Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

Early Warning For Microsoft Premium Customers 454

techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."
This discussion has been archived. No new comments can be posted.

Early Warning For Microsoft Premium Customers

Comments Filter:
  • by Anonymous Coward on Tuesday September 14, 2004 @10:25AM (#10246265)
    Kindof like the paid customers using slashdot who get a chance to read the clicky links before it dies.
    • by jrod2027 ( 809997 ) on Tuesday September 14, 2004 @11:54AM (#10247375)
      ...The National Weather Service has announced it will offer early warnings for natural
      disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.
  • by Davak ( 526912 ) on Tuesday September 14, 2004 @10:25AM (#10246267) Homepage
    The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

    Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)

    Other juicy information from the article:

    There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature. [tech-recipes.com]


    So we are suppose to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.

    The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...

    While that's a good theory... I bet it's really just microsoft praying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.
      • by jpetts ( 208163 ) on Tuesday September 14, 2004 @11:25AM (#10247075)
        just came in his own pants

        Better in his own than in mine...
      • Re:Craig Mundie... (Score:3, Informative)

        by notasheep ( 220779 )
        Nice link and quote. It points to an article from 2002. The quote leaves out some important follow-up information as well - "Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems."

        Still not a great response from Mundie, but at least Slashdotters have the whole picture
    • Gee, how about if we have two levels of support from police and firemen? The paying customers get immediate 911 support, and the regular citizens, well, we'll get to you when we can. You're not important.

      The old citizen fire brigades, where people in small towns pitched in, in mutual support, makes me think of a civic Open Source.

      • (ob Family guy)

        We....we call you "normies".
      • by FortKnox ( 169099 ) on Tuesday September 14, 2004 @10:46AM (#10246592) Homepage Journal
        Wow, you are compairing computer bugs to life and death situations.

        What's worse is someone marked you 'insightful.'

        Sometimes slashdot think truely amazes me.
        • by Munra ( 580414 ) <[slashdot] [at] [jonathanlove.co.uk]> on Tuesday September 14, 2004 @10:50AM (#10246655) Homepage
          To be fair, and I'm not necessarily agreeing with the grandparent, a computer bug can cause a life/death situation...airports, hospitals, etc... all use computers. Granted, they're unlikely to use untested/insecure systems (no specific OSes mentioned), and unlikely to be vulnerable through public facing ports/etc, but it is still a risk.

          Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
          Millions could be wiped off the economy of major countries.

          Manta
          • Any situation where it could cause a life or death issue is already backed by some serious security.

            And you obviously have never worked for a financial institution. I'm a contractor who is regularly contracted to banks and insurance agencies. There isn't any way someone is hacking into something like that.

            Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there? What you gave me was a reach.
            • Even so, do you really think there is a solid link between MS Security Support and 911?

              Umm... 90+% of 911 dispatch software runs only on Microsoft Windows...
            • by Martin Blank ( 154261 ) on Tuesday September 14, 2004 @11:25AM (#10247074) Homepage Journal
              Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there?

              There just [securityfocus.com] might be. [com.com]
            • I have 4 issues with your post:

              1) Not every bug/hole has to be 'hacked into' - email worms, and worms that spread through cross-site scripting and browser exploits can do just as much damage, and can be caused by OS/app bugs/holes.
              2) There is no way to that a company has never been hacked in to. Just becuase a company may find out that it has, there's no proof that it hasn't been. Go ask any good security consultancy.
              3) Where did I draw a link between MS security and 911 (and do you mean 911 as in the emer
            • Wow, "There isn't *ANY* way someone is hacking into something like that." Please say you are *NOT* part of the security team for these banks and insurance agencies. The first rule of security is that there is no such thing as perfect security. You can only mitigate risks. Banks tend to mitigate them fairly well, but I seem to remember a few banks trying to hush up compromises last year.

              On the other side of the coin, when I work with insurance agencies, I can say truthfully they make a valiant effort at sec
      • by Max Barry

        http://www.maxbarry.com/jennifergovernment/

        It gives an interesting look at a hypercapitalist world. It's also a highly entertaining read.

      • To some extent you already get this. If you want extra security, you can pay for a security guard, otherwise you fall back on the regular police service.

        And how about health service - in the UK (and I suspect many other places in the world), if you want immediate treatment, you pay (or get your insurance to pay) to go private. If you don't pay, you end up at the back of the NHS waiting list.

        Not saying whether it's a good or a bad thing, but this is pretty much how a market economy is meant to work - you g
  • by InfoHighwayRoadkill ( 454730 ) on Tuesday September 14, 2004 @10:26AM (#10246276) Homepage
    Let me guess another potential revenue stream for MS?

    Security through $$$
    • Well of course. I mean you wouldn't expect a software vendor to tell you about its vulnerabilities before there are exploits without paying for such a service would you?
      All kidding aside, if MS knows of vulnerabilities in their software, they should be forced to do one of two things, tell everyone, or tell no one. Why? Well if they tell everyone, then at least there's a fighting chance. Tell no one, well, its an option I don't agree with, but if someone points out a vulnerability to a software vendor,
    • I wonder if this might backfire. Microsoft already has a rep amongst techies for its slowness to respond to its numerous security holes. Now maybe it'll get a rep with the PHBs as the company that charges its users to fix its own mistakes.
    • by wideBlueSkies ( 618979 ) * on Tuesday September 14, 2004 @10:35AM (#10246428) Journal
      >>Security through $$$

      You mean "a false sense of security through $$$", right?

      wbs.
    • by JudgeFurious ( 455868 ) on Tuesday September 14, 2004 @10:39AM (#10246498)
      Security through $$$ might even work for them to except for the fact that to date Microsoft has shown almost zero ability to produce anything that's actually "secure".

      Even if I were so inclined to pay someone for security Microsoft would be the last company on the face of the earth I'd go to to get that.

      Their pile of cash is legendary and no matter how much they have (or can figure out how to get) they seem unable to incorporate this "security" thing into their products. What would make anyone think that throwing more money at them is going to change that?
  • Newsflash! (Score:3, Insightful)

    by strictfoo ( 805322 ) <strictfoo-signup.yahoo@com> on Tuesday September 14, 2004 @10:26AM (#10246282) Journal
    Company gives preferntial treatment to its higher profit customers!
  • by Control Group ( 105494 ) * on Tuesday September 14, 2004 @10:26AM (#10246284) Homepage
    At the risk of sounding like a Microsoft apologist, I really don't see the big deal, here. It's not like they're releasing patches only to premium subscribers, they're providing earlier notice of what's going to be covered in the next security bulletin. This doesn't affect the timetable for the release of vulnerability information or the release of patches. This is just MS saying "heads up, we're going to have a patch for a vulnerability in Office XP rolling out in three days."

    *shrug*

    Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).

    I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.

    • It is similar to reading about bugs in forums for *nix based products. You know they exist....and they aren't fixed yet....same thing.
    • by slaad ( 589282 )
      I think the concern is that by releasing any information early, they somehow risk the wrong person getting information that can cause a threat. I guess it really depends on how much/what kind of information they release. I have to agree though. The part of me that hates big business smells troube. The part of me that is more of an economist thinks the whole thing makes sense. The plain old user side of me doesn't see anything that will affect him.
  • by Anonymous Coward on Tuesday September 14, 2004 @10:26AM (#10246285)
    I would re-write one sentence in the summary as:
    "Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
    (changed "than" to "FROM")

  • by Portigui ( 651730 ) * on Tuesday September 14, 2004 @10:27AM (#10246289)
    This is a quote from Gartner security analyst John Pescatore and it pretty much sums up my thoughts on this:
    If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.

    In a nutshell, is this not what MS is doing?
    • Except for with faulty brakes, you could end up killing someone. Has there been a case where faulty software killed someone? (Other than by sheer annoyance, that is.)

    • Not really (Score:4, Informative)

      by TheHonestTruth ( 759975 ) on Tuesday September 14, 2004 @10:30AM (#10246357) Journal
      Though this is a crummy thing to do, your/their example is not entirely accurate. It's not that Ford would not issue recalls to everyone, they would just let their premium customers know about the recall (that will be for everyone) in advance. People can then plan better when they will have their car serviced.

      -truth

    • by Chess_the_cat ( 653159 ) on Tuesday September 14, 2004 @10:32AM (#10246384) Homepage
      In a nutshell, is this not what MS is doing?

      No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.

    • by MikeMacK ( 788889 ) on Tuesday September 14, 2004 @10:32AM (#10246394)
      Actually, if you have faulty brakes, you may fly. It's kinda like what MS is doing. It's more like, they are telling the people with the extended warranty about the faulty brakes before other customers, but they all will eventually get new brakes. I guess the point would be that if you knew you had faulty brakes, perhaps you wouldn't drive.
    • Not exactly. What MS is doing is telling their customers (with extended warranty) in advance, that in a few days they will be issuing a recall.

      But, in a few days when the issue it, it will be issued to all of their customers, not just the higher paying ones.
    • by Anonymous Coward
      If you RTFA you'd know this is NOT what they are doing. You are implying that they're only releasing patches to premium subscribers. This is ENTIRELY false. They are simply letting *ANYONE* who wants to know in advance that a security patch is coming. That's it. Simple. Now go jump back on your FUD-wagon
    • Microsoft isn't issuing patches to Premium Customers first. They're just letting them know when a patch is coming out and what's in it. You get an early warning. Your analogy assumes Microsoft isn't issuing patches to regular users simultaneously, which isn't true. But, this is Slashdot, therefore such is implied in the article summary for maximum bash-Microsoft effect in the discussion threads.
    • No, they're just telling those people SOONER.

      And I'll bet someone who has the extended warranty is finding out about a recall sooner than say, someone who bought a Ford used at a Honda dealership.

  • an animated gif saying "Feeling deceived by your database vendor?"

    Why, no, I'm feeling less than special to M$.

  • Perfectly Valid (Score:2, Insightful)

    by domselvon ( 588072 )
    This seems perfectly valid practice to me. People who pay more should get better service. Think of the subscribers to /. they get better service than the rest...
    • to quote the guy a few posts up

      If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do.
  • by Anonymous Coward
    You pay more, you get more.
  • Extortion (Score:3, Interesting)

    by Quasar1999 ( 520073 ) on Tuesday September 14, 2004 @10:28AM (#10246317) Journal
    This is extortion! You cannot force me to pay you more money to provide a warranty that I'm entitled to under law. Just try this logic in any other industry... Oh, you're car's got a major issue that could cause injury, but we won't tell you about it, until we tell our wealthy customers first.
    • Re:Extortion (Score:5, Insightful)

      by Control Group ( 105494 ) * on Tuesday September 14, 2004 @10:34AM (#10246416) Homepage
      Oh, for crying out loud.

      Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."

      This just isn't a big deal.

    • Re:Extortion (Score:4, Informative)

      by boredMDer ( 640516 ) <pmohr+slashdot@boredmder.com> on Tuesday September 14, 2004 @10:36AM (#10246443)
      They're not forcing you to pay.

      You'll still get your patches in the usual Microsoft timely manner (weeks, likely), but these so called 'premium' members will get them a lot sooner.

      Things will still appear the same to you, but premium members will get a heads-up before everyone else.
  • except... (Score:5, Insightful)

    by Ignignot ( 782335 ) on Tuesday September 14, 2004 @10:28AM (#10246318) Journal
    Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?
    • by Black Parrot ( 19622 ) on Tuesday September 14, 2004 @10:31AM (#10246383)


      > Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?

      Maybe their Premium customers get to hear the excuses first.

    • Re:except... (Score:4, Interesting)

      by Rust Martialis ( 690903 ) on Tuesday September 14, 2004 @11:14AM (#10246936)
      Actually MS has a decent record of getting 0-day patches out. Mostly because the people who find them keep quiet. I didn't believe it so I scanned a bunch of MS Alerts from 2004, and tried to figure out when the vulnerabilities that they fixed were announced. Looking at MS04-011, there were 14 vulnerabilities listed (CAN-2003-0533,CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, and CAN-2004-0123).

      Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.

      Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!

      I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.

      So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps . I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries, others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.

      Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.

      --R.

  • Equal? (Score:4, Funny)

    by Anonymous Coward on Tuesday September 14, 2004 @10:28AM (#10246324)
    We are all equal, just some of us are more equal than others.
  • Hmmm (Score:2, Funny)

    by Anonymous Coward
    1. Become premium customer
    2. Get early notification of new vulnerability
    3. Write exploit to target non-premium customers
    4. Profit!
  • Not So Bad (Score:5, Funny)

    by blueZhift ( 652272 ) on Tuesday September 14, 2004 @10:28AM (#10246326) Homepage Journal
    This isn't so bad, it just means that the premium customers get to beta test the patches for the rest of us!
  • by mdpowell ( 256664 ) on Tuesday September 14, 2004 @10:28AM (#10246328)
    That is silly. Are "premium customers" going to be bound by some NDA not to talk about the vulnerabilities? What's to prevent some news outlet from becoming a "premium customer" and then publishing everything they hear five minutes later. But now MSFT will look bad (worse) because the press is announcing there flaws instead of them.

    • by Araneas ( 175181 ) <pgilliland@noSPAm.rogers.com> on Tuesday September 14, 2004 @10:50AM (#10246652)
      Yup the Microsoft Security Response Center Bulletin Releases are covered by an NDA.

      What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.

      Patch one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.

  • Well... (Score:2, Insightful)

    by bert.cl ( 787057 )
    I know this is slashdot and we're not supposed to even remotely like MS & stuff.

    But just maybe, this might be logical, if you have to update everyone about a glitch in your software then that would take time*. If everyone starts to download patches at the same time you just might get slow downloads

    It would be a Bad Thing for MS if their premium customers were the last ones to be notified (as in, turn the story around) or had to wait just as long as some John Doe who copied Windows, to get a patch or d

  • Maybee I'm reading it wrong but I never read anything about having to pay for this "service" when they say Premium... do they just mean people who buy alot more of M$'s programs? i.e. Large Corprations, and is this just a notice to them because in a Large Corparation its alot harder to update 1000s of machines vs lets say a office of 15? They just send a e-mail stating that there will be a update, its not like it actually contains the update.
  • by trilks ( 794531 ) on Tuesday September 14, 2004 @10:29AM (#10246342)
    M$ says they are focusing on security, but how does giving advance warning only to subscribers support security? It's the average user who doesn't know how to patch their computer that is at the most risk (and can also propogate the most damage to the rest of us). And the average user won't be a premium customer.

    Does it seem like M$ is saying one thing and doing another?
  • Virus Writers (Score:4, Interesting)

    by Anonymous Coward on Tuesday September 14, 2004 @10:30AM (#10246352)
    It wouldn't take much for virus writer to sign up for this premium service to obtain and potentially exploit vulnerabilities that they didn't already know about.

    Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.
  • by Garabito ( 720521 ) on Tuesday September 14, 2004 @10:30AM (#10246356)
    Those of us who are lucky enough to have no relationship with Microsoft may find ourselves at even lower risk than premium customers
  • Or we could all just read slashdot and get the advisories about 1-2 hours later....
  • by asdfasdfasdfasdf ( 211581 ) on Tuesday September 14, 2004 @10:30AM (#10246363)
    I can see there's some genuine reasoning behind this: When they announce an exploit potential, they're serving warning to those who can actually generate the exploit. If they control WHO gets the information first, they can keep their "worst case scenario" customers happy.

    Script kiddies aren't likely to subscribe, and if they were, it might make it easier to track them down or trap them.

    I can see the logic in it. I don't know if it's a "good" solution, but it must be difficult when they become aware of a problem that has not been exploited yet. It's open season on the security hole thanks to reverse-engineering the patch, but if they don't announce it then their at fault for a "known hole"

    I think anything where there's a working exploit out should be released immidiately to everyone, but non-exploited holes might be well served by slowly releasing it to clients that pay to have that information-- and therefore are more likely to listen up and patch their systems.

  • Why, I hear that even a major Internet news organ is giving early warning of changes in the IT environment, including information about bugs and patches, to a shadowy elite of privileged 'subscribers'.

  • shhhhhh (Score:2, Funny)

    by dcordeiro ( 703625 )
    don't tell this to ./ crew.

    they may think it's a good idea and provide news first for subscribers..
  • ... doesn't seem all that unreasonable. The anti-virus subscriptions are much the same way -- pay more money, get more frequent updates/better tools.

    The only question is what it takes to become a "premium cusomter". Is it simply a matter of giving MS a few bucks, or is it up to them to choose their friends? MS has a monopoly on the ability to patch their operating systems; if they don't market it openly and fairly then perhaps they'll get another visit from the DoJ (well, I guess this depends on wha

  • by Feneric ( 765069 ) on Tuesday September 14, 2004 @10:32AM (#10246385) Homepage

    Imagine if companies in the car industry worked the same way:

    Gee, we found this safety problem in our latest line of cars; let's inform our premium customers now, and wait an arbitrary amount of time to inform our other customers.

    People wouldn't stand for it. Why do they hold software companies to such lower standards?

  • I'd never heard such a thing (and wouldn't have believed it) until SANS mentioned it in their Security Consensus newsletter last week.

    Good grief. First Microsoft starts releasing security patches on a monthly basis because the "release as needed" policy was bad for their image; and now we non-premium customers have even longer delays, having to wait until MS decides to release patches to the Teeming Hordes. What's next?
  • In terms of the 'badness factor' of this practice. My tax dollars funding cert should insure that Cert never does this, that is the big issue. Cert shooting itself in the foot with reliable bug submitters is ignorant.
  • uh... (Score:3, Interesting)

    by 2MuchC0ffeeMan ( 201987 ) on Tuesday September 14, 2004 @10:32AM (#10246396) Homepage
    let me get this straight.

    They put out a crappy product, them make you pay for the knowledge of knowing it's crappy?

    I already knew that! I should sell this knowledge on ebay, if there's already paying customers out there, there's bound to be millions of other idiots who will bid on it.

    seriously though, we already get the updates before microsoft, from symantec and buqtraq. This is very sad for whoever is dishing out money to them.
  • by Anonymous Coward on Tuesday September 14, 2004 @10:36AM (#10246440)
    No lie. Can't remember for which patch. It was right after they got burned on one of the many virus outbreaks.

    At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?

    Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.

    For the record, we are an enterprise customer.
  • My company gets the premium support advanced warnings.

    Honestly, they are vague to the point of useless...other than "don't make any plans on this day" when the notices to everyone are released.
  • such a relationship with Microsoft..."

    In other words those people you didn't actually buy the OS they believe they have the "right" to use for free.

  • by Mr.Surly ( 253217 ) on Tuesday September 14, 2004 @10:39AM (#10246494)
    ... GM announced today that a new "premium" warranty is available for it's vehicles. Vehicle owners who purchase this new warranty (Only $500, NDA required) will receive recall notices regarding vehicle roll-overs and potential explosions a full month before vehicle owners that do not have the new warranty option.
  • RTFA (Score:3, Informative)

    by Mark Hood ( 1630 ) on Tuesday September 14, 2004 @10:53AM (#10246686) Homepage
    "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk."
    All they are providing is a 'heads-up' - we're going to release a patch with severity X on date Y. Vulnerabilities in products A, B, C will be fixed.

    They are not giving patches away early, nor details of the vulnerabilities. So this won't mean we'find ourselves at greater risk than premium customers'. I don't expect most people to read the article before posting, and it is apparant that the editors stopped reading them ages ago too, but now even the guy submitting it hasn't read it?

    Posts claiming it's extortion [slashdot.org]are way off-base.

    If you need advance notice that a patch might be coming for, say, Outlook, pay for it. It sounds like a service of dubious value, as you won't be able to test the patch any sooner. I guess you can make sure your crack team of roll-out testers aren't all on vacation that day, but that's about it :) And lo and behold, that's all they claim:
    Microsoft said the program is designed to provide very limited information in a brief e-mail three business days before the anticipated release of monthly security bulletins. It also said the notification is to assist customers with resource planning for the monthly security bulletin release.
    RTFA!

    Mark
  • by east coast ( 590680 ) on Tuesday September 14, 2004 @10:55AM (#10246710)
    How does one become a "premium customer"?
  • by Rust Martialis ( 690903 ) on Tuesday September 14, 2004 @10:57AM (#10246731)
    Look, I know you all hate MS for being evil and all that, but sorry, the 'advance warning' is basically nothing.

    All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.

    There are ZERO details on what the patch is going to fix, personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.

    You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include ' sorry, I can't give you any details about Tuesday's patch'.

    Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

    --R.

    • by 0x0d0a ( 568518 ) on Tuesday September 14, 2004 @11:27AM (#10247095) Journal
      Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.

      The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.
  • by nv5 ( 697631 ) on Tuesday September 14, 2004 @11:03AM (#10246798) Homepage Journal
    I can only wonder: MS really is in quite deep trouble with their customers, especially those, who have paid big bucks to have the right to upgrades of their products. Since Longhorn is a long way out, and any upgrades (OS or Office) seem not hugely attractive, why is anyone paying the maintenance fees, which were designed to save you money on product upgrades?

    MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now, they desprately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.

    Playing this security card shows an amazing act of desparation by a wounded giant. If even Gartner starts to critisize MS, there is a lot going wrong in the belly of the beast.

  • by DoubleDownOnEleven ( 690607 ) on Tuesday September 14, 2004 @11:06AM (#10246833)
    Then I could have commented on this article earlier on, and got a better score!

    That's not fair, slashdot should give their information out freely to everyone...

    Oh wait, they do, they just treat their paying customers a little better...

    I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?

    According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.

  • by emtboy9 ( 99534 ) <jeff.jefflane@org> on Tuesday September 14, 2004 @11:11AM (#10246891) Homepage
    Pay us lots of money and we will give you advanced warning of vulnerabilities to protect you from the rest of our customers and their owned boxen?
  • by http101 ( 522275 ) on Tuesday September 14, 2004 @11:23AM (#10247048) Homepage
    you, being a 16-year old over-achiever, register yourself with Microsoft as a preferred customer using your daddy's company credit card. At that point, you learn of the impending vulnerabilities and release one hell of a worm virus on the net. Stick a fork in me, I'm done...
  • by tod_miller ( 792541 ) on Tuesday September 14, 2004 @11:59AM (#10247430) Journal
    So Microsoft is profiting out of:

    1. Building a necessity to be informed because of failuires in thier software

    2. Making these failuires so deadly that quick action must be taken to save money

    3. Screw up all thier patching, and take time to patch vunerabilities they do patch

    So, the more they do the above, the more money they can take from those companies now learning the meaning of being 'tied to a large metamorphic rock plunging happily down into the Mariana trench'.

    Microsoft - a monopoly in profiting from failiure, fear, and fraud.
  • Old stuff (Score:3, Interesting)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Tuesday September 14, 2004 @12:02PM (#10247455) Homepage
    Microsoft has been releasing early warnings for months, and they have regularly leaked to the press. The contents of the warning includes very little information: the number of vulnerabilities, the severity level, and the products affected. You might be able to infer which people you have to force to do overtime (Microsoft patches aren't released during business hours in all parts of the world), but apart from that, the information is not very useful.

    Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.

    All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in colaboration.
  • by reverendslappy ( 672515 ) on Tuesday September 14, 2004 @01:42PM (#10248558)
    The poster clearly doesn't know what s/he's talking about, and is obviously just looking for something to cry about. Same old /. FUD.

    The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.

    And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.

    Most of the anti-MS FUD on /. is at least informed and grounded in reality. This is totally reactionary, underinformed cry-babyism.

Someday somebody has got to decide whether the typewriter is the machine, or the person who operates it.

Working...