Microsoft Won't Offer Patch Before Worm Strikes?

techmuse writes "According to an article in Information Week, Microsoft is aware that the 'Kama Sutra/Blackworm/MyWife' worm will hit on Friday, overwriting office documents, but will not release a patch until its regular monthly patch release on February 14th. Unless, that is, you subscribe to one of Microsoft's pay security services, in which case your machine will have the worm removed in advance." From the article: "The blog offered no explanation why the tool wouldn't be updated earlier, nor did Microsoft immediately respond to questions. Each month, Microsoft pushes a revised tool to Windows users who have Automatic Update enabled for Windows Update or Microsoft Update. The Redmond, Wash.-based company has released the Malicious Software Removal Tool off-schedule once before, in August 2005, shortly after the Zotob worm began striking Windows 2000 systems."

Prior art for this MS business plan.

[Ph33r th3 g(O)at]

Nice Windows machine you've got there. Wouldn't want anything to, um, happen to it. You need insurance, and we happen to sell insurance. Capiche?

A simple word for it...

[sterno]

Unless, that is, you subscribe to one of Microsoft's pay security services, in which case your machine will have the worm removed in advance.

This is what is commonly referred to as "extortion". Pay them now or something bad might happen. You wouldn't want something bad to happen would you?

Re:A simple word for it...

[CXI]

Wrong. The entire content of this story is that Microsoft isn't releasing a malicious software removal tool until the 14th, as usual. So, go use any virus checker on the planet instead, including Microsoft's, to solve the problem now.

Honestly...

[JFlex]

... Why would they hold back on the patch? If they have it available and ready to push out, why not just do it? I don't understand, its as if this is their way of raising their right hand and flipping everyone off.

You get what you pay for

[analog_line]

Check the license agreement for Windows XP. Nothing in there says that Microsoft will ever provide fixes, period. If you don't like their service-after-the-sale, get off the upgrade treadmill and stop buying licenses from them or buy an expanded service agreement from them. They aren't

Software licenses are agreements that should have the full weight of contract law. There is no other way that the licenses I prefer, like the GPL, BSD, Mozilla, MIT, etc, get any legal weight. If you can't abide by the terms, take a stand, show some guts, and click "Cancel" on the install. Find some software that is licensed under terms you can accept. Don't be a sheep and agree just because it would be too hard, or make you go look for other software if you disagree.

THIS STUFF IS IMPORTANT.

Re:Prior art for this MS business plan.

[ZachPruckowski]

That's nice, but it still doesn't address the primary issue: If MS has a patch that they know works, they should release it. Period. There is no reason to have to pay to avoid the hassle of going to their sites to get the worm cleaned (and letting it do it's initial damage in the process).

Re:Or if you don't want to pay

[ZachPruckowski]

Your argument reminds me of something a friend said. We all have seen those "hardest American football hits ever" sports reels, right? Now they look nice and pretty, and they knock the ball carrier down, right? Now here's the problem: in almost every case, the guy had already caught the ball and picked up yards.

Do you see what I'm getting at? All those viruses and spywares and worms on your computer have already done damage when you get them removed. The goal is to keep them from getting on your computer or at least keep them from running. And MS is deliberately charging for that feature. Their online virus-removal thing is nice, and can mitigate some damage, but the horse already left the barn.

A few more facts to throw water on the fire

[sixpaw]

• Despite the eagerness to imply that this is something roaming the net randomly looking for computers to infect, it's pretty much your run-of-the-mill e-mail worm that actively requires opening an executable (.scr) attachment to infect a system. Under normal circumstances (i.e., without the free opportunity to bash Microsoft attached), how many IT pros would say that anyone opening a random attachment e-mailed to them deserved what they got?
• McAfee rates this one as low-risk [mcafee.com] for both home and corporate users.
• Symantec gives it a run-of-the-mill threat assessment [symantec.com] (low geographical distribution, easy containment).

AFAICT this is as run-of-the-mill as virus threats get, and I'm grateful that MS is maintaining a level of software discipline and not jumping all over themselves to instantly respond to every stupid little worm that crosses the net. I'd much rather see meaningful updates once a month than frantic, possibly-buggy scramble fixes three times a week.

Bad title

[pjbgravely]

Microsoft Won't Offer Patch Before Worm Strikes?

This is not a worm, but a virus, and MS is not releasing a patch, but an updated virus definition.
Viruses are not caused by a system flaw but by user intervention, that is unless it is installed without user intervention, then it is a system flaw. I am not a Microsoft user but I see no fault they are doing.

Re:Try to be a little fair

[nologin]

Unfortunately, the effort here by Microsoft here won't save the users most likely affected by the virus. Those users who don't know how to protect themselves adequately probably rely on Windows Update to keep their computer safe. How many of them will be informed in time to use Live Safety, or for that matter, how many of them know that it exists?

At least I know how to protect my computers. So the impact to me would be none regardless of what Microsoft does. It is those users that don't even know the definition of malware that are most at risk, and will be the least likely to use Microsoft's proposed remedy.

Re:A simple word for it...

[RyoShin]

Not quite.

Extortion [wikipedia.org] is when someone says "pay or do this, or something bad could happen later", and the person saying that is the one that will make the bad happen later.

In this case, it's Microsoft saying "We'll take care of this problem sooner for a little money", but someone else will make the bad thing happen regardless. Microsoft is just offering clean up/prevention, not "assured safety". Your lack of acceptance will not make the problem better or worse; it will stay exactly the same.

An analogy might be that there's a gang of kids going around defacing houses, and Company XYZ says "We'll stick a security guard in front of your house for a little extra money, so you'll be ready when those kids show up, and won't have to wait for the police to show up when you do get hit." XYZ is offering an enhanced service; if you turn them down, your house will likely get defaced, but not because of anything XYZ did.

(If you can show that XYZ/Micrsoft is in cohorts with the kids/virus writer, then that is indeed extortion, but at face it's mislabeling.)

Re:All should not be lost...

[BkBen7]

Or maybe they should sue their brain for non-support after being told hundreds upon hundreds of times.

Attachments from unknown people? Delete!

Scan Attachments before clicking!

Ask sender if they meant to send attachment!



Microsoft has no responsibility to cover a users idiocy.


Ok, bring the bad karma.

Re:A simple word for it...

[mlheur]

While I agree with you, and it is Microsoft's right to not provide any fixes based on the existing license agreement, there's still two things that I'd like to put out as food for thought.

1. What if Microsoft intentionally wrote bad code, and conspired with worm authors to agree on a worm release date, then said "You can pay to have the fix before this day, or get it for free after this day". Well, it's just a thought, I'm not making any accusations.

2. What if all security product vendors took the same stand as Microsoft: McAfee, Symantec, TrendMicro, etc and said "Hey, we think we have a way to prevent tomorrow's catastrophe, you can have a defenition update in a few weeks." Of course you'd have the option to not purchase their products, but if they *ALL* did it, who would you turn to then?

At the risk of being branded a MS apologist....

[buddyglass]

I don't consider it Microsoft's responsibility to ensure that every Windows user gets just-in-time virus removal for free. It might be different if the virus exploited an OS flaw, but to my knowledge this one doesn't. This is why people pay money for AV software. That said, it would be nice if they'd schedule an out-of-cycle release of the malicious software removal tool, but doing so could create a precedent they don't wish to establish.

Re:All should not be lost...

[ShamusYoung]

How hard is it to not run software mailed to you by a stranger? If I mailed you a syringe labeled "everlasting life", would you jam it in your arm and shoot it? No? Did I mention it's FREE and that you are our LUCKY WINNAR? Cuz you are.

What we really need is for MS to release a patch to repair the stupid and irresponsible users out there. Why haven't they fixed this obvious security loophole?

The problem with these viruses is that they do not kill the victims. If they did, then at least we could look forward to the point when Darwinisim fixed the problem for us. :)

Re:Prior art for this MS business plan.

[BorkBorkBork6000]

The problem with emergency patches is that they usually don't undergo the same quality assurance testing that regular releases do. Sure, they could, but QA is expensive. If something has a low vulnerability but it might increase the risk of failures, it should be put off until the next scheduled release.

Re:More like this

[ivan256]

Your analogy is more accurate than the parent, but still faulty. The problem is with this part:

Our car is as car bomb proof as we were able to make it

I'm fairly certain that Microsoft engineers were fully capable of making Windows more secure. They have smart people working there. Reality is that they made it as secure as they were willing to make it. It's like cars in the '60s. Safety didn't sell if it was an inconvienience. Adding more security to Windows would have meant less ease of use and less backwards compatability. Both are important to maintain the customer base and prevent people from considering alternatives. Were they right or wrong? That depends on how you look at it, but you certainly can't say they implemented security to the limits of their ability.

Patch timing not the problem...

[slackmaster2000]

The problem is the Malicious Software Removal Tool itself. It's a half-assed product that just sort of does "some stuff." I'm not sure who it's intended for. As someone in IT I certainly have never once used it professionally. There's no point because we're already using better tools. As a PC user at home I have never bothered to use it because, again, there are already better (& free) tools out there.

A program that removes some stuff that Microsoft decides is significant enought to be called "malicious" isn't much of a tool to begin with, and then to factor in that it's only updated once per month makes it even less valuable. Oh, I might also mention that the program only detects an underwhelming 54 "malicious programs?" Wow, gimme summa that.

There's really no issue with Microsoft not releasing an update for the removal tool. It's expected, standard behavior. It's right there in the documentation, second paragraph. This is not an anti-virus program that updates daily, this is some kind of other tool that exists in an awkward dimension all of its own.

Missing something?

[SComps]

Microsoft is aware that the 'Kama Sutra/Blackworm/MyWife' worm will hit on Friday, overwriting office documents,

Realizing this is ./ I fully expect to be laughed at here, but why do these submitters feel a need to place half-truths in their writeups to make MS look worse than it already does? This particular worm affects MANY files by extension, not just office documents. Writeups such as this only attract the anti-ms zealots and lull the uninformed into thinking they're just fine as long as they don't use Office. Even the link referred to in the article stated that it affected many files *including* office documents. Not exclusively office documents.

*pop!* That was my karma. It was good karma but it's gone now. I've offended the fanboys.

Re:Simple fix

[afidel]

Setting up your own server is not the same as using a public store and forward delivery system. In fact the two are quite distinct. Email and ftp both have their places. If I am going to widely distribute something, or if I am sending out large files (>10MB) I use ftp, otherwise I use email. Hell I have my email client open all the time, I almost never have an ftp client open.

Re:All should not be lost...

[LurkerXXX]

It shouldn't be, but apparently it is. People keep coming to me after they've trashed their systems. I ask way they opened an unknown attachment and they always say the same thing "But it was from my co-worker/friend/family member X. They wouldn't send me anything bad!". That's after I've told them literally dozens of times that modern viruses spoof the name of the sender and that person X's machine may be infected, or someone who has both person X and them in their address book may be infected. Don't ever open any attachment unless you know what it is. If your not sure what it is it only takes 2 seconds to hit the reply button and ask "What's this".... It never sinks in. Even after the "I love you" virus, etc. They just can't be educated.

And no, I don't think that moving to *nix is the answer either. I've had users follow instructions included with an email virus to type in a password required to unzip the payload, then run it. Those users will certainly be willing to type in "rm *" or whatever instructions come along with a virus. Their user files, the only thing of value on the machine, are toast either way. These are the same folks that will never back up their data either, so they really are toast.

Re:Simple fix

[Dare nMc]

> You want to give someone a file, send them a link to your ftp server.
get with the times, should be a tracking link to your torrent.
ftp works for the 2% of people who have their own non nat, static ip address with a ftp server that hasn't been blasted off the face of the internet. I am even in the small percent that do have a static ip, but the people I send files to don't have VPN access to any of my servers, and having ftp openly accesable to the net would just be stupid (and which windows users have sftp client installed? ok I do have port 80 access to a webserver that could serve the file, but thats probably not average or easier than attach either.)

mmkay

[everphilski]

(1) it is a trojan, not a worm. If you have 100 stupid users then you have bigger problems.

(2) there is a standalone patch available from Microsoft. Download it, put it on a network share or push it using SMS.

Re:Try to be a little fair

[ocbwilg]

Unfortunately, the effort here by Microsoft here won't save the users most likely affected by the virus. Those users who don't know how to protect themselves adequately probably rely on Windows Update to keep their computer safe. How many of them will be informed in time to use Live Safety, or for that matter, how many of them know that it exists?

Dude, what are you smoking? Those users who don't know how to protect themselves adequately probably don't even know what Windows Update is, let alone rely on it to keep their PC safe.

Re:Simple fix

[diersing]

Haven't you ever heard of iptables and port knocking for friends with dynamic IPs? --reject-with tcp-reset is your friend

Clearly a solution for the unwashed masses. We can't seem to get people from double clicking every email attachment, I'm sure their ready to setup, configure and tweak their own IPTables.

Does it destroy files on connected computers?

[tinpan]

What worries me is files on my servers being destroyed by Windows machines connected to them.

Does this payload destroy files only on the local drives? On mounted drives, too? How about on mapped drives?

How can I protect my Mac, Windows and Linux servers from infected clients?