) Joe" 2 17 3061
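    The binary comparison the post above describes, as an added illustration (this is not code from the thread or from any tool it names): hash each function's bytes in the pre-patch and post-patch images, list the functions that changed, then localize the differing byte ranges inside them so the analyst knows where to start disassembling. The function table and both images are constructed inline with hypothetical names (ParseHeader, CopyPayload, Cleanup) so the script runs offline; a real run would take the table from symbols, exports or a disassembler's analysis and the images from the two builds.

```python
"""Function-level diff of two builds of one binary.

Added illustration, not code from the thread. The function table and the
two images are constructed below so the script runs stand-alone.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed symbol table: name -> (offset, length). Hypothetical names.
FUNCTIONS: Dict[str, Tuple[int, int]] = {
    "ParseHeader": (0x00, 0x10),
    "CopyPayload": (0x10, 0x14),
    "Cleanup":     (0x24, 0x08),
}


def _build_image(patched: bool) -> bytes:
    """Construct a toy image; only CopyPayload differs between the two builds.

    The bytes are filler, not real machine code: the patched build replaces
    the first four bytes of CopyPayload, standing in for an inserted check.
    """
    parse_header = bytes(range(0x10))
    copy_payload = (b"\xaa\xbb\xcc\xdd" + b"\x90" * 0x10) if patched else b"\x90" * 0x14
    cleanup = b"\xc3" * 0x08
    return parse_header + copy_payload + cleanup


OLD_IMAGE = _build_image(patched=False)   # constructed pre-patch build
NEW_IMAGE = _build_image(patched=True)    # constructed post-patch build


def function_hashes(image: bytes, table: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """SHA-256 of each function's bytes, keyed by function name."""
    return {
        name: hashlib.sha256(image[off:off + length]).hexdigest()
        for name, (off, length) in table.items()
    }


def changed_functions(old: bytes, new: bytes, table: Dict[str, Tuple[int, int]]) -> List[str]:
    """Names of functions whose bytes differ between the two images."""
    old_h, new_h = function_hashes(old, table), function_hashes(new, table)
    return sorted(name for name in table if old_h[name] != new_h[name])


def changed_ranges(old: bytes, new: bytes, offset: int, length: int) -> List[Tuple[int, int]]:
    """Half-open [start, end) byte ranges inside one function that differ.

    A byte past the end of one image but not the other counts as differing,
    so a function that grew or shrank in the new build is still reported.
    """
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(offset, offset + length):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, offset + length))
    return ranges


def diff_report(old: bytes, new: bytes, table: Dict[str, Tuple[int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Changed functions with the byte ranges an analyst would disassemble first."""
    return {
        name: changed_ranges(old, new, *table[name])
        for name in changed_functions(old, new, table)
    }


if __name__ == "__main__":
    for name, ranges in diff_report(OLD_IMAGE, NEW_IMAGE, FUNCTIONS).items():
        spans = ", ".join(f"0x{s:x}-0x{e:x}" for s, e in ranges)
        print(f"{name}: changed bytes at {spans}")
```

    On the constructed images only CopyPayload changes, at bytes 0x10-0x14. Hashing per function rather than per file is what makes the output actionable: the unchanged functions drop out immediately and the analyst's time goes to the few bytes that moved.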
  58. Re:So that's why Microsoft has such a low vulnerab by EvanED · · Score: 1

    Depends on how you view the question. netBSD (or any of them) runs on more platforms. But if you confine yourself to the x86, Windows has better hardware support.

  59. Re:So that's why Microsoft has such a low vulnerab by laffer1 · · Score: 2, Insightful

    Perhaps, but do you really think Microsoft tests every possible patch configuration? I'd bet they only test the last service pack plus the patch and maybe current with all updates. You're taking a risk running a "non standard" environment too. Besides, you should always patch a few systems that seem common to your environment before rolling out patches in a large corporate environment anyway.

  60. Re:This article is flamebait [or are you a troll?] by stanmann · · Score: 2, Insightful

    The big difference is a patch for Oracle 9.0.7, isn't going to change the functionality of your email client. Just as a patch for a Cisco 9320, isn't going to change how your flatbed scanner works. A MS Word patch could change how your email client works, or how your flatbed scanner works.

    --
    Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
  61. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    "Apps such as Apache for instance, can easily be installed on windows..."

    You would only do that for a non-production, non-internet facing web server. Apache does not recommend that it runs on win32 as a real HTTP server ready to face the hostile world.

  62. Re:So that's why Microsoft has such a low vulnerab by OwlWhacker · · Score: 2, Insightful

    do you really think microsoft tests every possible patch configuration?

    No.

    You're taking a risk running a "non standard" environment too.

    I am?

    Besides, you should always patch a few systems that seem common to your environment before rolling out patches in a large corporate environment anyway.

    Indeed. You should test the patches first; however, if there is a vulnerability that you really must patch, and it's going to knock out something you're dependent on, either way you lose.

  63. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 1
    Depends on how you view the question.

    I'll view it precisely as the OP posted it. Here it is again for you, with relevant bit bolded:
    Do BSD variants run as much hardware & drivers for as many varied equipment types as Windows 2000/XP/Server 2003?
    They talk about hardware drivers & equipment. Nowhere do they mention confining to x86.
    --
    There are shills on slashdot. Apparently, I'm one of them.
  64. Re:So that's why Microsoft has such a low vulnerab by Skuld-Chan · · Score: 1

    Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.

    I should mention that in my experience I've only ever got screwed by a patch from Microsoft once. The patch was for a login delay on MetaFrame, and it screwed up Acrobat 5 dialogues (you could no longer type into them). I honestly believe with most well behaved applications this sort of thing is pretty rare - especially with the sort of testing that Microsoft does beforehand.

    Linux however - I've had patches break applications all the time - especially binary only programs.

  65. False Advertising by TubeSteak · · Score: 1

    If MS actually used those claims in any advertisements... that's false advertising.

    http://en.wikipedia.org/wiki/False_advertising

    I'm not sure how the FTC would deal with MS Sales Reps using that survey in their promotional/sales materials, but I imagine that someone could probably make a Lanham Act case out of it. To get damages under the Lanham Act, "Actual loss is not required to show an injury. All that is needed is a reasonable basis for the belief that the plaintiff is likely to be damaged as a result of the advertising." Read http://www.poznaklaw.com/articles/falsead.htm for the rest of "Basics In False Advertising"

    --
    [Fuck Beta]
    o0t!
  66. Re:So that's why Microsoft has such a low vulnerab by TheNetAvenger · · Score: 1

    Of course - even if you do find an example (I doubt it), it doesn't change the fact that it's just the distribution - the upstream developers will have released patch information, etc. There is no parallel for this sort of openness in the windows world.


    Ok, so you think flaws in Linux have never been corrected without a full published disclosure? Really... I have this bridge I would like to sell...

    As for distributions, I have seen everyone from Redhat to SuSE push through patches that were 'previously' undisclosed.

    Even OpenBSD has done this, they do not always Announce the flaw before a patch is made available.

    Yes, you are right it WOULD happen less in Open Source OSes due to the process and nature of open source, but that does not mean it doesn't happen.

    This really isn't big news.. Sorry you think it is...

    PS. I have heard people from MS say many times that flaws are not disclosed if possible to give them time to create a patch. Heck even do a Google search on this. THIS IS NOT THE FIRST TIME MICROSOFT HAS ADMITTED IT. Ok?

  67. Re:So that's why Microsoft has such a low vulnerab by OwlWhacker · · Score: 1

    in my experience I've only ever got screwed by a patch from Microsoft once.

    I've never been screwed by any Microsoft patches on my Windows network either. I guess we should be thankful.

    Linux however - I've had patches break applications all the time - especially binary only programs.

    All the time?

    Any particular apps? Was anything important broken? When did these problems occur? This sounds terrible!

    I've heard from people in charge of Windows networks who have told me that a patch from Microsoft caused problems. No, I couldn't tell you what happened, as I don't remember -- it didn't happen to me. Besides, I know for a fact that many people have problems with patches from Microsoft; you can read about it quite frequently in the news.

  68. while (patch != FUD) by Anonymous Coward · · Score: 0

    MS releases full patch details, scary contents coax people into updating, people-with-a-clue patch or protect their systems immediately, and for the lesser-clued people, there's always survival of the fittest.

    I think MS just hates freedom of information.

  69. Re:So that's why Microsoft has such a low vulnerab by Whiney+Mac+Fanboy · · Score: 1

    Good god!

    *sighs*

    If you read the discussion rather than have a knee-jerk pro-MS reaction, you would realize that this is about disclosure after the patch has been released.

    Please, please, even if you can't be assed reading TFA, read the discussion before posting.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  70. Microsoft == BAD by loose_cannon_gamer · · Score: 1
    My subject is to prove a point. Slashdot is notoriously, and regularly with good reason, quite anti-Microsoft. Would the comments and content be different if, say, we swapped Microsoft with Apache in the original article / summary? The comments would probably change just because there are more Apache apologists than Microsoft apologists here. Oh well, big deal. Plus, the subject 'Microsoft == BAD' is going to get good readership here. Know your audience. :-)

    Second, I think something most people haven't covered here is that code defects vary wildly in terms of visibility and seriousness. I pretend to do software development (as a day job), and know full well that after my first code-build-test-debug iterations complete and I hit an alpha stage of functionality for some feature (it appears to work and passes my initial tests), I will likely still make Q changes per K lines of code (unknown constants to me). Some of these are actually critical, segfaults hiding in unchecked variables, potential buffer overruns, exceptions I forgot to try-catch. Others are cosmetic or for readability -- changing formatting or variable/class names to make more sense, adding comments. Others are for performance improvements or memory efficiency. I know full well many of the issues I fix will probably never be seen by any client of my code, but I fix 'em anyway, but only as often as I find them. And even for serious defects, there are definite (unknown) probabilities that my clients are going to see them.

    My point here is that there's no clear principle for when the public needs to know. If it affects one in a trillion people, should it be declared in press conference? 1 in one billion? one million? 100000? 10000? Sure, there's a threshold there, but it is arbitrary and biased -- if I'm the one in 10000, I will wish that they'd talked about it; if I'm one of the other 9999, well, I don't care. And if some fellow fixing the 1 in 10000 fatal flaw finds and fixes 10 other 1 in a trillion flaws in the same area of code (and that's quite common in my experience, because bad code tends to localize well), do I really need publication on the other 10 tiny flaws? No. Just fix the one big one publicly, and spare me the details on the other 10. But post it somewhere so I can google it.

    So is Microsoft evil for their bug tracking and disclosure policies? Beats me, but probably. :-) My comments above neither defend nor attack them, they're just comments.

    --
    In Soviet Russia, us are belong to all your base.
  71. Spare a few $$$ for OpenBSD? by Dareth · · Score: 1

    They are everything you say... well mostly. And they have OpenSSH to support!

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  72. if Software can fix user error with Software??? by Dareth · · Score: 1

    If software can fix user error with software, why doesn't the original software "fix" the potential for error. It is obviously possible, so why not?

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:if Software can fix user error with Software??? by drsmithy · · Score: 1
      If software can fix user error with software, why doesn't the original software "fix" the potential for error. It is obviously possible, so why not?

      Because they are two separate pieces of functionality, and including the "antimalware" part would probably have Microsoft embroiled in another antitrust lawsuit.

  73. Re:So that's why Microsoft has such a low vulnerab by jschottm · · Score: 1

    If you apply a Microsoft patch for something that is never likely to affect you, you're taking a bigger risk by applying the patch!

    There's very few updates that are pushed as "must install" downloads via Windows Update that aren't likely to pose a threat to the system. IE is so tied into the system and other software that keeping it patched is important even if you don't do web browsing on the system. Many of the other vulnerabilities may not seem like they're important behind a firewall, but firewalls fail or can be worked around.

    Most people here should be aware that applying a Microsoft patch is likely to screw something up -- something Microsoft has become renowned for.

    To be fair, every major vendor I can think of has released a patch or ten that screwed something up. The MS faulty patches have gotten better and with less significant problems.

  74. Re:So that's why Microsoft has such a low vulnerab by aybiss · · Score: 0

    Someone mod parent down. It's pure fantasy and a troll.

    Microsoft 'has become known for' providing timely patches for their software like no-one else. Nobody on the face of the planet invests the amount of time and effort in this area that MS does.

    Microsoft may have, at some stage in the past, caused a problem with a fix, but sitting here applying 45 updates to every OEM copy of XP+Office I've sold, I can't say I ever noticed a patch screwing up a machine.

    Grrr.

    --
    It's OK Bender, there's no such thing as 2.
  75. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    Someone mod parent down. It's pure fantasy and a troll.

    Please note: the above sentence was not a quote from the parent of this post, I just happen to have used the same wording because I have the same feelings.

    "Microsoft 'has become known for' providing timely patches for their software like no-one else. "

    Microsoft's patches are coming quicker than they used to, which is probably why more of them seem to be causing problems.

    Timely patches like no-one else? I don't think so. I know Microsoft has left critical flaws unpatched for longer than others...

    "I can't say I ever noticed a patch screwing up a machine."

    You and I are a pretty small percentage of the world's Windows users, so I don't think it really matters. Here are a few articles pointing to problems with Microsoft's patches:

    http://www.vnunet.com/vnunet/news/2154155/users-feel-pain-latest
    http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=185302749
    http://www.informationweek.com/news/showArticle.jhtml?articleID=180202426
    http://www.theregister.co.uk/2005/10/17/ms_patch_glitch/
    http://www.theregister.co.uk/2005/09/12/ms_pulls_security_patch/
    http://www.informationweek.com/story/showArticle.jhtml?articleID=168600620
    http://tech.monstersandcritics.com/news/article_7992.php/Faulty_Microsoft_patches_highlight_quality_concerns
    http://news.zdnet.com/2100-1009_22-5648595.html
    http://www.itnews.com.au/newsstory.aspx?CIaNCID=43&CIaNID=18362

  76. Re:So that's why Microsoft has such a low vulnerab by Bert64 · · Score: 1

    And a number of the open-source apps in which vulnerabilities were found are not considered large, production-ready... For instance some of the vulnerabilities in prerelease betas of Firefox etc.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  77. Microsoft hampers sys admins by solo6 · · Score: 1

    Apparently written by a diehard Linux geek. Which is to say, hardly worth the space it took in Slashdot or the dignity of a reply (blush).

  78. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    "netBSD [netbsd.org] refutes you troll." - by Whiney Mac Fanboy (963289) * on Thursday April 20, @09:31AM (#15164214)

    First of all, it doesn't refute this:

    From CERT (an agency that specializes in computer based security findings):

    http://it.slashdot.org/it/06/01/05/0027219.shtml?tid=172&tid=218

    &

    http://www.us-cert.gov/cas/bulletins/SB2005.html

    QUOTE EXCERPT:

    "Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows."

    Also, I don't see BSD able to run 1/10th the types of peripherals Windows does, point-blank.

    (You can try to add up all of those other platforms, CPU-wise, but it still doesn't equal or surpass Windows support of peripheral equipment... no questions asked).

    I nearly hate to tell you this, but you need a "dose of reality":

    It's a WIDELY known & accepted fact that Windows based OS run on a good 90% of the world's computers... most of which, machine-for-machine out there nowadays, are x86 based!

    In fact, X86 has proven such a versatile and fast platform, that it just took down stuff from the RISC world, 1 by 1 over the last decade or so.

    (Anyone recall MIPS &/or PowerPC? They are being used less & less, and Apple's MacOS X is one recent proof of it... a UNIX based example, no less).

    AND, that same 90%++ or better numbers in favor of machines running Windows based OS (specifically nowadays NT-based types like 2000/XP/2003 Server) are fully inclusive of systems ranging from:

    Home desktops/laptops, to work based workstations on the job, up thru departmental servers and right up to the Enterprise-Class type (DB servers, webservers, app servers, file & print, you-name-it).

    Versatility & ubiquity IS what Windows is all about, & why it's on top!

    (And, x86 is where it is at, especially since distributed & clustered computing is taking hold, on top of client-server application designs).

    E.G.-> It's already been proven time & again, that a few dozen/hundred/thousand clustered rigs can do more than many larger "big-iron" rigs can, which is why systems of that nature take the top-spots in today's super-computer shootouts/challenges.

    (YES, Linux does clustering, as do many UNIX variants, AND, Windows can as well nowadays (albeit not final yet but close), via its compute-cluster edition versions).

    ABOVE ALL:

    Overall, since more systems worldwide run Windows NT-based OS from home desktop/laptop, departmental workstations, thru departmental servers as well as up to enterprise-class/mission-critical servers (web, db, application, file & print you-name-it), where are your employment opportunities greater?

    Windows, or UNIX & its variants??

    Windows, hands-down, of course!

    * :)

    Yup... You Linux Penguins & UNIX nuts either need to gain experience in this field, or wake up earlier & have more coffee in the A.M., to get the better of me...

    Same to you mods also:

    You've blocked me via 1 IP from replying (literally, lol, the "geek angst" of the defeated only shows itself MORE in that little debacle which I easily blew by)...

    Mods blocking my IP addy or Mac Address doesn't stop me from posting from another set of those... Simply by just merely setting up my own anonymous servers, & blowing by your PUNY block attempts THAT way, seen here:

    "Due to excessive bad posting from this IP or Subnet, anonymous comment posting has temporarily b

  79. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    Time to dismantle this 'pot-calling-the-kettle-black' ad hominem attack utilizing Linux Penguin who's already on the ropes, tossing names:

    "It never fails to amaze me how the Anonymous Cowards post false information when hardly anybody reads it." - by Anonymous Coward on Thursday April 20, @09:37AM (#15164261)

    Funny, you read it, first of all!

    "Argue with the numbers, facts & figures." - by Anonymous Coward on Thursday April 20, @09:37AM (#15164261)

    No no, senor:

    You argue with these facts & figures here, from CERT (an agency that specializes in computer based security findings):

    http://it.slashdot.org/it/06/01/05/0027219.shtml?tid=172&tid=218

    &

    http://www.us-cert.gov/cas/bulletins/SB2005.html

    QUOTE EXCERPT:

    "Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows."

    Argue with the numbers & facts + findings from a gov't. organization that specializes in that area... you'll see it's better than your F.U.D. attempts & puny attempts @ it.

    "Besides, Anonymous Cowards who post without backing their opinions up have no girlfriends, and tiny peckers." - by Anonymous Coward on Thursday April 20, @09:37AM (#15164261)

    LOL, well... JUST in case you hadn't noticed?

    You also post as "A/C" as well!

    (YES, folks - yet another typical Linux user oversight, lol! They can't even realize they are the pot calling the kettle black! AND, I posted quite the body of facts & figures from a respected source in this field.)

    Secondly - Ah, the INEVITABLE ad hominem attack from the Linux/UNIX boys when they get floored by facts - Yes, truly the "VERY BEST" you can expect from Linux/UNIX people, when they are 'down-for-the-count': attack YOU, not the subject matter @ hand!

    LOL!

    (That the BEST you've got? No WONDER your OS & software are fast becoming (or in the case of Linux already are) the '2nd-class citizenry' of computing by comparison to Microsoft-based OS users worldwide, machine for machine)

    * :)

  80. Re:So that's why Microsoft has such a low vulnerab by Anonymous Coward · · Score: 0

    hogwash, windows still runs more equipment types in peripherals alone than all of those diff cpu type platforms you noted.