Slashdot Mirror


User: Rust+Martialis

Rust+Martialis's activity in the archive.

Stories
0
Comments
3

Comments · 3

  1. Re:except... on Early Warning For Microsoft Premium Customers · Score: 4, Interesting
    Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it so I scanned a bunch of MS Alerts from 2004, and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533, CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

    Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

    Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

    I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

    So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries; others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

    Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

    --R.
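The tally in the comment above (days between first public report and patch, per CVE, then a count of "patched first" versus "disclosed first") is easy to get wrong by hand once the list grows. Below is an added example of that bookkeeping in Python; it is not the commenter's script, and the dates are constructed for illustration: the bulletin dates are assumed, and each disclosure date is simply derived from the lag the comment reports (124 days for MS04-019; 332, 58 and 166 days for MS04-025), with the fourteen MS04-011 entries recorded as having no public report before the patch.

```python
"""Patch-latency tally for vendor bulletins.

For every fixed vulnerability, compute how many days it was publicly known
before the patch shipped, then summarise how often the vendor got the patch
out before any public report ("0-day patch" in the comment's sense).

All dates below are CONSTRUCTED for illustration (bulletin dates are an
assumption; disclosure dates are back-derived from the day counts the
comment quotes). Nothing here is looked up from Mitre or Bugtraq.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fix:
    bulletin: str
    cve: str
    patched: date
    disclosed: Optional[date]  # None: no public report found before the patch


def patch_lag_days(fix: Fix) -> Optional[int]:
    """Days the issue was public before the patch.

    None  -> no public report at all (patched before anyone announced it).
    0     -> a report exists but dated on/after the patch (still "patch first").
    n > 0 -> the issue sat public for n days before the fix.
    """
    if fix.disclosed is None:
        return None
    return max(0, (fix.patched - fix.disclosed).days)


def summarize(fixes: List[Fix]) -> Dict[str, object]:
    """Count patch-first vs disclosed-first and report the worst lag."""
    lags: List[Tuple[str, str, int]] = []
    patched_first = 0
    for f in fixes:
        lag = patch_lag_days(f)
        if lag is None or lag == 0:
            patched_first += 1
        else:
            lags.append((f.bulletin, f.cve, lag))
    disclosed_first = len(lags)
    total = len(fixes)
    return {
        "total": total,
        "patched_first": patched_first,
        "disclosed_first": disclosed_first,
        "patched_first_share": patched_first / total if total else 0.0,
        "median_lag_when_public": median(l for _, _, l in lags) if lags else 0,
        "worst": max(lags, key=lambda t: t[2]) if lags else None,
    }


def _constructed_sample() -> List[Fix]:
    """Sample built from the figures in the comment; dates are assumptions."""
    ms04_011_date = date(2004, 4, 13)  # assumed bulletin date
    ms04_019_date = date(2004, 7, 13)  # assumed bulletin date
    ms04_025_date = date(2004, 7, 30)  # assumed bulletin date

    ms04_011_cves = [
        "CAN-2003-0533", "CAN-2003-0663", "CAN-2003-0719", "CAN-2003-0806",
        "CAN-2003-0906", "CAN-2003-0907", "CAN-2003-0908", "CAN-2003-0909",
        "CAN-2003-0910", "CAN-2004-0117", "CAN-2004-0118", "CAN-2004-0119",
        "CAN-2004-0120", "CAN-2004-0123",
    ]
    fixes = [Fix("MS04-011", c, ms04_011_date, None) for c in ms04_011_cves]

    # Disclosure date = patch date minus the lag the comment reports.
    fixes.append(Fix("MS04-019", "CAN-2004-0213", ms04_019_date,
                     ms04_019_date - timedelta(days=124)))
    for cve, lag in (("CAN-2003-1048", 332), ("CAN-2004-549", 58),
                     ("CAN-2004-566", 166)):
        fixes.append(Fix("MS04-025", cve, ms04_025_date,
                         ms04_025_date - timedelta(days=lag)))
    return fixes


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.bulletin} {f.cve}: lag={patch_lag_days(f)}")
    print(summarize(SAMPLE))
```

Two choices worth noting: a report dated on or after the patch is folded into "patched first" rather than producing a negative lag, and a missing disclosure date is kept distinct (None) from a zero-day lag so the "didn't find anything" cases from the comment's disclaimer stay visible in the data rather than silently becoming zeros.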

  2. As a Premium Customer Who Sees The Advance Notice on Early Warning For Microsoft Premium Customers · Score: 5, Informative
    Look, I know you all hate MS for being evil and all that, but sorry, the 'advance warning' is basically nothing.

    All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.

    There are ZERO details on what the patch is going to fix. Personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.

    You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include 'sorry, I can't give you any details about Tuesday's patch'.

    Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

    --R.

  3. Re:Jesus-Could you repeat that? on RMS Calls On Linux Developers To Replace BitKeeper · Score: 1
    People listen to Stallman all the time; then they get sick of his rantings and leave the room. Or so I've heard at USENIX: in his case, aircrew get sick of his rantings and make him leave the plane.

    RMS was up in Toronto once, and kept interrupting a speaker on "Linux" to say "GNU/Linux". He was informed that he should kindly keep quiet, and got pissy. Stallman's contributed a lot, but it doesn't excuse his being an ass. I mean, he managed to be rude enough to have the chair of the CS dept. at U of T get up from a free lunch and leave...

    As to his post to the LKML, it was pure troll - but the RMS lapdogs here evidently didn't bother reading the thread before jumping in to support RMS.

    --R.