Microsoft's Security Disclosures Come Under Fire 150
Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
Patches (Score:5, Funny)
Re:Patches (Score:5, Funny)
A problem of audience. (Score:2, Funny)
Re:A problem of audience. (Score:2)
Re:A problem of audience. (Score:2)
Re:A problem of audience. (Score:2)
Re:A problem of audience. (Score:2)
Re:A problem of audience. (Score:1)
Re:Undeniable proof (Score:2)
Re:Undeniable proof (Score:1)
Re:Patches (Score:1, Redundant)
Re:Patches (Score:3, Funny)
Here is the problem (Score:5, Interesting)
Re:Here is the problem (Score:1, Insightful)
Companies actually testing their software against the latest releases of Windows? That's definitely a change from what I normally see; lazy software companies sitting around, rolling naked in money, then running an anti-Microsoft
Re:Here is the problem (Score:4, Insightful)
I'll say it once, and say it again; it isn't Microsoft's responsibility to provide backwards compatibility to people
I'd disagree, partially, with this. Yes, it isn't Microsoft's responsibility to provide backwards compatibility to people who have used undocumented behaviour - but where they have changed the API so that it no longer operates as documented, then it is their responsibility.
Re:Here is the problem (Score:1)
But that isn't the issue; the issue is, they FIX an API so that it works the way its documented, but people expect that they provide compatibility for those who relied on the API when it was broken.
If something is broken, it needs to be
Re:Here is the problem (Score:2)
Who says they are only changing undocumented behavior?
Who also left the behavior undocumented? If I am using MS APIs then that would be SURPRISE MS!
Re:Here is the problem (Score:1)
As a software developer I can tell you that customers are a pain in the arse. I don't know if you know that yet, but most of them expect software to be written within 5 minutes of their first phone call that something is not like they want it. And if Microsoft releases patches, it's just not as easy as you say to simply demand a patch from the developers. I mean, come on, do you think that, especially for large scale enterprise applications, when a patch rolls in, they can deploy
Re:Here is the problem (Score:1, Interesting)
Re:Patches (Score:1, Insightful)
Re:Patches (Score:4, Insightful)
Patches can break things. This is why disclosure of what it's touching is important, so you can properly test that everything it touched still works after the patch.
Re:Patches (Score:2)
Re:Patches (Score:1)
Believe me, you would know. When I tried to quit using nicotine patches, the first thing I noticed was that they irritated my skin. You could tell where the patch had been by the red welt. The other problem I noticed was that, since it delivers a constant dosage of nicotine, I would feel hyper all day and have difficulty sleeping. Finally, if I broke down and had a cigarette anyway, more often than not I
Re:Patches (Score:2)
As in: "Here, try this nice PC with the built-in Windows OS - won't cost you anything for a hit!"
As in: 'Here, just pony up two million bucks for our Software Assurance Contract - guaranteed new OS in three years!"
As in: "Whatdayamean, you didn't get no new OS in three years! It's coming out this November! Shut the fuck up and pay up!"
Re:Patches (Score:2)
Is this really a bad thing? (Score:2, Insightful)
Re:Is this really a bad thing? (Score:2, Interesting)
Go read up one of the gazillion explanations of "full disclosure".
Re:Is this really a bad thing? (Score:1, Interesting)
Yes (Score:5, Insightful)
Re:Yes (Score:3, Interesting)
Re:Yes (Score:2)
Quite frankly I don't think the end users are so selective about their patching. If you see a critical patch, you apply it and that's that. In a corporate setting they may be more selective, but the average Joe goes all the way.
Re:Yes (Score:2)
Re:Yes (Score:2)
In hindsight it is always easy to say "you should not have installed the patch without 3 months of testing you dumbo", but in practice you can hardly test the full functionality of a system before deciding that a patch is OK to release. See the article about breaking Word 2002 on this page. Who would guarantee that this would be found, m
Re:Yes (Score:2)
Re:Yes (Score:2)
By default windows update doesn't even prompt you to install patches. You can opt to be prompted before installing patches.
However Windows Update categorises its patches. All patches automatically downloaded or presented to the user are categorised and represented as critical patches. Non-critical patches can only be downloaded by going to the windows update site and electing to download and install them.
Consequently you know that all up
Re:Is this really a bad thing? (Score:2)
"As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information"
Re:Is this really a bad thing? (Score:2)
Security by obscurity at its best (Score:5, Insightful)
You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
Remember, boys and girls. (Score:5, Insightful)
They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.
Attempting to hide information doesn't help anyone except the vendor and the bad guys.
At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.
Of course it is... (Score:3, Insightful)
Re:Of course it is... all your responsibility... (Score:2, Informative)
Re:Is this really a bad thing? (Score:3, Interesting)
The problem arises when Microsoft decides that an 'undocumented' capability is the source of a bug. They fix the hole, but this may break your software in unpredictable ways. If you don't know what they fixed, you have no id
Re:Is this really a bad thing? (Score:1)
If you deploy a patch on a mission critical (I cringe to think anything considered "mission critical" would be running on a windows box) machine without testing to see if it breaks anything, then you deserve to lose hundreds of thousands of dollars an hour.
Re:Is this really a bad thing? (Score:2)
True, but you can't always do exhaustive testing, so you test based on what you think has changed (plus a bit of random testing just to make sure).
If MS tells you that they've changed A, B and C, then you test to make sure that those changes won't break your system. If you aren't aware that patches X, Y and Z have been included in your patch then you won't know to do extra testing of the
Re:Is this really a bad thing? (Score:2)
Does it really matter? (Score:3, Insightful)
Re:Does it really matter? (Score:1)
Re:Does it really matter? (Score:2)
It appears to me that there are two possibilities here:
For "users" it is fine... For biz - no. (Score:5, Insightful)
For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".
Re:For "users" it is fine... For biz - no. (Score:2, Interesting)
Look, you do not have the source, so you are already incapable of knowing what is going on. Combine that with MS's lack of veracity, and you have a company that you should not trust. Yet you will.
For all practical points, Business users have no more reason to know than does a home user. In fact, I think that MS should put out their releases with simple names on each patch. That is function a, b, c, etc and 0 explanation of what it is. That would enc
Re:For "users" it is fine... For biz - no. (Score:2)
System admins need to know the full details of the updates.
Re:For "users" it is fine... For biz - no. (Score:2)
and without source they never will.
Re:For "users" it is fine... For biz - no. (Score:2)
For the average business user, they don't need to know details. But I think we are talking about the average business sysadmin. They are the ones that have to explain to a VP why the patch they just installed crashed some critical program or trashed some data. They need to test what the patch specifically does so they can see if it affects anything. With more specificity, it is easier to test. Otherwise, they have
Sucks to be you. (Score:2)
Too bad you are using software from a company that thinks it's OK to treat people like "consumers". When you think it's OK to treat one person that way, who won't you abuse?
Re:Sucks to be you. (Score:2)
What?
Every company treats people who use their product as "consumers". That's what that word means. Or did you mean to use the word "commodity"?
Re:For "users" it is fine... For biz - no. (Score:1)
Corporate responsibility? (Score:1, Interesting)
Other than being nice and helpful, does Microsoft have a duty to advise everyone of product flaws?
I believe corporations should be responsible but I fail to see any law or EULA where such notifications are required.
Re:Corporate responsibility? (Score:5, Insightful)
Re:Corporate responsibility? (Score:1, Interesting)
Re:Corporate responsibility? (Score:3, Interesting)
There are things you do because of the law and then there are things you do because they're right. The issue at stake is the how much you trust MS to not break things with their fixes. What happens if a fix causes a critical application to break?
Say this was at a patient records system in a hospital? Say they changed their image handling code and xrays could not be displayed because the fix broke something either in operating syste
Re:Corporate responsibility? (Score:2)
Yeah, we know. Right down that slippery slope.
Microsoft being vague... (Score:2, Insightful)
It would be way too easy for pe
Re:Microsoft being vague... (Score:3, Insightful)
Fine, but then wouldn't security/bug comparisons with open operating systems be skewed heavily in Microsoft's favor? I suspect that if they truly are hiding something, it is more about marketing than security.
Real truth of the article (Score:2, Insightful)
One of my favorite things about open-source systems like Redhat's RHN up2date is that you know exactly what a patch will affect and what code it will be changing. An update to the kernel, or to an individual pro
Re:Real truth of the article (Score:4, Insightful)
The guy making all the noise is just shooting his mouth off until he's actually tested the patch.
Yes, he has a valid gripe that the wording is unclear, but the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.
It's incredibly stupid to put yourself out on the line like that. One day it'll come back and bite him when he's wrong.
Flame on! (Score:3, Interesting)
No, the crux of his complaint is that he can't tell what he's supposed to be looking for. How is he supposed to test what M$ does not tell him? For some reason he thinks M$ is going to tell him what their "updates" do. How many hours do you expect him to test every month?
It's incredibly
Re:Flame on! (Score:1)
However, I will address your post:
He has specific complaints about ONE patch. It would have been prudent for him to make some efforts towards testing the ONE patch he has a problem with.
When someone comes to me with a computer (or other) problem, I ask them 1. what they think is wrong and 2. what did they do to try and solve it. My problem is that he didn't even make a token effort at step 2. He stopped at step 1 (I don't know what this patch is doing) an
Re:Flame on! (Score:2, Informative)
The reason he's complaining is because each patch report is supposed to cover a patch that fixes a specific problem, linked to with the bug report. His complaint isn't with the patch. It's with the report about th
Re:Flame on! (Score:2)
I make some losers angry by adding signal to their noise and spoiling their astroturfing:
There's only two or three of these turds, but they brag about all the noise they can make with their botnets. There's plenty more that are not dumb enough to brag.
However, I will address your post: He has specific complaints about ONE patch. It would have been prudent for him to make some efforts towards testing the ONE patch he has
Re:Real truth of the article (Score:2)
Re:Real truth of the article (Score:3, Insightful)
It may be to inspect a part,
Re:Real truth of the article (Score:1)
I would have some SEVERE issues with any product or service that was using any windows platform for safety-critical systems.
Just the fact that they're trying to do "safety" on such an unreliable platform should make you wonder about their competence
Re:Real truth of the article (Score:2)
This is the basic gist of the complaint as I understand it. I think you were saying roughly the sam
Code changes fixed some other bugs? (Score:2, Insightful)
To me this looks like MS have patched the flaw they say they have, and maybe seen some other bugs that were in there whilst they were there.
This is not necessarily a good thing though, as vagueness in what a patch fixes implies vagueness in testing that the patch works properly. Microsoft should post exactly what it fixes, so people know what they are putting on their system. For instance, what if the patch breaks third party software? As the third party won't know what was changed, they can't fix it.
Re:Code changes fixed some other bugs? (Score:1)
Re:Code changes fixed some other bugs? (Score:1)
I'm not kidding at all. Also, I work as a Telecoms software engineer and so I would say I have a fair experience of working with software development.
We test our patches before they go out. When an application is patched, the entire functionality of the application is re-tested and particular attention is paid to issues which have recently been fixed in the same code, and are outstanding in the code.
This way, when we write the release notes for the patch, we can provide a list of any known bugs that the
Whiner (Score:2, Insightful)
So, really, this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.
Is that some kind of insult? (Score:2)
He was pretty clear about it all:
The bottom line is this: we just don't know [what's being patched].
Your little smear does nothing to change that fact.
Not just patches (Score:2)
MS is pretty well getting in the habit of understating or perhaps blandly stating any problems. I particularly have noticed that with every release of Windows, error messages get more and more vague. I fully expect that by the time Vista makes it to market, all error messages will be replaced by a single pop-up that reads "Something bad happened". Figuring out exactly which bad thing happened will be left as an exercise for the poor techie who gets called in to "Fix this problem right now!".
Re:Not just patches (Score:2)
What an OS should do is to present the "Something bad happened" to the user, and log the real error in the system log with enough detail for the techie to analyze it.
This is being done in Windows, but not to t
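The split the comment above describes (a bland message for the user, the real detail in the system log) is a standard hardening pattern: the user-visible text leaks nothing about internals, and a correlation id ties it to the detailed record. The block below is an added illustration of that pattern, not the Windows mechanism and not the commenter's code; the logger name, the `open_document` failure and the `C:\docs\brief.doc` path are constructed for the demonstration.

```python
"""Added example: generic error for the user, full detail for the system log."""
import io
import logging
import traceback
import uuid

# Hypothetical logger name; in a real service this would be the system/event log.
LOG = logging.getLogger("added_example.errors")


def attach_log_stream(stream):
    """Route this example's records to `stream`, which stands in for the system log."""
    LOG.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    LOG.addHandler(handler)
    LOG.setLevel(logging.ERROR)
    LOG.propagate = False


def user_facing_error(exc):
    """Log the real cause under a fresh correlation id and return the text the
    user sees. The message carries only the id; type, detail and traceback go
    to the log where a technician can look them up."""
    correlation_id = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    LOG.error("id=%s type=%s detail=%r\n%s",
              correlation_id, type(exc).__name__, str(exc), detail)
    return f"Something bad happened (reference {correlation_id})", correlation_id


def open_document(path):
    """Constructed failure carrying the kind of internal detail that must not
    reach the user (a COM verification error, as in the thread's VERCLSID story)."""
    raise FileNotFoundError(f"{path}: COM class verification failed (constructed)")


def run_demo():
    """Trigger the failure and return (user message, id, captured log text)."""
    sink = io.StringIO()
    attach_log_stream(sink)
    try:
        open_document("C:\\docs\\brief.doc")
    except Exception as exc:  # broad on purpose: every failure gets the same treatment
        message, cid = user_facing_error(exc)
    return message, cid, sink.getvalue()


if __name__ == "__main__":
    msg, cid, log_text = run_demo()
    print("user sees :", msg)
    print("log holds :", log_text)
```

The check worth keeping in a real code base is the last two assertions in the test: the internal detail appears only in the log, and the id the user was shown appears in the same log record.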
Hidden DRM? (Score:5, Interesting)
Re:Hidden DRM? (Score:3, Interesting)
Possible, but not that probable.
Re:Hidden DRM? (Score:2)
Monkey porn might be not probable, but as the GP pointed out they already did include restrictions in an update, so it's not improbable at all that they will do it again.
Truth in Advertising (Score:3, Insightful)
Microsoft: You may use the above for a small fee. TIA. HTH.
I think the fear is... (Score:1)
Until then, this is fine. (But when is then?)
New MSFT Security Alert Level OMFG! (Score:3, Funny)
Now, we can't tell you what it is, because if we did that, you might clue in that we probably made the same mistake in pretty much all the code we rolled out to give you that latest Feature (Patent Pending), and telling you would mean that lots of script kiddies would be making your copy of Windows Vista turn into a large pr0n server that played Death Metal tunes.
So, just trust us on this one, and
P.S.: Please ignore the large backdoor we installed to scope your box out to see if you're trying to run some kind of Linux device on your network. It's just there for
Microsoft patching without consent? Maybe (Score:5, Insightful)
Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.
Enjoy,
Re:Microsoft patching without consent? Maybe (Score:1)
If only life were that simple; if WINE were 100% reliable and every application worked out of the box, the need to use Windows for many users would be a non-issue; the problem is, people remain with Windows for the very reason that they need applications, they aren't available for *NIX, but at the same time, they're not going to biff out their
Re:Microsoft patching without consent? Maybe (Score:1)
Hey, I'm not the one who uses 'anonymous coward' because of fear of karma going through the floor
So whilst you're living in your mum and dads basement, twiddling with your doodle whilst playing Quake or some other damn game, I'm
Not such a big shock (Score:4, Informative)
The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.
The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.
Re:The developers have to fight back. (Score:1)
AFAICT, the marketing drones have (almost) always been in charge of Microsoft. In this case, it hasn't been all that bad for the company -- just bad for the users (and, to a lesser extent, the engineers -- but at least they got good stock options before MS stock flattened out.).
It would not be the first time info is misleading (Score:3, Interesting)
"On 2002-09-24, Microsoft KnowledgeBase article ID Q311486, promised six months ago, finally appeared. Its publication date is falsified to claim that it appeared on 2001-10-26. It talks about programs that "pass invalid screen size parameters" when the sample program code that it gives for replicating the bug clearly contains nothing at all relating to screen size parameters."
There's No Middle Ground (Score:3, Insightful)
It's that simple.
Security reasons, or no security reasons, you tell people. Anything else is misleading, which equates to lying.
They own the systems, not you, regardless of your fucking EULA.
Then if anybody doesn't care or doesn't want to know, it's on them.
Journalism standards dropping. (Score:2)
Every software maker there is will fix bugs or patch holes without disclosing them. The story is obviously some green journalists first attempt.
Re:Journalism standards dropping. (Score:2)
What is your source for claiming that "Every software maker there is will fix bugs or patch holes without disclosing them."? I don't believe that this is a true statement.
The author of the story was Ryan Naraine; Google his name and you will find that he is not a green journalist and it does not
Microsoft also lies in its Knowledgebase Articles (Score:3, Informative)
Nowhere did Microsoft identify WHAT disks, WHY, or HOW. It was a "throwaway line" like that referenced in the present article. Microsoft was happy to say that LBA48 was supported by Windows 2000 Service Pack 4, but NOT that if you installed it first WITHOUT Service Pack 4 and then installed SP4, that Windows 2000 would silently wait until you actually tried to use the larger partitions before trashing your hard drive.
KB908531 Broke Word 2002 (Score:5, Interesting)
True enough, saving a document in Word or trying to open a new one while another document was open would hourglass the cursor. Only Task Mangler could end WINWORD.EXE.
Sysinternals's PROCEXP showed that every time a document was saved, Word would spawn VERCLSID.EXE as a child process, an executable that was "patched" by KB908531, which was pushed through Windows...err, Microsoft Update the day before.
I googled "verclsid" [google.com]. Let me tell you that yesterday, this search string returned no results. This morning, it returned exactly one [microsoft.com]. Now, it comes up with 67 web hits and 21 Usenet results [google.com].
Also, because of this "patch", typing "www.google.com" would return the generic IE "Server Not Found" page. One had to prepend "http://" to the URL. VERCLSID.EXE checks the validity of COM objects, so the damage wasn't confined to Office applications; it affected EXPLORER.EXE and IEXPLORE.EXE.
The workaround was to rename the current version of VERCLSID.EXE and restore the file from the backup created by KB908531 (a System Restore would have sufficed as well). I expect a patch for the patch to be released by Microsoft Real Soon Now. I guess this one was rushed out the door without sufficient testing.
Our company policy for patches is this: updates for servers are tested in-house before being deployed on production machines. For workstations, however, Windows Update is set to automatically update, unless the client's workstations run legacy applications, like the Reflection terminal emulator, or if high-end esoteric applications are present, like DataCAD or Design 20-20. As with servers, they're tested on a non-production system first.
I'd say that 10% of our clients got burned by 908531. Rolling it back wasn't that hard once we identified the problem, but this costs money.
I don't want to single out MSFT; last year an Apple Mac OS X security update broke Samba for me for about a week until I could figure out a workaround. But let's put this in perspective: how many people using Mac OS X (2 to 5% of the workstation market) also use Samba? Contrast this with the percentage of Windows XP/2K users also using Word (must be in the high 80% range), Internet Explorer, and the GUI, all affected by a buggy 908531 patch.
k.
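Several posts in this thread make the same point from different angles: when a bulletin does not say what a patch touched, the admin has to find out for themselves, both to scope regression testing ("Patches can break things" above) and because anyone who wants to can diff the binaries anyway. The KB908531 story is the concrete case: one replaced executable, VERCLSID.EXE, and three consumers (Word, Explorer, IE) that broke. The block below is an added example, not the poster's procedure and not a Microsoft tool: it snapshots a tree before and after a patch, reports which files changed, maps them to the applications an admin knows depend on them, and confirms that restoring the pre-patch copy returns the tree to its original state. The directory layout, file contents and the `DEPENDENTS` map are constructed for the demonstration (the three VERCLSID.EXE consumers are the ones the comment above names).

```python
"""Added example: determine a patch's real footprint by diffing file snapshots."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def snapshot(root):
    """Map every file under `root` (relative path, forward slashes) to (sha256, size)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[rel] = (digest, os.path.getsize(full))
    return result


@dataclass
class PatchDelta:
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    modified: set = field(default_factory=set)

    def is_empty(self):
        return not (self.added or self.removed or self.modified)


def diff_snapshots(before, after):
    """A file counts as modified if its hash or size differs between snapshots."""
    delta = PatchDelta()
    for path, meta in after.items():
        if path not in before:
            delta.added.add(path)
        elif before[path] != meta:
            delta.modified.add(path)
    delta.removed = set(before) - set(after)
    return delta


def affected_applications(delta, dependents):
    """Applications that load a binary the patch replaced or removed; these are
    the ones to regression-test first. `dependents` maps a lowercase basename to
    the applications known to use it, assembled by the admin, not by the vendor."""
    apps = set()
    for path in delta.modified | delta.removed:
        apps |= dependents.get(os.path.basename(path).lower(), set())
    return apps


# Constructed dependency map (the VERCLSID.EXE entries follow the thread's report).
DEPENDENTS = {
    "verclsid.exe": {"WINWORD.EXE", "EXPLORER.EXE", "IEXPLORE.EXE"},
    "shell32.dll": {"EXPLORER.EXE"},
}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo():
    """Build constructed pre- and post-patch trees (placeholder bytes, not real
    binaries), diff them, and verify that a rollback restores the original."""
    with tempfile.TemporaryDirectory() as tmp:
        before_root = os.path.join(tmp, "before")
        after_root = os.path.join(tmp, "after")
        base = {
            "system32/verclsid.exe": b"verclsid build 1",
            "system32/shell32.dll": b"shell32 unchanged",
            "system32/kernel32.dll": b"kernel32 unchanged",
        }
        for rel, data in base.items():
            _write(before_root, rel, data)
            _write(after_root, rel, data)
        # The constructed patch replaces one executable and drops an install log.
        _write(after_root, "system32/verclsid.exe", b"verclsid build 2")
        _write(after_root, "patch/install.log", b"constructed log")

        before = snapshot(before_root)
        delta = diff_snapshots(before, snapshot(after_root))
        apps = affected_applications(delta, DEPENDENTS)

        # Rollback check: restore the pre-patch copy and confirm the diff is empty.
        _write(after_root, "system32/verclsid.exe", base["system32/verclsid.exe"])
        os.remove(os.path.join(after_root, "patch", "install.log"))
        rolled_back = diff_snapshots(before, snapshot(after_root)).is_empty()

    return {"delta": delta, "apps": apps, "rolled_back": rolled_back}


if __name__ == "__main__":
    out = run_demo()
    print("modified  :", sorted(out["delta"].modified))
    print("added     :", sorted(out["delta"].added))
    print("test first:", sorted(out["apps"]))
    print("rollback clean:", out["rolled_back"])
```

In practice the "before" snapshot is taken on the test machine the comment's company policy already uses, and the dependency map is the list of in-house and legacy applications (the thread's Reflection, DataCAD and so on) keyed by the system files they are known to load; the same pre-patch snapshot is what lets you confirm that a rollback actually undid the change.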
Re:KB908531 Broke Word 2002 (Score:4, Funny)
Lawyer: I was writing an appellate brief . . .
Lawyer: And it was like beep, beep, beep, beep, beep!
[Lawyer gestures spastically.]
Lawyer: And then, like, half my case law cites were gone.
[Lawyer shrugs]
Lawyer: And I was like, huh?
Lawyer: It devoured my appellate brief. And it was a really good appellate brief.
Lawyer: Then I had to write it again, but I had to write it fast, so it wasn't as good.
Lawyer: It was kind of a bummer.
Lawyer: I'm Ellen Feiss, and I'm an appellate lawyer.
Re:Is Anyone is Surprised? (Score:2, Interesting)
Re:Truly shocking (Score:1)