Microsoft Operating Systems Security Software Windows

MS Security Chief: Windows Never Exploited Until Patch Available 1040

BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

  • Oh really? (Score:5, Funny)

    by ChaoticChaos ( 603248 ) * <l3sr-v4cf&spamex,com> on Thursday February 26, 2004 @12:21PM (#8398670)
    "The Earth is flat."
    "The Sky is green."
    "Earth is the center of the universe."

    Other ridiculous statements that have also been proven false.

    So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches? :-)

    Sakes alive, the Microsoft spin machine has been well oiled this morning!

    ChaoticChaos
    "If Windows wasn't vulnerable until the patch was released, why was the patch released in the first place???"
    • Re:Oh really? (Score:5, Interesting)

      by Jotaigna ( 749859 ) <jotaigna@yahoo.com> on Thursday February 26, 2004 @12:24PM (#8398712) Homepage Journal
      The simplest method used to detect a lie is to cross-question the subject until it gets confused and contradicts itself. These guys have security departments, management, development, sales, etc. They should build a "Lie Tracking" department; then they'll have at least something consistent. I think this post should have been published in the "it's funny, laugh" category.
    • Re:Oh really? (Score:5, Insightful)

      by vandegraff ( 461064 ) on Thursday February 26, 2004 @12:25PM (#8398718)
      Sounds like a simple belief in security through obscurity. That is really sad.
    • by dingbatdr ( 702519 ) on Thursday February 26, 2004 @12:26PM (#8398739) Homepage
      In other news, Microsoft announces that cause and effect are reversed when it comes to their software.

      "We think it is due to our patented time-traveling module," quips Steve Ballmer.

    • Re:Oh really? (Score:5, Insightful)

      by Anonymous Coward on Thursday February 26, 2004 @12:45PM (#8399028)
      This means that Microsoft has *NEVER*, I repeat, *NEVER*, been subject to a 0-day exploit. Wow...this guy is smoking some serious crack. What about the recent exploit that they sat on for 6 months? Doesn't that count? How about the new one that X-Force has contacted them about and MS has 30 days to fix? Is that from a patch too?
      • Re:Oh really? (Score:5, Informative)

        by Anonymous Coward on Thursday February 26, 2004 @01:24PM (#8399649)
        If I remember correctly, the WebDAV exploit that was out about 5 months ago was found because a military webserver was rooted with it. That's definitely an example of a blackhat finding a hole and using it well before there was a patch available.
    • by armb ( 5151 ) on Thursday February 26, 2004 @12:47PM (#8399052) Homepage
      > Other ridiculous statements that have also been proven false.

      Slashdot stories always accurately summarize the content of the linked story, and wouldn't ever misrepresent "vulnerabilities are hardly ever exploited before patches are released" as "is never vulnerable until a patch appears".
      • Re:Oh really? (Score:5, Informative)

        by arrogance ( 590092 ) on Thursday February 26, 2004 @01:17PM (#8399540)
        "We have never had vulnerabilities exploited before the patch was known," he said.
        Umm, that WAS in the article. Are you saying there's a difference between "was known" and "appears"?

        In the article, it seems quite clear that what they're saying is that most exploits come after the hackers have had a chance to compare patched VS unpatched systems to see what the changes are. But it's not just Microsoft saying this:
        "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec.
        In other words, I can see the point of view expressed in the article. I disagree with the parent in part (I think the attribution in the Slashdot story is sufficiently accurate) but that the specific (never had vulnerabilities exploited before the patch was known) is probably hyperbole. Hackers might be lazy, but they're not non-existent. There's no way M$ could even KNOW how many exploits have been made.
    • Re:Oh really? (Score:5, Insightful)

      by rseuhs ( 322520 ) on Thursday February 26, 2004 @12:50PM (#8399102)
      Windows will become more secure if Microsoft stops issuing patches?

      The really scary part is that this wasn't said by some marketing guy like Gates or Ballmer, it was said by the Microsoft Security Chief.

    • by ssbljk ( 450611 ) on Thursday February 26, 2004 @12:58PM (#8399222) Homepage Journal
      in the beginning there was Windows ... and it was secure ....

      then we downloaded damn patch :(
    • by jellomizer ( 103300 ) on Thursday February 26, 2004 @01:00PM (#8399238)
      Could this mean that Microsoft as a business exists moving in time backward? This explains Microsoft's quick profits and good business decisions back in the 80's, and over now in the 2000's a younger and less experienced Microsoft is making more mistakes and having a little more competition to deal with.

      I don't know about you but I confused myself.
    • by mpe ( 36238 ) on Thursday February 26, 2004 @01:10PM (#8399409)
      Sakes alive, the Microsoft spin machine has been well oiled this morning!

      They must have had a delivery of snake oil :)
    • by Zixia ( 534893 ) <biteme@cl[ ]rg.uk ['u.o' in gap]> on Thursday February 26, 2004 @01:26PM (#8399676) Homepage
      There has never been an exploit without a patch. Just the one.

      One! One exploit without a patch, and that other one against Internet Explorer.

      Okay, two exploits without a patch. Unless you count the many against Outlook Express.

      AMONGST THE EXPLOITS WITHOUT A PATCH ARE... Can we start the interview again?
  • Logic??? (Score:5, Insightful)

    by BWJones ( 18351 ) * on Thursday February 26, 2004 @12:22PM (#8398679) Homepage Journal
    Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So, the statement if confused might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather they are doing what they do for a likely monetary payoff.

    The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.

  • by Waab ( 620192 ) * on Thursday February 26, 2004 @12:22PM (#8398682) Homepage

    At best, the notion that patches are the source of all exploits is a logical fallacy [datanation.com]. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.

    I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.

    • by jruschme ( 76180 ) on Thursday February 26, 2004 @12:32PM (#8398830) Journal
      Actually, I think it has a sort of perverse logic (albeit a nearsighted one). If I understand it correctly, the idea is that when a patch is released, it opens up knowledge of a hole. This is similar to the whole argument about when to release info on a security hole.

      The problem with this reasoning is that it assumes the only people writing exploits are lazy/clueless enough to wait for someone to tell them what to exploit. It ignores the fact that there is a community of hackers out there actively looking for the holes.
    • by frankthechicken ( 607647 ) on Thursday February 26, 2004 @12:45PM (#8399026) Journal
      Indeed, if this was Microsoft's thinking, then they wouldn't release patches at all, creating the most secure Operating System available.

      I somehow think the quote might have been taken out of context, especially when he states that:-

      "Many people reverse engineer the patch and then build the exploit code,"

      I have a feeling that the main point of his statement, was that the majority of attacks are on unpatched systems. Certainly when you consider Symantec's Mr Beighton's statement:-

      "It's a myth that hackers find the holes,"

      He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.


      Which would probably be true, once the problem is widely known, then there is more likelihood for an exploit to be devised. Hence the more devastating attacks such as Code Red were centred around a previously patched exploit.
  • Simple solution (Score:5, Insightful)

    by shystershep ( 643874 ) * <.moc.liamg. .ta. .drehpehsdb.> on Thursday February 26, 2004 @12:22PM (#8398685) Homepage Journal
    If crackers never find exploits except for by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler?

    Also liked this quote, from the end of the article:
    "Almost all attacks against our software are against the legacy systems," he said.
    "If you want more secure software, upgrade."

    Hmmm.
  • by RobertB-DC ( 622190 ) * on Thursday February 26, 2004 @12:23PM (#8398693) Homepage Journal
    He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.

    "The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."


    I guess that explains why Windows doesn't include a "diff" function...
  • by daeley ( 126313 ) * on Thursday February 26, 2004 @12:23PM (#8398695) Homepage
    In related news, the Mayo Clinic has announced that if we eliminated cancer treatments, we would eliminate cancer.
  • So... (Score:5, Funny)

    by Niles_Stonne ( 105949 ) on Thursday February 26, 2004 @12:24PM (#8398705) Homepage

    So, instead of poor programming it's incompetent management?
  • by millahtime ( 710421 ) on Thursday February 26, 2004 @12:24PM (#8398706) Homepage Journal
    If a politician said something like this it would get torn apart by the media. If a scientist said something he would lose his credibility and there would be articles written to counter this in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.
  • by ackthpt ( 218170 ) * on Thursday February 26, 2004 @12:24PM (#8398709) Homepage Journal
    Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.

    I love how people with vested interests are called 'experts'

    thhhhhhhhhtttt *choke* *gag* "ahhhhhhh" So as I was saying, hackers haven't found any of these flaws and exploited them before they were patched. Man, this is some strong crack, I almost believe what I said, myself"

    And how do these fine experts actually know there aren't, at this moment, flaws being exploited left and right? Ah, they're experts, of course!

  • by andreMA ( 643885 ) on Thursday February 26, 2004 @12:25PM (#8398716)
    ... we seem to have skipped directly to April 1st...
  • Iraq (Score:5, Funny)

    by LittleLebowskiUrbanA ( 619114 ) on Thursday February 26, 2004 @12:25PM (#8398725) Homepage Journal
    This ranks right up there w/ the Information Minister... Looks like the corporate world is just as bad about propaganda as the gov'ts of the world.
  • by chaoskitty ( 11449 ) <john&sixgirls,org> on Thursday February 26, 2004 @12:26PM (#8398734) Homepage
    MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...
  • Spin, spun, spend (Score:5, Interesting)

    by Space cowboy ( 13680 ) on Thursday February 26, 2004 @12:26PM (#8398736) Journal
    This is a fabulous marketing manoeuvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.

    There *must* however be laws against making statements *that* outrageous...

    Simon.
    • Re:Spin, spun, spend (Score:5, Interesting)

      by prgrmr ( 568806 ) on Thursday February 26, 2004 @12:39PM (#8398943) Journal
      There *must* however be laws against making statements *that* outrageous...

      If the truth in advertising laws don't cover this, I would think that there are SEC regulations that do, particularly regarding an officer of a publicly held company knowingly making false statements to the public. Anyone know when the next insider trading window for Microsoft is scheduled?
  • Assume for me... (Score:5, Insightful)

    by lacrymology.com ( 583077 ) <nospamNO@SPAMminotaurcomputing.com> on Thursday February 26, 2004 @12:26PM (#8398744) Homepage
    ... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
    -m
    • by Mr. Sketch ( 111112 ) * <mister.sketch@nOSPAM.gmail.com> on Thursday February 26, 2004 @12:47PM (#8399051)
      In all honesty it does. Not me personally, but I have yet to convince my coworkers that security through obscurity doesn't work, and I'm sure they would use this article as proof. To the layman, this makes perfect sense: If the hackers can't see the code or haven't heard of the vulnerability, they can't hack the system. It's as simple as that to them. I keep trying to explain that hackers are resourceful and can still find vulnerabilities without source code and before it's known to the public, but they deem that to be 'near impossible' and far too time consuming.

      Sigh, it's a losing battle arguing with them, and I've pretty much given up.
  • On the same logic (Score:5, Insightful)

    by EulerX07 ( 314098 ) on Thursday February 26, 2004 @12:27PM (#8398761)
    An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked, since we do not know that they're unlocked there is no danger.

    Reply to this post with your street address and your usual work hours, thanks!
    • by e-Motion ( 126926 ) on Thursday February 26, 2004 @12:45PM (#8399031)
      An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked, since we do not know that they're unlocked there is no danger.

      A better analogy: It's more likely that a robber will be able to break into your home if he heard you explain how the lock on your door doesn't work terribly well. This sounds more reasonable, and is more like the point he was trying to make.
      • by EulerX07 ( 314098 ) on Thursday February 26, 2004 @01:13PM (#8399479)
        Correction on your analogy: If you don't tell anyone that your lock doesn't work terribly well it's just as safe as if it was working fine, and you can get around to fixing it 6 months from now, because it's not really a problem since nobody knows.

        Until someone tries to open the door to see if it is actually properly locked, or gets a tip that it isn't.

        Therein lies the flaw of "security through obscurity".

        I know exactly the point that he wants to make, it's that if no one talks or reports the security holes it's not a problem. But it IS!
  • Partly right (Score:5, Insightful)

    by Anonymous Coward on Thursday February 26, 2004 @12:27PM (#8398768)
    I must admit that they are partly right on this statement. As long as they don't publish a patch, most of the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.

    As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft just about gave out what is the problem and how to exploit it.

    So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.

    Just my opinion.
    • Re:Partly right (Score:5, Insightful)

      by Ubergrendle ( 531719 ) on Thursday February 26, 2004 @12:41PM (#8398979) Journal
      I think what the slashdot community needs to do is provide some factual evidence. Specifically:

      1) Identify known, 'in the wild' virii, that took advantage of a Microsoft vulnerability before MS announced a patch.

      2) Identify how many virii were developed/released using knowledge derived after announcement, or release of, a patch.

      Obviously there's way too many viruses to do a complete list, but say the major 10 virii per calendar year, would be a good sample. Case 1 would identify how many vulnerabilities are discovered by hackers through their own active behaviour, whereas Case 2 would help narrow down the % of virii related to script kiddies I think. I suspect the number of virii leveraging net-new vulnerabilities vs clones of existing code are at least 10:1.

      In the end, I unfortunately fear that there's a lot of truth in Microsoft's statements. It doesn't absolve them of being responsible for developing poor code in the first place, but the correlation they've identified is probably valid.
    • Re:Partly right (Score:5, Informative)

      by m0rph3us0 ( 549631 ) on Thursday February 26, 2004 @01:23PM (#8399627)
      How about [safecenter.net]
      24 unpatched IE exploits. No patches. Still exploited.

      QED.
  • by Tackhead ( 54550 ) on Thursday February 26, 2004 @12:28PM (#8398784)
    > 'We have never had vulnerabilities exploited before the patch was known'

    "Bullshit" doesn't begin to do justice of the level of falsehood present here. We're talking about taking the very essence of falsity, distilling it over the flames of ignorance, condensing it within intestinal walls of monumentally bovine intellectual apathy and sponsoring a college kegger with the elixir-excremento obtained therefrom.

  • Just one?? Really?! (Score:5, Informative)

    by thesolo ( 131008 ) * <slap@fighttheriaa.org> on Thursday February 26, 2004 @12:30PM (#8398802) Homepage
    I think [slashdot.org] he might [slashdot.org] be wrong [infoworld.com].
  • by La Camiseta ( 59684 ) <me&nathanclayton,com> on Thursday February 26, 2004 @12:30PM (#8398808) Homepage Journal
    "Almost all attacks against our software are against the legacy systems," he said.

    So is that what they're calling WindowsXP now?
  • by chill ( 34294 ) on Thursday February 26, 2004 @12:31PM (#8398822) Journal
    Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!

    This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?

    Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.

    -Charles

    P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?
  • by ageoffri ( 723674 ) on Thursday February 26, 2004 @12:32PM (#8398832)
    Wow looks like Microsoft has hired the Former Iraqi Information Minister.

    "The infidels' packets are slaughtering themselves at the ports to our OS"

    "There are no exploits against windows, they are all lies from the so called Open Source community"

    "We removed the Windows Update site to better serve our loyal followers."

  • by stratjakt ( 596332 ) on Thursday February 26, 2004 @12:34PM (#8398868) Journal
    The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.

    There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.

    The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.

    That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.

    And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosophy behind your OS choice.
  • Logic? (Score:5, Funny)

    by CaptainBaz ( 621098 ) on Thursday February 26, 2004 @12:35PM (#8398880) Homepage Journal
    Mr Aucsmith went on to prove that 1=2, that black is white, and promptly got himself killed on the next zebra crossing...
  • by dre23 ( 703594 ) * <slashdot@andre.operations.net> on Thursday February 26, 2004 @12:37PM (#8398909)
    Any bug is a potential security hole. And Windows has a lot of bugs. Fix the bugs, not the security holes, and your code will be more secure.

    Patching is great. Patch Management is great. But it doesn't keep the bad guys out, it just stops some worms. But then variants of worms come out.

    Clearly worms are a security threat. But there are many other security threats.

    Windows is not secure. NT NULL session, NetBIOS attacks (SAM and AD come to mind quickly), and even simple buffer overflows, format string attacks, etc ... these are POPULAR attacks against Windows that attackers are utilizing right now. Even when patched, some of these attacks still work. Why? Inherent network protocol design is part of it. But bugs are a huge part also.

    Reverse engineering patches... who needs to even go that far? Any engineer at Microsoft can just query their internal bug tracking system. An attacker could have a friend inside Microsoft who sends her/him a bug report. That friend could also be the target of social engineering. You saw the movie "Sneakers", right?

    Others can simply "grep" or "slint" the code. By reading the code, anyone can find a bug and make an exploit out of it. This has been widely done for a long time. It's not an uncommon practice, and it's not difficult.

    If coders want to fix security holes in their code, the only real place to start is by fixing the bugs. When Windows runs so smoothly and never app fails or hangs on me, When I no longer hear or see a BSOD, When hell freezes over -- Then Windows will be truly secure.

  • by u-235-sentinel ( 594077 ) on Thursday February 26, 2004 @12:37PM (#8398919) Homepage Journal
    "We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. "

    I've had my Windows XP system compromised a couple of times in the most interesting way. Fully patched and running SP1. I've even tightened up IE security to high and restricted what sites can do and firewalled. Despite my best efforts, somehow I must have hit a web site which they downloaded spyware onto my system. I couldn't see it running in the task bar but it was there.

    I found it by accident. From download.com I pulled several programs to scan for running processes. I noticed some weird stuff that Bill didn't put there. I didn't put it there also. Took a bit of work but it was eventually killed and I removed the programs from the system.

    Microsoft has no explanation for this other than "practice safe browsing". Great. So how is that accomplished using IE?

    BTW, Netscape in the same environment and same web sites hasn't given me the same headaches. Oh I'm sure there are problems. At least they are not as blatant as what Microsoft has been shelling out.
  • ROFLMAO (Score:5, Interesting)

    by RAMMS+EIN ( 578166 ) on Thursday February 26, 2004 @12:37PM (#8398923) Homepage Journal
    I didn't get past the first paragraph for fear of laughing myself to death:

    Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.


    How about they read and follow instructions to write exploits, or download and modify proof of concept code? Sounds a whole lot easier and lazier to me than reverse engineering the patches. And given that many of the script kiddies don't even understand the code that they themselves use...

    And that's the head of MS security dept. speaking? Now it all makes sense! At least the BBC had the decency to call them malicious hackers.
  • Then explain this. (Score:5, Informative)

    by gr ( 4059 ) on Thursday February 26, 2004 @12:38PM (#8398939) Journal
    Perhaps David Aucsmith would care to explain this [eeye.com] then? Though eEye (purposely) doesn't describe the vulnerabilities that they list there, it's been indicated (on mailing lists like Full-Disclosure) that several of them are being actively exploited.
  • by djh101010 ( 656795 ) on Thursday February 26, 2004 @12:40PM (#8398953) Homepage Journal
    It's lots of fun to bash an asinine statement from Microsoft such as this. However, how about we come up with a list of actual counterexamples? Which specific patches did they release in response to a real security problem that existed before the patch?

    I'll start. KB832894 "fixed" the exploits which used the user:password in the URL to authenticate to websites. It was there long, long before the patch (years, in fact).

    What other counterexamples do we have to show precisely how wrong Microsoft's statements are?
    • by freeweed ( 309734 ) on Thursday February 26, 2004 @01:16PM (#8399518)
      Windows file sharing.

      Back in the original 95 release, MS had a neat little bug. If you shared a folder, it was shared to the outside world by default (as it still is today, but I digress). The only security offered from within Windows was to password-protect the share. Now, the exploit:

      Windows 95, and also at least the original 98, both contained a bug in which only the first character of the password had to be guessed. So, if your password was "Slashdot", I could get into your share by simply using "s". Yup, 26 tries and I'm in (iirc windows passwords have to start with a letter, but even if not, the ascii character set isn't that big). Forget dictionary attacks on the password, you were basically in within a second - and of course denied logins didn't count against you.

      The patch for this wasn't released until well after 98 was on the market, which meant it sat for at least 3 years unpatched. I know damn well that it was known and being exploited before then, because I used to play jokes on my friends by getting into their supposedly protected folders. This was back in 1996.

      Opaserv, among other worms, used this hole to spread through a lot of systems, but I can't find the first date any of these were noticed. So I can't prove large-scale exploitation of this hole, but I do know that at least I was using it well before it was patched.
  • by richardbowers ( 143034 ) on Thursday February 26, 2004 @12:42PM (#8398987)
    A few weeks ago, we were treated to the BBC claiming that the Linux community was behind MyDoom, even after it had become clear to everyone else in the world that it was written by Spammers. This article isn't any better/worse - it's another thinly-disguised and apparently unresearched document, with no supporting statistics. Is there a reason to read this trash anymore, or should we switch to something more reliable, like the tabloids?
  • by Mr. Underbridge ( 666784 ) on Thursday February 26, 2004 @12:52PM (#8399127)
    OK, so let's get a list going of examples to the contrary of what this dipshit says.

    I'll give 2:

    1) The original Melissa email virus (enabled by idiotic default settings in OE)

    2) The one recently where remote web sites could hijack your address bar while redirecting you and doing nasty shit - that MS didn't patch for 6 months.

    Someone might say those weren't strictly "Windows," but both OE and IE come installed by default, so it counts for me.

    Others?

  • by AtariAmarok ( 451306 ) on Thursday February 26, 2004 @12:54PM (#8399155)
    In related stories, it has been revealed that firemen cause fires, policeman cause crime, and the good folks at Symantec have written all the viruses.

    Film at 11:00 (just after the anchorman tells us about all of the muggings he committed).
  • by SysKoll ( 48967 ) on Thursday February 26, 2004 @12:55PM (#8399164)
    This is marketing BS in the purest form. Here is a nice juicy MS vulnerability [infoworld.com] that wasn't found by reverse engineering a patch.

    As for real security experts, they routinely find vulnerabilities in Windows [eeye.com] before sending a description to MS which would then, a few months later, issue a patch. Maybe.

    There is a fine line between marketing and outrageous lying. I'm glad to see that MS gleefully steps over it every single time. Any other conduct would actually be unsettling. You see, we geeks revel in a binary vision of the world, and we cannot thank MS enough for consistently being a caricature of evil villain. It makes working against them so much more rewarding.

  • by ophix ( 680455 ) on Thursday February 26, 2004 @12:57PM (#8399202) Homepage
    i can tell you for a fact that the RPC hole was being exploited for at least 9 months before a patch was out. I know a few script kiddies in RL who were pissed off when the patch came out as they lost their doorway. I watched them do it a couple of times as proof. I pretty much will not put a windows box directly touching the outside world in any way shape or form now.
  • A crackers mind? (Score:5, Insightful)

    by miffo.swe ( 547642 ) <daniel...hedblom@@@gmail...com> on Thursday February 26, 2004 @12:58PM (#8399206) Homepage Journal
    Maybe MS is mixing things up? If you count worms and viruses as exploits in the same category as real breakins then by far those and script kiddies who use ready made exploits account for most breakins.

    Any sane cracker won't report his latest exploit to bugtraq. He will continue to use it until someone else finds out about it. When it hits MS and they patch it the cracker will have found another hole to use. The most dangerous breakins are of course corporate espionage and I think the ones doing those have a field day on Windows right now. They don't use common exploits that intrusion detection systems detect since they want in and out unnoticed, even if the systems in the target are unpatched.
  • by rmpotter ( 177221 ) on Thursday February 26, 2004 @01:01PM (#8399258) Homepage
    From the article:

    "It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
    He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.


    For the most part, I think this is true. Most Windows exploits DO "magically" appear a few days or weeks after a patch is available. Of course, hundreds of thousands of users never patch, or never patch in time. The "magic" lies in the symbiotic relationship between anti-virus software producers and malware creators.

    None of this excuses MS from releasing Swiss cheese code, but it looks like a lot of malware gets created after a "proof of concept" has been released by "security researchers".

  • Counterexamples? (Score:5, Insightful)

    by gmuslera ( 3436 ) * on Thursday February 26, 2004 @01:02PM (#8399262) Homepage Journal
    So there never was an exploit before a patch was available? I remember last year when there was a lot of exploited IIS with WebDAV enabled by default, like 2 or 3 days before Microsoft released the patch.

    Maybe they knew about the vulnerability for a week at that moment, maybe they were testing the patch, but the patch was not yet available, existing systems were being actively exploited, and site owners had no clue about that vulnerability because of the "will be no exploit till we release this patch" policy.

    I'm not sure if that is the best example, but at least it is one that is enough to show how much bullshit they used to tell in public.

  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday February 26, 2004 @01:03PM (#8399294) Homepage
    "A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."

    http://news.com.com/2100-1009-993276.html

    (This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)

    And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
  • by zerocool^ ( 112121 ) on Thursday February 26, 2004 @01:15PM (#8399506) Homepage Journal

    Few quick observations...

    1.) Microsoft end-of-lifed Windows 98 on Jan 16th of 2004. That's 6 years of supporting an operating system, folks. That's impressive. $100, and you got downloadable updates for 6 years? RHN subscriptions or enterprise Linux don't touch that. So, if they don't provide security updates for it anymore, it's only because, in terms of software, it's ancient and it should be phased out. Upgrading to get security sux, but who'd buy a new computer and willingly want to use their old Win98 on it (I know Slashdotters can always come up with whatever reasons for anything, but in the general public).

    Yes, the Linux kernel, even back to 2.2, is still being updated. And yes, Linux updates don't cost money. But, what if I have just downloaded kernel 2.4.11, and it works great, and oops, we found a problem in 2.4.11. The solution is to upgrade. Not patch. What if going to the new kernel breaks stuff that used to work, while in the process patching an old hole?
    This is different, but similar to MS. "You have a problem with 2.2.7? You should try to upgrade to 2.2.26 or 2.4.24." "You have a problem with Windows 98? You should upgrade to ME or XP."

    2.) The article claims Windows has not had security holes that were exploited before a patch was available. I don't think this was true, but keep in mind, the VAST VAST majority of Microsoft problems are with Outlook, Internet Explorer, Office, IIS, Exchange, etc. Technically, these are not Windows problems. It's like saying that wu-ftpd has an exploit that gives a user root access (which is almost always true), and then blaming that on the kernel dev team.

    Or, it's like OpenBSD. "Only one remote hole in the default install, in 7 years". My ass. The default install is unusable as an OS. How do they accomplish their security claim? Partially through well-written systems. Partially through turning off every freaking useful service known to man that you would want to run on a server. And yet, people hold them up as a paragon of security. The holes in OpenBSD are from other programs, the masses cry. But no one thinks about the same thing in terms of Microsoft.

    3.) The time warp thing is confusing me. Everyone is saying that it's a logical fallacy that Microsoft could have released patches for security bugs that are not yet discovered? Or, what, I'm not following. They have the code, they test it, they find a bug, they try to release a patch before it gets exploited. This involves, as has been discussed, not mentioning that there is a bug, but I suppose security through obscurity is still security.

    How many times have we seen a story on Slashdot that exclaims how Microsoft has yet another hole (!!!!1!) and then, 40 minutes after the bashers have played their part, someone comes on and says "people should have applied this patch (link) which is discussed in MS Knowledge base 7498923298232"? I see it all the time.

    The average Linux user is smarter than the average Windows user. Therefore, we tend to keep our shit up to date. Microsoft tries to make it as easy as they can, but there's no such thing as idiot proof (I mean, in Windows XP, the Windows Update service pops up on the first run of the OS and asks you if it can run in the background, checking for updates, and downloading / installing them automatically for you!).

    I'm not trying to defend Microsoft here, all I'm saying is that, before you bash them, think.

    ~Will
  • by geekee ( 591277 ) on Thursday February 26, 2004 @01:20PM (#8399591)
    "'[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."

    Although the MS guy overstates his case, it isn't always a good idea to release a patch for a system after an exploit is discovered internally that is not well known. The problem is that releasing the patch also alerts malicious individuals of the vulnerability. The real problem that must be solved first is figuring out a way to deploy a patch at a level near 100% so that releasing the patch does more good than harm.
  • Poor analogies (Score:5, Insightful)

    by ratpick ( 649064 ) on Thursday February 26, 2004 @01:21PM (#8399601)
    The analogies in previous posts (locked doors/crime, cancer/treatment, etc) are entirely inaccurate. A more proper analogy might be the fixing of a defective door/window in an apartment building, where the fix is observed and the problem exploited before all units are updated.

    Why is this phenomenon so hard to accept? When I first played around with Linux, I put up a server on multiple T1's of bandwidth to experiment. After pointing a domain to the system, it was attacked and compromised regularly, but only after a patch was released. Yes, that's right, Linux suffers the same problem. Now, I'm certainly not advocating the cessation of security patch development. The people reverse-engineering patches for exploits are small potatoes--the real threat is the person capable of ascertaining and exploiting holes on their own. However, releasing patches does facilitate the development of exploits by those who would otherwise be unable.

    I hate Microsloth as much as the next geek, but the issue here is not whether patches facilitate attacks (of course they do). Exploits will occur regardless, and I for one would rather have the opportunity to pro-actively patch my systems instead of hiding in a Saddam summer home. The issue is half-assed buggy software that requires so many patches, and security holes that totally compromise systems.

    Oh, and I don't buy the 'logical fallacy' BS either--I've seen it happen, so obviously their argument is invalid, or the premises false, or both.

    "Even logic must give way to physics."
  • by sootman ( 158191 ) on Thursday February 26, 2004 @01:26PM (#8399675) Homepage Journal
    "If you want more secure software, upgrade."

    OK, I'll take you up on this. Starting today, release no more patches for XP and 2003 Server (or IE or IIS or OE or MS-SQL or any other component.) We should see no new exploits from this day forward. We'll give it a year. If an exploit is found, I get your house and car. If no exploits are found, you get mine. Deal?

    PS: If you release another patch, I win. Any "feature upgrades" must be thoroughly examined by a 3rd party to make sure you aren't sneaking any patches in. I promise I will not actively look for exploits myself.
