Topics: Microsoft, Operating Systems, Security, Software, Windows

MS Security Chief: Windows Never Exploited Until Patch Available

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."
  • by Anonymous Coward on Thursday February 26, 2004 @01:21PM (#8398673)
    Doesn't the BBC have any better stock photos to place in this article? I mean, come on, a picture of an old clock and a close-up zoom of the shift and return keys (with the caption "Exploits get written once patches appear").

    Beware the evil shift and return keys! They should be removed from the keyboard as they clearly are used to write exploits.
  • Logic??? (Score:5, Insightful)

    by BWJones ( 18351 ) * on Thursday February 26, 2004 @01:22PM (#8398679) Homepage Journal
    Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So, the statement, if confused, might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather, they are doing what they do for a likely monetary payoff.

    The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.

  • by Waab ( 620192 ) * on Thursday February 26, 2004 @01:22PM (#8398682) Homepage

    At best, the notion that patches are the source of all exploits is a logical fallacy [datanation.com]. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.

    I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.

  • Simple solution (Score:5, Insightful)

    by shystershep ( 643874 ) * <bdshepherd AT gmail DOT com> on Thursday February 26, 2004 @01:22PM (#8398685) Homepage Journal
    If crackers never find exploits except by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler?

    Also liked this quote, from the end of the article:
    "Almost all attacks against our software are against the legacy systems," he said.
    "If you want more secure software, upgrade."

    Hmmm.
  • by millahtime ( 710421 ) on Thursday February 26, 2004 @01:24PM (#8398706) Homepage Journal
    If a politician said something like this it would get torn apart by the media. If a scientist said something like this he would lose his credibility and there would be articles written to counter it in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.
  • Re:Oh really? (Score:5, Insightful)

    by vandegraff ( 461064 ) on Thursday February 26, 2004 @01:25PM (#8398718)
    Sounds like a simple belief in security through obscurity. That is really sad.
  • Assume for me... (Score:5, Insightful)

    by lacrymology.com ( 583077 ) <nospam@minotaurc ... .com minus berry> on Thursday February 26, 2004 @01:26PM (#8398744) Homepage
    ... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
    -m
  • Riiight... (Score:2, Insightful)

    by bendelo ( 737558 ) on Thursday February 26, 2004 @01:26PM (#8398745)
    "Almost all attacks against our software are against the legacy systems," he said.

    "If you want more secure software, upgrade."


    Should I start laughing now or later? David Aucsmith seems to be missing a clue.
  • Re:Piffle (Score:5, Insightful)

    by sputnikid ( 191152 ) on Thursday February 26, 2004 @01:27PM (#8398760)
    "If you want more secure software, upgrade."

    That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34?
  • On the same logic (Score:5, Insightful)

    by EulerX07 ( 314098 ) on Thursday February 26, 2004 @01:27PM (#8398761)
    An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked; since we do not know that they're unlocked, there is no danger.

    Reply to this post with your street address and your usual work hours, thanks!
  • Re:Piffle (Score:-1, Insightful)

    by millahtime ( 710421 ) on Thursday February 26, 2004 @01:27PM (#8398767) Homepage Journal
    "deliberately leaving old OS's insecure to force upgrades to me."

    This isn't a deliberate thing. Not all old software is supported. If Linux 2.2.XX had security holes they would say upgrade. There aren't new fixes being written. If there was an old version of Lotus Notes that had a security hole, they would say upgrade. This isn't unusual or M$ forcing on people.
  • Partly right (Score:5, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @01:27PM (#8398768)
    I must admit that they are partly right on this statement. As long as they don't publish a patch, most of the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.

    As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.

    So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.

    Just my opinion.
  • by jruschme ( 76180 ) on Thursday February 26, 2004 @01:32PM (#8398830) Journal
    Actually, I think it has a sort of perverse logic (albeit a nearsighted one). If I understand it correctly, the idea is that when a patch is released, it opens up knowledge of a hole. This is similar to the whole argument about when to release info on a security hole.

    The problem with this reasoning is that it assumes the only people writing exploits are lazy/clueless enough to wait for someone to tell them what to exploit. It ignores the fact that there is a community of hackers out there actively looking for the holes.
  • Possible Reason (Score:4, Insightful)

    by KJE ( 640748 ) <ken@kje.ca> on Thursday February 26, 2004 @01:33PM (#8398855) Homepage
    Could this possibly be because people who find flaws in the system might go to Microsoft first and say "look what we found", and then give MS a chance to fix it?

    Then, when MS does release the patch, the people who found the flaw throw up the details on their website for all the "hackers" to get their hands on.

    Hence the exploits coming after the patch is released.

  • Re:Piffle (Score:5, Insightful)

    by xeaxes ( 554292 ) on Thursday February 26, 2004 @01:34PM (#8398861)
    If Linux 2.2.XX had security holes they would say upgrade. There aren't new fixes being written.

    But, you are wrong about this. In fact, a new Kernel update to 2.2 was released. Version 2.2.26. It's been a year, but they were still released.

    Here's a quote from the release: "Marc-Christian Petersen announced the release of the 2.2.26 Linux kernel. This release includes several security fixes, including a fix for the latest mremap() bug." See the Linux 2.2.26 Release Notes [kerneltrap.org]

    So, really, MS is forcing users to upgrade by not releasing patches to old versions.

  • by stratjakt ( 596332 ) on Thursday February 26, 2004 @01:34PM (#8398868) Journal
    The guy does have a point. The description of the patches gives malicious coders good detail on what to exploit.

    There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at Windows Update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.

    The MSDN knowledge base is a great source for folks looking for exploits; they very often have step-by-step directions to reproduce the problems.

    That's how you get root on Linux boxes too: you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.

    And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosophy behind your OS choice.
  • Upgrade sales? (Score:2, Insightful)

    by ls-lta ( 681694 ) <dont_send_spam AT attbi DOT com> on Thursday February 26, 2004 @01:34PM (#8398870)
    I can't help wondering if they're anticipating a sales problem. If a CEO sees an upgrade request and "knows" that upgrading helps security issues, they're sure to say yes. Unless, of course the CEO thinks that the upgrade is really just another type of patch or realizes that they will get forced into a costly upgrade spiral. But, I wouldn't want to give anyone any ideas.
  • by hellraizr ( 694242 ) on Thursday February 26, 2004 @01:34PM (#8398872)
    sure this wasn't ripped from bbspot.com?
  • Re:Oh really? (Score:4, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @01:36PM (#8398892)

    > Another way to look at this is that I should be able to remove every patch from my Windows PC and it would be totally secure?

    Um, no, since his point was that exploits are only found when a patch is released. By removing the patches from your system, you'll be vulnerable to those patches that were found. The parent's statement was more correct and humorous:

    So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches?
  • by instantkarma1 ( 234104 ) on Thursday February 26, 2004 @01:36PM (#8398906)
    Since so much source code was leaked out, I bet they can no longer make the claim that exploits are not released until after the patch.

    Welcome to a whole new ballgame, Microsoft.
  • Re:OK (Score:5, Insightful)

    by symbolic ( 11752 ) on Thursday February 26, 2004 @01:37PM (#8398913)

    There's still one major difference - M$ is driven by the almighty dollar, while Linux is driven by people who want to do what's right. Further, with Microsoft, you not only upgrade your software, but most likely, your EULA as well (and no telling what kind of nastiness). With Linux, you have no such worries.
  • Re:Oh really? (Score:3, Insightful)

    by Erratio ( 570164 ) on Thursday February 26, 2004 @01:40PM (#8398957)
    The patch would be released to fix the possibility of an exploit. The argument is still horribly flawed though. MS is saying that they instigate exploits. Maybe they're trying to prove they control everything, including the stuff that screws them over. If it's an attempt to cover their asses it's a really odd one. I'd think if this is really the case, maybe a while ago they should have come up with a solution that allows the patch to be applied before what it's patching is known. Maybe have Windows Update download the patch automatically without a nice description alongside it which reads "Gaping security hole, enter here". And then release a descriptive patch later for the people who care about what's being done (who are also for the most part the people who would patch before being exploited), allowing the people who don't know what any of it means time to get it fixed before the secret is out.
  • by Anonymous Coward on Thursday February 26, 2004 @01:41PM (#8398974)
    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

    Makes sense to me. Hackers and crackers are losers by definition, so it seems a reasonable explanation that they don't have the smarts to find the holes themselves.

    They're scavengers; a slightly higher form of script kiddie, who looks for knowledge won by other people and then exploits it.

    By the way, no one suggested that companies should stop looking for vulnerabilities that need patching. That spin is just the standard /.-hate-Microsoft nonsense.
  • Re:Partly right (Score:5, Insightful)

    by Ubergrendle ( 531719 ) on Thursday February 26, 2004 @01:41PM (#8398979) Journal
    I think what the slashdot community needs to do is provide some factual evidence. Specifically:

    1) Identify known, 'in the wild' virii, that took advantage of a Microsoft vulnerability before MS announced a patch.

    2) Identify how many virii were developed/released using knowledge derived after announcement, or release of, a patch.

    Obviously there's way too many viruses to do a complete list, but say the major 10 virii per calendar year would be a good sample. Case 1 would identify how many vulnerabilities are discovered by hackers through their own active behaviour, whereas Case 2 would help narrow down the % of virii related to script kiddies, I think. I suspect the number of virii leveraging net-new vulnerabilities vs clones of existing code are at least 10:1.

    In the end, I unfortunately fear that there's a lot of truth in Microsoft's statements. It doesn't absolve them of being responsible for developing poor code in the first place, but the correlation they've identified is probably valid.
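    As an added illustration of the tally Ubergrendle proposes (this is not code from the thread or from anyone quoted in it), the script below sorts incident records into Case 1 (exploited in the wild before any patch existed) and Case 2 (exploited on or after the patch date) and reports the ratio and the median patch-to-exploit lag. The incident records are constructed placeholders with made-up names and dates, not real worms; a practitioner would fill them from vendor advisories and incident timelines.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    """One in-the-wild exploitation event for a vulnerability."""
    name: str
    patch_released: Optional[date]   # None if no patch existed when exploitation began
    first_exploited: date            # first confirmed in-the-wild exploitation


def classify(inc: Incident) -> str:
    """Case 1 ('pre-patch'): exploitation predates the patch, or no patch existed.
    Case 2 ('post-patch'): exploitation began on or after the patch date, which is
    the population the thread attributes to patch reverse engineering and laggards."""
    if inc.patch_released is None or inc.first_exploited < inc.patch_released:
        return "pre-patch"
    return "post-patch"


def summarize(incidents: Iterable[Incident]) -> dict:
    """Count both cases and measure how long after a patch exploitation typically starts."""
    pre: List[Incident] = []
    post: List[Incident] = []
    for inc in incidents:
        (pre if classify(inc) == "pre-patch" else post).append(inc)
    # Lag is only defined for Case 2, where a patch date exists and precedes exploitation.
    lags = [(i.first_exploited - i.patch_released).days for i in post]
    return {
        "pre_patch": len(pre),
        "post_patch": len(post),
        "ratio_post_to_pre": (len(post) / len(pre)) if pre else float("inf"),
        "median_patch_to_exploit_days": median(lags) if lags else None,
        "pre_patch_names": sorted(i.name for i in pre),
    }


# Constructed sample data: placeholder vulnerabilities, not real incidents.
SAMPLE = [
    Incident("VULN-A", date(2003, 3, 10), date(2003, 3, 13)),   # 3 days after patch
    Incident("VULN-B", date(2003, 4, 1), date(2003, 4, 11)),    # 10 days after patch
    Incident("VULN-C", date(2003, 5, 5), date(2003, 5, 31)),    # 26 days after patch
    Incident("VULN-D", date(2003, 6, 2), date(2003, 7, 17)),    # 45 days after patch
    Incident("VULN-E", date(2003, 8, 8), date(2003, 8, 8)),     # same day as patch -> Case 2, lag 0
    Incident("VULN-F", date(2003, 9, 20), date(2003, 9, 17)),   # exploited 3 days before patch -> Case 1
    Incident("VULN-G", None, date(2003, 10, 2)),                # no patch at all -> Case 1
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

    The same-day case is deliberately counted as Case 2: once the patch is public the vulnerability is public, so an exploit appearing that day tells you nothing about independent discovery, which is exactly the distinction the two cases are meant to draw.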
  • by richardbowers ( 143034 ) on Thursday February 26, 2004 @01:42PM (#8398987)
    A few weeks ago, we were treated to the BBC claiming that the Linux community was behind MyDoom, even after it had become clear to everyone else in the world that it was written by spammers. This article isn't any better/worse - it's another thinly-disguised and apparently unresearched document, with no supporting statistics. Is there a reason to read this trash anymore, or should we switch to something more reliable, like the tabloids?
  • Kernel upgrade... (Score:4, Insightful)

    by Tmack ( 593755 ) on Thursday February 26, 2004 @01:44PM (#8399013) Homepage Journal
    is the key, not OS upgrade, which is what MS requires. There is a big difference. In Linux, you upgrade the kernel without (normally, unless you jump major releases, ie: 2.4.x->2.6.x) having to upgrade every piece of software...just recompile and reboot. In MS's OS products, you either apply a servicepack (which might update its kernel), patch, hotfix, or other bugfix; or upgrade by buying a whole new OS that replaces all the main OS software, and pray the upgrade doesn't f*ck your already installed stuff (good luck with the registry) if it's even compatible (NT/2k/XP from 98/95 anyone?). This is what that quote is referring to, and what they expect you to do: buy the latest greatest buggiest OS they have to offer, to keep yourself secure, or don't complain to them when a bug comes out that exploits a "non-existent" vulnerability (since it can't exist until they have a patch, and since they aren't patching your OS anymore, there must be no more vulnerabilities). Add to that that MS tends to End Of Life software after only a few years, whereas the 2.0.x, 2.2.x and 2.4.x kernel trees are still actively maintained even tho they have been around a while. So rather than an "upgrade" per Microsloth, keeping Linux "up to date" with kernel upgrades is more like their servicepacks/bugfixes (how many reboots when using Windows AutoUpdate??).

    Tm

  • by frankthechicken ( 607647 ) on Thursday February 26, 2004 @01:45PM (#8399026) Journal
    Indeed, if this was Microsoft's thinking, then they wouldn't release patches at all, creating the most secure Operating System available.

    I somehow think the quote might have been taken out of context, especially when he states that:-

    "Many people reverse engineer the patch and then build the exploit code,"

    I have a feeling that the main point of his statement, was that the majority of attacks are on unpatched systems. Certainly when you consider Symantec's Mr Beighton's statement:-

    "It's a myth that hackers find the holes,"

    He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.


    Which would probably be true; once the problem is widely known, then there is more likelihood for an exploit to be devised. Hence the more devastating attacks such as Code Red were centred around a previously patched exploit.
  • Re:Oh really? (Score:5, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @01:45PM (#8399028)
    This means that Microsoft has *NEVER*, I repeat, *NEVER*, been subject to a 0-day exploit. Wow...this guy is smoking some serious crack. What about the recent exploit that they sat on for 6 months? Doesn't that count? How about the new one that X-Force has contacted them about and MS has 30 days to fix? Is that from a patch too?
  • by e-Motion ( 126926 ) on Thursday February 26, 2004 @01:45PM (#8399031)
    An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked; since we do not know that they're unlocked, there is no danger.

    A better analogy: It's more likely that a robber will be able to break into your home if he heard you explain how the lock on your door doesn't work terribly well. This sounds more reasonable, and is more like the point he was trying to make.
  • by hchaos ( 683337 ) on Thursday February 26, 2004 @01:45PM (#8399033)
    If a politician said something like this it would get torn apart by the media. If a scientist said something like this he would lose his credibility and there would be articles written to counter it in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.
    From a single story you are concluding that no one is questioning these statements?

    Politicians get torn apart in the media only because other politicians and opinion column writers get involved. It almost never happens in the original story.

    When a science story appears, it is invariably presented by the journalist as gospel truth, and it's only after the rebuttals are published that there is a chance of credibility loss.

    I saw nothing in the article to suggest that this was "like when God speaks". I simply saw an account of what a MS executive stated in a keynote speech. In this situation, there are no questions, no rebuttal, and no excuse for a journalist to impose his own opinions into the story. Instead, it is an opportunity for the readers to form their own opinions. And, quite frankly, as the story develops, this won't be good for Microsoft. It never is when the head of a security technology unit makes ludicrous statements like these.
  • Re:Oh really? (Score:5, Insightful)

    by Rooktoven ( 263454 ) on Thursday February 26, 2004 @01:46PM (#8399042) Homepage
    The implication there is that only Microsoft finds exploits. Forgive me if I'm skeptical.
  • by Mr. Sketch ( 111112 ) * <<moc.liamg> <ta> <hcteks.retsim>> on Thursday February 26, 2004 @01:47PM (#8399051)
    In all honesty it does. Not me personally, but I have yet to convince my coworkers that security through obscurity doesn't work, and I'm sure they would use this article as proof. To the layman, this makes perfect sense: If the hackers can't see the code or haven't heard of the vulnerability, they can't hack the system. It's as simple as that to them. I keep trying to explain that hackers are resourceful and can still find vulnerabilities without source code and before it's known to the public, but they deem that to be 'near impossible' and far too time consuming.

    Sigh, it's a losing battle arguing with them, and I've pretty much given up.
  • Wrong (Score:5, Insightful)

    by ShecoDu ( 447850 ) on Thursday February 26, 2004 @01:47PM (#8399058) Homepage
    Their point is that when they patch they announce they HAD a problem and the hackers can see what the patch fixed and try to exploit UNpatched machines... it's security through obscurity: if I don't release a patch... hopefully the hackers won't notice the hole.

    But now that the patch is out, you can expect hackers to know about the vulnerability and attack you if you don't have the patch.

    They are dumb, don't try to play dumber. :)
  • Re:Oh really? (Score:5, Insightful)

    by rblancarte ( 213492 ) on Thursday February 26, 2004 @01:47PM (#8399064) Homepage
    Exactly how obscure is Windows?

    What this is is security through hiding problems you find and hoping that no one else finds them.

    RonB
  • Bad patches (Score:2, Insightful)

    by morgandelra ( 448341 ) on Thursday February 26, 2004 @01:48PM (#8399073)
    The way I read this was "No exploits happen until we release a patch" meaning that the patch that was released to fix the exploit sucked, or even better opened up new holes to be exploited...... the article almost makes sense that way.
  • Re:Piffle (Score:5, Insightful)

    by Kombat ( 93720 ) <kevin@swanweddingphotography.com> on Thursday February 26, 2004 @01:50PM (#8399094)
    Why do you speak as though this "conundrum" were unique to Microsoft, or even closed-source software in general? If I buy a '57 Chevy Bel-Air convertible, and the top has a tear in it, should GM be obligated to provide me with a replacement part, if I'm willing to pay for it? Does the fact that they won't indicate that GM is a bad company for not supporting its "legacy" products?

    Just how long should a company be obligated to support its older products? And why are you coming down so hard on Microsoft while ignoring the fact that this is simply standard practice, in every industry?
  • Well... (Score:3, Insightful)

    by AbbyNormal ( 216235 ) on Thursday February 26, 2004 @01:50PM (#8399097) Homepage
    I've read a lot of these comments here and I do think the claims are a little far reaching...but, HAS there ever been a worm that has exploited a previously unknown flaw in the operating system?
  • Re:Oh really? (Score:5, Insightful)

    by rseuhs ( 322520 ) on Thursday February 26, 2004 @01:50PM (#8399102)
    Windows will become more secure if Microsoft stops issuing patches?

    The really scary part is that this wasn't said by some marketing guy like Gates or Ballmer, it was said by the Microsoft Security Chief.

  • Re:Never, until... (Score:2, Insightful)

    by MichaelKaiserProScri ( 691448 ) on Thursday February 26, 2004 @01:51PM (#8399106)
    My Grandfather, God rest his soul, was 100% convinced until the day he died that he would not have gotten lung cancer had he not gone to the doctor about the pain in his chest and his shortness of breath.
  • Re:Piffle (Score:5, Insightful)

    by Pieroxy ( 222434 ) on Thursday February 26, 2004 @01:53PM (#8399142) Homepage
    I realize that you are trying to make a joke, but seriously, how painful is a Linux upgrade compared to a WindowsUpdate(R)(C)TM? Cause that's about the price you pay almost daily to get up-to-date.
  • Re:Piffle (Score:0, Insightful)

    by elmegil ( 12001 ) on Thursday February 26, 2004 @01:53PM (#8399143) Homepage Journal
    So does Linus go back and apply security patches to the 2.0 or 2.2 Kernel any more? Does RedHat fix security vulnerabilities in ancient versions (say RH 5.0 or 6.0)? Give me a break. Every vendor defines what support levels they provide for what versions of the OS, and as the OS gets older and older it gets less attention than the newer versions. This is just freaking common sense. You want prompt patches? Use what is most likely to get the prompt patches!
  • Re:Piffle (Score:5, Insightful)

    by kfg ( 145172 ) on Thursday February 26, 2004 @01:53PM (#8399144)
    Quite a few people use various flavors of the 2.0 kernel for various reasons. The 2.2 installed base is huge, and not going anyplace fast. Larger minor version number (or even major version number) does not even vaguely imply greater security. You are buying the myth.

    In fact, quite the opposite is often the case if older versions remain maintained, because they are more thoroughly debugged and locked down. And they are maintained because there is no profit motive to not do so.

    KFG
  • by MichaelKaiserProScri ( 691448 ) on Thursday February 26, 2004 @01:53PM (#8399145)
    How did MS discover that they needed a patch? 1) Somebody hacked it. or 2) They pored over the source code and found a flaw. I suspect at least half of them were found by method 1.
  • by NSAnonymousCoward ( 756801 ) on Thursday February 26, 2004 @01:55PM (#8399161)
    Translation: What we gave you the first time sucked, so give us more money and we'll give you something that sucks a little less.
  • by dougthonus ( 651712 ) on Thursday February 26, 2004 @01:56PM (#8399177)
    Hah! I know Microsoft is evil and all, so you have to twist anything Microsoft related in the worst possible way, but still I think most of you read way more into this than was there. It clearly looks like the quotes are taken completely out of context, and you guys are all implying meaning that is clearly not intended.

    All they are trying to say is that patching your machine is a good idea because many exploits are created from reverse engineering. I don't think there's anything revolutionary about that statement, and I think it's a pretty accurate one.

  • by riclewis ( 617546 ) on Thursday February 26, 2004 @01:56PM (#8399178)
    I'm going to play devil's advocate for a minute here, because most of the comments so far have seemed to be just as lacking in substance as the Microsoft comments.

    So let's really hash this out.

    Just for kicks, let's make a list of examples in the last three years where a virus/exploit happened on any kind of wide scale before the patch was available. If we really disagree with his comments, let's make an intelligent attempt at rebuttal.

    I'll take first shot: the first major incident that comes to mind for me is the COM+ bug of this last summer.

  • by thesolo ( 131008 ) * <slap@fighttheriaa.org> on Thursday February 26, 2004 @01:56PM (#8399179) Homepage
    The article states "We have never had vulnerabilities exploited before the patch was known"

    However, in the cases I cited, people were absolutely exploiting those bugs in the wild before Microsoft released a patch for them. While the articles I linked don't explicitly state "this is already being exploited", the fact of the matter is that exploits did happen before Microsoft finally put out a patch. A friend of mine was hit with the domain-spoofing bug while surfing pr0n, seriously.
  • Re:Piffle (Score:5, Insightful)

    by ComradeX13 ( 226926 ) on Thursday February 26, 2004 @01:56PM (#8399188)
    You could fabricate a new top/machine parts/etc for a car. Not so for a closed source software product (or at least, it would be much harder.)
  • Re:Oh really? (Score:5, Insightful)

    by tbannist ( 230135 ) on Thursday February 26, 2004 @01:57PM (#8399195)
    No, the point is terribly obvious to those with pointy-hair:

    It's not Microsoft's fault your Windows servers have been hacked, infected and your entire system is down, it's the fault of your IT department for not keeping up to date on the Windows patches. You see Microsoft software is 100% secure as long as you keep up to date on the patches.

    I'm not sure whether this is uncertainty or doubt, though.
  • by plopez ( 54068 ) on Thursday February 26, 2004 @01:57PM (#8399200) Journal
    to Linux or *BSD or OSX or OS/390

    Seriously, to me it sounds more and more like they knowingly shipped a defective product (remember, it wasn't until class action suits that the car industry started to clean up their act). Then they are using fear of security issues to force upgrades. It almost sounds like racketeering to me.

    "Ya got a nice server there, it would be a shame if something happened to it... for just $bignum dollars we can protect you..."

    Hey! That sort of sounds like the AV "industry" as well... :)
  • A crackers mind? (Score:5, Insightful)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Thursday February 26, 2004 @01:58PM (#8399206) Homepage Journal
    Maybe MS is mixing things up? If you count worms and viruses as exploits in the same category as real breakins then by far those and script kiddies who use ready-made exploits account for most breakins.

    Any sane cracker won't report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous breakins are of course corporate espionage and I think the ones doing those have a field day on Windows right now. They don't use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target are unpatched.
  • by da5idnetlimit.com ( 410908 ) on Thursday February 26, 2004 @02:00PM (#8399245) Journal
    Or is it the other way around ?

    say [pun]"Only Microsoft exploits exploits"[/pun]...

    from the article :

    "Almost all attacks against our software are against the legacy systems," he said.

    "If you want more secure software, upgrade."

    Here you are. They said it, officially.

    I seem to remember that my debian stable is composed of 1-2 year old software, and, regularly patched, will stay secure without even having to reboot...

    PEOPLE !!! "If you want more secure software, upgrade." ... to Debian 8)

  • by rmpotter ( 177221 ) on Thursday February 26, 2004 @02:01PM (#8399258) Homepage
    From the article:

    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
    He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.


    For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.

    None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".

  • Counterexamples? (Score:5, Insightful)

    by gmuslera ( 3436 ) * on Thursday February 26, 2004 @02:02PM (#8399262) Homepage Journal
    So there was never an exploit before a patch was available? I remember last year when there were a lot of exploited IIS servers with WebDAV enabled by default, like 2 or 3 days before Microsoft released the patch.

    Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because of the "will be no exploit till we release this patch" policy.

    I'm not sure if that is the best example, but at least it is one that is enough to show how much bullshit they used to tell in public.

  • Re:Logic??? (Score:3, Insightful)

    by pantycrickets ( 694774 ) on Thursday February 26, 2004 @02:02PM (#8399267)
    Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position.

    Or any other commercial software developer for that matter.

    The real question though is: If the patch can be exploited, is it a patch?

    Well, yeah. If I released a patch today for SSH, along with the notification that it fixes a bug in some buffer overflow for instance, you would have tons of people looking for and eventually finding the bug. Then it's only a simple matter of rushing to find all of the machines with that vulnerable version still installed. Me releasing the patch, or the patch itself wouldn't be to blame in that instance.. but the people who don't bother to install those patches.

    Of course, this guy saying that Microsoft products are never exploited until a patch is released is total bullshit and everyone at Microsoft surely knows this. Maybe this guy is the only one who doesn't? Who knows.
  • Can I sue? (Score:3, Insightful)

    by zippyRRB ( 696361 ) on Thursday February 26, 2004 @02:02PM (#8399272)
    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

    So can I sue Microsoft for providing hackers the information they need to hack my machine. Sounds like they're aiding and abetting according to that logic.

  • by Bill, Shooter of Bul ( 629286 ) on Thursday February 26, 2004 @02:03PM (#8399284) Journal
    Wouldn't it be nice if someone here were to engage in a groklaw-like effort of documenting the cases in which an exploit occurred before the patch. That would be the mature approach. Who knows, maybe he's right.
  • Re:Piffle (Score:2, Insightful)

    by October_30th ( 531777 ) on Thursday February 26, 2004 @02:03PM (#8399292) Homepage Journal
    The article mentions that you should upgrade

    Yeah, so a product has a definite lifetime.

    So? You don't have to upgrade an antiquated software but if you keep using Win95 today it's up to you to accept the risks.

    I don't see what's wrong with this.

  • Re:Piffle (Score:1, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @02:05PM (#8399336)
    "They can pull that crap on the business market and get away with it, but joe sixpack can always go try that linux thingie he heard about."

    no, joe sixpack can always say "I won't get a virus." and just go on running win98. Joe sixpack doesn't switch to linux. Joe sixpack accepts the problem as unfixable voodoo and just lives with it.
  • Re:Piffle (Score:5, Insightful)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Thursday February 26, 2004 @02:06PM (#8399344) Homepage Journal

    It depends if you run updates through regression testing on a series of "standard" machines in the office and all goes well until you actually try to patch the systems. Then, some obscure third party app that you completely forgot even existed clashes with the freshly updated machine and fucks the whole thing but good because of some bizarre bug that prevents the machine from even getting to first stage boot. On 350 desktops. In the middle of the night. On the weekend.

    As compared to the boxes that kernel-upgraded flawlessly even though we didn't list out half the stuff being used on said boxes.

    Windows update for home use? (Usually) painless. Windows update for wide deployments? Potentially, the most painful fucking nightmare you will ever experience unless you have a completely homogeneous environment.

  • Re:Piffle (Score:4, Insightful)

    by fwitness ( 195565 ) on Thursday February 26, 2004 @02:06PM (#8399348)
    So Microsoft has two available plans for dealing with those old and outmoded '98 boxes.

    Plan A:
    1. Issue security patch for 98 (COSTS MS $)
    2. Fix issues caused by hackers examining patches and determining new exploits. (COST MS TIME AND $)
    3. Goto 1

    Or, there is another way...

    Plan B:
    1. Issue bulletins telling those 25% of the home user base that their systems are insecure.
    2. Sell new copies of an OS to those 25% of people.
    3. PROFIT!!!!
    4. Issue new bulletins telling those that upgraded that their *new* replacement OS is insecure.
    5. Goto 2

    Yep, Plan B has a few more steps, but in the end I think even the silliest would choose that route, provided they could get away with it.
  • Re:Piffle (Score:4, Insightful)

    by tbannist ( 230135 ) on Thursday February 26, 2004 @02:06PM (#8399350)
    The difference is GM won't sue you for measuring the size of the top and making your own replacement. Hell if you found out a lot of people had similar problems you could even go into business making replacement tops for others without any type of lawsuit even appearing on the horizon.

    It's not about how long a company is obligated to support its products, it's about having a company that refuses to fix their products and has the legal right to sue you if you try to do it yourself.

    That's the real problem.
  • Re:Simple solution (Score:3, Insightful)

    by KrispyKringle ( 672903 ) on Thursday February 26, 2004 @02:07PM (#8399377)
    The point seems to be that exploits, as in easy-to-use bits of software that any kiddie can download and use, tend not to be released until after the patches come out. Doesn't mean that the holes shouldn't be patched, since the more adept attackers don't need a VisualBasic-built GUI to launch an attack.

    In this respect, the claim might be largely valid. It's just a really, really stupid thing to say, and has no bearing on absolutely anything at all. You'd still want to release patches, you'd still be responsible for writing buggy software, and you'd just be wasting your time saying things like this. I think the point was just, ``we never see massive outbreaks of this in the wild until after the patch is released.'' But that doesn't mean your software is any more secure.

  • by EulerX07 ( 314098 ) on Thursday February 26, 2004 @02:13PM (#8399479)
    Correction on your analogy: If you don't tell anyone that your lock doesn't work terribly well it's just as safe as if it was working fine, and you can get around to fixing it 6 months from now, because it's not really a problem since nobody knows.

    Until someone tries to open the door to see if it is actually properly locked, or gets a tip that it isn't.

    Therein lies the flaw of "security through obscurity".

    I know exactly the point that he wants to make, it's that if no one talks or reports the security holes it's not a problem. But it IS!
  • Re:Piffle (Score:1, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @02:14PM (#8399486)
    Yeah, but on a '57 Chevy Bel Air convertible, I can most likely take the top off myself and either a) buy an aftermarket equivalent, b) put a piece of patch fabric over the hole, or c) fabricate my own top and then install it. To be analogous to the Microsoft situation, the existing top would have to be nonremovable without killing the engine, and coated with some substance so only GM-made patch material would have a chance of sticking.

    I.e., on a car, even when the manufacturer's warranty runs out, it's still possible to either fix it yourself or find somebody who knows how. Not exactly possible with Windows.
  • by zerocool^ ( 112121 ) on Thursday February 26, 2004 @02:15PM (#8399506) Homepage Journal

    Few quick observations...

    1.) Microsoft end-of-lifed Windows 98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old win98 on it (I know Slashdotters can always come up with whatever reasons for anything, but in the general public).

    Yes the Linux kernel, even back to 2.2, is still being updated. And yes, linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
    This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with windows98? You should upgrade to ME or XP."

    2.) The article claims windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with outlook, internet explorer, office, IIS, exchange, etc. Technically, these are not windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaming that on the kernel dev team.

    Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of microsoft.

    3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, I'm not following. They have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but I suppose security through obscurity is still security.

    How many times have we seen a story on slashdot that exclaims how microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.

    The average linux user is smarter than the average windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (i mean, in windows XP, the windows update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).

    I'm not trying to defend microsoft here, all I'm saying is that, before you bash them, think.

    ~Will
  • Actually (Score:3, Insightful)

    by Mycroft_514 ( 701676 ) on Thursday February 26, 2004 @02:16PM (#8399523) Journal
    The viruses that are making the rounds now, many of them won't work on Win 9x.

    The older systems are growing more secure, because the virus writers are going after the newer ones.

    Coupled with running any e-mail program besides Outlook and you are pretty secure.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Thursday February 26, 2004 @02:18PM (#8399557) Homepage
    I don't remember ever applying a MS patch that messed up another piece of software.
    You must not have applied many MS patches then.

    Here [microsoft.com] is the big example that I can think of -- SP6 broke all kinds of stuff. So much stuff that MS released SP6a shortly after. And that's hardly the only example.

  • Re:Piffle (Score:3, Insightful)

    by Spoing ( 152917 ) on Thursday February 26, 2004 @02:20PM (#8399579) Homepage
    1. The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.

    The reason for this is simple: Motivation.

    Microsoft isn't motivated to patch software they are not making money on. They are motivated *not* to make changes since that can push users to upgrade. Since the code is closed, they are the only group that can act on this motivation effectively.

    Linux 2.0.x and 2.2.x are maintained by people and corporations who use those kernels and are motivated to keep them secure. Since the code is open, anyone with this motivation can make corrections even if the changes are not widely distributed or placed in the main branch.

  • by geekee ( 591277 ) on Thursday February 26, 2004 @02:20PM (#8399591)
    "'[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

    Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
  • Poor analogies (Score:5, Insightful)

    by ratpick ( 649064 ) on Thursday February 26, 2004 @02:21PM (#8399601)
    The analogies in previous posts (locked doors/crime, cancer/treatment, etc) are entirely inaccurate. A more proper analogy might be the fixing of a defective door/window in an apartment building, where the fix is observed and the problem exploited before all units are updated.

    Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.

    I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.

    Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.

    "Even logic must give way to physics."
  • Re:Piffle (Score:3, Insightful)

    by duffbeer703 ( 177751 ) * on Thursday February 26, 2004 @02:21PM (#8399606)
    You would think so.

    Jay Leno owns a fleet of a hundred or so rare classic cars. In a column a few years ago he talked about how some part for one of his Packards broke, so he went to find a machinist.

    Guess what? There aren't any. The one guy that he eventually found to fabricate the part was like 75 and could only do the job because he bought out some surplus tooling from a Packard factory years ago.

    We live in a disposable society.
  • by HopeOS ( 74340 ) on Thursday February 26, 2004 @02:21PM (#8399607)
    Given the number of Windows machines in my office that have required complete reinstallation after a bad Windows Update, I'd say we've spent many thousands of dollars in lost development time. Think developers not working * average wage * hours twiddling thumbs waiting for reinstallation for the bigger picture.

    My desktop XP is on its fifth install. I have compressed images of the XP partitions saved on the network so I can restore the entire system state rather than reinstall from scratch.

    -Hope
  • by MiniChaz ( 163137 ) on Thursday February 26, 2004 @02:26PM (#8399679) Homepage
    This is exactly the same as a car manufacturer saying "we never had an accident caused by this fault until we told people about it".

    Well of course you didn't. The defect still caused accidents but other factors were blamed.

    This disgusts me.
  • I wrote the programs my company sells. Doesn't that make me an expert in them, even if I have a vested interest? Or are companies only supposed to employ people who have no idea what they're doing?

    As pompous (not to mention unlikely) as this article sounds, I can't remember a time when a working trojan was going around, exploiting an unpatched feature. And I'd remember that, because there would be an uproar. Waiting for microsoft to release a patch while a worm attacked system after system via an unpatchable bug? It'd be a coffin nail.

    Is what this guy saying -- that if you had kept your patches current, and your version (reasonably) current, you would have been unaffected by every major trojan or worm released in the past two years? In my experience, yes. So in what way is the guy not an expert? Is it because, according to OSS theory that "open source == security," you'd expect him to be wrong? Or is it just because you don't like the alternate theory he presents?

    Me, I don't care. As long as there's a way to keep the machines that I have to use secure, I'll do what it takes...and a $200 OS upgrade every three years or so isn't much compared to some of the support plans I've seen...
  • Absolutely (Score:3, Insightful)

    by Tony ( 765 ) on Thursday February 26, 2004 @02:29PM (#8399723) Journal
    The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.

    This is completely true. Publishing the details of a hole certainly draws attention to that hole.

    However, it doesn't change either the facts or history: many holes were exploited long before MS either published a description, or a patch. If MS did not publish patches, crackers would *still* discover holes, and exploit those holes.

    There are several levels of cracker. There's the script kiddie, which accounts for the largest number; there's the typical malicious coder, who can create a new exploit based on the description of a hole; and there are the true malicious hackers (the ones that deserve the term, bastards as they are), who can find a hole and write an exploit.

    Many security firms find holes in MS-Windows. This is without code or anything else. If good guys can find holes, why would you assume the bad guys sit around waiting for patch descriptions? That's very poor logic.

    Yes, upgrading and patching will make you more secure. But, security is also dependent on the quality of the OS you run, and no amount of MS-Spin (tm) or outright lying can change that.

  • Re:Piffle (Score:4, Insightful)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Thursday February 26, 2004 @02:30PM (#8399734) Homepage Journal

    Each time Microsoft comes out with a new OS or product upgrade, it usually IS the most secure and state-of-the-art example of WINDOWS.

    Microsoft is twenty years behind the development curve on stability and security because they spent the early years building up something that's usable. Linux is playing catch up on the usability side and Microsoft is playing catch up on the security and stability side. Each is making good ground, but IMHO, Linux is going to be the winner in the race because Microsoft has to figure out how to keep things usable AND make them secure. Linux just has to add a usability layer on top of things and make sure the new layer is secure while trusting the guts of the machine.

    Heh.. then there's BSD out there actually pretending to be UNIX and not giving a crap about either of those two nutjobs.

  • True, but (Score:4, Insightful)

    by Bill, Shooter of Bul ( 629286 ) on Thursday February 26, 2004 @02:31PM (#8399745) Journal
    Unlike OpenBSD, Windows installs many obscure features into the default install of the desktop. So although it wasn't a bug in the kernel, it was in IE or windows messaging or RPS or something else. I sort of prefer the OpenBSD idea that the end user has to decide what to put on their computer besides the shell and basic utilities.
  • Re:Wrong (Score:3, Insightful)

    by Stonent1 ( 594886 ) <stonentNO@SPAMstonent.pointclark.net> on Thursday February 26, 2004 @02:31PM (#8399747) Journal
    What a tangled web they weave when they practice to deceive. Since you have very few people looking at the code compared to Linux/BSD you miss a lot of things. I've heard Microsoft VPs say that open source is bad because you have a lot of "unqualified" individuals submitting patches, so that "brings down the quality". I'd hardly call Linus or Alan Cox unqualified people. Or patches from *@ibm.com, *@sgi.com or *@novell.com
  • Re:Upgrade sales? (Score:3, Insightful)

    by AxelBoldt ( 1490 ) on Thursday February 26, 2004 @02:32PM (#8399754) Homepage
    Best bet: Get a firewall and not one running the stupid OS you're trying to shield from the outside.

    The best firewall doesn't protect you if you have a stupid OS sitting behind it. The most common exploits nowadays attack javascript/activeX/VBasic in IE and Outlook. Your firewall doesn't help against a remote controlled machine inside your network.

  • by gral ( 697468 ) <kscarr73@NosPAM.gmail.com> on Thursday February 26, 2004 @02:34PM (#8399779) Homepage
    Admins just didn't realize that was how their box was hacked until after they saw the symptoms.

    With the patch in hand, people can say, "Oh THAT was how they did it."
  • Re:Actually (Score:3, Insightful)

    by Spoing ( 152917 ) on Thursday February 26, 2004 @02:36PM (#8399798) Homepage
    1. The older systems are growing more secure, because the virus writers are going after the newer ones.

    Win9x;

    Good: Less complex, so fewer places to exploit.

    Bad: All programs run as 'root'/'administrator' and no architectural protections at all beyond the system crashing (intentionally) after a priv. operation has occurred (usually a program bug).

    WinNT/Win2000/WinXP/...;

    Good: System enforces 'root'/'administrator' access.

    Bad: Most configurations and users do not respect this separation.

    While these are not complete reasons, they do cover the major areas.

    Security has little to do with popularity or attention. Win9x can't be hardened, and many of the older attacks still work against it as it is actually used...so why bother inventing more?

  • Re:Oh really? (Score:5, Insightful)

    by shotfeel ( 235240 ) on Thursday February 26, 2004 @02:37PM (#8399817)
    The argument is still horribly flawed though.

    It's flawed all right.

    First off, MS is making a statement they can't possibly know to be true. "We have never had vulnerabilities exploited before the patch was known." At best all they can say is never that they know of. Then we find out it's a lie anyway because the article later says that "he could only think of one instance when a vulnerability was exploited before a patch was available".

    Which is it, never or one? Or do they just not know?

    Maybe I'm just paranoid, but it's not the script kiddies MS is talking about that I'm worried about. It's the professional crackers who are willing to take the time to find a new exploit because they're after something more specific than bragging rights on some IRC channel. They are the ones MS isn't going to hear about because they don't go around submitting vulnerabilities or bragging about their escapades. They are the ones who are going to do real damage, and they are not the ones who are going to be stopped if MS stops issuing patches.

    MS just doesn't get it.
  • Re:Oh really? (Score:5, Insightful)

    by fitten ( 521191 ) on Thursday February 26, 2004 @02:41PM (#8399870)
    No... I think what they are trying to say is that *after* a patch is released and a description of the exploit is given, mal-ware writers then run off and use this description to write mal-ware to take advantage of folks who haven't applied the provided patches.

    I don't care either way, just providing interpretation.
  • by Temporal ( 96070 ) on Thursday February 26, 2004 @02:42PM (#8399876) Journal
    The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears

    He said no such thing. Not only does he say no such thing, but you (Michael) are clearly aware of it. To claim that the vulnerability doesn't exist until a patch appears would certainly be absurd, which is probably why no one made that claim.

    The article is simply making an observation: That most vulnerabilities are not actually exploited until after a patch is released. This is an observation, not an assertion. It seems like a very reasonable one, too, since most evil crackers are not smart or patient enough to go through Windows binaries instruction-by-instruction looking for bugs. Instead, they just wait until a patch is released, and see what was patched. That way, they know where to look.

    No one is claiming that a bug can't be exploited before the patch is released. They are simply pointing out that they usually aren't.

    Michael, you can't just misquote people like that. It is obvious from looking at the comments here that most people did not read the article. Most people believe what you write, and don't realize that it is a gross exaggeration of what was actually said. Even if it is Microsoft (and mind you I'm no fan of Microsoft), it's still not ok. Don't stoop to Microsoft's level; lying about your enemy is not the right way to win any battle.

    It's posts like this that made me give up on Slashdot as a source of anything other than humor long ago (see the sig).
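    The workflow that pantycrickets, KrispyKringle, ratpick and Temporal describe above (wait for the patch, diff it against the unpatched build, and look at what changed) is usually called patch diffing. The following is an added example to make that concrete; it is not code from the thread, from Microsoft or from any real patch-diffing tool. The two "builds" are constructed byte strings laid out as if they were the code sections of an unpatched and a patched binary, the function names are hypothetical, and the hashing/diffing here stands in for a disassembler plus a diff engine. Real tools work at the level of disassembled functions and control-flow graphs, but the steps are the same: hash every function in both builds, keep the ones whose bytes differ, and examine exactly what the fix inserted.

```python
"""Simplified patch diffing: find what a security fix changed.

Added example for this thread; not code from Microsoft, Symantec or any
real patch-diffing tool.  The two builds below are constructed byte
strings (hypothetical function names) standing in for the code sections
of an unpatched and a patched binary.
"""
import difflib
import hashlib
from typing import Dict, List, Tuple

Symbols = Dict[str, Tuple[int, int]]   # function name -> (offset, length)
Edit = Tuple[str, int, bytes, bytes]   # (op, offset in old body, old bytes, new bytes)


def build_image(functions: Dict[str, bytes]) -> Tuple[bytes, Symbols]:
    """Concatenate function bodies into one image and record where each landed.
    Stands in for a PE code section plus its export/debug symbols."""
    image = bytearray()
    symbols: Symbols = {}
    for name, body in functions.items():
        symbols[name] = (len(image), len(body))
        image += body
    return bytes(image), symbols


def function_hashes(image: bytes, symbols: Symbols) -> Dict[str, str]:
    """Hash each function body.  Comparing by hash rather than by offset means a
    function that merely moved because something was inserted before it is not flagged."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in symbols.items()}


def changed_functions(old: bytes, old_syms: Symbols,
                      new: bytes, new_syms: Symbols) -> List[str]:
    """Names whose bytes differ between builds, including functions added or removed."""
    before, after = function_hashes(old, old_syms), function_hashes(new, new_syms)
    return sorted(n for n in set(before) | set(after) if before.get(n) != after.get(n))


def byte_diff(old_body: bytes, new_body: bytes) -> List[Edit]:
    """Minimal edit script between two function bodies (only the non-equal runs)."""
    matcher = difflib.SequenceMatcher(a=old_body, b=new_body, autojunk=False)
    return [(op, i1, old_body[i1:i2], new_body[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def triage_patch(old: bytes, old_syms: Symbols,
                 new: bytes, new_syms: Symbols) -> Dict[str, List[Edit]]:
    """For every changed function, the exact bytes the patch touched.  This is the
    starting point for attacker and defender alike; disassembling those bytes to
    see what condition the fix now rejects is the next step."""
    report: Dict[str, List[Edit]] = {}
    for name in changed_functions(old, old_syms, new, new_syms):
        if name not in old_syms:
            report[name] = [("added", 0, b"", b"")]
        elif name not in new_syms:
            report[name] = [("removed", 0, b"", b"")]
        else:
            o_off, o_len = old_syms[name]
            n_off, n_len = new_syms[name]
            report[name] = byte_diff(old[o_off:o_off + o_len], new[n_off:n_off + n_len])
    return report


# Constructed sample builds.  Bytes are x86-flavoured, but only the difference
# matters: the patched parse_request gains a length check before its copy loop,
# and the patch also ships a new helper that shifts send_reply to a new offset.
UNPATCHED = {
    "init_service":  bytes.fromhex("55 8bec 33c0 5d c3"),
    "parse_request": bytes.fromhex("55 8bec 8b4d08 8b5510 8a02 8801 41 42 4e 75f7 5d c3"),
    "send_reply":    bytes.fromhex("55 8bec b801000000 5d c3"),
}
LENGTH_CHECK = bytes.fromhex("817d0c00010000 7707")   # cmp dword [ebp+0xc],0x100 ; ja <reject>
PATCHED = {
    "init_service":  UNPATCHED["init_service"],
    "check_length":  bytes.fromhex("55 8bec 33c0 40 5d c3"),
    "parse_request": UNPATCHED["parse_request"][:3] + LENGTH_CHECK + UNPATCHED["parse_request"][3:],
    "send_reply":    UNPATCHED["send_reply"],         # relocated, bytes unchanged
}
OLD_IMAGE, OLD_SYMS = build_image(UNPATCHED)
NEW_IMAGE, NEW_SYMS = build_image(PATCHED)


if __name__ == "__main__":
    for name, edits in triage_patch(OLD_IMAGE, OLD_SYMS, NEW_IMAGE, NEW_SYMS).items():
        for op, at, before, after in edits:
            print(f"{name}: {op} at +{at}: {before.hex()!r} -> {after.hex()!r}")
```

    Running it reports only parse_request (nine inserted bytes at offset 3, the new bounds check) and the added check_length; send_reply moved to a different offset but is not flagged, because the comparison is by content. That is the whole point the thread is arguing about: the patch hands anyone who can read a diff the exact location of the bug, which is why an unpatched machine is at more risk the day after the patch ships than the day before, not less.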
  • Known != Available (Score:2, Insightful)

    by RockModeNick ( 617483 ) on Thursday February 26, 2004 @02:46PM (#8399931)
    As these words mean different things, there is no contradiction. You just didn't pay attention. I'm not batting for microsoft here, just trying to keep the griping at their statement legitimate.
  • by erroneus ( 253617 ) on Thursday February 26, 2004 @02:47PM (#8399935) Homepage
    While most people are hearing affirmation that they only care about the newest versions of the Windows OS and that this is how they hope to keep people buying upgrades, I hear something a little different.

    This could easily be a prelude to Microsoft releasing OS upgrades without a description of what is being done to the system. Consider how scary it will be to do your daily upgrade/update/reboot only to find that along with new fixes, they've done other nasty things like change the EULA again... of course not agreeing would mean you can no longer use the system. Or maybe they decide to do some other trashy thing like forcing an upgrade of (Insert Program Here) that you prefer not to have upgraded for some reason.

    I have a feeling they might be trying to give out updates and patches without telling us what they are.
  • by AragornSonOfArathorn ( 454526 ) on Thursday February 26, 2004 @02:47PM (#8399936)
    Hackers and crackers are losers by definition, so it seems a reasonable explanation that they don't have the smarts to find the holes themselves.

    They're scavengers; a slightly higher form of script kiddie, who looks for knowledge won by other people and then exploits it.


    Um, who do you think finds security holes in the first place? Hackers. Whether they are "evil hackers" out in the wild, white-hat hackers, or working for Symantec (or whoever), they're still hackers.

    True, most people who actually exploit the holes are script kiddies, but script kiddies are not hackers.
  • Re:Oh really? (Score:5, Insightful)

    by Erratio ( 570164 ) on Thursday February 26, 2004 @02:52PM (#8400001)
    I may be wrong, but one thing I never hear talked about in the relationship between open source and closed source is the sharing of bugs. I'd think it would be safe to assume that when a bug is discovered in an open-source project (or anywhere else for that matter) it can be assumed that it may be present in other similar applications, just because humans think similarly and a lack of foresight on the part of one programmer could have been made by another. And so a bug fixed in one network service may still be present in others, maybe unnoticed by the maintainer. Obviously there are a lot of variables which could eliminate even the possibility (and some like shared technologies which could support the possibility), but I'd think that if one were to look at all the past bugs that may be easily examined in other projects, sooner or later an exploit could be found which would work on other servers, maybe with a little tweaking.
  • Re:Wrong (Score:5, Insightful)

    by Moeses ( 19324 ) on Thursday February 26, 2004 @02:57PM (#8400047)
    You've got part of it, but you're missing the big picture.

    It's true that SOMETIMES a patch is released before the potential exploit was publicly known. But to imply that this ALWAYS happens, or to even imply that this is how it USUALLY happens is an outright and calculated attempt to deceive. That's also known as lying, as in one of those things that parents almost universally indoctrinate their children against from the time they can converse. You know why? Because lying is despicable, especially for someone in a position of responsibility.
  • by Anonymous Coward on Thursday February 26, 2004 @02:58PM (#8400059)
    Excuse me, but have you ever heard of eEye?

    You know, the guys that were sitting on the latest IIS hole for 6+ months waiting for MS to patch it before releasing the details?

    The same guys that said they were sitting on at least two other holes?

    So, what was that about the 'community of hackers' that has never found a single hole ever? Sure, the eEye guys aren't on the same level as a bunch of script kiddie worm writers.. But who are you to say that there isn't a single person out there who wants to write a worm and just happens to know enough to find one of these holes?

    The holes are already there, thanks to bad coding/auditing/testing/QA/whatever. This is the point that every Slashdotter is trying to get across.

    MS is almost making it sound like no one should be looking for these holes, no one should be fixing them. They want us to believe that by never disclosing vulnerabilities, they will never be exploited. Which is all well and good, if you can completely ignore the fact that the holes are already there.
  • by Jugalator ( 259273 ) on Thursday February 26, 2004 @03:03PM (#8400131) Journal
    I don't think that's too outrageous a statement. I can't really recall a widespread exploit made before MS knew about the flaw at least. Maybe some minor things, but nothing too big. The horrible Blaster worm was for example extremely well spread at its worst, but it wasn't because Microsoft hadn't got a patch for the flaw.
  • Re:Piffle (Score:4, Insightful)

    by Waffle Iron ( 339739 ) on Thursday February 26, 2004 @03:04PM (#8400135)
    Quite frankly: what a colossal waste of resources.

    Every once in a while you hear stories about a company running a dedicated-purpose machine with a fixed set of software for decades because it does the job it's supposed to.

    For these people, the real waste of resources would be requalifying their system after an upgrade.

    When a vendor provides support for crusty old architectures like VAX or HP minicomputers for years and years, people say that that's great "enterprise-level" support. When a couple of guys maintain security patches of older Linux kernels, you say it's a "waste".

  • by CokoBWare ( 584686 ) on Thursday February 26, 2004 @03:08PM (#8400202)
    One of the major things about security is assessing risk. If no one knows about a flaw, how can one exploit it? Risk is minimized by publishing patches in a timely fashion when a flaw exists. The vast majority of people who use and continually try to exploit flaws in Microsoft's software security are exploiting KNOWN issues. To just say "oh well there's Microsoft saying they are very secure" is hogwash, and frankly irresponsible of the poster to make such claims.

    The lesson is: practice safe computing. All platforms have flaws, and since 90% of the desktop market is MS, that of course is going to be the target platform for viruses. I bet you anything that if Linux was the defacto standard for desktops in the home and enterprise, that we would see a hell of a lot more security issues arise on that platform.
  • Re:Oh really? (Score:4, Insightful)

    by strobexii ( 601986 ) on Thursday February 26, 2004 @03:22PM (#8400400)
    Windows will become more secure if Microsoft stops issuing patches?

    The really scary part is that this wasn't said by some marketing guy like Gates or Ballmer, it was said by the Microsoft Security Chief.
    Actually that was said by ChaoticChaos. According to the article, Mr. Aucsmith urged companies to keep up with patches because the time they had to react before hackers released exploits was shrinking.

    What is this, a game of telephone? The further into the thread we go, the more wildly inaccurate the posts have become.

    Well, in that case, Bill Gates recently declared "The world is flat. The sky is green. Earth is the center of the universe." That's right. Mod me up, baby!
  • No, not really (Score:2, Insightful)

    by NineNine ( 235196 ) on Thursday February 26, 2004 @03:23PM (#8400410)
    The implication is that hackers are not smart enough to use an exploit until a patch is released that notifies them about what the exact exploit could possibly be, and how to use it.
  • by Anonymous Coward on Thursday February 26, 2004 @03:25PM (#8400436)
    "He said no such thing."

    Yes he did.

    "In a keynote speech to the E-Crime Congress organised by Britain's National Hi-Tech Crime Unit, Mr Aucsmith said the tools that hackers were producing were getting better and shrinking the time between patches being issued and exploits being widely known.

    "We have never had vulnerabilities exploited before the patch was known," he said."

    There. Does that clear it up for you? He said it, Slashdot reported it, and you tried to spin it.

  • by NaugaHunter ( 639364 ) on Thursday February 26, 2004 @03:27PM (#8400460)
    From a certain point of view, they almost have a point.

    Stay with me, I'm as surprised as anyone else.

    Consider this: you buy a window that says it will stop insects. And it does. But then some nut genetically enhances* an insect to have diamond-tip cutters that can cut through the window. Since the window did keep out all known insects when originally sold, the manufacturer really isn't liable for the new one and is allowed to say 'the new model fixes it', though they could release a spray that would cover your old model but possibly introduce new problems.

    Yes, that's a terrible analogy, but it shows that they have a bit of a point: any business would go out of business if they had to fix problems that were ineffable at the time of the original sale. Where this falls down with Microsoft, of course, is whether the problems were from completely new areas, or flaws in their original work that they just ignored and denied -- similar to how certain problems in cars/children's toys result in recalls, but other problems don't. (e.g. it isn't a problem if a toy breaks after 3 years of continued use, but it's a problem if it breaks in a potentially injurious way - and let's not get started on the liability/lemon laws that Microsoft avoids with the EULA.)

    * And this isn't intended as an attack on genetic engineering per se. But anyone who does this to insects would be, in my opinion, a nut.
  • Re:Wrong (Score:5, Insightful)

    by teromajusa ( 445906 ) on Thursday February 26, 2004 @03:27PM (#8400462)
    Nice summary of their position, but you seem to be reaching the same conclusion as a lot of other readers - that they want to stop releasing patches. The guy's actual conclusion is that it is increasingly important that you immediately apply security patches, since the patches themselves increase the danger posed by the hole. I agree that the way he phrased it suggests a misguided attitude towards the whole thing, but aside from the hyperbole, there's nothing dumb about it.
  • Those of us in the computer security industry happen to be well aware of how this works:

    A researcher finds a vulnerability. The researcher reports it to Microsoft. The researcher waits up to a year (in the case of the ASN.1 vulnerability) for a patch to be released. Simultaneous with the release of the patch, the researcher posts how to exploit it. So yes, usually the information about the vulnerability comes after the patch... by a few minutes.

    Now ask yourself: what if the researcher doesn't contact M$ first?

  • No S**t! (Score:4, Insightful)

    by _bug_ ( 112702 ) on Thursday February 26, 2004 @03:30PM (#8400494) Journal
    Of course we don't hear about exploits being developed until after the patch. Because before that moment, the vulnerability is going to be kept in the dark by those who do know about it so that they can make best use of it.

    You're not going to see worms using unknown sploits because the developer would essentially be giving away a tool that could be used for perhaps more nefarious purposes.

    And furthermore, I wonder how people would know to notify MS about an unknown exploit that's been used to crack a system when such exploits either crash the system (which NT admins are very used to experiencing during NORMAL use and will ignore the crash) or are used in a covert manner, not warranting attention from NT admins in the first place.

    If this is the kind of logic MS has behind its security department, then MS is just doomed.

    This kind of logic is just so incredibly flawed I can't even comprehend how an educated person could think that way. It's like saying "well, whenever I go to sleep, the sun goes down, so if I don't go to sleep the sun will stay up".

    Just absolutely ludicrous.

    The (not so) recent mass breakdown of basic critical thinking skills among people in powerful positions around the United States just scares the crap out of me.
  • by automaticlarynx ( 747144 ) on Thursday February 26, 2004 @03:30PM (#8400503) Homepage
    Because that is the very nature of a monopoly, or a monoculture.

    If a Republican says something ludicrous, there is always a Democrat close to a TV camera who will invariably say, "That's ludicrous!"

    If a scientist says something ludicrous, there are about one hundred thousand other scientists with access to journal publication and mainstream media to say, "That's ludicrous!"

    Who is the opposition to Microsoft? Who does the mainstream world listen to on a regular basis about computing matters other than Microsoft?
  • by ctid ( 449118 ) on Thursday February 26, 2004 @03:35PM (#8400564) Homepage
    I bet you anything that if Linux was the defacto standard for desktops in the home and enterprise, that we would see a hell of a lot more security issues arise on that platform.

    But you wouldn't have somebody in authority effectively stating that problems can be addressed by keeping them quiet. If somebody from one of the distributions did say that, users would be able to make a judgement on whether or not it might be better to migrate to a competing supplier. Emphasis on competing. The only reason MS can pay somebody to spout nonsense like this is because they have a monopoly. I hope and believe that that time is coming to an end now.
  • by Dalcius ( 587481 ) on Thursday February 26, 2004 @04:14PM (#8401070)
    What you need is a good analogy. This "amazing, magic beige box" is foolproof to some people, especially when they have personal -- albeit uninformed -- opinions in the mix.

    Something like a locksmith. Would someone claim that a locksmith can't get into a lock unless he's cracked it before or has seen blueprints of the lock? Rubbish.

    I can't think of any others off the top of my head, but that's the type of example you need. Computer programs, like locks, follow patterns and have standard ways of doing things (e.g. reading a string into a buffer). Once you understand the ways of the craft, you can break into any non-perfect system in enough time.

    Cheers
  • by sholden ( 12227 ) on Thursday February 26, 2004 @04:17PM (#8401096) Homepage
    Oh well, everyone else understands how English is used in the real world, and that "vulnerable" in that context doesn't mean "there is a bug which is exploitable" but "there is an exploit in the wild".

    You might like living in your world of literal interpretation, most of the rest of us are happy with a language where context matters.

    Now if that misquote was presented as a quote and not a paraphrase then the author is either a liar, hard of hearing, has trouble reading, or needs to be more careful when using those quote marks. But, for almost everyone the misquote has the same meaning anyway.
  • by geoff lane ( 93738 ) on Thursday February 26, 2004 @04:26PM (#8401190)
    If MS believes that blackhats are reverse engineering patches to discover security problems and that their "solution" is to "upgrade" (which may mean replacing hardware as well as software) they have an insurmountable problem.

    ANY two OS releases can be compared to detect the changes, which can then be reverse engineered. It may be more complex as the security changes are mixed with other changes, but blackhats have the time and, it increasingly appears, the funding to do the research.

    It looks like MS are applying "security through obscurity" as a business policy.
  • by MacDaffy ( 28231 ) on Thursday February 26, 2004 @04:56PM (#8401559)
    We have never had vulnerabilities exploited before the patch was known - Actual quote. Maybe not completely true, but mostly true. "Never" should be replaced with "almost never". I consider that an honest mistake.
    No. Sorry. Not even a little true. If it's not a bald-faced lie, it's so wildly misinformed for someone in Mr. Aucsmith's position that he either ought to be retrained or fired. If he had said "we have rarely had vulnerabilities exploited before the patch was known," I think most of the thinking people here on Slashdot would have scratched their heads, said "Damn! I didn't know that," and moved on. He did not say that. He said never. I've coded CIFS/SMB on Macs. I'm a networking consultant. The vulnerabilities still exist and anyone using the old-style networking method is begging to be owned.

    That--to me-- is not "never."
  • Re:Oh really? (Score:3, Insightful)

    by junklight ( 183583 ) <mark@TIGERjunklight.com minus cat> on Thursday February 26, 2004 @05:01PM (#8401611) Homepage
    Well, this being the case they are causing a lot of damage by releasing patches and they should stop. If their logic is to be followed there would be no attacks without patches.
    Civil action, anyone, for M$ causing damage to our machines?
  • by SillySlashdotName ( 466702 ) on Thursday February 26, 2004 @05:11PM (#8401701)
    Known != available

    Right - but irrelevant.

    "there is no contradiction."

    Wrong.

    MS is claiming sequence of events as:

    1) Vulnerability discovered.
    2) Patch created, distributed.
    3) Exploit created (from study of patch).

    This MS spokesperson is claiming that "We have never had vulnerabilities exploited before the patch was known." - i.e., EVERY exploit came after the patch was available (AFTER #2 above) but he also states that he could think of at least one instance where "a vulnerability was exploited before a patch was available" (BEFORE #2 above).

    As the parent poster stated, it is either never or not never; it can't be both BEFORE and AFTER #2 above at the same time.
  • Re:Partly right (Score:3, Insightful)

    by ajs ( 35943 ) <{ajs} {at} {ajs.com}> on Thursday February 26, 2004 @05:30PM (#8401902) Homepage Journal
    The problem with security through obscurity is fairly simple: wide-scale kiddie attacks are just noise in the system. Granted, a lot of noise is annoying, potentially even crippling, but it's not the primary concern.

    What you should REALLY worry about is the folks that say, "if I steal corporate secrets from [pick a large tech company] I can make $10 million selling them to the highest bidder in [pick a country that has emerging tech], thus it is worth my time to spend $1 million on security bug discovery." Now you have a whole other ball-game. Here, Microsoft cannot hide behind the veil of publicly reported attacks, because these sorts of intrusions will be as stealthy as possible and if they work, no one will ever know.

    Thus, you have to look at how many vulnerabilities there were, say, last year and extrapolate how many people will have available to them to perform such attacks.

    Open source, on the other hand, contends that not only are there fewer exploits on the whole, but YOU have the source code, and can analyze it yourself and/or fix it if you find problems. When you're a huge corporation that can be a life-or-death difference because you are a very juicy target.
  • Patch economics (Score:2, Insightful)

    by lub ( 188080 ) on Thursday February 26, 2004 @05:39PM (#8401995)
    Microsoft's practice of patching security holes is a matter of patch economics. Patches will be released if: a. Microsoft will significantly lose customers if they do otherwise; b. legal threats/law enforcement force them to do so. I always compare it to primitive Saudi-style oil-patch economics with West Bank settler-type religion.

    William, thou scurvy patch!
  • by MacDaffy ( 28231 ) on Thursday February 26, 2004 @09:31PM (#8403912)
    I was just surfing the net after commenting here and stumbled across the following in Shortnews.com:

    David Aucsmith, head of technology for Microsoft stated that hackers are lazy and instead of finding exploits themselves, are instead waiting for patches being released and then hacking them.

    Windows is known for having persistent problems regarding malicious hackers, and have a reputation for security problems.

    David Aucsmith compared these problems to the recent vulnerabilities discovered by Eeye Digital Security. No exploits were produced until three days after the patch was made available.
    Aucsmith and Microsoft have succeeded in misleading the public by giving the impression that no mechanism other than the ill will of a few fiends is responsible for the appalling state of Windows security. It's not Microsoft... it's not the vulnerabilities inherent in their code... it's the bad guys!

    I work with users every day. I've been in the industry for twenty years and I know that user ignorance is a powerful force in sales, marketing, design and support of IT products and services. This Aucsmith debacle is a textbook case of a company depending on it. They know that the average user doesn't have--or want--the wherewithal to think critically about statements their representatives make. It's groundwork for Next Generation computing. It stinks.
  • On a large scale ? (Score:2, Insightful)

    by ladadadada ( 454328 ) on Friday February 27, 2004 @12:01AM (#8405027) Homepage
    So you're limiting exploits to script kiddies who need to recruit hundreds of machines to do their ddos attacks on their favourite target for the week ?

    The single professional hacker who exploits MY work server and modifies/steals the data contained is far more devastating than even a ddos directed at me by a script kiddy, but because professional hackers don't brag about their exploits in irc, these vulnerabilities will go largely unnoticed by MS until someone else discovers it and exploits it large scale or posts it to a discussion on security so that MS can fix it.

    Large scale exploits are not the only concern here.

    On another note, if you discover that you have been hacked, you would try to remove any backdoors that may have been installed and upgrade/re-install all your software but how do you figure out which exploit was used ? Is it a known exploit or is it a new one ?
    I visit a website that has been hacked and taken down twice in the last two months. It seems that the maintainer simply didn't know how they got in, so he put the box back up with basically the same configuration, plus some security patches from the distro website, but it obviously didn't include the right patch, or possibly it was a configuration thing and not buggy software at fault, so they got in again and hosed his server again.
    So, how do you determine how they got in apart from scanning your own box for vulnerabilities and assuming it was one of those ?
  • by Master of Transhuman ( 597628 ) on Friday February 27, 2004 @12:33AM (#8405226) Homepage
    "Almost all attacks against our software are against the legacy systems," he said.

    "If you want more secure software, upgrade."

    They WANT YOU TO SPEND MONEY TO MAKE BILL RICHER!

    This is the sole and total purpose of this idiot's comments.

    That simple.

    No further discussion is necessary.

  • Re:Oh really? (Score:1, Insightful)

    by Anonymous Coward on Friday February 27, 2004 @12:34AM (#8405227)
    I was speaking to a microsoft developer on this very subject. He explained to me that in 'some' cases after the patch is released, potential virus writers run a decompiler on the patch which gives them some information such as which memory addresses the patch works with. Once knowing where to look they start writing code until they get a hit. When they find the problem the patch was intended to fix they write a virus. He said this is how blaster came to be.

    For the record, I am not a developer so I don't know for sure if this is accurate or not.
  • by andika ( 5684 ) <<andika> <at> <gmail.com>> on Friday February 27, 2004 @01:37AM (#8405589) Homepage Journal
    I think MS predicts the cracker's way of thinking:
    1. backup current system
    2. install security patch
    3. compare files
    4. reverse engineer differences & refer to the security advisory
    5. create an exploit
    but:
    what if step 3 was made difficult, say, by obfuscating the new file, so comparison with the old file will result in way too much difference?

    Just an idea ...
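An added example, not from this thread, from Microsoft, or from any real patch-diffing tool, of the workflow the "Microsoft developer" account two posts up and andika's five steps describe: fingerprint the install tree before and after a patch, find the files that changed, narrow a changed file to its modified byte ranges, and then see what andika's "obfuscate the new file" idea does to that comparison. The file names and byte contents are constructed stand-ins chosen to echo the ASN.1 patch mentioned earlier in the thread; they are not real Windows binaries, and the "code" inside them is a readable placeholder rather than machine code.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample install trees (file name -> file bytes). Not real
# Windows binaries: the string in the middle stands in for a code section.
PRE_PATCH = {
    "msasn1.dll": b"\x55\x8b\xec"
                  + b"copy_len=src_len;memcpy(dst,src,copy_len);"
                  + b"\x90" * 32 + b"\xc3",
    "ntdll.dll":  b"\x55\x8b\xec" + b"\x90" * 48 + b"\xc3",
    "readme.txt": b"ASN.1 runtime, build 1",
}
POST_PATCH = dict(PRE_PATCH)
# The hypothetical fix: the copy length is now bounded by the destination size.
POST_PATCH["msasn1.dll"] = (b"\x55\x8b\xec"
                            + b"copy_len=min(src_len,dst_cap);memcpy(dst,src,copy_len);"
                            + b"\x90" * 32 + b"\xc3")
POST_PATCH["readme.txt"] = b"ASN.1 runtime, build 2"


def fingerprint(tree):
    """Steps 1-2 of andika's list reduce to keeping a hash of every file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in tree.items()}


def changed_files(before, after):
    """Step 3: which files did the patch add, remove or modify?"""
    b, a = fingerprint(before), fingerprint(after)
    return sorted(name for name in set(b) | set(a) if b.get(name) != a.get(name))


def byte_delta(old, new):
    """Step 4: for one changed file, return only the non-equal regions as
    (opcode, old_bytes, new_bytes). Everything else is unchanged and can be
    ignored by whoever is hunting for the fixed function."""
    sm = SequenceMatcher(None, old, new, autojunk=False)
    return [(tag, old[i1:i2], new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def similarity(old, new):
    """0.0 .. 1.0; close to 1.0 means a small, targeted change."""
    return SequenceMatcher(None, old, new, autojunk=False).ratio()


def relayout_rebuild(data, block=16):
    """Stand-in for andika's idea: rebuild the patched file with everything
    moved around so a naive byte diff reports churn everywhere. A real
    compiler re-layout is more involved; reversing fixed-size blocks is
    enough to show the effect on the comparison."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return b"".join(reversed(blocks))


if __name__ == "__main__":
    touched = changed_files(PRE_PATCH, POST_PATCH)
    print("files touched by the patch:", touched)
    old, new = PRE_PATCH["msasn1.dll"], POST_PATCH["msasn1.dll"]
    print("similarity of targeted fix: %.2f" % similarity(old, new))
    for tag, o, n in byte_delta(old, new):
        print("  %-7s old=%r new=%r" % (tag, o, n))
    # The same fix shipped as a re-laid-out file: the diff no longer points
    # at the changed instruction, but the advisory text still does, and the
    # attacker can diff against the previous re-laid-out build instead.
    churned = relayout_rebuild(new)
    print("similarity after re-layout: %.2f" % similarity(old, churned))
```

Against the constructed tree the diff isolates the two inserted fragments (`min(` and `,dst_cap)`) in one file, which is exactly the "which memory addresses the patch works with" hint the developer described. Re-laying out the file drives the similarity score down, but note what it does not do: step 4 also reads the advisory, which still names the component and the bug class, and a defender who ships every build re-laid out is only moving the attacker's baseline to the previous build.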
  • Hmmm... (Score:2, Insightful)

    by Tatarize ( 682683 ) on Friday February 27, 2004 @03:49AM (#8406107) Homepage
    Is it just me or is Microsoft just asking the folks who send them security hole information to bypass that silly part where they send the information to them and wait 6 months for a patch and jump straight to giving the information to malware folks just to show MS up? Somehow this gives me the impression of snubbing their noses at some security folks. I'm sure there are some hackers who have been exploiting certain holes in MS for years and kept it secret. Maybe if MS keeps saying this stuff they will turn it into a virus just to show up. We don't need unpatchable worms. Thank you.
