MS Security Chief: Windows Never Exploited Until Patch Available 1040

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
  • by Bob Zer Fish ( 568540 ) on Thursday February 26, 2004 @01:28PM (#8398787) Homepage
    If I were going to write an exploit, I'd write the exploit AFTER Microsoft had patched my OS so I didn't zombie my own computer up!!!!

    With all the script-kiddies out there, would they know how to patch microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
    Of course for the others, they probably realise that many people are forced to use Windows, and their only protection is Windows with a decent firewall and up to date WindowsUpdates.
  • Which one is next? (Score:2, Informative)

    by loftwyr ( 36717 ) on Thursday February 26, 2004 @01:28PM (#8398789)
    Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

    So Symantec has a full list of all vulnerabilities and is keeping that a secret. Then why does it take 3 days to get an Outlook patch to fix the latest vulnerability?
  • Yes... upgrade (Score:4, Informative)

    by nulltransfer ( 725809 ) on Thursday February 26, 2004 @01:29PM (#8398796)
    "If you want more secure software, upgrade."

    I concur! :) Upgrade [linux.org] today!

  • Just one?? Really?! (Score:5, Informative)

    by thesolo ( 131008 ) * <slap@fighttheriaa.org> on Thursday February 26, 2004 @01:30PM (#8398802) Homepage
    I think [slashdot.org] he might [slashdot.org] be wrong [infoworld.com].
  • How I read it (Score:3, Informative)

    by chrisbtoo ( 41029 ) on Thursday February 26, 2004 @01:30PM (#8398812) Journal
    When I read this story earlier, I figured that what they really meant was, "most of our vulnerabilities don't get announced until we have a patch, and people don't start to exploit them until they're announced".

    Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.
  • Re:Piffle (Score:5, Informative)

    by darkjedi521 ( 744526 ) on Thursday February 26, 2004 @01:32PM (#8398824)
    Linux 2.0.40 - release 2/8/04
    Linux 2.2.26 - release 2/25/04
    Linux 2.4.25 - release 2/18/04
    Linux 2.6.3 - release 2/18/04

    The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.
  • Re:Piffle (Score:5, Informative)

    by jone1941 ( 516270 ) <jone1941@nOsPAM.gmail.com> on Thursday February 26, 2004 @01:37PM (#8398921)
    That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34
    Probably not many who have security concerns, since 2.0.40 is now the current release. I'm not sure what you are insinuating, but there are still maintainers for these releases because people still want to use them and still want any bugs/security issues to be fixed.

    This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the linux kernel or apache for examples. Just my $0.02.
  • Then explain this. (Score:5, Informative)

    by gr ( 4059 ) on Thursday February 26, 2004 @01:38PM (#8398939) Journal
    Perhaps David Aucsmith would care to explain this [eeye.com] then? Though eEye (purposely) doesn't describe the vulnerabilities that they list there, it's been indicated (on mailing lists like Full-Disclosure) that several of them are being actively exploited.
  • Re:Piffle (Score:5, Informative)

    by yakovlev ( 210738 ) on Thursday February 26, 2004 @01:38PM (#8398940) Homepage
    Actually, linux 2.2.XX and even 2.0.XX are still supported and still receive security fixes.

    This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.

    One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.

    The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
  • by Bull999999 ( 652264 ) on Thursday February 26, 2004 @01:40PM (#8398963) Journal
    FYI, fc still exists in both XP and 2003 server.
  • Re:Piffle (Score:1, Informative)

    by Anonymous Coward on Thursday February 26, 2004 @01:42PM (#8398985)
    Uh, lessee... Blaster?

    It affected XP, NT 4 and win 2k3. Win 98 and 95 were immune.
  • Re:Piffle (Score:3, Informative)

    by ronaldb64 ( 633924 ) on Thursday February 26, 2004 @01:44PM (#8399011) Homepage Journal
    The article states that Microsoft urges you to upgrade. The last time I checked UPGRADE to a new version of Windows did cost you some money.

    If you don't want to read the article all the way through, here are the last two paragraphs:

    "Almost all attacks against our software are against the legacy systems," he said.

    "If you want more secure software, upgrade."

  • Yup (Score:3, Informative)

    by Geccie ( 730389 ) on Thursday February 26, 2004 @01:45PM (#8399032)
    I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)

    Good news, fellow criminals, it's still there. I checked on WinNT and Win2k and it's located in the System32 folder. It's listed as the DOS 5 File Compare Utility. I did a fc /? from the command window and it responded.

    Here, I've been using Windiff all this time... Dang
  • Re:Piffle (Score:5, Informative)

    by Erratio ( 570164 ) on Thursday February 26, 2004 @01:46PM (#8399036)
    Up until a couple months ago at least, 2.2 was still the official kernel version for Debian (which obviously takes security seriously).
  • by Anonymous Coward on Thursday February 26, 2004 @01:49PM (#8399089)
    here [safecenter.net]. I rest my case.
  • by Mr. Underbridge ( 666784 ) on Thursday February 26, 2004 @01:52PM (#8399127)
    OK, so let's get a list going of examples to the contrary of what this dipshit says.

    I'll give 2:

    1) The original Melissa email virus (enabled by idiotic default settings in OE)

    2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.

    Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.

    Others?

  • Re:Oh really? (Score:5, Informative)

    by eweu ( 213081 ) on Thursday February 26, 2004 @01:52PM (#8399132)
    Next big thing in computers: the then-if statement!

    print "this already exists\n" if ($usingPerl);
  • by SysKoll ( 48967 ) on Thursday February 26, 2004 @01:55PM (#8399164)
    This is marketing BS in the purest form. Here is a nice juicy MS vulnerability [infoworld.com] that wasn't found by reverse engineering a patch.

    As for real security experts, they routinely find vulnerabilities in Windows [eeye.com] before sending a description to MS which would then, a few months later, issue a patch. Maybe.

    There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.

  • by ProudClod ( 752352 ) on Thursday February 26, 2004 @01:55PM (#8399169)
    in real life who could be described as black hat. He showed me exploit code for the ASN1 exploit (this was remote shell code) about a week before the Microsoft patch was released. He said it was big news in his community.

    From what I could see, it was very tight C code which compiled and worked on the winxp test machine (his own), so I guess it was authentic.
  • by Pyrosz ( 469177 ) <amurrayNO@SPAMstage11.ca> on Thursday February 26, 2004 @01:57PM (#8399198) Homepage
    This posting counters it...

    http://slashdot.org/comments.pl?sid=98387&cid=8398802

    Quick Link to Post [slashdot.org]
  • Re:Piffle (Score:3, Informative)

    by dan dan the dna man ( 461768 ) on Thursday February 26, 2004 @02:01PM (#8399251) Homepage Journal
    apt-get or yum is your friend
  • Re:Piffle (Score:5, Informative)

    by buysse ( 5473 ) on Thursday February 26, 2004 @02:02PM (#8399265) Homepage
    Linus doesn't, weaselnuts, but the 2.0.x kernel is alive and well, maintained by David Weinehall, the 2.2.x kernel is alive and well, being maintained by Marc-Christian Petersen, and the 2.4.x kernels are being maintained by Marcelo Tosatti. The only kernels that Linus maintains are the development kernels. He hasn't handed off 2.6.x yet, AFAIK, since it's not fully cooked and 2.7 hasn't forked. As soon as 2.7 branches, expect to see someone else issuing the 2.6 kernels. I'm not going to touch the Redhat commentary, but I know there are people still maintaining their own copies by patching and creating new packages. In the open source realm, you don't need a vendor to do it for you. In Win 9x, you do. 'Nuff said.
  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday February 26, 2004 @02:03PM (#8399294) Homepage
    "A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."

    http://news.com.com/2100-1009-993276.html

    (This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)

    And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
  • Re:Piffle (Score:3, Informative)

    by buysse ( 5473 ) on Thursday February 26, 2004 @02:04PM (#8399315) Homepage
    Actually, if DCOM was installed (like in some developer or vertical app situations), 9x/ME were (and are) vulnerable to the attack used by Blaster. Fortunately for those otherwise unfortunate souls running such systems, there weren't enough targets around to make it worth the effort to create offsets and shellcode for 9x. </offtopic>
  • by trickofperspective ( 180714 ) on Thursday February 26, 2004 @02:08PM (#8399383) Homepage
    Actually, as the comment below that post mentions, it doesn't really counter his claim concerning "exploits." But this post [slashdot.org] does, as does this one [slashdot.org].

    -Trick
  • by 110010001000 ( 697113 ) on Thursday February 26, 2004 @02:08PM (#8399393) Homepage Journal
    It is NOT only the MS exec who is saying this. In the same article Symantec confirms this:
    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

    He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability"

    As usual everyone is going off half-cocked.
  • Re:Piffle (Score:5, Informative)

    by edgezone ( 51898 ) on Thursday February 26, 2004 @02:10PM (#8399427) Homepage

    I realize that you are trying to make a joke, but seriously, how painful is a Linux upgrade compared to a WindowsUpdate(R)(C)TM? Cause that's about the price you pay almost daily to get up-to-date.

    Let's see...with debian stable (possibly testing, but I don't recommend with unstable)
    crontab -e

    0 1 * * * /usr/bin/apt-get update
    0 2 * * * /usr/bin/apt-get -y upgrade
    Done.


    Or, if you want a daily email of any packages requiring an update....

    #!/bin/bash
    # ~/bin/getAptList.sh

    apt-get -us upgrade | grep ^Conf > ~/.dist-upgrade-list
    mail -s AptList mymail@myaddress < ~/.dist-upgrade-list
    Change your second crontab to run the shell script, and done. (yes, I don't use variables in 2 line scripts)


    Oh, to upgrade to the next release...

    apt-get update && apt-get dist-upgrade


    for kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a debian system for me is very straight forward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).

  • Re:Piffle (Score:3, Informative)

    by Erratio ( 570164 ) on Thursday February 26, 2004 @02:11PM (#8399451)
    I think pretty much every distro has an automatic updater which is no more painful than Windows Update. Also...almost daily?? I'm guessing you're talking about more than just the kernel unless you're obsessed with getting the latest revision. Among all the software on my computer there are only a couple updates a week aside from snapshots and probably some devel releases. And as for updates that are important for security and system integrity, it's probably about one update a month on average and the other updates could just be done in one large batch.
  • 9.x kernel? (Score:4, Informative)

    by oneiros27 ( 46144 ) on Thursday February 26, 2004 @02:14PM (#8399491) Homepage
    Um.... Windows 98 isn't 9. anything.

    If anything, it's 'Win4.1'. Take a really close look at the installer the next time it runs. [I know I saw 'win4.0' flash by when I installed Windows 95 for the first time.]

    In the same way, Win2000 is 'NT5.0' [earthweb.com]. I'm not sure if XP is the fabled 'NT6' or just considered to be 'NT5.1' as I've never used it.
  • by freeweed ( 309734 ) on Thursday February 26, 2004 @02:16PM (#8399518)
    Windows file sharing.

    Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:

    Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.

    The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.

    Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
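    A toy model of the bug class freeweed describes, added here as an example. It is not Microsoft's code and not taken from the thread; the function names, the case-insensitive comparison (the post says "s" opens "Slashdot") and the single-byte brute force are assumptions for illustration. The vulnerable check compares only as many bytes as the client sends, so a one-byte guess that matches the first character is accepted; the hardened check requires equal lengths and examines every byte of the stored password.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical share-level password check that trusts the client-supplied
 * length: only supplied_len bytes are compared.  A one-byte guess matching
 * the first character is accepted, and an empty guess is accepted too. */
int share_auth_vuln(const char *stored, const uint8_t *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(stored);
    if (supplied_len > stored_len)
        return 0;                                   /* longer than stored: reject */
    for (size_t i = 0; i < supplied_len; i++)       /* stops at supplied_len, not stored_len */
        if (toupper((unsigned char)stored[i]) != toupper(supplied[i]))
            return 0;
    return 1;                                       /* every supplied byte matched */
}

/* Hardened check: lengths must be equal and every byte of the stored
 * password is folded into the result, with no early exit on mismatch. */
int share_auth_fixed(const char *stored, const uint8_t *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(stored);
    uint8_t diff = (uint8_t)(stored_len != supplied_len);
    for (size_t i = 0; i < stored_len; i++) {
        uint8_t s = (uint8_t)toupper((unsigned char)stored[i]);
        uint8_t c = (i < supplied_len) ? (uint8_t)toupper(supplied[i]) : 0;
        diff |= (uint8_t)(s ^ c);
    }
    return diff == 0;
}

/* The attack from the post: try every single-byte password in turn.
 * Returns the number of attempts needed, or -1 if no guess succeeds. */
int guess_first_byte(int (*auth)(const char *, const uint8_t *, size_t),
                     const char *stored)
{
    for (int b = 0; b < 256; b++) {
        uint8_t guess = (uint8_t)b;
        if (auth(stored, &guess, 1))
            return b + 1;
    }
    return -1;
}

int main(void)
{
    /* Constructed example password, not real data. */
    const char *pw = "Slashdot";
    printf("vulnerable check broken after %d attempts\n", guess_first_byte(share_auth_vuln, pw));
    printf("fixed check, single-byte guesses: %d (-1 = none worked)\n",
           guess_first_byte(share_auth_fixed, pw));
    return 0;
}
```

    With the vulnerable check the attempt count is bounded by the character set, exactly the "26 tries" the post describes; with the hardened check no single-byte guess succeeds.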
  • Re:Oh really? (Score:5, Informative)

    by arrogance ( 590092 ) on Thursday February 26, 2004 @02:17PM (#8399540)
    "We have never had vulnerabilities exploited before the patch was known," he said.
    Umm, that WAS in the article. Are you saying there's a difference between "was known" and "appears"?

    In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched VS unpatched systems to see what the changes are. But it's not just Microsoft saying this:
    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec.
    In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
  • by nukem1999 ( 142700 ) on Thursday February 26, 2004 @02:20PM (#8399576)
    Incorrect. The contrapositive of patch->exploit is no exploit->no patch, which is not really a truth. The inverse of patch->exploit is no patch->no exploit, but the inverse of a true statement does not have to be true.
  • Re:Kernel upgrade... (Score:3, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Thursday February 26, 2004 @02:21PM (#8399612) Homepage
    XP SP2 is going to be a bundle of laughs...

    I remember NT SP6 where they screwed up the NTFS format somehow and several machines (luckily only test machines) rebooted to the 'couldn't load NTLDR' screen.

    Various 'hotfixes' that have caused apps to crash or behave oddly - some of which have been subsequently withdrawn and reissued fixed later.

  • Re:Partly right (Score:5, Informative)

    by m0rph3us0 ( 549631 ) on Thursday February 26, 2004 @02:23PM (#8399627)
    How about [safecenter.net]
    24 unpatched IE exploits. No patches. Still exploited.

    QED.
  • Re:Oh really? (Score:5, Informative)

    by Anonymous Coward on Thursday February 26, 2004 @02:24PM (#8399649)
    If I remember correctly, the WebDAV exploit that was out about 5 months ago was found because a military webserver was rooted with it. That's definitely an example of a blackhat finding a hole and using it well before there was a patch available.
  • Drop the affectation (Score:1, Informative)

    by Anonymous Coward on Thursday February 26, 2004 @02:25PM (#8399657)
    Obviously there's way to [sic] many viruses to do a complete list, but say the major 10 virii per calendar year, would be a good sample. Case 1 would identify how many vulnerabilities are discovered by hackers through their own active behaviour,wherease [sic] Case 2 would help narrow down the % of virii related to script kiddies I think. I suspect the number of virii leveraging net-new vulnerabilities vs clones of existing code are at least 10:1.

    You had it almost right there, just that once, with 'viruses'. Check it:

    There is one more common English -us word borrowed from Latin that doesn't follow any of the rules above: virus. To the Romans a virus was a dangerous or disgusting substance, anything from snake venom to body odor. Ancient grammarians couldn't agree whether the word was a third-declension noun, a fourth-declension noun or in a class by itself, but the one thing they could agree on was that it didn't have a plural form. Ever. To the Romans, it was a mass noun, not a count noun. That hasn't stopped English writers from inventing pseudo-Latin plural forms to cover the modern countable senses of the word. Viri is formed on the false assumption that virus is a second-declension noun. (Viri in fact is the plural of Latin vir, "man".) Virii is an even worse mistake. Only Latin nouns that end in -ius form the plural with -ii. There are no really common English plurals in -ii other than radii. That hasn't stopped people from trying out such atrocious forms as virii and penii. Virii would be the plural of virius, if such a word existed in Latin. Other suggested plurals include virora, vira, virua, and vire. For more on the debate, see http://www.perl.com/language/misc/virus.html. The one inescapable fact is that in classical Latin, there was no plural of the word. In English, the only correct plural is viruses.

    You can find the whole article here [straightdope.com]. Now you can just use the word 'viruses' all the time, and not sound like the literary equivalent of an out-of-tune piano.

  • by geekee ( 591277 ) on Thursday February 26, 2004 @02:32PM (#8399756)
    " Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit."

    Of course I wouldn't expect a biased site like /. to bother even considering MS's argument. The post doesn't even bother to explain the MS position, but instead just continues with the mindless MS bashing that I've come to expect here to ensure that no meaningful discussion ensues and nothing is learned from MS, since of course they can't possibly have anything useful to teach us about computer use and misuse.
  • Re:Piffle (Score:4, Informative)

    by rokzy ( 687636 ) on Thursday February 26, 2004 @02:41PM (#8399866)
    windows update is ABSOLUTELY FUCKING APPALLING.

    oh look, several patches available... wtf, not only do I have to close down all my apps and restart my computer, but I have to restart for each patch individually!?

    SUSE YOU is infinitely better. I let it run all the time because it doesn't bug me with crap notices (just changes colour), so I get patches straight away, and no restarts. although I'm not running a server or anything it's still very important to me for my work.

    thank god windows is too useless for my work anyway so the crapness of windows update isn't an issue.

    I sometimes use MS Office via Crossover though. even that's better on linux - can automatically download updates and "simulates windows restarting" instead of the real thing.
  • Windows updates (Score:5, Informative)

    by King_TJ ( 85913 ) on Thursday February 26, 2004 @02:52PM (#8399993) Journal
    I hardly call Windows updates for home use "painless", for many people out there.

    Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!

    As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
  • by Anonymous Coward on Thursday February 26, 2004 @02:52PM (#8400002)
    But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?

    This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."


    You're confusing your terminology... The problem with your argument is that going from 2.2.7 to 2.2.26 is a patch, not an upgrade. It's the same as applying a patch to a Microsoft product that modifies the kernel. And, as everyone knows, applying Microsoft patches very frequently breaks old things... you do not need to upgrade just to lose functionality.

    And that patch is often even more risky in Microsoft products than open source, because MS typically supplies a whole package of unrelated patches with no way of applying only the individual ones you want.
  • Re:Oh really? (Score:5, Informative)

    by akozakie ( 633875 ) on Thursday February 26, 2004 @02:53PM (#8400014)
    I read it quite differently.

    If hackers are left uninformed, a security hole is only found by a few industrious hackers. Some are white hats, some are not. Some will inform Microsoft, some will exploit the code, few will propagate the knowledge. The system is not secure, but few attacks happen. The few, however, might be very dangerous, as the attacker knows what he's doing and is probably after something.

    After a patch is released, thousands of crackers can find out what was wrong. The knowledge barrier to writing a successful exploit drops, worms are written... Suddenly everyone's computers are under attack.

    He's not saying that only Microsoftees find exploitable bugs. He's just saying what everyone knows - once a hole is well known, it's a greater danger and soon even script kiddies start using it.

    The article mainly says that in the case of a target as popular as Windows, once a patch is available, you have to get it _quickly_, because the number of attacks grows very rapidly then.

    Unknown hole = exploitable by some hackers
    Well known and patched = safe
    Well known and unpatched = goodbye, sweet data
  • by MacDaffy ( 28231 ) on Thursday February 26, 2004 @02:54PM (#8400020)
    Man! You had me going there for a moment. I was going to award you the shiniest mod point I had in my quiver until I went back and checked your assertion.

    David Aucsmith explicitly states that: "We have never had vulnerabilities exploited before the patch was known," he said.

    This statement is false on its face and it is not misquoted. Numerous posters have pointed out why much more completely than I can. Again, CIFS/SMB using ports 137-139 is so irretrievably flawed that they've implemented a workaround rather than fix it (PATIENT: It hurts when I do this. DOCTOR: Don't do that!)

    So, thanks for the lofty pronouncements--no mod point for YOU!
  • No Known Exploits... (Score:5, Informative)

    by GoodNicsTken ( 688415 ) on Thursday February 26, 2004 @02:59PM (#8400071)
    "The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available."

    What this really means is no rapidly expanding virus was created which drew the general public's attention. That doesn't mean a black hat didn't use it to hack a system, steal merchandise, products, $, or information, and then was able to cover his tracks.

    That's why I like to see a virus that forces everyone to patch their systems. It scares me to think how many companies have my banking/credit card information. Then take into account the millions of computers that can access that data, 90% of them running Windows.

    Either way, this guy is an idiot.
  • by Temporal ( 96070 ) on Thursday February 26, 2004 @03:00PM (#8400095) Journal
    The following two statements are VERY DIFFERENT:

    We have never had vulnerabilities exploited before the patch was known - Actual quote. Maybe not completely true, but mostly true. "Never" should be replaced with "almost never". I consider that an honest mistake.

    Windows is never vulnerable until a patch appears - Misquote by Michael. Absurd. Anyone who would make this claim is an idiot.
  • Re:Oh really? (Score:5, Informative)

    by teromajusa ( 445906 ) on Thursday February 26, 2004 @03:01PM (#8400097)
    If you read the article, nobody is claiming that only Microsoft finds exploits. They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits. They also don't say they should stop issuing patches, despite what people here seem to be assuming. The guy is issuing a caution about how patching quickly is becoming more important. There really isn't that much to get worked up about here.
  • Re:Piffle (Score:5, Informative)

    by crumley ( 12964 ) * on Thursday February 26, 2004 @03:04PM (#8400147) Homepage Journal
    Instead of :
    0 1 * * * /usr/bin/apt-get update

    0 2 * * * /usr/bin/apt-get -y upgrade
    use:
    0 1 * * * /usr/bin/apt-get update && /usr/bin/apt-get -y upgrade
    It saves you a line and it also deals better with failures to update.
  • by bulldog2260 ( 649125 ) on Thursday February 26, 2004 @03:08PM (#8400203) Journal
    If you look at the SSL Certs they use, MS signs them themselves. When did MS become a signing authority?

    CN: www.microsoft.com
    O: Microsoft
    OU: mscom
    Issued By CN: Microsoft Secure Server Authority
    O:
    OU:
    Issued On: 3/37/03
    Expires On: 3/26/04
  • Re:9.x kernel? (Score:4, Informative)

    by Jugalator ( 259273 ) on Thursday February 26, 2004 @03:16PM (#8400313) Journal
    Yup, XP is 5.1. At least their version numbers (still) tell the truth about how much differences there *really* are beneath the "pretty" surface. 3.1 to 4.0 (95) was a pretty huge leap, not only GUI-wise. So was Windows 2000 (5.0), which some consider Microsoft's greatest improvement. Windows Longhorn will be Windows 6.0.
  • by Ytsejam-03 ( 720340 ) on Thursday February 26, 2004 @03:19PM (#8400362)
    Umm... I'd like to know how Microsoft explains these. [eeye.com]
  • Re:Oh really? (Score:5, Informative)

    by PainKilleR-CE ( 597083 ) on Thursday February 26, 2004 @03:20PM (#8400367)
    They are saying that the people writing the viruses are not finding the exploits on their own - they are reverse engineering patches to find the exploits.

    They don't even have to reverse engineer the patches, since the bulletins released with the patches usually describe the problem being patched well enough for someone to figure out a way to write an exploit. When you have a description available like the following:
    Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

    All you really need to do is find more information about how the exploitable code is normally used, then find the limits of the buffer (in the case of a buffer overflow like this) and go to town with it.

    What it all comes down to is basically that people need to update as soon as possible when patches are released, because the people writing worms and viruses tend to watch the security bulletins looking for new holes to exploit. It's certainly much easier than actively seeking out undocumented holes.
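    Added example, not from the thread and not MSASN1.DLL's code: a minimal BER length decoder plus a hypothetical consumer showing how the "very large length fields" in the bulletin text PainKilleR-CE quotes (and the ASN.1 exploit ProudClod mentions) turn into an undersized heap allocation when the tag + length + content size is added in 32 bits without a wrap check, beside a version that rejects it. The function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a BER length starting at buf[0].  Short form: one byte < 0x80.
 * Long form: 0x80|n followed by n big-endian length bytes.  Indefinite
 * length (0x80) and n > 4 are rejected.  Returns bytes consumed, 0 on error. */
size_t ber_read_length(const uint8_t *buf, size_t avail, uint32_t *len_out)
{
    if (avail < 1)
        return 0;
    uint8_t first = buf[0];
    if (first < 0x80) {
        *len_out = first;
        return 1;
    }
    size_t n = first & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n)
        return 0;
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | buf[1 + i];
    *len_out = len;
    return 1 + n;
}

/* Hypothetical vulnerable consumer: size of a buffer for tag + length
 * octets + content, computed in 32 bits with no wrap check.  A content
 * length such as 0xFFFFFFFE makes the sum wrap to a tiny value; allocating
 * that and then copying the original length overwrites heap data.
 * Returns the (possibly wrapped) size the caller would allocate, 0 on parse error. */
uint32_t tlv_alloc_size_vuln(const uint8_t *tlv, size_t avail)
{
    uint32_t len;
    if (avail < 1)
        return 0;
    size_t consumed = ber_read_length(tlv + 1, avail - 1, &len);
    if (consumed == 0)
        return 0;
    return 1u + (uint32_t)consumed + len;           /* can wrap */
}

/* Hardened version: the header + content sum is checked for wrap, and the
 * content length must fit in the bytes actually present.  Returns 1 and
 * the size on success, 0 on rejection. */
int tlv_alloc_size_fixed(const uint8_t *tlv, size_t avail, uint32_t *size_out)
{
    uint32_t len;
    if (avail < 1)
        return 0;
    size_t consumed = ber_read_length(tlv + 1, avail - 1, &len);
    if (consumed == 0)
        return 0;
    uint32_t hdr = 1u + (uint32_t)consumed;
    if (len > UINT32_MAX - hdr)                     /* hdr + len would wrap */
        return 0;
    if ((size_t)len > avail - hdr)                  /* claims more content than present */
        return 0;
    *size_out = hdr + len;
    return 1;
}

/* Constructed sample encodings, not captured traffic. */
static const uint8_t sample_short[] = { 0x04, 0x03, 'a', 'b', 'c' };               /* OCTET STRING "abc" */
static const uint8_t sample_huge[]  = { 0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFE, 0x00 }; /* claims ~4 GB of content */

int main(void)
{
    uint32_t sz = 0;
    printf("short: vuln size %u, fixed ok=%d size %u\n",
           tlv_alloc_size_vuln(sample_short, sizeof sample_short),
           tlv_alloc_size_fixed(sample_short, sizeof sample_short, &sz), sz);
    printf("huge:  vuln size %u (wrapped), fixed ok=%d\n",
           tlv_alloc_size_vuln(sample_huge, sizeof sample_huge),
           tlv_alloc_size_fixed(sample_huge, sizeof sample_huge, &sz));
    return 0;
}
```

    For the second sample the vulnerable computation yields 1 + 5 + 0xFFFFFFFE, which wraps to 4: a 4-byte allocation for a copy the decoder believes is 4 GB long. The hardened version rejects it twice over, once for the wrap and once because the message does not actually contain that many bytes.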
  • Re:Oh really? (Score:5, Informative)

    by Dare nMc ( 468959 ) on Thursday February 26, 2004 @03:30PM (#8400500)
    Is my recent experience pertinent here?

    Every version of Windows, as shipped, now has security holes that will be exploited immediately upon going online. I tried to go online with a new MS install and was infected with a virus before I could download a single patch.

    The correct way, according to MS, to patch the OS is through the Windows Update site (it's hard to find the individual files for download; only going to windowsupdate.com with a non-IExplore browser directs me to the patches for download otherwise).

    To my knowledge MS doesn't ship a single OS that is secure enough to go online to patch itself. Maybe 98sp2, but to my knowledge there is no way to get a patched Windows XP box without going online first (any patch CDs shipped from MS????).
  • by sqlrob ( 173498 ) on Thursday February 26, 2004 @03:32PM (#8400523)
    Then feel free to enlighten me as I don't quite see your problem here.

    In that article, "almost all attacks are against legacy systems". Define legacy. There's plenty of XP and 2003 attacks out there, so that means either a) Non-Longhorn = legacy or b) They're blowing smoke.

    On another note, I categorically deny that Linux is more secure an operating system than Windows. If Linux were as popular as Windows, it would have exactly the same security record as the Microsoft product. Windows, XP and the latest version of it in particular, will get the millions-of-eyes treatment the open source community is so proud of. Only in this case, the millions of eyes will make any security features shallow.

    Not true. Developers on Linux are more aware of testing under non-root level accounts. That is sorely lacking under Windows.

    Many-eyes does *not* make security features shallow. Many encryption algorithms are public, including the ones MS uses to sign their code. Kindly release an executable that is signed using an MS certificate.

    Microsoft has actually done an admirable job in creating an operating system that your average user has any chance of connecting to the net and with a reasonable amount of security.

    Reasonable amount of security? I've had to clean plenty of systems that have been attached to the net, including one that was infected through the XP firewall. And no, the owner *doesn't* run executables from unknown sources or use Outlook/Outlook Express.

  • Re:Piffle (Score:3, Informative)

    by barawn ( 25691 ) on Thursday February 26, 2004 @03:34PM (#8400557) Homepage

    But then on my notebook I have to recompile my display drivers every fourth or fifth update, and I still haven't figured out why or when... heck, if I weren't a reasonably experienced user I probably never would've gotten the drivers going in the first place.


    Pin the xserver-xfree86 release. Instructions on how are in the Debian User's Guide. That way it won't get upgraded, but everything else will. It should be noted that notebook video is *terribly* supported, but there are *plenty* of guides out there as to how to do it - tuxmobil has them.

    (You also then should do the trick above which emails you changes specifically for the xserver-xfree86 release coming from the security dist.)

    And as related to previous discussions, the reason that apt's better than Windows Update is that it allows you to customize in this way. With Microsoft, it's "You want to install these updates. Really you do. Trust in Microsoft. Believe Microsoft. Microsoft is good. Watch the spinning lights."
  • by Doc Scratchnsniff ( 681952 ) on Thursday February 26, 2004 @03:38PM (#8400614) Homepage
    While both of those are obviously bad and wrong behavior, I don't think either would fall into the category of unpatchable exploit.
    1) Patchable by changing Outlook settings.
    2) Not an exploit. It is incorrect behavior, which leads to user confusion and trust where it doesn't belong, but it does not directly give an attacker any power over the machine.
  • by Helvick ( 657730 ) on Thursday February 26, 2004 @03:41PM (#8400668) Homepage Journal
    OK then, speaking as an admin in a large outfit that is predominantly MS, this guy's approach is typical of MS management. They (the MS suits) do their damnedest to imply that it's someone else's fault, and even though they must understand this stuff they pile on the FUD in order to avoid taking the rap when they should.

    Take the SQL patch that remedied the vulnerability used by Slammer/Sapphire. While this was available for >6 months before being widely exploited, it was so poor on release by MS that it had never been widely deployed. In fact most people who needed to apply it would never be able to tell they needed it (it was labelled a patch for SQL Server only but was needed by Age of Empires among hundreds of other home user apps). So they made it available for a fraction of the systems that were vulnerable (pure SQL only, not clustered, not MSDE, not Visual Studio), and you needed a lot of Windows and SQL architecture expertise to be certain you had actually installed it correctly and comprehensively on even the small fraction of systems you actually had a patch for.

    So they released their non-patch and promptly forgot about it until Slammer appeared (despite a growing body of evidence prior to Slammer that it was not an adequate fix). Once Slammer was released they reworked the patch and their information on it repeatedly, to the point that they eventually had at least a dozen variations and pages of instructions/guidelines on using it.

    I had the wonderful experience of being in a teleconference with MS engineering support during the peak of the Slammer outbreak (well +-12 hours after the peak) and I am certain that they had a bunch of MS legal heads in the room constantly putting them on mute and telling them not to answer our questions. They did not give us anything like a realistic picture of the scope of the problem at that time, would not confirm or deny that the patches were being reworked. And I know the engineers in question had a fair idea of all of the correct answers.

  • Re:Oh really? (Score:5, Informative)

    by SpaceLifeForm ( 228190 ) on Thursday February 26, 2004 @04:04PM (#8400949)
    Yes, they are now shipping CDs [google.com] so you can patch your system without going on the Internet.
  • Re:Piffle (Score:4, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday February 26, 2004 @04:07PM (#8400988) Homepage Journal
    There is no part on any automobile that can't be made by a competent machinist in a decently equipped shop. Some items might require the creation of jigs or tooling, but you can do that kind of stuff, because you're in a machine shop. A prime example is a cam for valve actuation. The cam is ground, not milled, and it's eccentric and usually (!) not cylindrical. So how the hell do you machine it? You make a machine that rotates two or more wheels in order to rotate and move the cam, and pass it against a grinder.

    Crankshafts are similar, except anything on a car that old can be replaced with a differently-made part which will meet or exceed the original specifications. For example, a forged crankshaft on a car that old could be replaced with a press-fit crank made out of a better alloy, to more exacting tolerances.

    A machinist who tells you "I can't make you one of those" either doesn't want to invest in tooling for a particular material (like if you want something made out of titanium, you have to go to a specialist) or just doesn't want to take the job; they can make the same amount of money or more doing something easier. If I were possessed of that many old cars, personally, I'd build a machine shop and learn machining. Anyone can do it, I mean they even have blind machinists, some of whom do amazing work. (It's hard to imagine working with machines which can effortlessly maim or kill you without being able to see them.)

  • Re:Windows updates (Score:4, Informative)

    by LMacG ( 118321 ) on Thursday February 26, 2004 @04:18PM (#8401105) Journal
    I just had a two week experience dealing with the Windows Update "support team." The code was downloading OK, but something was preventing the updates from installing. After reporting my problem, the first guy had me check a bunch of settings, reboot, try to update (failed), go into safe mode, do some other stuff, reboot, try to update (failed), send him some files, download the patches direct from some links he sent me, etc.

    Then I got "escalated." The second guy had me try some more stuff, send some more files, etc. Then he tried to tell me that WU wouldn't work because I had an OEM/pre-installed version of XP. Ummm, yeah, OK "Dustin." First of all, just about every copy of XP out there is an OEM version, since you can't hardly buy a mass market PC without XP being pre-installed. Therefore, if your little story was true, don't you think there'd be some mention of it on the web? Little weasel just wanted to get the ticket closed so he could get a gold star or something. Oh yeah, he also told me I'd have to order a CD that had the updates on it. OK, so the CD was free, but according to the order page, it only included updates through October 2003. Nice. What about the hugely critical flaw that was just patched at the beginning of this month?

    I called "bullshit" on his answer and requested further "escalation." Luckily, the next guy sent me an updated copy of some system file or other and it seems to have resolved the problem.

    I just have to wait until the next time there's a patch for a critical flaw in XP to see if that's true. And we know there's going to be a next time.
  • by Anonymous Coward on Thursday February 26, 2004 @04:45PM (#8401441)
    If it was any other MS bashing article, you would have a point. But did you really read the article?

    The logic of that article is clearly asinine.

    Please read it and find out for yourself.
  • Re:Oh really? (Score:5, Informative)

    by dwave ( 701156 ) on Thursday February 26, 2004 @04:55PM (#8401553) Homepage
    You mean this article, right? http://support.microsoft.com:80/support/kb/articles/q276/3/04.asp This is my all time favorite: http://support.microsoft.com/?kbid=161129 ("Kitchen: Known Content Errors"). What were they thinking?
  • by SysKoll ( 48967 ) on Thursday February 26, 2004 @05:03PM (#8401634)
    Riclewis, I don't know if this fits your definition, but here is a piece of C code [k-otik.com] that crashes a Windows server by exploiting the ASN.1 vuln. Similar pieces of code have been floating for quite a while since at least October 2003. Some of them are rumored to give you a remote shell, which is not unbelievable.

    Was this what you wanted?

  • by SysKoll ( 48967 ) on Thursday February 26, 2004 @05:10PM (#8401692)
    /.er Florian Weimer supplies another example [slashdot.org]: a military IIS server cracked before the flaw was known [com.com].

    This, I believe, fits your description.

  • by wfberg ( 24378 ) on Thursday February 26, 2004 @06:13PM (#8402229)
    "The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."

    I guess that explains why Windows doesn't include a "diff" function...


    Sysdiff.exe: Automated Installation Tool [microsoft.com]...
  • Re:Oh really? (Score:3, Informative)

    by Ytsejam-03 ( 720340 ) on Thursday February 26, 2004 @06:20PM (#8402284)
    Microsoft got lucky and they were white hats that found them.
    Are you sure about that? If some black hats found something like the Blaster hole, then they're going to keep it to themselves. I doubt that most of those guys would use it to create a worm that would get Microsoft's attention and therefore get the problem fixed. Blaster goes all the way back to NT4 [microsoft.com]. I doubt that the white hats were the first ones to find it.
  • Re:Oh really? (Score:4, Informative)

    by AtomicBomb ( 173897 ) on Thursday February 26, 2004 @06:52PM (#8402583) Homepage
    I think MS tries to mix up two facts. It may be true to claim that some high profile but not that damaging malicious code (e.g. those widespread internet worms in the last few years) is created in this reverse engineering way... A good enough but not the most elite cracker probably wants the most publicity. Their aim is to compromise the largest number of machines.

    But, I can imagine some of the best crackers in fact target specific systems. In this case, they don't even want other people to know their technique....
  • by Mr.Zuka ( 166632 ) on Thursday February 26, 2004 @08:14PM (#8403319)
    Here is one that CNET [com.com] just announced today. Microsoft admits it has been vulnerable this whole year and they are working on a patch yet to be released.
  • by bratmobile ( 550334 ) on Thursday February 26, 2004 @10:28PM (#8404342)
    I'm a former 'softie, and I hate to see people without half a neuron speaking for the company. Microsoft has a lot of good people, and a lot of good products. I just can't figure out why they let IDIOTS speak for the company so often.
