Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Microsoft's Security Disclosures Come Under Fire 150

Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
This discussion has been archived. No new comments can be posted.

Microsoft's Security Disclosures Come Under Fire

Comments Filter:
  • Patches (Score:5, Funny)

    by dotslashdot ( 694478 ) on Thursday April 13, 2006 @07:49PM (#15126187)
    How would you like a birth control patch that also doubles as a nicotine patch without your knowledge? Sure you can have sex without worrying about getting pregnant, but there would be no cigarette afterwards. What MS has done is taken away the cigarette from the consumer. My Windows sex machine can "interface" all night long without getting pregnant, but it can still get STDs and won't be smoking any more afterwards.
    • Re:Patches (Score:5, Funny)

      by WilliamSChips ( 793741 ) <full.infinity@NOSPam.gmail.com> on Thursday April 13, 2006 @07:52PM (#15126203) Journal
      And I thought car analogies were bad...
    • Re:Patches (Score:1, Redundant)

      by geekoid ( 135745 )
      truly, your logic is dizzing...

    • Here is the problem (Score:5, Interesting)

      by IntelliAdmin ( 941633 ) * on Thursday April 13, 2006 @08:21PM (#15126378) Homepage
      The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.
      • by kaiwai ( 765866 )
        The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.

        Companies actually testing their software against the latest releases of Windows? thats definately a change from what I normally see; lazy software companies sitting around, rolling naked in money, then running an anti-Microsoft

        • by UncleFluffy ( 164860 ) on Thursday April 13, 2006 @10:58PM (#15127028)

          I'll say it once, and say it again; it isn't Microsofts responsibility to provide backwards compatibility to people

          I'd disagree, partially, with this. Yes, it isn't Microsoft's responsibility to provide backwards compatibility to people who have used undocumented behaviour - but where they have changed the API so that it no longer operates as documented, then it is their responsibility.

          • I'd disagree, partially, with this. Yes, it isn't Microsoft's responsibility to provide backwards compatibility to people who have used undocumented behaviour - but where they have changed the API so that it no longer operates as documented, then it is their responsibility.

            But that isn't the issue; the issue is, they FIX an API so that it works the way its documented, but people expect that they provide compatibility for those who relied on the API when it was broken.

            If something is broken, it needs to be

          • Who says they are only changing undocumented behavior?

            Who also left the behavior undocumented? If I am using MS API's then that would be SUPRISE MS!

        • Well, yes, but not really.

          As a software developer I can tell you that customers are a pain in the arse. I don't know if you know that yet, but most of them expect software to be written within 5 minutes of their first phone call that something is not like they want it. And I Microsoft releases patches, it's just not as easy as you say to simply demand a patch from the developers. I mean, come on, do you think that, especially for large scale enterprise applications, when a patch rolls in, they can deploy
          • by kaiwai ( 765866 )
            As a software developer I can tell you that customers are a pain in the arse. I don't know if you know that yet, but most of them expect software to be written within 5 minutes of their first phone call that something is not like they want it. And I Microsoft releases patches, it's just not as easy as you say to simply demand a patch from the developers. I mean, come on, do you think that, especially for large scale enterprise applications, when a patch rolls in, they can deploy everything in one day, fix,
    • Re:Patches (Score:1, Insightful)

      Aside from the terrible, terrible, sad analogy, do you enjoy Windows vulnerabilities as much as a cigarette after sex? Patching flaws without disclosure (as long as that is indeed what they are doing) is like taking a pill for a cold and having it cure your syphillis while it's at it.
      • Re:Patches (Score:4, Insightful)

        by RollingThunder ( 88952 ) on Thursday April 13, 2006 @10:47PM (#15126977)
        That's all well and good, right up until the point that the syphilis cure also causes a fatal allergic reaction in a small but significant percentage of the population.

        Patches can break things. This is why disclosure of what it's touching is important, so you can properly test that everything it touched still works after the patch.
      • I believe a more apt analogy would be taking a pill for your cold and getting chemo in addition. And then you have to take another pill to fix that problem, but it gives you syphillis. Then you take another pill and it cures your syphillis and gives you the cold - so you're back where you started, just with a lot less time.
    • How would you like a birth control patch that also doubles as a nicotine patch without your knowledge?

      Believe me, you would know. When I tried to quit using nicotine patches, the first thing I noticed was that they irritated my skin. You could tell where the patch had been by the red welt. The other problem I noticed was that, since it delivers a constant dosage of nicotine, I would feel hyper all day and have difficulty sleeping. Finally, if I broke down and had a cigarette anyway, more often than not I
  • If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you? The sad truth is that most systems remain unpatched. Granted, Microsofts assumption that it's customers are idiots that couldn't handle the truth is annoying to those of us that do understand the problems, but in the majority of cases there assumption is pretty close to the truth - they are protecting the naive by not giving hints out to t
    • by Anonymous Coward
      No it's not a bad thing.

      Go read up one of the gazillion explanations of "full disclosure".
    • Yes (Score:5, Insightful)

      by WebHostingGuy ( 825421 ) * on Thursday April 13, 2006 @08:02PM (#15126270) Homepage Journal
      This brings up the age old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the Courts and Cisco ended up with a public black-eye. Based upon the IT reaction to that I would venture the assumption that we want to know.
      • Re:Yes (Score:3, Interesting)

        by TheSHAD0W ( 258774 )
        Well, it's one thing if Microsoft says "this is an update", as opposed to "this eliminates a security flaw". I don't think Cisco was explicitly stating that patches were for security, and I don't think Microsoft could be expected to be responsible if it issues a patch labeled as a security fix and a user doesn't apply it.
      • Otherwise the end user might not apply the patch

        Quite frankly I don't think the end users are so selective about their patching. If you see a critical patch, you apply it and that's that. In a corporate setting they may be more selective, but the average Joe goes all the way.

        • The average Joe is not the customer who loses twenty million dollars when a patch unexpectedly breaks a legacy app three months after it was installed, leading to downtimes as a suitable old version of Windows has to be found and redeployed.
          • But what if the supposedly wise guy that had decided not to install the patch because it might break something gets bitten by an attack because the patch wasn't installed?
            In hindsight it is always easy to say "you should not have installed the patch without 3 months of testing you dumbo", but in practice you can hardly test the full functionality of a system before deciding that a patch is OK to release. See the article about breaking Word 2002 on this page. Who would guarantee that this would be found, m
            • That makes sense, but my point is that even though the majority of users (would) install every single patch and thus don't need detailed information about what it does to which parts of the system some very large customers need this very information to identify potentially harmful updates - and while Joe Sixpack might lose a couple dollars worth of data when his system goes haywire a company with a large datacenter might lose much more money and might want it back from Microsoft when it turns out that they
      • You obviously aren't that familiar with the subject matter.

        By default windows update doesn't even prompt you to install patches. You can opt to be prompted before installing patches.

        However Windows Update categorises its patches. All patches automatically downloaded or presented to the user are categorised and represented as critical patches. Non-critical patches can only be downloaded by going to the windows update site and electing to download and install them.

        Consequently you know that all up
    • I believe the following quote from the article better summarizes the dude's argument:

      "As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information"
    • I agree to an extent but someone who's going to exploit whats being patched can easily look at the patch and create their own roadmap, or at least a sketchy pirate map of what was wrong. Better to disclose the information in my opinion and let the naive suffer.
    • by hweimer ( 709734 ) on Thursday April 13, 2006 @08:07PM (#15126300) Homepage
      If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?

      You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
      • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday April 13, 2006 @09:47PM (#15126727)
        The bad guys don't need to spend time with compatibility or regression testing for their software.

        They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.

        Attempting to hide information doesn't help anyone except the vendor and the bad guys.

        At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.
    • Of course it is... (Score:3, Insightful)

      by TheNoxx ( 412624 )
      Microsoft's just trying to save face, they could quite obviously still tell you that your applications and/or operating system had flaws that you needed to be aware of without going into specifics. Regardless of how much they want to disclose, one would imagine that they should have a legal responsibility to their customers to release any knowledge they have about a fault in their product that could compromise the security of their customers financial and private information, particularly in today's age of
    • Microsoft doesn't fully document their system. Most people depend on third party documentation -- some (or much) of which is reverse engineered (against the eula). In any case, people are regularly using methods that are officially undocumented -- no matter how many people use them.

      The problem arises when Microsoft decides that an 'undocumented' capability is the source of a bug. They fix the hole, but this may break your software in unpredictable ways. If you don't know what they fixed, you have no id

      • "If a patch breaks a mission critical piece of software it could cost some companies hundreds of thousands of dollars an hour."

        If you deploy a patch on a mission critical (I cringe to think anything considered "mission critical" would be running on a windows box) machine without testing to see if it breaks anything, then you deserve to lose hundreds of thousands of dollars an hour.
        • ...without testing to see if it breaks anything, then you deserve to lose hundreds of thousands of dollars an hour.

          True, but you can't always do exaustive testing, so you test based on what you think has changed (plus a bit of random testing just to make sure).

          If MS tells you that they've changed A, B and C, then you test to make sure that those changes won't break your system. If you aren't aware that patches X, Y and Z have been included in your patch then you won't know to do extra testing of the

    • Why is it bad? Because when Microsoft claims that Linux is more vulnerable then it is bad. Also, it is bad when Microsoft claims that there have been less bugs in MS than in Linux or any other operating system. It seems more like a marketing attempt than anything else. With MS getting beat up over security, they can look good by simply not telling people that it has been patched.
  • by Ramble ( 940291 ) on Thursday April 13, 2006 @07:52PM (#15126201) Homepage
    As long as Microsoft are fixing them I'm not too bothered about this, but it would be nice to know what exactly they are fixing.
    • Exactly...at least they are trying. As long as they *are* fixing it, who cares what they are hiding. Just fix the damn thing! :)
    • Yeah, who cares about the fact that they are deliberately witholding information that can directly threaten their customers? I'm perfectly happy that my network security matters less to Microsoft than their image does. As long as they get around to fixing whatever the hell the problem was, it's all good, right?

      It appears to me that there are two possibilities here:
      1. The IT community is drinking MS kool-aid.
      2. The IT community is absolutely fucking overrun with astroturfers.
  • by NotQuiteReal ( 608241 ) on Thursday April 13, 2006 @07:52PM (#15126204) Journal
    For most folks, hey, it's all mumbo jumbo anyhow. Closed source, closed patches. "It's an update, Trust us, you want it." - OK, Click.

    For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".

    • Why is it any different for a MS using business user?

      Look, you do not have the source, so you are already incapable of knowing what is going on. Combine that with MS's lack of veracity, and you have a company that you should not trust. Yet you will.

      For all pratical points, Business users have no more reason to know than does a home user. In fact, I think that MS should put out their releases with simple names on each patch. That is function a, b, c, etc and 0 explaination of what it is. That would enc
      • The problems happen when a business finds that an update causes problems for important software. Given the list of fixes the admins may determine that the problem fixed in the update does not effect the system. e.g. the update is for a bug in telnet, but telnet is blocked by the firewall. So the update is not installed. However unknown to the admins the update also fixes a very serious bug that does affect the system.

        System admins need to know the full details of the updates.
      • For all pratical points, Business users have no more reason to know than does a home user

        For the average business user, they don't need to know details. But I think we are talking about the average business sysadmin. They are the ones that have to explain to a VP why the patch they just installed crashed some critical program or trashed some data. They need to test what the patch specifically does so they can see if it affects anything. With more specificity, it is easier to test. Otherwise, they have

    • Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".

      Too bad you are using software from a company that thinks it's OK to treat people like "consumers". When you think it's OK to treat one person that way, who won't you abuse?

      • Too bad you are using software from a company that thinks it's OK to treat people like "consumers".

        What?

        Every company treats people who use their product as "comsumers". That's what that word means. Or did you mean to use the word "commodity"?
  • by Anonymous Coward
    FTA ...."is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11"

    Other than being nice and helpful, does Microsoft have a duty to advise everyone of product flaws?

    I believe corporations should be responsible but I fail to see any law or EULA where such notifications are required.
    • by walt-sjc ( 145127 ) on Thursday April 13, 2006 @08:45PM (#15126483)
      I would think that corporate "Software Assurance" customers who are paying for continual updates and support, and have to support MANY legacy applications that may be affected by such flaws or patches would be (and ARE) demanding such notifications. Joe Bob Home User does't really care, but Fortune 100 Fred in IT sure does, especially when his job (which is to keep the companies infrastructure up and running) is on the line.
    • by Anonymous Coward
      Virginia Law states that you have to be informed of what the software does to your computer, i.e. they can't sneak stuff in like that legally, if the accusations are true, this could get hairy.
    • >> I fail to see any law or EULA where such notifications are required.

      There are things you do because of the law and then there are things you do because they're right. The issue at stake is the how much you trust MS to not break things with their fixes. What happens if a fix causes a critical application to break?

      Say this was at a paitent records system in a hospital? Say they changed their image handling code and xrays could not be displayed because the fix broke something either in operating syste
  • I would speculate that more people download Windows updates then almost any other piece of software (mostly because they are unaware mostly because this feature comes standard and enabled in Win XP). So why would microsoft want to divulge the security holes it is patching so openly? If I was looking to break into someone elses system the first place I would go is to microsoft.com check to see what security holes it has just patched and then see if my neighboor has patched yet.

    It would be way to easy for pe
    • It would be way to easy for people to learn about the problems that microsoft has riddled the world with.

      Fine, but then wouldn't security/bug comparisons with open operating systems be skewed heavily in Microsoft's favor? I suspect that if they truly are hiding something, it is more about marketing than security.

  • I think the real point of the article was a few paragraphs in when Murphy said that "You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk."

    One of my favorite things about open-source systems like Redhat's RHN up2date is that you know exactly what a patch will effect and what code it will be changing. An update to the kernel, or to an individual pro
    • by TubeSteak ( 669689 ) on Thursday April 13, 2006 @08:05PM (#15126283) Journal
      Murphy has not yet tested the patch to determine whether the drag-and-drop issue was actually fixed, but, even without testing, he argues that the way the information was released leaves everyone guessing.
      WTF?

      The guy making all the noise is just shooting his mouth off until he's actually tested the patch.

      Yes, he has a valid gripe that the wording is unclear, but the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.

      It's incredibly stupid to put yourself out on the line like that. One day it'll come back and bite him when he's wrong.
      • Flame on! (Score:3, Interesting)

        by twitter ( 104583 )
        The guy making all the noise is just shooting his mouth off until he's actually tested the patch. ... the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.

        No, the crux of his complaint is that he can't tell what he's supposed to be looking for. How is he supposed to test what M$ does not tell him? For some reason he thinks M$ is going to tell him what their "updates" do. How many hours do you expect him to test every month?

        It's incredibly

        • As this AC points out [slashdot.org] you seem to troll rather often.

          However, I will address your post:
          He has specific complaints about ONE patch. It would have been prudent for him to make some efforts towards testing the ONE patch he has a problem with.

          When someone comes to me with a computer (or other) problem, I ask them 1. what they think is wrong and 2. what did they do to try and solve it. My problem is that he didn't even make a token effort at step 2. He stopped at step 1 (I don't know what this patch is doing) an
          • Re:Flame on! (Score:2, Informative)

            When someone comes to me with a computer (or other) problem, I ask them 1. what they think is wrong and 2. what did they do to try and solve it. My problem is that he didn't even make a token effort at step 2. He stopped at step 1 (I don't know what this patch is doing) and then went complaining.

            The reason he's complaining is because each patch report is supposed to cover a patch that fixes a specific problem, linked to with the bug report. His complaint isn't with the patch. It's with the report about th
          • As this AC points out you seem to troll rather often.

            I make some losers angry by adding signal to their noise and spoiling their astroturfing:

            There's only two or three of these turds, but they brag about all the noise they can make with their botnets. There's plenty more that are not dumb enough to brag.

            However, I will address your post: He has specific complaints about ONE patch. It would have been prudent for him to make some efforts towards testing the ONE patch he has

      • That's what happens when you're out of your element [bluesbrotherscentral.com]
    • I like what you've said and agree. , I work in the aviation industry and aircraft manufacturers release similar 'patches'. One operator of a certain aircraft (say B747) discovers a crack in a certain part of the wing, or a control cable that is jamming. They report this to Boeing, who then release a service buletin to all the users with all the details, inluding the approprite timeframe with which the inspection / modification must take place and steps required for the repair.
      It may be to inspect a part,
      • "Hey Joe! Does the reactor look like it'll be ok for 5 minites? I have to do the weekly scheduled reboot of the emergency shutdown system ........"

        I would have some SEVERE issues with any product or service that was using any windows platform for safety-critical systems.

        Just the fact that they're trying to do "safety" on such an unreliable platform should make you wonder about their compotence
      • I think you've hit the nail on the head, but it seems even worse than that. Without MS providing enough information, we don't know which is going to be worse, the patched or the unpatched system, until exhaustive testing is done or until there is catastrophic failure. So, we're basically screwed either way unless we can just halt all operations, in which case we're basically screwed from a business standpoint.

        This is the basic gist of the complaint as I understand it. I think you were saying roughly the sam
  • To me this looks like MS have patched the flaw they say they have, and maybe seen some other bugs that were in there whilst they were there.

    This is not necessarily a good thing though, as vagueness in what a patch fix implies vagueness in testing that the patch works properly. Microsoft should post exactly what it fixes, so people know what they are putting on their system. For instance, what if the patch breaks third party software? As the third party won't know what was changed, they can't fix it.

    • "This is not necessarily a good thing though, as vagueness in what a patch fix implies vagueness in testing that the patch works properly." You're either kidding, or you've never been part of a software development organization.
      • I'm not kidding at all. Also, I work as a Telecoms software engineer and so I would say I have a fair experience of working with software development.

        We test our patches before they go out. When an application is patched, the entire functionality of the application is re-tested and particular attention is paid to issues which have recently been fixed in the same code, and are outstanding in the code.

        This way, when we write the release notes for the patch, we can provide a list of any known bugs that the

  • Whiner (Score:2, Insightful)

    by numbsafari ( 139135 )
    If I'm getting the gist of the article correct, it sounds like this guy is just whining because he found a variation of a vulnerability that was being fixed and he didn't get his name posted in the headline as finding the main vulnerability.

    So, really, this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.
    • this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.

      He was pretty clear about it all:

      The bottom line is this: we just dont know [what's being patched].

      Your little smear does nothing to change that fact.

  • MS is pretty well getting in the habit of understating or perhaps blandly stating any problems. I particularly have noticed that with every release of Windows, error messages get more and more vague. I fully expect that by the time Vista makes it to market, all error messages will be replaced by a single pop-up that reads "Something bad happened". Figuring out exactly which bad thing happened will be left as an exercise for the poor techie who gets called in to "Fix this problem right now!".

    • This doesn't really matter. End-users do not read popup messages anyway, because they have developed a semiconsious habit of clicking away any dialog that only has an OK button. Small wonder, because those appear for so many reasons that one cannot afford to spend the time to learn about all of them.

      What an OS should do is to present the "Something bad happened" to the user, and log the real error in the system log with enough detail for the techie to analyze it.
      This is being done in Windows, but not to t
  • Hidden DRM? (Score:5, Interesting)

    by Clazzy ( 958719 ) on Thursday April 13, 2006 @08:08PM (#15126302)
    Remember when there was an update to Windows Media Player that added those DRM module things and there was a big outcry? I may be acting a bit paranoid, but isn't it remotely possible that Microsoft could sneak in other restrictions like this without users ever knowing?
    • Re:Hidden DRM? (Score:3, Interesting)

      by Cheapy ( 809643 )
      Of course, but it's also possible to have MS slip in some monkey porn in those updates too.

      Possible, but not that probable.
      • Possible, but not that probable.

        Monkey porn might be not probable, but as the GP pointed out they already did include restrictions in an update, so its not improbable at all that they will do it again.

  • by MyLongNickName ( 822545 ) on Thursday April 13, 2006 @08:08PM (#15126304) Journal
    New patch advisory: "This patch solves yet another attack vector that can be exploited by a malicious hacker. The fact is, this is like sticking your finger in a dike. Actually, it is more like sticking your finger in a non-existant dike against a tsunami. Tomorrow, five other security holes will be discovered. Odds are, this patch will introduce yet more attack vectors. You are screwed"

    Microsoft: You may use the above for a small fee. TIA. HTH.
  • I think the fear is when they start "patching" the "flaw" where your computer doesn't send Microsoft [insert your sensitive data here].

    Until then, this is fine. (But when is then?)
  • by WillAffleckUW ( 858324 ) on Thursday April 13, 2006 @08:34PM (#15126440) Homepage Journal
    Hello, we'd like to announce a new security patch, that's um, kind of critical. What is it? Well, let's just say when we say it, everyone said "OMFG!" and started running around like people with their hair on fire ...

    Now, we can't tell you what it is, because if we did that, you might clue in that we probably made the same mistake in pretty much all the code we rolled out to give you that latest Feature (Patent Pending), and telling you would mean that lots of script kiddies would be making your copy of Windows Vista turn into a large pr0n server that played Death Metal tunes.

    So, just trust us on this one, and ... well ... it's not optional.

    P.S.: Please ignore the large backdoor we installed to scope your box out to see if you're trying to run some kind of Linux device on your network. It's just there for ... um ... your security ... yeah, that's right ...
  • by NullProg ( 70833 ) on Thursday April 13, 2006 @09:00PM (#15126538) Homepage Journal
    How to find out? MD5 sum your /windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 Sum again after the patch and compare the results. bdiff the questionable file differences and dis-assemble. At least thats what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).

    Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.

    Enjoy,
    • Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.

      Only if life were that simple; if WINE were 100% reliable and every application worked out of the box, the need to use Windows for many users would be a non-issue; the problem is, people remain with Windows for the very reason that they need applications, they aren't available for *NIX, but at the same time, they're not going to biff out their

  • Not such a big shock (Score:4, Informative)

    by Stephen Samuel ( 106962 ) <samuel&bcgreen,com> on Thursday April 13, 2006 @09:22PM (#15126635) Homepage Journal
    My question wasn't if MS was going to get nailed for doing something like this, it was when.

    The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.

    The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.

  • by CyberSlugGump ( 609485 ) on Thursday April 13, 2006 @09:37PM (#15126686)
    This site mentions a high-level I/O-processing bug that was present in csrss.exe [tesco.net] in many versions of NT/2K/XP that could be triggered by something as simple as a opening a text file that contains a bunch of backspace characters.

    "On 2002-09-24, Microsoft KnowledgeBase article ID Q311486, promised six months ago, finally appeared. Its publication date is falsified to claim that it appeared on 2001-10-26. It talks about programs that "pass invalid screen size parameters" when the sample program code that it gives for replicating the bug clearly contains nothing at all relating to screen size parameters."
  • by Master of Transhuman ( 597628 ) on Thursday April 13, 2006 @09:54PM (#15126753) Homepage
    You tell people what you're doing to their systems.

    It's that simple.

    Security reasons, or no security reasons, you tell people. Anything else is misleading, which equates to lying.

    They own the systems, not you, regardless of your fucking EULA.

    Then if anybody doesn't care or doesn't want to know, it's on them.
  • This eWeek story is about nothing. Please don't encourage them by posting links to it.

    Every software maker there is will fix bugs or patch holes without disclosing them. The story is obviously some green journalists first attempt.
    • Does your using spaces.msn.com/altitudinous/ (linked from http://www.petesmith.co.nz/ [petesmith.co.nz]) as your web site have anything to do with your astroturfing? I am a bit surprised that your web site didn't go to microsoft.nz.

      What is your source for claiming that "Every software maker there is will fix bugs or patch holes without disclosing them."? I don't believe that this is a true statement.

      The author of the story was Ryan Naraine; Google his name and you will find that he is not a green journalist and it does not
  • by Master of Transhuman ( 597628 ) on Thursday April 13, 2006 @10:01PM (#15126784) Homepage
    Last year when I had my problem with Windows 2000 hosing my system's partition table because installing it with Service Pack 3 on, THEN installing Service Pack 4 was insufficient to prevent it from hosing the partition table on a big disk when the outer portions of the disk eventually ended up being used, I finally dug up a Microsoft Knowledgebase article that admitted that "some disks" geometry wouldn't be read correctly in that situation.

    Nowhere did Microsoft identify WHAT disks, WHY, or HOW. It was a "throwaway line" like that referenced in the present article. Microsoft was happy to say that LBA48 was supported by Windows 2000 Service Pack 4, but NOT that if you installed it first WITHOUT Service Pack 4 and then installed SP4, that Windows 2000 would silently wait until you actually tried to use the larger partitions before trashing your hard drive.

  • by ktakki ( 64573 ) on Thursday April 13, 2006 @10:44PM (#15126959) Homepage Journal
    Yesterday, my office gets a frantic call from one of our clients, a lawyer. She had a filing deadline and was trying to finish a document she needed for this filing. Word 2002 stopped responding to user input every time she tried to save her document. All of my techs were out in the field, so I had to respond to this one (I'm VP Operations).

    True enough, saving a document in Word or trying to open a new one while another document was open would hourglass the cursor. Only Task Mangler could end WINWORD.EXE.

    Sysinternals's PROCEXP showed that every time a document was saved, Word would spawn VERCLSID.EXE as a child process, an executable that was "patched" by KB908531, which was pushed through Windows...err, Microsoft Update the day before.

    I googled "verclsid" [google.com]. Let me tell you that yesterday, this search string returned no results. This morning, it returned exactly one [microsoft.com]. Now, it comes up with 67 web hits and 21 Usenet results [google.com].

    Also, because of this "patch", typing "www.google.com" would return the generic IE "Server Not Found" page. One had to prepend "http://" to the URL. VERCLSID.EXE checks the validity of COM objects, so the damage wasn't confined to Office applications; it affected EXPLORER.EXE and IEXPLORE.EXE.

    The workaround was to rename the current version of VERCLSID.EXE and restore the file from the backup created by KB908531 (a System Restore would have sufficed as well). I expect a patch for the patch to be released by Microsoft Real Soon Now. I guess this one was rushed out the door without sufficient testing.

    Our company policy for patches is this: updates for servers are tested in-house before being deployed on production machines. For workstations, however, Windows Update is set to automatically update, unless the client's workstations run legacy applications, like the Reflection terminal emulator, or if high-end esoteric applications are present, like DataCAD or Design 20-20. As with servers, they're tested on a non-production system first.

    I'd say that 10% of our clients got burned by 908531. Rolling it back wasn't that hard once we identified the problem, but this costs money.

    I don't want to single out MSFT; last year an Apple Mac OS X security update broke Samba for me for about a week until I could figure out a workaround. But let's put this in perspective: how many people using Mac OS X (2 to 5% of the workstation market) also use Samba? Contrast this with the percentage of Windows XP/2K users also using Word (must be in the high 80% range), Internet Explorer, and the GUI, all affected by a buggy 908531 patch.

    k.
    • by Ohreally_factor ( 593551 ) on Friday April 14, 2006 @02:55AM (#15127757) Journal
      [Medium Close Up of Lawyer against a white background. She is wearing a gray hoody. Her eyes are red and she appears stoned.]

      Lawyer: I was writing an appellate brief . . .

      Lawyer: And it was like beep, beep, beep, beep, beep!

      [Lawyer gestures spasctically.]

      Lawyer: And then, like, half my case law cites were gone.

      [Lawyer shrugs]

      Lawyer: And I was like, huh?

      Lawyer: It devoured my appellate brief. And it was a really good appellate brief.

      Lawyer: Then I had to write it again, but I had to write it fast, so it wasn't as good.

      Lawyer: It was kind of a bummer.

      Lawyer: I'm Ellen Feiss, and I'm an appellate lawyer.

"All we are given is possibilities -- to make ourselves one thing or another." -- Ortega y Gasset

Working...