
Microsoft to Introduce Faster Security Disclosures

Posted by timothy
from the mistakes-were-made dept.
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
  • Business Day? (Score:4, Interesting)

    by republican gourd (879711) on Saturday May 07, 2005 @05:23PM (#12464069)
    Microsoft isn't open on weekends? Is that too much to ask a multi-billion dollar company?

    Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
    • Re:Business Day? (Score:5, Insightful)

      by 0x461FAB0BD7D2 (812236) on Saturday May 07, 2005 @05:34PM (#12464117) Journal
      Would IT technicians come back on weekends to fix their systems? If not, then making vulnerabilities public at that time only helps script kiddies.

      Waiting until Monday ensures that IT guys get a rest too.
      • Re:Business Day? (Score:3, Insightful)

        by Gabey (18874)
        Would IT technicians come back on weekends to fix their systems?

        A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.
        • Re:Business Day? (Score:5, Insightful)

          by 0x461FAB0BD7D2 (812236) on Saturday May 07, 2005 @06:06PM (#12464255) Journal
          Good IT technicians do what it takes to keep their systems secure, given their resources. But expecting them to slave over their systems, testing and rolling out every new patch as soon as it's out is ludicrous.

          If coming in on a weekend isn't asking too much, where do you draw the line?
          • by SnprBoB86 (576143) on Saturday May 07, 2005 @06:23PM (#12464325) Homepage
            "where do you draw the line?"

            I'm not sure where you draw the line, but I can tell you that if you would take a bullet for a server... you've crossed it, wherever it is...
          • If coming in on a weekend isn't asking too much, where do you draw the line?

            Major releases of business-related (not e-business) software are usually done on weekends, and (in my experience) the coders as well as the admins are there to iron out the kinks. It makes for a solid rollout. It's part of being an IT professional, and I've been there a number of times. Would you like some cheese to go with your whine about missing the Saturday morning cartoons?

          • Depends (Score:3, Insightful)

            by Craig Ringer (302899)
            I'll head in on a weekend for really critical problems - for example, an OpenSSH vulnerability that I know will affect work's firewall. No way do I want to clean up the mess if I leave that unfixed - it sucks much less to go in on a weekend and fix it.

            Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.

            Of course, if the pa
          • where do you draw the line?

            I can tell you where not to draw the line

            *thinks of Simpsons* [jahozafat.com]

            Homer: I'm drawing a line down the center of the house, à la I Love Lucy. You stay on your side and I'll stay on my side.... D'oh!
      • I agree partly, however. The weekend is also a peak time for script kiddies, what with no school/work and the servers being perhaps unattended.
        A critical vulnerability in a server needs to be seen to as soon as possible. Waiting till Monday may mean that we get a couple of days' rest, but it also means that our server is vulnerable for those days.
        • Re:Business Day? (Score:3, Insightful)

          Perhaps. However, this is the downside of people making their discoveries public at inappropriate times.

          If a system was created where people who discovered the vulnerabilities were credited in the advisories, which would be made public after a solution was found, it would solve pretty much everything.

          Then again, Orwell taught me that utopia isn't all it's cracked up to be.
          • Indeed, I look at it like this though.
            I would rather spend at most a couple of hours at the weekend securing my systems than spend a very stressful Monday (perhaps a few other days as well) restoring a compromised system or systems... then having to deal with the PHBs.

            A lot of the time these vulnerabilities are discovered by black hats, so there is no real way of containing the info as it will slip into the community. So immediate disclosure of known vulnerabilities really does help.
      • Would IT technicians come back on weekends to fix their systems?

        A good sys admin -- properly appreciated by management $$$ -- would or at a minimum lock the systems down so that this isn't an issue.

      • Waiting until Monday ensures that IT guys get a rest too.

        Our sysadmins usually schedule upgrades, patches, etc., for the weekends so as not to disrupt normal business. Then, they get to take a day off during the week. What's wrong with your company?

        • If they get time off for their work, that's great. However, the question is what if a vulnerability is made public on a day the admins have off?

          It's not so much about the weekend itself as it is about time off for admins and techies.

          Also, many managers don't like giving admins time off during business days in case business is disrupted. They also have to minimize costs so they can't hire a shift team.
          • However, the question is what if a vulnerability is made public on a day the admins have off?

            If it was critical, some or all of our admins, being the professionals they are, would come in (or do the work from home) and take time off another day.

            Also, many managers don't like giving admins time off during business days in case business is disrupted.

            It sounds like you work for a pretty short-sighted company. They won't get the best results that way. It makes me happier about the place I work at. I ho

      • Cracktastic!

        I don't know where you live, but around here anybody who admins machines that are exposed to script kiddies tend to have things like cellphones and 24-7 coverage as part of their job description. Your line of reasoning just strikes me as weird, since security problems are one of the main reasons for nighttime visits and weekend upgrades (along with badly coded daemons/services that have to be babysat). I just don't get it.
      • If you really have to "come back on weekends" to patch your systems then you're not much of an admin.

        I can test and roll out a patch from the comfort of my armchair at home. Why can't you?
      • Now if we could only implement a policy so that hackers only operate during normal business hours. Also, it would be helpful if they stick to Eastern Daylight time, rather than Russia Standard Time or whatever.
      • When it's the weekend in Seattle, it doesn't mean it's the same everywhere else, due to different timezones, religions, and working times. IIRC, the normal work week begins on Saturday at 2300 PST.

        Moreover, big companies can afford having a 24/7 security team and many actually do it.

    • = all 7 of them.

      It's a connected globe.
      If they think Mon-Fri is going to work, they will learn some new feelings about the weekends.

    • I think the easiest way to deal with this would be to just put one of those lamp timers on your Windows box to cut AC power on Friday 5 pm and switch it back on Monday at 9 am, saves on unnecessary tape usage too.
    • If you're an IT admin and are actually vulnerable to most of the security holes in their OSes, I would have a hard time sleeping ANY weekend. Make users just that, USERS, and you remove several attack vectors and might, just might, be able to wait until Monday. Or Tuesday... Or sometime else down the road.
  • but what is a grey hat?
  • by Doc Ruby (173196) on Saturday May 07, 2005 @05:29PM (#12464093) Homepage Journal
    Microsoft will now announce that Microsoft will announce security alerts within one business day of their reporting to Microsoft. Microsoft announces that any security holes not announced by Microsoft must therefore not exist. It's the industry standard: "We [wired.com] have a policy that we are not being hacked."
    • While a lot of mods modded you up Funny, this is exactly what will happen. MS will just announce the exploits they want. Those exploits will be the ones they have a quick fix for. MS is all about marketing. MS wants to be able to say, "See, we fixed XXX number of bugs/holes this past year and we fixed each one within 24 hours of 'notification' or less."

      MS will just overlook any 'exploit' they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".

      Give me a

      • ... the fact that there will always be bugs in code. As a Senior Programmer for a fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone including MS can do about it.

        Very subtle. Admit that M$ junk is full of holes. Admit that M$ will never be able to fix them and that this announcement is just another PR stunt from the kings of marketing BS. Then, slip - o - change - o, spout that other M$ company line, "no software is better than ours."

        Not all bugs are created eq

    • The alternative is that they'd just issue a weekly announcement that a buffer overflow was found, and then within hours they'd be proven correct. Disclosures don't come faster than that.
    • I think it is a PR move. With a Paul Thurrott review of the most recent Longhorn build leaving him unimpressed and saying that OS X Tiger is far superior, what better way for MS to rebuild its image than to announce faster security responses.

      It is true, in fairness, that MS left a lot out of the most recent public Longhorn build. Still, it must have struck a chord for more PR.
      • It's interesting that MS has been unable to address so many longstanding, and critically serious, problems with Windows. Big ones like security holes/notices/patches, and little ones like "DB filesystem". And all manner between. With their huge financial and labor resources, so comfortably insulated from really compelling competitive pressure, they'd probably solve (or at least meaningfully address) those problems with real action by now, rather than mere marketing prattle, if they could. If they haven't, t
  • by lecithin (745575) on Saturday May 07, 2005 @05:37PM (#12464135)
    "Advisories will be issued within one business day of a publicly reported security hole"

    If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?

    I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
    • by Eberlin (570874)
      Here's the general idea: first be adamantly pissed off when people release bug information publicly (not telling the story that the same folks notified MS about it eons ago only to find Microsoft ignoring them)

      Then once enough people catch on to this, create a press-release saying "we're on the ball, we're looking into this, and we're doing all of this because that's what customers want and we do what our customers ask for."

      Sounds like standard "Trustworthy Computing" practice to me.

    • "I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive."

      Exactly. Hasn't MS in the past tried to get people to sign NDAs re: bugs that a person has discovered? If they can succeed in keeping the knowledge out of the public eye, then by this policy they could bottle it up, avoid announcing it, and still claim they're being proactive.

      "Perhaps I am the only one that thinks that Microsoft is evil."

      Not by a long shot.

    • If it is already public, does it matter?

      Yes, for people that don't read the article that publishes the problem. Granted, news of the problem will be spread all over the net very rapidly, but Microsoft admitting that it is a flaw and not a feature carries a little more weight than joe hacker posting on some blog.

    • Perhaps I am the only one that thinks that Microsoft is evil.

      You've got to be kidding. New poll topic:
      Microsoft is:

      • The best thing since white bread (pablum is good also)
      • The only way to protect our IP (hand over heart)
      • The capitalist software of choice (no dirty pinkos allowed)
      • The only secure way to use a computer (obscurity is very good)
      • Evil incarnate (The courts have to be right occasionally)
    • Microsoft would of course prefer people who find vulns to contact them directly, then they can work on a patch, and people can release the information after the patch is out. Read full-disclosure the week after Microsoft's monthly patch-release day, and you'll see that a great deal of that happens.

      For a vulnerability to be "public" it needn't be all that public - most admins don't read bugtraq and FD on a daily basis, so they don't find out about the vulnerabilities when they become "public". They hear

    • No, I have the same issue, and I've worked for a microsoft partner recently. They do way too much PR and lie entirely too much. I hate M$ and their lies with a passion, even if, beforehand, I had thought people were unjustly hateful of microsoft. Now I know why, firsthand.

      And no, you did not misread my statement. I "hate" them. Passionately. And I feel entirely justified. If you dealt with some of the internal mail I've dealt with, any of you with a conscience would never get another hour of sleep.
      • Ummm....why do you say acquitted?

        The impression I had was that they were found guilty, but ninjas came in the night and removed the spines of the entire Justice Department....so MS was never properly punished.

  • Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.

    So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.

    I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.

    • Once a security flaw is detected you never know how much time it'll take to address it, that is, to release the necessary patch for it. So if a threat is detected by MS's own engineers it makes sense to not make it public, because it might not be possible to counter that flaw without a patch, rather than making it public and falling prey to the hackers who might try to abuse that flaw.
      • So if a threat is detected by MS's own engineers it makes sense to not make it public

        I couldn't disagree more.

        Who's to say that a flaw discovered by MS employees wasn't discovered months ago by the bad guys who have been running rampant over MS-powered sites lo these many months?

        If there is a flaw, tell me about it. Then I can make an informed decision to deal with it, which could include shutting down some services, installing patches, doing stuff in a different way that is less exposed to the flaw
    • Why not treat open source the same way too? Most open source projects have similar rules to closed source vendors.
      Information cuts both ways: it protects those who know how to secure, and sacrifices those who do not know how to secure.

      There is no one good way to release vulnerability information; no matter what, you will sacrifice someone's needs. The best you can do is to keep the majority in mind.
      • Why not treat open source the same way too? Most open source projects have similar rules to closed source vendors. Information cuts both ways: it protects those who know how to secure, and sacrifices those who do not know how to secure.

        Can you give an example? I can't think of one OSS project that handles security issues like Microsoft -- either in the past or if there is any meat to this new proposal.

  • My favorite line (Score:5, Insightful)

    by portwojc (201398) on Saturday May 07, 2005 @05:51PM (#12464197) Homepage
    when researchers jump the gun and release vulnerability details before a patch is available.

    Jump the gun? Oh that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.

    Gotta love these articles. Nice spin, make the researchers look like the bad guys...

    At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.

  • I discussed this with the MS Head of UK security (during an MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix, when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big Windows bug out on Tuesday', without enough information to judge impact - either before or after the announcement...

    I seriously doubt that this will make any difference, except to CTOs who are gett
  • Wow! (Score:1, Funny)

    by Primal_theory (859040)
    So we'll have them in under 5 years?!?! NO WAY!
  • by Anonymous Coward
    That could be nothing more than moving up from snail races to tortoise races. It's not like Microsoft is fast about these things to begin with anyway.

    Woo hoo.

    I can hardly contain my excitement.
  • by craXORjack (726120) on Saturday May 07, 2005 @08:25PM (#12464946)
    At a Microsoft press conference today, aging software tycoon William Gates III touted his company's new "Accessible Code" policy whereby developers may examine the uncompiled routines which make up the Windows operating system and modify it to suit their needs provided they publicly release their changes under the same MSAC license.

    Gates also outlined several points which he says give Microsoft an advantage over "Open Source Software" such as the ubiquitous Linux operating system and the Apache web server which runs more than 92% of all internet sites. Among these points were: advisories addressing publicly reported security vulnerabilities within one business day, free usage of Microsoft software by anyone (the Microsoft patented Pay-only-for-support model), and remarkable stability since there is no pressure from Marketing to release an unready version just to realize a revenue stream.

    'These policies combine synergistically to leverage Microsoft over Open Sores Software', said Gates. 'The American system of patents and copyright clearly works. It gives people the freedom to choose. Because of this, almost half of all computer owners choose Microsoft Windows to be their desktop operating system. And the American jobs it creates may be yours. Recently, after hiring 58,000 Bangladeshi software engineers, we created over 100 new jobs for Americans to proofread those engineers' milestone reports.'

    'And if it weren't for our trusted copyright system, the Walt Disney Corporation would have had to lay off many of the foreigners they import from third world countries to sell snow-cones and wear that suit that makes them look like a certain mouse character whose name I'm not currently licensed to say in public,' Gates continued nervously, 'but you know the one I'm talking about.'

    Investors reacted positively to the news as Microsoft shares rose fifty cents, breaking the five dollar barrier which had kept Microsoft in danger of being delisted from the NASDAQ as a penny stock. Only a 3 for 1 reverse split had kept it listed since the company was warned last September. The former billionaire left the building in a hail of applause, stopping briefly only to ask the time since his MS WinWatch had blue-screened and to ask several bystanders for a ride to the bus station.
  • by poor_boi (548340) on Saturday May 07, 2005 @10:00PM (#12465376)
    Does anyone else get a sinking feeling in their tummy every time Microsoft does something right, something better, or something intelligent? I like hating them. If I can't hate them, I'll have to hate something else. And I haven't been paying much attention to worthy targets over the past few years. I'm afraid I might have to turn my hate inwards if they're improving. And that can't be good.
  • Hell freezes over.
  • Give it up. If I kept up with all the friggin updates and service packs and hotfixes and reinstalling of software that I already do, that's all I would spend my time doing all day.
  • "Microsoft to Introduce Faster Security Flaws"?

    I did...
