Slashdot Mirror


Security Firm Reveals Microsoft's "Silent" Patches

CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'" "Secret patches are neither new or rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can "be destructive to customer environments." But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."

84 comments

  1. "Silent..." by gyrogeerloose · · Score: 3, Funny

    ...but deadly.

    --
    This ain't rocket surgery.
    1. Re:"Silent..." by Anonymous Coward · · Score: 0

      Silent.... means not counted? Think about all those surveys that indicate that free software is buggy because the number of disclosed bugs and fixes is high. Does this mean MS is less problematic because their bugs and fixes do not "count."

  2. Tru Dat by MrTripps · · Score: 2, Informative

    Updates can be destructive to customer environments. Just ask anyone who uses McAfee.

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
    1. Re:Tru Dat by bsDaemon · · Score: 3, Funny

      yeah, but McAfee is disruptive/destructive by default. Are you sure that's a fair example?

    2. Re:Tru Dat by guruevi · · Score: 1

      Yes because so is Microsoft.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. sneaky bastards! by Anonymous Coward · · Score: 3, Insightful

    they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.

  4. How so? by khasim · · Score: 3, Interesting

    Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.

    How so? If it is a patch, it needs to go through your testing process for deployment.

    1. Re:How so? by h4rr4r · · Score: 4, Insightful

      Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.

    2. Re:How so? by Bearhouse · · Score: 1

      Mod up. Beat me to it.
      A competent admin, (and if you're running a 'mission critical Exchange server', you'd better be) will be all over this...
      Of course, patched or not, Exchange is still a steaming pile IMHO

    3. Re:How so? by Bearhouse · · Score: 0, Offtopic

      BTW, is that the wind or the car?
      (Had one of the cars back in the 80s; amazing, but you needed to be either rich or a great mechanic)

    4. Re:How so? by Tubal-Cain · · Score: 1

      Because if the patch only says that it corrects a typo in a description somewhere, a good admin will probably not be in a hurry to deploy it. If it closes a bug that allows root access because someone logs in with the username "Joshua", the admin might be more eager to test and apply the patch ASAP.

    5. Re:How so? by Todd+Knarr · · Score: 2, Informative

      Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won't be pretty.

    6. Re:How so? by timeOday · · Score: 1

      Or you can go the other way: cloud computing. Nobody expects google to publicise every security patch they make to the gmail servers. Instead of admins at every company in the world trying to independently evaluate every patch, you trust google to do it correctly.

    7. Re:How so? by h4rr4r · · Score: 1

      Which means when they don't everyone suffers, and you get to pay forever.

      Both have tradeoffs.

    8. Re:How so? by sortius_nod · · Score: 1

      There's also the effort in getting the patch to play nice. I know if there are mitigations elsewhere for vulnerabilities that most companies won't bother putting much effort into getting it to work, which usually ends up with the patch being canned. If the patch fixes a major vulnerability, more resources are deployed due to the higher priority and/or nature of the bug. If there is no bug/patch information and I'm not able to prioritise, well, you pretty much said it - not pretty. I've yet to come across an IT department that can commit 100% to dev/testing for every patch.

      This is just an example of bad customer relationship practices. MS seems to think they know what's best for their customer, which is really why we see Windows turning into the mess it is (both at a consumer & corporate level).

    9. Re:How so? by vegiVamp · · Score: 1

      Maybe that's because we're a) not paying for b) using their software and machines.

      When Google delivers a free service, I can't much complain when they do updates without telling me. If I pay for their services, I expect there to be SLAs and for them to apply patches non-disruptively and without breaking contract.

If I BUY software from Microsoft, run it on my own hardware, pay for their support and have to do the patching myself, I feel they have an obligation to tell me what a patch does in order for me to be able to decide whether or not it's worth applying.

      --
      What a depressingly stupid machine.
    10. Re:How so? by Anonymous Coward · · Score: 0

      That's totally different. Google runs the Gmail servers themselves and they don't distribute the software it runs on. There is absolutely no reason for them to disclose what they do to their own servers unless it will affect their users.

    11. Re:How so? by jim_v2000 · · Score: 1

      You realize that this article is all about some security firm that thinks the patched problems were more important than Microsoft did, right? They think the updates should have been marked "Critical", while Microsoft thinks they were "Important". I'd go with MS on this one instead of some attention whoring security firm.

      --
      Don't take life so seriously. No one makes it out alive.
  5. Phwew, back to status quo... by hoggoth · · Score: 5, Funny

    Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.

    http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
    1. Re:Phwew, back to status quo... by huckamania · · Score: 1

      You hate them because they patched a bug in their software? Something might be wrong with your hardware.

    2. Re:Phwew, back to status quo... by cant_get_a_good_nick · · Score: 1

      META POST:
      RE: your signature
      that's a great song, odd to say that the lyrics are better than santana in it (and i love santana)

      Most people don't know, everlast didn't start in house of pain, but was solo before it. He was a sorta gangsta-rapper from Ice-T's Rhyme Syndicate

    3. Re:Phwew, back to status quo... by hoggoth · · Score: 1

      I hate them because they silently make changes to MY computer without my permission or knowledge.
      They are sneaky and untrustworthy.

      Why couldn't they just list these patches along with the ones they DID disclose?

      It fits right in with the entire design of their operating systems. Hide information from the owner, "for their own good."
Time and time again I spend hours or days struggling with problems whose root comes down to Microsoft thinking I shouldn't know what is really happening inside my computer.
      Well, not everything can be fixed by a damn talking paperclip.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    4. Re:Phwew, back to status quo... by jim_v2000 · · Score: 1

      This is such a non-story. MS found a few bugs that they patched and this security company happens to think that they were more critical than Microsoft did.

      --
      Don't take life so seriously. No one makes it out alive.
  6. huh huh.... by Anonymous Coward · · Score: 0

    he said "asses"s

  7. Nobody ever got fired for lying by Aighearach · · Score: 5, Insightful

    they've got to keep those great security stats they publish about themselves somehow, right?

  8. How appropriate by somersault · · Score: 4, Funny

    Ivan Arce

    I've an arse too, but I don't feel the need to point it out to everyone..

    --
    which is totally what she said
    1. Re:How appropriate by gyrogeerloose · · Score: 1

      Ivan Arce

      I've an arse too, but I don't feel the need to point it out to everyone..

      You know, I'm embarrassed to admit it but I missed that entirely. Good catch.

      --
      This ain't rocket surgery.
    2. Re:How appropriate by Cro+Magnon · · Score: 2, Funny

      It's probably just as well that they didn't mention his sister, Imma.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:How appropriate by Anonymous Coward · · Score: 0

      I'm not sure why I find this so amusing, but that's got to be the funniest comment I've seen on Slashdot in a looooooooong time.

      Well played, sir. Well played.

      /CF

    4. Re:How appropriate by PotatoFiend · · Score: 1

      He has a wife, you know. You know what she's called? She's called... Incontinentia.

      --
      "Liberty may be endangered by the abuses of liberty as well as the abuses of power." -- James Madison
    5. Re:How appropriate by insufflate10mg · · Score: 0

      You're hilarious, using a tragic disorder as a karma-farming / /.-respect-gaining "joke."

    6. Re:How appropriate by PotatoFiend · · Score: 1

      You're hilarious, using a tragic disorder as a karma-farming / /.-respect-gaining "joke."

      You're serious, there's someone on /. who doesn't recognize a Monty Python reference?

      --
      "Liberty may be endangered by the abuses of liberty as well as the abuses of power." -- James Madison
    7. Re:How appropriate by vegiVamp · · Score: 1

      It appears that you would be very surprised indeed about the number of noobs on here. Note the "eternal" part about "eternal september" ? It's not a joke.

      --
      What a depressingly stupid machine.
  9. Quote. by Mekkah · · Score: 1

    "Secret patches are neither new or rare. "This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security."

    What is unusual is that Core took Microsoft's silent updates public.

Not that this should go on anyway, but don't go thinking this is a rare instance and they are stealing your milk money; it happens enough to be some sort of standard business practice.

    --
    ~Mekkah
    1. Re:Quote. by Anonymous Coward · · Score: 0

      So does rape.

  10. Simple solution by Anonymous Coward · · Score: 0

    Use GNU/Linux.

  11. Apply all critical patches regardless of platform by kervin · · Score: 5, Insightful

All vulnerabilities and patch side effects should be described, so I'm not defending the practice. But until a system administrator has the full source code of the system and is willing and capable of auditing it, they should apply all critical patches.

    Regardless of the operating system.

  12. Re:Apply all critical patches regardless of platfo by petermgreen · · Score: 2, Informative

    According to the article some of these patches were only marked as important not critical.

    --
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  13. There is a bigger risk to consider... by erroneus · · Score: 0

    ... themselves!

    Microsoft doesn't need additional bad press. The more bad press they can prevent, the better...for them anyway.

  14. Unsurprising by Todd+Knarr · · Score: 1

    No surprise here. Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment. However, vendors need to not disclose exactly what bugs are being fixed in each patch to minimize the damage to their reputations that comes from large numbers of major bugs or having to fix the same bug over and over and over. And since the vendors get to control the patch descriptions, guess who gets their way.

    This is one reason I favor full disclosure of security bugs. Vendors can only hide the fact that they're fixing a bug if the world at large doesn't know the bug exists. If the bug's publicly disclosed, the vendor now takes the PR/image hit if they don't say when they've fixed it. This then encourages not only quicker fixes to high-risk vulnerabilities but full and complete disclosure of what's being fixed (so users don't keep asking "Why haven't you fixed this yet?").

    1. Re:Unsurprising by cortesoft · · Score: 1

      I agree, and would never argue that vendors should hide bugs they find or bugs they fix.

HOWEVER, requiring all bug fixes to be fully publicly disclosed could create some perverse incentives to not patch a bug. If they feel that not many people know about it, it may seem advantageous to a short-sighted vendor to just hide the bug and pretend it doesn't exist, since fixing it requires disclosing its existence.

      This is a horrible thing of course, but I don't think a vendor being this short sighted would be shocking.

    2. Re:Unsurprising by Todd+Knarr · · Score: 1

      Full disclosure of vulnerabilities typically isn't done by the vendor, it's done by the party finding the vulnerability. If the vendor's the first one to find the problem they can, of course, always not say anything about it, but then they've got to fix it before anybody else finds it.

    3. Re:Unsurprising by jim_v2000 · · Score: 1

      >Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment.

      If it's a security update, you apply it. If you don't, and you get owned, it's your fault.

      --
      Don't take life so seriously. No one makes it out alive.
  15. You're looking at this the wrong way by spun · · Score: 3, Informative

    Microsoft was not fixing a bug, it was removing a remote access feature. They didn't mention it because they didn't want people to complain that this valuable functionality was being removed.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:You're looking at this the wrong way by Anonymous Coward · · Score: 0

      It's not a bug, it's a feature!

    2. Re:You're looking at this the wrong way by vegiVamp · · Score: 1

      Maybe Sony should've tried that, too.

      --
      What a depressingly stupid machine.
    3. Re:You're looking at this the wrong way by drinkypoo · · Score: 1

      Maybe Sony should've tried that, too.

      You jest, but actually, simply breaking the 'Other OS' feature and never fixing it would have made them look merely incompetent, which they've been through time and time again (remember Minidisc? The market sure doesn't.) But this makes them look Evil (which of course they are) which is a little harder to forget. I'll give incompetents another chance — I keep buying ATI video cards in between every couple nVidia cards, for example. But the truly evil? That's a little tougher. With that said, I have a 360, so I must be a big hypocrite. I did buy it used, though, and I make an effort to buy games used as well.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. "Secret patches are neither new or rare..." by Anonymous Coward · · Score: 0

    "Secret patches are neither new or rare..." So counting fixed vulnerabilities of closed software will not count the number of vulnerabilities in said software.

    If such secret patches are neither new nor rare, why then are vuln patches used to ascertain whether CSS or FLOSS is better quality???

    1. Re:"Secret patches are neither new or rare..." by V!NCENT · · Score: 1

      Money

      --
      Here be signatures
17. Dr. Egon Spengler, Microsoft Chief Security Officer by RevWaldo · · Score: 5, Funny

    (on conference call)

    Dr. Egon Spengler: There's something very important we forgot to tell you.
    Ivan Arce: What?
    ES: Advise your clients to install security update MS10-024.
    IA: Why? What would happen if they didn't?
    ES: It would be bad.
    IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
ES: Try to imagine all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your client's existence as a functioning company.
    Dr. Ray Stantz: Total packet reversal!
    IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.

    .

  18. security fixes or hacking guidelines by Vapon · · Score: 0, Redundant

Unless the patch breaks something (which you should test in a test lab), you should apply most patches. Half of the releases that explain what they fix also explain how to take advantage of any computers that don't have the patch; if it's a serious threat it might be better to let people protect themselves before you tell the hackers how to use that exploit.

    1. Re:security fixes or hacking guidelines by Anonymous Coward · · Score: 0

      #1, How will you possibly know if a patch breaks something BEFORE you install it in your environment?
        If you KNEW that you wouldn't need a test environment.

      #2, The crackers already know about the exploits. If MS knew about them before they did you might have a point.

      You are arguing from false premises and reaching bad conclusions.

      Security by obscurity is a PHB fantasy and has no relationship to the real world

  19. Is Microsoft Now by Anonymous Coward · · Score: 0

    a botnet?

    Yours In Astrakhan,
    Kilgore Trout

  20. administrators... wrong decisions by Culture20 · · Score: 3, Insightful

    administrators may end up making the wrong decisions about applying the update.

    Decision? Automatically apply updates and reboot? Check.
    One year later: BREAK
    Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.

  21. Makes you wonder... by xlsior · · Score: 1

...how much the numbers are actually misrepresented in side-by-side vulnerability comparisons between the various platforms (Windows/Linux, etc.), if there's a bunch of them that are being swept under the carpet.

    1. Re:Makes you wonder... by V!NCENT · · Score: 1

Side-by-side vulnerability comparisons are bullshit to begin with.

Anyone with a brain larger than a peanut will have noticed that software is created by humans and that there have always been security vulnerabilities in any OS, including remote exploits in OpenBSD, which is basically as secure as an OS can get from a human creation policy perspective.

      The point is what security measures are there to prevent such bugs from becoming a remote security hole?
      Windows means anti-malware, but this is after the effect basically.
The Mac fanboys (which do not include all Mac users) will tell you that file permissions are the holy grail of why there are no viruses. This is of course wrong because there is also exploitable software running as root.
      SELinux gets even further and has security profiles on what a piece of software can actually do, so if your root running browser (for example) is 'hacked' then the hacker/cracker can still only use the bare certain system functionality that, in this case, the browser needs to operate without crashing.
      OpenBSD has the same permission policy as Mac OS X but splits its programs up in pieces to get the sort of effect that SELinux has, but less effective, while more effective than Mac OS X's policy.

      When a computer is capable of doing something and it is in the range of a hacker/cracker to touch it (say... the internet) then it can always be hacked/cracked, no matter what you do. Although Windows has an amazing track record of failure due to obviously very bad programming (in certain places at least).

      --
      Here be signatures
  22. Re:Amazing... by V!NCENT · · Score: 1

    "You will NEVER be happy with anything Microsoft does."
I know. I figured it wasn't really my thing, so I jumped onto a different OS bandwagon and absolutely love it!

    --
    Here be signatures
  23. More important by MC68040 · · Score: 1

    "[...]they're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update."

    Right, there's been a fair few times where I've not applied security patches "right away" for simple reasons; like they did not affect the way my system was set up.
    But in the end I am hoping "[...]end up making the wrong decisions about applying the update" is talking about a time aspect rather than if-at-all... (this should explain itself)

    Then that they did not declare this in their patch info is a whole other issue; Microsoft are certainly not the only ones who have a history of not doing so...

  24. Microsofts creative stats has been known for ages. by miffo.swe · · Score: 0, Troll

Microsoft's very creative way of handling security has been known for a long time. Instead of fixing the bugs they go for the statistics. By downplaying any security issue until openly proven wrong and rating vulnerabilities as low as possible, the statistics look much better.

Another smart move was UAC, which puts all the blame on the user but doesn't fix the underlying security issues.

    Comparing only Windows to Linux + All applications is also very deceptive, especially with the practices above in mind.

The sad thing is, it works. People tend to think Microsoft has improved their security when in fact Windows 7 in many cases is worse than its predecessor. If you lie enough times with a straight face stupid cheep will think it's true.

    --
    HTTP/1.1 400
  25. Big Brother knows best .. by Anonymous Coward · · Score: 0

    if you have not yet figured out that the ruling class and the corporations that they own and control .. own and control this planet and your sorry ass .. you are just not paying attention ..

    after all they control 98% of all the wealth on earth .. and it is because they are smarter and more deserving than the rest of humanity .. the divine rights of royalty and all that crap.

    big brother knows what is best for us and them ..

    and besides better if i can hide my shortcomings from scrutiny .. so no one is aware that in fact we are not really all that much brighter just more ambitious cunning and greedy .. as that might lead the masses to start questioning whether the ruling class is really deserving of controlling 98% of everything .. although with the effectiveness of 50% +1 demonocracy .. mass brainwashing through public education and the media .. i doubt it ..

and we would not want a second french revolution .. or one like the 60's where the awakening of consciousness among the youth (the peacemakers .. the biblical children of god) being asked to die for them in one of their for-profit WARs and a relatively open and free press almost beat them .. which is why they have retaken control of the educational institutions .. mass media .. and effectively outsourced 95%+ of the government and the military to their corporations since 1984 and Reagan's second term election .. while the working class grunts are under the threat of losing their livelihood or even death for not following the orders they are given ..

that part is quite cunning .. really nothing new though .. and if it were not for lewis f. powell who went on to become a supreme court judge and his manifesto .. http://old.mediatransparency.org/story.php?storyID=21 .. WE THE PEOPLE might have fulfilled the true meaning of democracy and actually gained control over our own lives ..

what a perfect Captcha for the day .. indolent

  26. Re:Microsofts creative stats has been known for ag by twidarkling · · Score: 1

    You're a moron. I can tell by your use of words like "cheep."

    So, explain how UAC differs significantly from OS X's requesting you input username and password each time it wants to update, or do other tasks, or in *nix, when it asks for temporary root access to install things? Or are those also just ways to put it on the user and not fix security issues?

    --
    Canada: The US's more awesome sibling.
  27. This invalidates studies of Windows security by mysidia · · Score: 1

    A claim researchers have sometimes made is that Windows has fewer critical security issues.

    That this has come to light raises even more doubt about the validity of such studies.

    This is a demonstration that Microsoft sometimes hides critical security bugs, and doesn't release advisories, even when they have been reported.

This is prima facie evidence that Microsoft closed-source software probably has many critical security vulnerabilities that were never publicized as such, and were instead kept secret, and if patched, the patch was a hitch-hiker on top of a lesser-prioritized patch.

    Why hide security vulnerabilities, or make them seem less critical? To give a false impression that the software is more secure, and deceive researchers that try to estimate security through blind counting of vulnerabilities.

    1. Re:This invalidates studies of Windows security by Anonymous Coward · · Score: 0

      It doesn't invalidate the studies anymore than the fact many linux bugs are silently fixed invalidates the linux studies. Neither is a good thing but most studies tend to use independent 3rd parties for numbers as they are less likely to bend the truth.

    2. Re:This invalidates studies of Windows security by Ol+Olsoc · · Score: 1

      And this is new somehow?

      Dunno if its related, but a recent update killed my computer at home. So between silent updates, updates that make your computer secure by making it non-functional, it's just more of the same from our friends at Redmond

      --
      Why is this even on SlashDot?... Why is this even on Slashdot?...Why is this even on Slashdot?
    3. Re:This invalidates studies of Windows security by mysidia · · Score: 1

      I don't think it's new, but you see... this is tangible credible evidence that can be cited. Much better than anecdotes from individuals about MS practices.

      It's very rare that MS silently patches something or pretends an issue doesn't exist, and the industry and major publications actually acknowledge that it happened.

    4. Re:This invalidates studies of Windows security by jim_v2000 · · Score: 1

      Read the article before you go spouting off about Microsoft.

      >The truth is that it's business as usual for not just Microsoft, but for most software makers, said Storms. "Vendors commonly find bugs themselves in released code and will distribute the fixes inside a bundle of other patches," he noted. "Many times there simply is no benefit to anyone to disclose the bug."

      --
      Don't take life so seriously. No one makes it out alive.
    5. Re:This invalidates studies of Windows security by mysidia · · Score: 1

      "Many times there simply is no benefit to anyone to disclose the bug."

      This is sure and utter nonsense.

      • Failing to publicize the more critical issue means fewer people will apply the patch -- less pressure to apply the patch
      • Sometimes higher-priority vulnerabilities are applied, and lower-priorities are not.
      • Often IT professionals will review the specific security advisory in question, and run the patch early only if the advised security issue impacts their setup; more general patching of issues that do not currently affect them can wait until the normal upgrade cycle (possibly once every 12 to 24 months, or sometimes even longer).
      • Releasing the patch discloses the bug to anyone who is concerned into looking at it deeply -- they will analyze what is being changed by the patch, and can find the vulnerability based on the contents of the patch and what changed.

      Second, more vendors doing something similar sometimes would just further invalidate studies of windows security, if you can prove they do.

      You see... the mere possibility that their practices may be completely different or inconsistent makes the incidence of vulnerability report numbers useless as a metric.

    6. Re:This invalidates studies of Windows security by jim_v2000 · · Score: 1

These weren't released as anonymous patches, they were bundled with other security updates. If you don't think you need to install a security patch marked as "important", you should look into a career other than IT.

      --
      Don't take life so seriously. No one makes it out alive.
    7. Re:This invalidates studies of Windows security by mysidia · · Score: 1

      Time for you to get out of IT, if you think you need to blindly apply every patch marked important, that is an extreme waste.

It doesn't matter what the rating is: if the patch isn't for an issue that affects you, it is not worth the cost in terms of downtime risk and overhead to apply that patch.

      Doubly so for non-critical rated issues.

      For every patch, you read the security advisories in detail, and determine whether to implement the patch, or design a workaround to prevent the issue from being exploited until the next major upgrade cycle.

      Or you may determine that the severity isn't sufficient to warrant patching, even if the rating is important.
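
The prioritization argument running through this thread (Todd Knarr's point that the advisory text sets the testing/QA priority, and mysidia's that each advisory is read against the mitigations already in place) can be written down as a small model. The following is an added example, not code from the Slashdot thread, the article, or any Microsoft or Core Security tool. Only the bulletin ID MS10-024, its "important" rating and the Exchange/SMTP context come from the article; every issue label, severity, attack vector, site mitigation and deployment window below is constructed to show how an undisclosed fix changes the computed priority.

```python
"""Patch-priority model for the argument in this thread.

Added example, not from the Slashdot thread, the article, or any vendor tool.
Deployment priority is derived from the worst issue the advisory discloses
that no local mitigation already covers. Comparing that with the priority the
admin would assign if every fixed issue were disclosed shows the cost of a
silent fix. All issue labels, severities, vectors and windows are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "low": 1, "moderate": 2, "important": 3, "critical": 4}

# Constructed internal SLA: days of testing/QA allowed before deployment,
# keyed by the worst unmitigated severity the admin believes the patch fixes.
DEPLOY_WINDOW_DAYS = {"critical": 3, "important": 14, "moderate": 45, "low": 90, "none": 365}


@dataclass(frozen=True)
class Issue:
    label: str        # constructed identifier, not a real CVE
    severity: str     # vendor-style rating
    vector: str       # what an attacker must reach to exploit it
    disclosed: bool   # whether the advisory text mentions it


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    vendor_rating: str
    issues: tuple


def worst_unmitigated(bulletin, mitigated_vectors, full_view):
    """Worst severity among issues not covered by a local mitigation.

    full_view=False restricts the calculation to issues the advisory
    discloses, which is all an admin reading the advisory can know about.
    """
    candidates = [
        i for i in bulletin.issues
        if (full_view or i.disclosed) and i.vector not in mitigated_vectors
    ]
    if not candidates:
        return "none"
    return max(candidates, key=lambda i: SEVERITY_RANK[i.severity]).severity


def assess(bulletin, mitigated_vectors):
    """Compare the priority derived from the advisory text with the one the
    admin would have assigned had every fixed issue been disclosed."""
    seen = worst_unmitigated(bulletin, mitigated_vectors, full_view=False)
    real = worst_unmitigated(bulletin, mitigated_vectors, full_view=True)
    return {
        "bulletin": bulletin.bulletin_id,
        "disclosed_view": seen,
        "full_view": real,
        "window_from_advisory": DEPLOY_WINDOW_DAYS[seen],
        "window_if_disclosed": DEPLOY_WINDOW_DAYS[real],
        # True when silence about an issue lengthened the deployment window.
        "underprioritized": SEVERITY_RANK[real] > SEVERITY_RANK[seen],
    }


# Constructed bulletin modelled on MS10-024: two issues described in the
# advisory, two fixed silently. Labels, severities and vectors are invented.
MS10_024 = Bulletin(
    bulletin_id="MS10-024",
    vendor_rating="important",
    issues=(
        Issue("disclosed-1", "important", "inbound-smtp", disclosed=True),
        Issue("disclosed-2", "moderate", "inbound-smtp", disclosed=True),
        Issue("silent-1", "important", "outbound-dns", disclosed=False),
        Issue("silent-2", "moderate", "outbound-dns", disclosed=False),
    ),
)

# Constructed sites: A fronts Exchange with a hardened relay, so inbound SMTP
# from the internet never reaches the vulnerable service; B has no mitigation.
SITE_A_MITIGATIONS = frozenset({"inbound-smtp"})
SITE_B_MITIGATIONS = frozenset()

if __name__ == "__main__":
    for name, mitigations in (("site A", SITE_A_MITIGATIONS), ("site B", SITE_B_MITIGATIONS)):
        print(name, assess(MS10_024, mitigations))
```

Site A, which has mitigated everything the advisory describes, would schedule the bulletin for the slowest window on the advisory alone, while the silent fix it cannot see would have put it on the 14-day track. Site B, with no mitigations, lands on the same window either way, which is the situation jim_v2000's "just apply it" advice implicitly assumes.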

  28. Re:Microsofts creative stats has been known for ag by mysidia · · Score: 1

A key difference between the Mac OS prompt for administrative credentials and *nix sudo (which are the same thing; the Mac OS prompt for an admin login is essentially a graphical sudo) on one side, and UAC on the other, is this:

In those OSes, the elevation is a true security boundary respected by the underlying kernel, and actual user credentials are required to defeat it.

    Whereas with UAC, the 'security boundary' is a soft, artificial one that is easily defeated through various techniques.

    Also, the UAC prompts are required for many routine operations, such that users will get used to clicking OK/Continue.

    In Mac OS/*nix such prompts are extremely rare, rare enough to give the user pause.

    Typing in the password also requires considerably more effort and thought than simply clicking Ok.

    Most likely the user will at least see what is prompted for and part of the warning message, rather than blindly clicking OK.

  29. Re:Microsofts creative stats has been known for ag by Kalriath · · Score: 1

    In Windows 7, many of those operations no longer require UAC approval - regardless of the fact that they impact the system (i.e. changing the loaded driver for hardware without installing new hardware to do it) - just like Mac OS X.

    UAC can also be configured to require the user's credentials to elevate, even when logged in as an admin.

    Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).

    But hey, don't let facts get in the way of your anti-Microsoft rant.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  30. Re:Apply all critical patches regardless of platfo by jonwil · · Score: 1

    Anything that fixes security issues or appears under "high priority" in Windows Update is considered critical by me.

  31. Re:Microsofts creative stats has been known for ag by mysidia · · Score: 1

    Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).

    Nonsense. If the user is an administrator, UAC is not a security boundary. See here:

    Security Boundary: this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, that Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems.

    Administrator running in Admin Approval Mode (AAM): this is kind of a hybrid between An Administrator and a Standard User. You get a split token, which means you have the credentials of both a Standard User and an Administrator, and the right one is applied depending on what is going on.
    ...

    Administrator in AAM: this is definitely not a security boundary. With the Administrator token available in the user’s space, it is too easy for malware to attack something in this very broad attack surface and gain elevation without the user’s approval. Microsoft could not patch this barrier without substantially breaking application compatibility. ..

  32. trust? by mrdtr · · Score: 1

    So basically if you can't trust MS to be truthful and upfront about security updates, what can you trust them with?

  33. what? by Anonymous Coward · · Score: 0

    Microdosft? Are they still kicking around?

  34. Re:Amazing... by Anonymous Coward · · Score: 0

    That's great. Now if you could work on not being such a fag, then the rest of us would be happy to.

  35. Re:Dr. Egon Spengler, Microsoft Chief Securiy Offi by randyleepublic · · Score: 0

    I get chuckles sometimes from /. ramblings, but this, this is truly funny. Excellent!

    --
    Social Credit would solve everything...
  36. Re:Amazing... by V!NCENT · · Score: 1

    You must be mistaking me for a Mac user, coward.

    --
    Here be signatures
  37. Re:Amazing... by X0563511 · · Score: 1

    I would be quite happy if Microsoft were to die a horrible death involving fire.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  38. Re:Microsofts creative stats has been known for ag by Kalriath · · Score: 1

    You can actually configure UAC so you don't have the token, you know. Require password every time you try to elevate.

    Anyway, if you say that UAC is not a boundary (you'll note I didn't specify which user type you elevate from) then neither is sudo or Mac OS X elevation.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  39. Re:Microsofts creative stats has been known for ag by mysidia · · Score: 1

    I'm talking about default configurations here, it's not worth it to discuss imaginary high-security configurations that real users never apply to their systems in real life.

    Repeat after me: If it is not secure by default, then it is not secure.

    When Microsoft makes the default that the user does not possess the second token, and a password is required, then we can refer to UAC as a security boundary.
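    Comments 31, 38 and 39 argue about whether UAC in its default configuration is a boundary at all, and whether an administrator's session still carries the second (filtered) token. The following PowerShell audit is an added example, not code from the thread or from Microsoft: it reads the UAC policy values under the documented `Policies\System` registry key (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`), reports whether elevation asks for consent or for credentials, and uses `whoami /groups` to tell a filtered Admin Approval Mode token from a full one. The value meanings and the stated defaults are as documented by Microsoft to the best of my knowledge; the assumption that a missing value means the OS default applies is mine.

```powershell
# Added example (not from the thread): audit the local UAC configuration that
# comments 31, 38 and 39 argue about, and report whether the current session
# is running with a filtered (split) administrator token.
# Assumes Windows Vista or later with PowerShell 3+; run from a normal, non-elevated prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read one DWORD policy value; $null means the value is absent and the OS default applies
# (assumption: EnableLUA defaults to 1, ConsentPromptBehaviorAdmin to 5 on Windows 7).
function Get-UacValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Documented meanings of ConsentPromptBehaviorAdmin.
$adminBehavior = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}

# Classify the current token. In Admin Approval Mode the filtered token still lists
# BUILTIN\Administrators (S-1-5-32-544) but flagged "Group used for deny only".
function Get-AdminTokenState {
    $rows   = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if ($null -eq $admins)                       { return 'StandardUser' }       # not an admin at all
    if ($admins.Attributes -match 'deny only')   { return 'AdminFilteredToken' } # AAM, not elevated
    return 'AdminFullToken'                                                       # elevated, or UAC disabled
}

function Get-UacAudit {
    $enableLua     = Get-UacValue 'EnableLUA'
    $consentAdmin  = Get-UacValue 'ConsentPromptBehaviorAdmin'
    $secureDesktop = Get-UacValue 'PromptOnSecureDesktop'

    # Apply the assumed defaults when a value is absent.
    if ($null -eq $enableLua)     { $enableLua = 1 }
    if ($null -eq $consentAdmin)  { $consentAdmin = 5 }
    if ($null -eq $secureDesktop) { $secureDesktop = 1 }

    $findings = @()
    if ($enableLua -eq 0)      { $findings += 'UAC is disabled entirely (EnableLUA=0).' }
    if ($consentAdmin -eq 0)   { $findings += 'Administrators elevate silently; no prompt at all.' }
    if ($consentAdmin -in 2,4,5) {
        $findings += 'Elevation only asks for consent (a click), not for credentials; this is the case comment 39 calls the default.'
    }
    if ($secureDesktop -eq 0)  { $findings += 'Prompts are not shown on the secure desktop and can be spoofed by other windows.' }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consentAdmin
        AdminPromptMeaning         = $adminBehavior[[int]$consentAdmin]
        PromptOnSecureDesktop      = $secureDesktop
        CurrentTokenState          = Get-AdminTokenState
        Findings                   = $findings
    }
}

Get-UacAudit | Format-List
```

    Run it twice, once from a plain prompt and once from an elevated one, and `CurrentTokenState` flips from `AdminFilteredToken` to `AdminFullToken`, which is the split token comment 31 describes. The hardened setting comment 38 refers to corresponds to `ConsentPromptBehaviorAdmin` = 1 or 3 (prompt for credentials); the audit lists any consent-only value as a finding so the default can be compared against that policy. Note that a machine may also receive these values through Group Policy, in which case the registry reflects the applied policy rather than a local choice.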

  40. Re:Amazing... by V!NCENT · · Score: 1

    That explosion would be kinda deadly... You know... flying chairs and all...

    --
    Here be signatures
  41. Re:Amazing... by X0563511 · · Score: 1

    Hmm... so Seattle is sitting on a ticking fuel-chair bomb eh?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...