MS Security Chief: Windows Never Exploited Until Patch Available
BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
To be fair if I were to write an exploit.... (Score:3, Informative)
With all the script-kiddies out there, would they know how to patch microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
Of course for the others, they probably realise that many people are forced to use Windows, and their only protection is Windows with a decent firewall and up to date Windows Updates.
Which one is next? (Score:2, Informative)
So Symantec has a full list of all vulnerabilities and is keeping that a secret. Then why does it take 3 days to get an Outlook patch to fix the latest vulnerability?
Yes... upgrade (Score:4, Informative)
I concur! :) Upgrade [linux.org] today!
Just one?? Really?! (Score:5, Informative)
How I read it (Score:3, Informative)
Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.
Re:Piffle (Score:5, Informative)
Re:Piffle (Score:5, Informative)
This in my opinion is one of the greatest benefits of the open source community. You see with both Windows and OS X, if you want all the security patches you need to pay for the latest version of the software. The linux community (note I didn't say RedHat but community) will continue to support prior software so long as there are enough users out there. Just look to the linux kernel or apache for examples. Just my $0.02.
Then explain this. (Score:5, Informative)
Re:Piffle (Score:5, Informative)
This isn't to say that it's reasonable to expect a commercial company to support software indefinitely, but one of the benefits of open source is that you CAN find/hire someone to support your old software and backport bugfixes as appropriate.
One of the nice things about MS is that they DO backport bugfixes to old software. Patches are almost always provided for free for all supported versions of Windows. Windows is supported for an established number of years (5, I believe) and at that point the user is reasonably expected to upgrade.
The Linux kernel has a better reputation than MS, but there are plenty of companies that have worse reputations. Even Redhat only supports its products for about 3 years before expecting an upgrade.
Re:Criminal tools like "diff"? (Score:5, Informative)
Re:Piffle (Score:1, Informative)
It affected XP, NT 4 and win 2k3. Win 98 and 95 were immune.
Re:Piffle (Score:3, Informative)
If you don't want to read the article all the way through, here are the last two paragraphs:
Yup (Score:3, Informative)
Good news, fellow criminals, it's still there. I checked on WinNT and Win2k and it's located in the System32 folder. It's listed as the DOS 5 File Compare Utility. I did a fc
Here, I've been using Windiff all this time... Dang
Re:Piffle (Score:5, Informative)
IE unpatched bugs (with exploits) (Score:3, Informative)
Let's start a list of counterexamples (Score:5, Informative)
I'll give 2:
1) The original Melissa email virus (enabled by idiotic default settings in OE)
2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.
Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.
Others?
Re:Oh really? (Score:5, Informative)
print "this already exists\n" if ($usingPerl);
This vuln wasn't found in a patch! (Score:5, Informative)
As for real security experts, they routinely find vulnerabilities in Windows [eeye.com] before sending a description to MS, which would then, a few months later, issue a patch. Maybe.
There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.
I have an acquaintance.. (Score:3, Informative)
From what I could see, it was very tight C code which compiled and worked on the WinXP test machine (his own), so I guess it was authentic.
Re:a quick read through the comments yields..... (Score:2, Informative)
http://slashdot.org/comments.pl?sid=98387&cid=8
Quick Link to Post [slashdot.org]
Re:Piffle (Score:3, Informative)
Re:Piffle (Score:5, Informative)
IIS & Internet Explorer (Score:5, Informative)
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
Re:Piffle (Score:3, Informative)
Re:a quick read through the comments yields..... (Score:2, Informative)
-Trick
PLEASE READ THE ARTICLE (Score:3, Informative)
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
"He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability."
As usual everyone is going off half-cocked.
Re:Piffle (Score:5, Informative)
Let's see...with debian stable (possibly testing, but I don't recommend with unstable) Done.
Or, if you want a daily email of any packages requiring an update....
Oh, to upgrade to the next release...
for kernels, there's make oldconfig, but I realize there can be complications and a little more technical stuff, but upgrading a debian system for me is very straight forward. Set it and forget it. (I used to do automatic updates with WindowsUpdate, but there is still a patch out there that makes my Athlon laptop freeze up randomly).
Re:Piffle (Score:3, Informative)
9.x kernel? (Score:4, Informative)
If anything, it's 'Win4.1'. Take a really close look at the installer the next time it runs. [I know I saw 'win4.0' flash by when I installed Windows 95 for the first time.]
In the same way, Win2000 is 'NT5.0' [earthweb.com]. I'm not sure if XP is the fabled 'NT6' or just considered to be 'NT5.1' as I've never used it.
Re:Mockery aside, how about the counterexamples? (Score:5, Informative)
Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:
Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.
The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.
Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
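The post above describes a share-level password check that accepts a guess when only its first character is right. The C below is an added example, not code from the page, from the poster, or from Microsoft: it models a check that compares only as many bytes as the client supplied (case-insensitively, so "s" opens "Slashdot" as in the post), runs the 26-letter attack against it, and puts a full-length, constant-time comparison beside it. The mechanism, the function names and the sample password are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable check, modelled on the post's description (an assumption of this
 * example, not Microsoft's code): the server compares only as many bytes as the
 * client supplied, case-insensitively, so a one-byte guess that matches the
 * first character of the stored password is accepted. */
static int share_ok_vuln(const char *stored, const char *supplied, size_t supplied_len)
{
    if (supplied_len == 0 || supplied_len > strlen(stored))
        return 0;
    for (size_t i = 0; i < supplied_len; i++) {
        if (toupper((unsigned char)stored[i]) != toupper((unsigned char)supplied[i]))
            return 0;
    }
    return 1; /* never looked beyond supplied_len: the rest of the password is irrelevant */
}

/* Hardened check: the lengths must match and every byte is compared. The loop
 * runs over the longer of the two lengths and never exits early, so neither the
 * length nor the position of the first mismatch leaks through timing. */
static int share_ok_fixed(const char *stored, const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(stored);
    size_t n = stored_len > supplied_len ? stored_len : supplied_len;
    unsigned char diff = (unsigned char)(stored_len != supplied_len);
    for (size_t i = 0; i < n; i++) {
        unsigned char a = i < stored_len   ? (unsigned char)toupper((unsigned char)stored[i])   : 0;
        unsigned char b = i < supplied_len ? (unsigned char)toupper((unsigned char)supplied[i]) : 0;
        diff |= (unsigned char)(a ^ b);
    }
    return diff == 0;
}

typedef int (*share_check_fn)(const char *stored, const char *supplied, size_t supplied_len);

/* The attack from the post: try each letter as a one-character password.
 * Returns the number of attempts needed, or -1 if no single letter is accepted. */
static int brute_force_first_char(share_check_fn check, const char *stored)
{
    const char *alphabet = "abcdefghijklmnopqrstuvwxyz";
    int attempts = 0;
    for (const char *p = alphabet; *p != '\0'; p++) {
        char guess[2] = { *p, '\0' };
        attempts++;
        if (check(stored, guess, 1))
            return attempts;
    }
    return -1;
}

int main(void)
{
    const char *stored = "Slashdot"; /* constructed sample password, taken from the post's example */
    printf("vulnerable check: cracked with %d single-letter guesses\n",
           brute_force_first_char(share_ok_vuln, stored));
    printf("fixed check: result %d (-1 means no single letter accepted)\n",
           brute_force_first_char(share_ok_fixed, stored));
    return 0;
}
```

Against the vulnerable check the loop stops at the 19th letter ('s'); against the fixed check no one-letter guess is ever accepted, and the attacker is back to guessing the whole password.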
Re:Oh really? (Score:5, Informative)
In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched VS unpatched systems to see what the changes are. But it's not just Microsoft saying this: In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
Re:Logical Consequence (Score:3, Informative)
Re:Kernel upgrade... (Score:3, Informative)
I remember NT SP6 where they screwed up the NTFS format somehow and several machines (luckily only test machines) rebooted to the 'couldn't load NTLDR' screen.
Various 'hotfixes' that have caused apps to crash or behave oddly, some of which have been subsequently withdrawn and reissued fixed later.
Re:Partly right (Score:5, Informative)
24 unpatched IE exploits. No patches. Still exploited.
QED.
Re:Oh really? (Score:5, Informative)
Drop the affectation (Score:1, Informative)
You had it almost right there, just that once, with 'viruses'. Check it:
You can find the whole article here [straightdope.com]. Now you can just use the word 'viruses' all the time, and not sound like the literary equivalent of an out-of-tune piano.
Post leaves out most important quote (Score:5, Informative)
Of course I wouldn't expect a biased site like
Re:Piffle (Score:4, Informative)
oh look, several patches available... wtf, not only do I have to close down all my apps and restart my computer, but I have to restart for each patch individually!?
SUSE YOU is infinitely better. I let it run all the time because it doesn't bug me with crap notices (just changes colour), so I get patches straight away, and no restarts. although I'm not running a server or anything it's still very important to me for my work.
thank god windows is too useless for my work anyway so the crapness of windows update isn't an issue.
I sometimes use MS Office via Crossover though. even that's better on linux - can automatically download updates and "simulates windows restarting" instead of the real thing.
Windows updates (Score:5, Informative)
Just this morning, for example, I helped a guy get his older PC updated from Windows '98 to 2000 Professional. Problem is, he's using AOL dial-up with a 56K modem. Ever try downloading the latest Win2K service pack over a 56K modem? Now, how about the IE 6 service pack 1, not to mention the other misc. update patches MS has out as "critical updates", and then the handful of "recommended updates" which you probably want, also. Did you install MS Office on that machine afterwards? If so, guess what? More critical updates to download (MSDAC objects need a patch after they get added by Office)!
As far as I'm concerned, the average "home user" has the most painful upgrade experience of all. It can take close to an entire day to download everything needed via modem. (You can't even do it all at once, in a big batch, either, because a number of the patches have to be installed individually, followed by a reboot! So that means pretty much babysitting the machine all day, if you want to get everything updated without spreading it over days and days.)
Re:Things that need to be pointed out. (Score:1, Informative)
This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."
You're confusing your terminology... The problem with your argument is that going from 2.2.7 to 2.2.26 is a patch, not an upgrade. It's the same as applying a patch to a Microsoft product that modifies the kernel. And, as everyone knows, applying Microsoft patches very frequently breaks old things... you do not need to upgrade just to lose functionality.
And that patch is often even more risky in Microsoft products than open source, because MS typically supplies a whole package of unrelated patches with no way of applying only the individual ones you want.
Re:Oh really? (Score:5, Informative)
If hackers are left uninformed, a security hole is only found by a few industrious hackers. Some are white hats, some are not. Some will inform Microsoft, some will exploit the code, few will propagate the knowledge. The system is not secure, but few attacks happen. The few, however, might be very dangerous, as the attacker knows what he's doing and is probably after something.
After a patch is released, thousands of crackers can find out what was wrong. The knowledge barrier to writing a successful exploit drops, worms are written... Suddenly everyone's computers are under attack.
He's not saying that only Microsoftees find exploitable bugs. He's just saying what everyone knows: once a hole is well known, it's a greater danger and soon even script kiddies start using it.
The article mainly says that in the case of a target as popular as Windows, once a patch is available, you have to get it _quickly_, because the number of attacks grows very rapidly then.
Unknown hole = exploitable by some hackers
Well known and patched = safe
Well known and unpatched = goodbye, sweet data
Re:Gross misquotes there (Score:5, Informative)
David Aucsmith explicitly states that: "We have never had vulnerabilities exploited before the patch was known," he said.
This statement is false on its face and it is not misquoted. Numerous posters have pointed out why much more completely than I can. Again, CIFS/SMB using ports 137-139 is so irretrievably flawed that they've implemented a workaround rather than fix it (PATIENT: It hurts when I do this. DOCTOR: Don't do that!)
So, thanks for the lofty pronouncements--no mod point for YOU!
No Known Exploits... (Score:5, Informative)
What this really means is that no rapidly expanding virus was created which drew the general public's attention. That doesn't mean a black hat didn't use it to hack a system, steal merchandise, products, $, or information, and then cover his tracks.
That's why I like to see a virus that forces everyone to patch their systems. It scares me to think how many companies have my banking/credit card information. Then take into account the millions of computers that can access that data, 90% of them running Windows.
Either way, this guy is an idiot.
Re:Gross misquotes there (Score:4, Informative)
We have never had vulnerabilities exploited before the patch was known - Actual quote. Maybe not completely true, but mostly true. "Never" should be replaced with "almost never". I consider that an honest mistake.
Windows is never vulnerable until a patch appears - Misquote by Michael. Absurd. Anyone who would make this claim is an idiot.
Re:Oh really? (Score:5, Informative)
Re:Piffle (Score:5, Informative)
Security, what about the CA they use (Score:2, Informative)
Re:9.x kernel? (Score:4, Informative)
What about these vulnerabilities? (Score:4, Informative)
Re:Oh really? (Score:5, Informative)
They don't even have to reverse engineer the patches, since the bulletins released with the patches usually describe the problem being patched well enough for someone to figure out a way to write an exploit. When you have a description available like the following:
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
All you really need to do is find more information about how the exploitable code is normally used, then find the limits of the buffer (in the case of a buffer overflow like this) and go to town with it.
What it all comes down to is basically that people need to update as soon as possible when patches are released, because the people writing worms and viruses tend to watch the security bulletins looking for new holes to exploit. It's certainly much easier than actively seeking out undocumented holes.
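The advisory text quoted in the post above says that "very large length fields" in BER encodings cause heap data to be overwritten. The C below is an added example, not code from the page, from Microsoft, or from MSASN1.DLL: it decodes a BER length field, then shows a consumer that computes length + header in 32-bit arithmetic (so a length near 2^32 wraps to a four-byte allocation while the copy would still use the full declared length) beside a consumer that rejects the wrap and any length larger than the data actually present. The 8-byte header, the function names and the sample encodings are constructed assumptions of this example; the unsafe copy itself is only evaluated, not performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one BER length field. */
typedef struct {
    int      ok;        /* 1 if a definite-form length was decoded */
    uint32_t length;    /* declared content length */
    size_t   consumed;  /* bytes of input used by the length field itself */
} ber_len_t;

/* Decode a BER length: short form (one byte, 0x00..0x7F) or long form
 * (0x80|n followed by n big-endian bytes, n in 1..4 here). The indefinite
 * form (0x80) and truncated inputs are rejected. Shared by both consumers. */
static ber_len_t ber_decode_length(const uint8_t *in, size_t in_len)
{
    ber_len_t r = { 0, 0, 0 };
    if (in_len == 0)
        return r;
    uint8_t first = in[0];
    if (first < 0x80) {
        r.ok = 1; r.length = first; r.consumed = 1;
        return r;
    }
    size_t n = first & 0x7F;
    if (n == 0 || n > 4 || n + 1 > in_len)
        return r;
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | in[1 + i];
    r.ok = 1; r.length = len; r.consumed = 1 + n;
    return r;
}

/* Bytes the consumer prepends to the decoded content (constructed assumption). */
#define HDR_BYTES 8u

/* Vulnerable consumer, modelled on the advisory text (an assumption, not
 * MSASN1.DLL's code): the allocation size is length + header in 32-bit
 * arithmetic, never checked against the length it must later hold. A length
 * near 2^32 wraps to a tiny allocation while the copy still uses the full
 * declared length. Returns the allocation size requested, 0 on decode failure. */
static uint32_t alloc_size_vuln(const uint8_t *in, size_t in_len)
{
    ber_len_t l = ber_decode_length(in, in_len);
    if (!l.ok)
        return 0;
    return l.length + HDR_BYTES;   /* 0xFFFFFFFC + 8 wraps to 4 */
}

/* Hardened consumer: reject a length that would wrap the addition, and reject a
 * declared length larger than the bytes actually present after the length field. */
static uint32_t alloc_size_fixed(const uint8_t *in, size_t in_len)
{
    ber_len_t l = ber_decode_length(in, in_len);
    if (!l.ok)
        return 0;
    if (l.length > UINT32_MAX - HDR_BYTES)
        return 0;
    if (l.length > in_len - l.consumed)
        return 0;
    return l.length + HDR_BYTES;
}

/* The advisory's "heap data overwritten" condition, evaluated without performing
 * the unsafe copy: would header + declared length exceed the allocation? */
static int copy_would_overflow(uint32_t alloc, const uint8_t *in, size_t in_len)
{
    ber_len_t l = ber_decode_length(in, in_len);
    if (!l.ok || alloc == 0)
        return 0;                  /* nothing allocated, nothing copied */
    return (uint64_t)l.length + HDR_BYTES > alloc;
}

/* Constructed sample encodings. */
static const uint8_t SAMPLE_BENIGN[]       = { 0x05, 'h', 'e', 'l', 'l', 'o' };  /* length 5, 5 bytes follow */
static const uint8_t SAMPLE_HUGE[]         = { 0x84, 0xFF, 0xFF, 0xFF, 0xFC };    /* length 0xFFFFFFFC */
static const uint8_t SAMPLE_OVERDECLARED[] = { 0x82, 0x10, 0x00 };                /* length 4096, no data */
static const uint8_t SAMPLE_INDEFINITE[]   = { 0x80 };                            /* indefinite form */

int main(void)
{
    uint32_t v = alloc_size_vuln(SAMPLE_HUGE, sizeof SAMPLE_HUGE);
    printf("vulnerable: allocates %u bytes, copy overflows: %d\n",
           (unsigned)v, copy_would_overflow(v, SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("fixed: allocates %u bytes (0 = rejected)\n",
           (unsigned)alloc_size_fixed(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

The over-declared sample (length 4096 with no bytes behind it) is the second check a hardened decoder needs: no wrap occurs, but trusting the declared length would read past the end of the received message.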
Re:Oh really? (Score:5, Informative)
Every version of Windows, as shipped, now has security holes that will be exploited immediately upon going online. I tried to go online with a new MS install, and was infected with a virus before I could download a single patch.
The correct way, according to MS, to patch the OS is through the Windows Update site (it's hard to find the individual files for download; only going to windowsupdate.com with a non-IExplore browser directs me to the patches for download otherwise).
To my knowledge MS doesn't ship a single OS that is secure enough to go online to patch itself. Maybe 98SP2, but to my knowledge there is no way to get a patched Windows XP box without going online first (any patch CDs shipped from MS????)
Re:It's all about the users (Score:3, Informative)
In that article, "almost all attacks are against legacy systems". Define legacy. There's plenty of XP and 2003 attacks out there, so that means either a) Non-Longhorn = legacy or b) They're blowing smoke.
On another note, I categorically deny that Linux is more secure an operating system than Windows. If Linux were as popular as Windows, it would have exactly the same security record as the Microsoft product. Windows, XP and the latest version of it in particular, will get the millions-of-eyes treatment the open source community is so proud of. Only in this case, the millions of eyes will make any security features shallow.
Not true. Developers on Linux are more aware of testing under non-root level accounts. That is sorely lacking under Windows.
Many-eyes does *not* make security features shallow. Many encryption algorithms are public, including the ones MS uses to sign their code. Kindly release an executable that is signed using an MS certificate.
Microsoft has actually done an admirable job in creating an operating system that your average user has any chance of connecting to the net and with a reasonable amount of security.
Reasonable amount of security? I've had to clean plenty of systems that have been attached to the net, including one that was infected through the XP firewall. And no, the owner *doesn't* run executables from unknown sources or use Outlook/Outlook Express.
Re:Piffle (Score:3, Informative)
But then on my notebook I have to recompile my display drivers every fourth or fifth update, and I still haven't figured out why or when... heck, if I weren't a reasonably experienced user I probably never would've gotten the drivers going in the first place.
Pin the xserver-xfree86 release. Instructions on how are in the Debian User's Guide. That way it won't get upgraded, but everything else will. It should be noted that notebook video is *terribly* supported, but there are *plenty* of guides out there as to how to do it - tuxmobil has them.
(You also then should do the trick above which emails you changes specifically for the xserver-xfree86 release coming from the security dist.)
And as related to previous discussions, the reason that apt's better than Windows Update is that it allows you to customize in this way. With Microsoft, it's "You want to install these updates. Really you do. Trust in Microsoft. Believe Microsoft. Microsoft is good. Watch the spinning lights."
Re:Let's start a list of counterexamples (Score:2, Informative)
1) Patchable by changing Outlook settings.
2) Not an exploit. It is incorrect behavior, which leads to user confusion and trust where it doesn't belong, but it does not directly give an attacker any power over the machine.
Re:Post leaves out most important quote (Score:4, Informative)
Take the SQL patch that remedied the vulnerability used by Slammer/Sapphire. While this was available for >6 months before being widely exploited it was so poor on release by MS that it had never been widely deployed. In fact most people who needed to apply it would never be able to tell they needed it (it was labelled a patch for SQL Server only but was needed by Age of Empires among hundreds of other home user apps). So they made it available for a fraction of the systems that were vulnerable (Pure SQL only, not clustered, not MSDE, not Visual Studio) and you needed a lot of Windows and SQL architecture expertise to be certain you had actually installed it correctly and comprehensively on even the small fraction of systems you actually had a patch for.
So they released their non-patch and promptly forgot about it until Slammer appeared (despite a growing body of evidence prior to Slammer that it was not an adequate fix). Once Slammer was released they reworked the patch and their information on it repeatedly, to the point that they eventually had at least a dozen variations and pages of instructions/guidelines on using it.
I had the wonderful experience of being in a teleconference with MS engineering support during the peak of the Slammer outbreak (well +-12 hours after the peak) and I am certain that they had a bunch of MS legal heads in the room constantly putting them on mute and telling them not to answer our questions. They did not give us anything like a realistic picture of the scope of the problem at that time, would not confirm or deny that the patches were being reworked. And I know the engineers in question had a fair idea of all of the correct answers.
Re:Oh really? (Score:5, Informative)
Re:Piffle (Score:4, Informative)
Crankshafts are similar, except anything on a car that old can be replaced with a differently-made part which will meet or exceed the original specifications. For example, a forged crankshaft on a car that old could be replaced with a press-fit crank made out of a better alloy, to more exacting tolerances.
A machinist who tells you "I can't make you one of those" either doesn't want to invest in tooling for a particular material (like if you want something made out of titanium, you have to go to a specialist) or just doesn't want to take the job, they can make the same amount of money or more doing something easier. If I were possessed of that many old cars, personally, I'd build a machine shop and learn machining. Anyone can do it, I mean they even have blind machinists, some of whom do amazing work. (It's hard to imagine working with machines which can effortlessly maim or kill you without being able to see them.)
Re:Windows updates (Score:4, Informative)
Then I got "escalated." The second guy had me try some more stuff, send some more files, etc. Then he tried to tell me that WU wouldn't work because I had an OEM/pre-installed version of XP. Ummm, yeah, OK "Dustin." First of all, just about every copy of XP out there is an OEM version, since you can't hardly buy a mass market PC without XP being pre-installed. Therefore, if your little story was true, don't you think there'd be some mention of it on the web? Little weasel just wanted to get the ticket closed so he could get a gold star or something. Oh yeah, he also told me I'd have to order a CD that had the updates on it. OK, so the CD was free, but according to the order page, it only included updates through October 2003. Nice. What about the hugely critical flaw that was just patched at the beginning of this month?
I called "bullshit" on his answer and requested further "escalation." Luckily, the next guy sent me an updated copy of some system file or other and it seems to have resolved the problem.
I just have to wait until the next time there's a patch for a critical flaw in XP to see if that's true. And we know there's going to be a next time.
Re:Things that need to be pointed out. (Score:1, Informative)
The logic of that article is clearly asinine.
Please read it and find out for yourself.
Re:Oh really? (Score:5, Informative)
An example: C code exploit for ASN.1 vuln (Score:3, Informative)
Was this what you wanted?
And another example: IIS (Score:3, Informative)
This, I believe, fits your description.
Re:Criminal tools like "diff"? (Score:3, Informative)
I guess that explains why Windows doesn't include a "diff" function...
Sysdiff.exe: Automated Installation Tool [microsoft.com]...
Re:Oh really? (Score:3, Informative)
Re:Oh really? (Score:4, Informative)
But I can imagine some of the best crackers in fact target specific systems. In this case, they don't even want other people to know their technique....
Re:An article disproving this... (Score:2, Informative)
Gawd, how embarrassing (Score:2, Informative)