Early Warning For Microsoft Premium Customers
techmuse writes "According to internetnews.com, Microsoft is giving its premium customers early warning about vulnerabilities and patches. Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk than premium customers as a result."
Early Warning For Slashdot (Score:5, Funny)
In other news... (Score:5, Funny)
disasters such as tornadoes and earthquakes to subscribers of its new "Stay Alive Platinum" service.
Re:Early Warning For Slashdot (Score:5, Informative)
-d
Microsoft early warning service for $5 per user (Score:5, Funny)
WARNING -- Your product is riddled with security holes!
There, now people can be warned.
Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!
Re:Early Warning For Slashdot (Score:3, Funny)
the patches could be tested on a large scale.
I would welcome MS handing patches to large corporate customers and breaking their computers before they break mine.
Re:Early Warning For Slashdot (Score:5, Funny)
Slashdot. News for Nerds. Stuff that Matters. Failed Car Analogies.
Elite.. microsoft and govt (Score:4, Insightful)
Microsoft and the government using the same strategy! I am shocked! (sarcasm mode off)
Other juicy information from the article:
There won't be a patch this month for a "highly critical" bug in Internet Explorer browser's drag-and-drop feature. [tech-recipes.com]
So we are supposed to buy access to problems that won't be patched in a timely fashion? You've got to be kidding me.
The only justification that I can see to this might be that microsoft wants to release it to their "elite" first... so that work-arounds and patches might be generated by the community instead of within microsoft. Thus, trying to get one of the open source benefits...
While that's a good theory... I bet it's really just microsoft preying on the security worries of companies. Considering I run a Microsoft network... that's a sad conclusion for me to have to make.
Craig Mundie... (Score:4, Interesting)
Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." [zdnet.com]
Assholes.
Re:Craig Mundie... (Score:4, Funny)
Better in his own than in mine...
Re:Craig Mundie... (Score:3, Informative)
Still not a great response from Mundie, but at least Slashdotters have the whole picture
Re:Elite.. microsoft and govt (Score:2, Insightful)
The old citizen fire brigades, where people in small towns pitched in, in mutual support, makes me think of a civic Open Source.
Re:Elite.. microsoft and govt (Score:3, Insightful)
We....we call you "normies".
Re:Elite.. microsoft and govt (Score:4, Interesting)
What's worse is someone marked you 'insightful.'
Sometimes slashdot think truly amazes me.
Re:Elite.. microsoft and govt (Score:5, Interesting)
Secondly, even if a situation is not life/death, it can be very serious - think about business impact if every trader at a financial institution was unable to trade due to a virus/vulnerability.
Millions could be wiped off the economy of major countries.
Manta
Re:Elite.. microsoft and govt (Score:3, Insightful)
And you obviously have never worked for a financial institution. I'm a contractor who is regularly contracted to banks and insurance agencies. There isn't any way someone is hacking into something like that.
Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there? What you gave me was a reach.
Re:Elite.. microsoft and govt (Score:3, Interesting)
Umm... 90+% of 911 dispatch software runs only on Microsoft Windows...
Re:Elite.. microsoft and govt (Score:4, Informative)
There just [securityfocus.com] might be. [com.com]
Re:Elite.. microsoft and govt (Score:3, Interesting)
1) Not every bug/hole has to be 'hacked into' - email worms, and worms that spread through cross-site scripting and browser exploits can do just as much damage, and can be caused by OS/app bugs/holes.
2) There is no way to know that a company has never been hacked into. Just because a company may find out that it has, there's no proof that it hasn't been. Go ask any good security consultancy.
3) Where did I draw a link between MS security and 911 (and do you mean 911 as in the emer
Re:Elite.. microsoft and govt (Score:3, Interesting)
On the other side of the coin, when I work with insurance agencies, I can say truthfully they make a valiant effort at sec
Re:Elite.. microsoft and govt (Score:5, Informative)
RTFA
Not getting patches or fixes sooner. Being told that there is a flaw sooner. In this case not even what the flaw is... just that there is one, and that in a day or so we'll tell the world what it is -- heads up, something's coming. That's it.
No "protection," no early patches, no nothing. Just a nice little note saying "we're working on a couple of security flaws, details forthcoming"
Calm yourself please. If you want to hate Microsoft, please do it for a valid reason, not some bullshit like this.
Thanks.
-- Fareq
Re:Elite.. microsoft and govt (Score:3, Interesting)
When the best solution is to take care of the problem yourself, then I want to know what needs to be done, so
Check out the book "Jennifer Government" (Score:3, Interesting)
http://www.maxbarry.com/jennifergovernment/
It gives an interesting look at a hypercapitalist world. It's also a highly entertaining read.
Re:Elite.. microsoft and govt (Score:3, Interesting)
And how about health service - in the UK (and I suspect many other places in the world), if you want immediate treatment, you pay (or get your insurance to pay) to go private. If you don't pay, you end up at the back of the NHS waiting list.
Not saying whether it's a good or a bad thing, but this is pretty much how a market economy is meant to work - you g
Re:911 is a joke (Score:5, Informative)
You can ask my man right here with the broken neck
He's a witness to the job never bein' done
He would've been in full in 8 9-11
Was a joke 'cause they always jokin'
They the token to your life when it's croakin'
They need to be in a pawn shop on a
911 is a joke we don't want 'em
I call a cab 'cause a cab will come quicker
The doctors huddle up and call a flea flicker
The reason that I say that 'cause they
Flick you off like fleas
They be laughin' at ya while you're crawlin' on your knees
And to the strength so go the length
Thinkin' you are first when you really are tenth
You better wake up and smell the real flavor
Cause 911 is a fake life saver
So get up, get, get get down
911 is a joke in yo town
Get up, get, get, get down
Late 911 wears the late crown
- Public Enemy
so how do it get this status (Score:3, Funny)
Security through $$$
Re:so how do it get this status (Score:3, Interesting)
All kidding aside, if MS knows of vulnerabilities in their software, they should be forced to do one of two things, tell everyone, or tell no one. Why? Well if they tell everyone, then at least there's a fighting chance. Tell no one, well, its an option I don't agree with, but if someone points out a vulnerability to a software vendor,
Re:so how do it get this status (Score:3, Insightful)
Re:so how do it get this status (Score:5, Insightful)
You mean "a false sense of security through $$$", right?
wbs.
Re:so how do it get this status (Score:4, Funny)
No, "$$$ through security."
Re:so how do it get this status (Score:4, Insightful)
Even if I were so inclined to pay someone for security Microsoft would be the last company on the face of the earth I'd go to to get that.
Their pile of cash is legendary and no matter how much they have (or can figure out how to get) they seem unable to incorporate this "security" thing into their products. What would make anyone think that throwing more money at them is going to change that?
Newsflash! (Score:3, Insightful)
This is a big deal? (Score:5, Insightful)
*shrug*
Doesn't sound like it affects overall computer security, really. It's nice for the organizations that sign on, so they have a couple more days to plan outages as necessary. It doesn't affect the vast majority of home users at all (I certainly don't plan my downtime, it just happens when I feel like it).
I can see this being irritating to customers who are unwilling to pay yet another Microsoft tax for early notification, but I don't see that it's some kind of horrible, evil practice, either.
Re:This is a big deal? (Score:2)
Re:This is a big deal? (Score:3, Insightful)
Re:This is a big deal? (Score:4, Funny)
Exactly. It's not like they were telling us about the holes in a timely manner before.
Re:This is a big deal? (Score:3, Insightful)
The practice of withholding information on vulnerabilities at all is questionable, but I was coming from the standpoint that such withholding is a given in the software industry today.
Given that such information will be withheld, allowing people to pay to get notice that some information regarding an unspecified vulnerability in a particular application three days before other people (along with the paying subscribers) get the detailed information doesn't seem to be a
Re:Yes,This is a big deal! (Score:3, Insightful)
If you can show me a virus writer who can take advantage of a hole by reading about it in a very generalised security bulletin, then I'd hire him on the spot.
(From the article: "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk." )
Change one sentence in the summary... (Score:5, Insightful)
"Those of us who aren't lucky enough to have such a relationship with Microsoft may find ourselves at greater risk FROM premium customers as a result."
(changed "than" to "FROM")
Re:Change one sentence in the summary... (Score:2)
uhh. Never mind.
Best quote from article (Score:4, Insightful)
In a nutshell, is this not what MS is doing?
Re:Best quote from article (Score:3, Insightful)
Except for with faulty brakes, you could end up killing someone. Has there been a case where faulty software killed someone? (Other than by sheer annoyance, that is.)
Re:Best quote from article (Score:5, Insightful)
However, anyone who uses and relies on software to keep someone alive, or keep something from killing someone should not be waiting for the latest IE patch to make sure their shit works.
think about it (Score:3, Informative)
Yes. (Score:3, Informative)
http://www.mtholyoke.edu/~rzdalea/cs100/software_
http://www.baselinemag.com/article2/0,1397,154440
Also google for Therac-25
Re:Best quote from article (Score:3, Informative)
Yes. [mit.edu]
Not really (Score:4, Informative)
-truth
Re:Best quote from article (Score:5, Insightful)
No. Everyone on the list finds out the same information. This is just a way to sort the list. No biggie.
Re:Best quote from article (Score:4, Informative)
Re:Best quote from article (Score:5, Insightful)
Re:Best quote from article (Score:3, Informative)
But, in a few days when they issue it, it will be issued to all of their customers, not just the higher paying ones.
Re:Best quote from article (Score:2, Informative)
No, it's not...here's why (Score:3, Interesting)
Re:Best quote from article (Score:3, Interesting)
And I'll bet someone who has the extended warranty is finding out about a recall sooner than say, someone who bought a Ford used at a Honda dealership.
That's a funny ad placement (Score:2)
Why, no, I'm feeling less than special to M$.
Perfectly Valid (Score:2, Insightful)
Re:Perfectly Valid (Score:2)
MS is a business afterall (Score:2, Insightful)
Extortion (Score:3, Interesting)
Re:Extortion (Score:5, Insightful)
Always with the car analogies. This isn't Pontiac only recalling and replacing a defective part if you pay more. This is Pontiac recalling and replacing a defective part on exactly the same schedule for everyone, but telling premium customers three days earlier "hey, we're going to be recalling something on the 2005 GTO in three days. Get ready."
This just isn't a big deal.
Re:Extortion (Score:4, Informative)
You'll still get your patches in the usual Microsoft timely manner (weeks, likely), but these so called 'premium' members will get them a lot sooner.
Things will still appear the same to you, but premium members will get a heads-up before everyone else.
except... (Score:5, Insightful)
Re: except... (Score:4, Funny)
> Bugtraq is almost always ahead of microsoft where it comes to vulnerabilities in their software. Why in the world would I pay Microsoft to tell me what might be wrong tomorrow when bugtraq will tell me what's wrong today? Does anyone have an experience where MS came out with vulnerabilities first?
Maybe their Premium customers get to hear the excuses first.
Re:except... (Score:4, Interesting)
Now, I didn't look very hard, but as far as I can see, no mention of prior announcements of any of these 14 vulnerabilities on Bugtraq.
Now, compare that to MS04-019 (CAN-2004-0213) where a vulnerability was announced 124 days prior to patch, or MS04-025 where the three vulnerabilities (CAN-2003-1048, CAN-2004-549, and CAN-2004-566) were announced 332 days, 58 days and 166 days prior to patch. *Much* less impressive, Microsoft!
I gave up on this analysis after it was evident that for 2004, so far, MS does actually get a lot of patches out in sync with the announced vulnerabilities. They miss some, when people release them without sending them to MS (which is their right). But I looked at 37 vulnerabilities (MS04-001 to -011 and MS04-018 to -025) before I gave up, and of those, 27 were 0-day patches, and 10 were released in advance of patches.
So MS does actually seem to be getting a lot of researchers to keep vulnerabilities under wraps. I noted iDefense, Shatter, eEye, and @Stake listed as credited with some of these discoveries, others were uncredited and may be internal MS discoveries. So, sorry for your illusions, but of the above patches, about 2/3 were NOT announced on Bugtraq prior to patches coming out.
Disclaimer: I didn't scour the Internet for announcements, just looked on Bugtraq, Mitre and a couple places, so I may have missed some.
--R.
Equal? (Score:4, Funny)
Hmmm (Score:2, Funny)
2. Get early notification of new vulnerability
3. Write exploit to target non-premium customers
4. Profit!
Not So Bad (Score:5, Funny)
So what? News will still spread quickly (Score:4, Insightful)
Re:So what? News will still spread quickly (Score:4, Interesting)
What they give is a heads up of what will be affected by the upcoming patches or updates. This allows very large organisations with thousands or even tens of thousands of boxes to do some pre-release planning. Updates and patches may need to be tested against other critical applications to make sure nothing breaks. Overtime may need to be planned out etc etc. Huge amounts of time and money may be involved so a few days extra time can be invaluable.
Patching one XP box is a far far simpler thing to do than patching 10k machines of varying Windows versions and functions.
Well... (Score:2, Insightful)
But just maybe, this might be logical, if you have to update everyone about a glitch in your software then that would take time*. If everyone starts to download patches at the same time you just might get slow downloads
It would be a Bad Thing for MS if their premium customers were the last ones to be notified (as in, turn the story around) or had to wait just as long as some John Doe who copied Windows, to get a patch or d
maybee i'm reading it wrong... (Score:2, Insightful)
This is a security focus? (Score:4, Insightful)
Does it seem like M$ is saying one thing and doing another?
Virus Writers (Score:4, Interesting)
Then again, if all that Microsoft is worried about is their bottom dollar then I suppose they don't care who's paying for their premium service.
even better yet... (Score:5, Funny)
Or... (Score:2)
It's sort of a lose/lose situation for them. (Score:3, Insightful)
Script kiddies aren't likely to subscribe, and if they were, it might make it easier to track them down or trap them.
I can see the logic in it. I don't know if it's a "good" solution, but it must be difficult when they become aware of a problem that has not been exploited yet. It's open season on the security hole thanks to reverse-engineering the patch, but if they don't announce it then they're at fault for a "known hole"
I think anything where there's a working exploit out should be released immediately to everyone, but non-exploited holes might be well served by slowly releasing it to clients that pay to have that information-- and therefore are more likely to listen up and patch their systems.
Not a unique practise (Score:2)
Why, I hear that even a major Internet news organ is giving early warning of changes in the IT environment, including information about bugs and patches, to a shadowy elite of privileged 'subscribers'.
shhhhhh (Score:2, Funny)
they may think it's a good idea and provide news first for subscribers..
Service in exchange for money... (Score:2, Insightful)
The only question is what it takes to become a "premium customer". Is it simply a matter of giving MS a few bucks, or is it up to them to choose their friends? MS has a monopoly on the ability to patch their operating systems; if they don't market it openly and fairly then perhaps they'll get another visit from the DoJ (well, I guess this depends on wha
Car Industry Comparison (Score:3, Insightful)
Imagine if companies in the car industry worked the same way:
People wouldn't stand for it. Why do they hold software companies to such lower standards?
SANS mentioned this (Score:2)
Good grief. First Microsoft starts releasing security patches on a monthly basis because the "release as needed" policy was bad for their image; and now we non-premium customers have even longer delays, having to wait until MS decides to release patches to the Teeming Hordes. What's next?
Microsoft is small potatoes (Score:2)
uh... (Score:3, Interesting)
They put out a crappy product, then make you pay for the knowledge of knowing it's crappy?
I already knew that! I should sell this knowledge on ebay, if there's already paying customers out there, there's bound to be millions of other idiots who will bid on it.
seriously though, we already get the updates before microsoft, from symantec and Bugtraq. This is very sad for whoever is dishing out money to them.
My MS Rep woke me up in the middle of the night (Score:5, Interesting)
At first I thought, cool, they are really taking this seriously. But then, I thought, what does he really think I'm going to do? go into the office and patch 1000 machines before morning?
Since then, we've just been getting these 'pre-warnings' via email. Which of course are marked as confidential.
For the record, we are an enterprise customer.
premium support notices are not very informative (Score:2, Interesting)
Honestly, they are vague to the point of useless...other than "don't make any plans on this day" when the notices to everyone are released.
"Those of us who aren't lucky enough to have (Score:2)
In other words those people who didn't actually buy the OS they believe they have the "right" to use for free.
In related news ... (Score:3, Funny)
RTFA (Score:3, Informative)
They are not giving patches away early, nor details of the vulnerabilities. So this won't mean we 'find ourselves at greater risk than premium customers'. I don't expect most people to read the article before posting, and it is apparent that the editors stopped reading them ages ago too, but now even the guy submitting it hasn't read it?
Posts claiming it's extortion [slashdot.org] are way off-base.
If you need advance notice that a patch might be coming for, say, Outlook, pay for it. It sounds like a service of dubious value, as you won't be able to test the patch any sooner. I guess you can make sure your crack team of roll-out testers aren't all on vacation that day, but that's about it
RTFA!
Mark
A serious question... (Score:4, Insightful)
As a Premium Customer Who Sees The Advance Notice (Score:5, Informative)
All you get is an email from MS saying 'oh, next Tuesday we're going to release X patches, with Y rated critical, and Z rated serious'.
There are ZERO details on what the patch is going to fix; personally, I consider the advance notice almost useless except to tell you you need to have resources ready to roll out critical patches.
You get *no* details, *no* access to patches, and I have several emails from MS Security people who always include 'sorry, I can't give you any details about Tuesday's patch'.
Please, hate MS all you want, but at least hate them for a reason, not the typical /. drooling paranoia I see here.
--R.
Why Microsoft gets attacked on Slashdot (Score:5, Insightful)
The drooling paranoia was built because of years of times when Microsoft really *did* screw over customers or competition in quite an unethical manner, like the DR-DOS application compatibility, or the IIS Netscape Navigator deprioritization. Microsoft generally didn't get in trouble for its misdeeds, so now IT folk angry after years of poor treatment have simply started attacking Microsoft for all sorts of things that really aren't very bad at all. Microsoft is simply paying back in installments for earlier nasty deeds.
An act of desperation? (Score:3, Insightful)
MS has made their staunchest customers (i.e. the executives and managers having talked their companies into spending the extra money on maintenance) look absolutely foolish. So now, they desperately need to give those folks a story to tell their bosses, why they should not get fired for such a wanton waste of their companies' money.
Playing this security card shows an amazing act of desperation by a wounded giant. If even Gartner starts to criticize MS, there is a lot going wrong in the belly of the beast.
If only I was a slashdot subscriber... (Score:5, Insightful)
That's not fair, slashdot should give their information out freely to everyone...
Oh wait, they do, they just treat their paying customers a little better...
I really don't see this as much of an issue. The "premier" customers don't get the patches any sooner. They get an advance heads-up on what the patches will contain. Why will this affect anybody?
According to the article: Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected.
So... what they are saying is. . . (Score:3, Insightful)
So here's what you do... (Score:3, Insightful)
Conflict of Interests (Score:3, Insightful)
1. Building a necessity to be informed because of failures in their software
2. Making these failures so deadly that quick action must be taken to save money
3. Screw up all their patching, and take time to patch vulnerabilities they do patch
So, the more they do the above, the more money they can take from those companies now learning the meaning of being 'tied to a large metamorphic rock plunging happily down into the Mariana trench'.
Microsoft - a monopoly in profiting from failure, fear, and fraud.
Old stuff (Score:3, Interesting)
Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.
All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in collaboration.
Typically baseless /. FUD (Score:3, Informative)
The notifications sent to Premium customers are just that: notifications. We don't get the patches any earlier; the advance notice we receive simply gives us a general overview of the vulnerabilities and what they affect so as to help us plan the patch rollout.
And there's something wrong with that? Please... It's the responsible thing for Microsoft to do. And the poster thinks that leaves others "at a greater risk" than Premium customers? Please, explain to me how that could possibly be, given the fact that the patches are released to all customers (Premium and not) at the same time. Totally ridiculous FUD. You get the patches at the same time we do (unless you count betas, which... come on). We get advance notice because we have to plan for rolling out patches to tens of thousands of workstations and servers. We need to know in advance. Those of you who only have to worry about your PC (or maybe even 5 or 10 additional) don't. Simple as that.
Most of the anti-MS FUD on
Re:We get these (Score:2)
"Yes, we have three known open vulnerabilities this month, but we're not going to tell you where or what they are".
Re:So? (Score:3, Funny)
We don't have a monopoly. We have market share. There's a difference. - Steve Ballmer
Re:Nerds Socialists (Score:3, Insightful)
That depends on what side you are. If you are the one who pays, or the one to whom the info leaked, regardless of the color of your hat, you have an advantage against the ones who aren't.
Which puts to disadvantage all the ones who aren't members of (or friendly with) big corporations or e-crime rings. For a small admin of a small network it means j