Microsoft Security IT

Microsoft Opens Access to Vulnerability Notifications

joseph schmo writes "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them. Previously, it was only offering early notifications to 'Premier and other 'representative' customers,' or those customers who would sign a Non-disclosure statement."

  • by sf ( 23345 ) on Friday November 05, 2004 @07:10AM (#10733095)
    A pre-emptive strike perhaps ?
  • So? (Score:5, Funny)

    by Anonymous Coward on Friday November 05, 2004 @07:11AM (#10733098)
    Just set a Slashdot RSS up? Does the same thing!
  • Just finally? (Score:3, Insightful)

    by Anonymous Coward on Friday November 05, 2004 @07:11AM (#10733099)
    About 5 years too late I think.
  • by AlexanderYoshi ( 750291 ) on Friday November 05, 2004 @07:13AM (#10733105)
    I guess this is their way of saying... "We don't understand these things either!"
  • by Anonymous Coward on Friday November 05, 2004 @07:13AM (#10733106)
    You still won't be able to learn about vulnerabilities due to overflooded mailbox.
  • Slashdotted (Score:5, Informative)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Friday November 05, 2004 @07:13AM (#10733107) Homepage
    It was probably talking about this [microsoft.com].
    • It's amazing that they don't see the irony 'bulletinadvance.mspx'

      bullet in advance -hehe

  • Self Discipline? (Score:5, Insightful)

    by Amiga Lover ( 708890 ) on Friday November 05, 2004 @07:16AM (#10733120)
    If this is indeed as open as it sounds, then it's a massive step forward. MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

    Whether it's actually this open, and whether they do end up fixing more problems because of it still has to be seen. Past behaviour has me cynical.
    • by blowdart ( 31458 ) on Friday November 05, 2004 @07:28AM (#10733152) Homepage

      MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.

      Hold on. By giving a summary of fixes coming up, thus indicating the fix is already there does not change anything, or do what you suggest. This is not full disclosure of unfixed problems.

      All that's happening is you'll get advanced summaries of what the monthly security updates will contain. They've already fixed it when this happens.

    • More links.... (Score:2, Informative)

      by Anonymous Coward
      Computer Weekly [computerweekly.com]
    • Re:Working links (Score:2, Interesting)

      by ppz003 ( 797487 )
      Does it bother anyone else that the first advisory they post is set for November 9th, the same day as the Firefox [mozilla.org] release, and is for the Microsoft Internet Security and Acceleration (ISA) Server?

      Me thinks an update to the firewall... Block all outbound access for process firefox.exe...
  • by thewonderllama.com ( 828359 ) on Friday November 05, 2004 @07:18AM (#10733126) Homepage Journal
    BitTorrent traffic down to 33% of all internet traffic.... 28%... 22%... ~BS
    • Expect to see Microsoft's own proprietary, Media company friendly, extension to Bittorrent to be included with next update to IE or MP... they want to control the traffic... to just those torrents officially published by the Media companies with access to them paid for and fully DRM'd...
  • Who cares? (Score:3, Interesting)

    by sridev ( 663490 ) on Friday November 05, 2004 @07:22AM (#10733137)
    Was anyone really waiting for this to happen?

    I'm fine with the automatic Windows update!
    • Re:Who cares? (Score:3, Insightful)

      by metlin ( 258108 ) *
      Well, it had to happen eventually.

      I suspect that they came under a lot of fire for not having opened it up to everyone, especially since it would help alleviate a lot of the issues due to vulnerabilities, particularly worms.

      Good thing, at least they listen :-)
    • Re:Who cares? (Score:5, Interesting)

      by julesh ( 229690 ) on Friday November 05, 2004 @07:52AM (#10733214)
      I'm fine with the automatic Windows update!

      That's what I thought until it stopped downloading patches for me without notification or error message (turns out I had failed to download an update that was labelled as non-critical which included a patch for BITS, which automatic update relies on, and it therefore stopped working... apply that patch and suddenly I had about two months' worth of critical updates coming down all at once).
      • Wow. You have it a lot better than me. I have automatic updates on and haven't noticed anything different. When it does try to download patches, it takes forever and I finally have to go download it myself. I think it would be nice if Microsoft secured their OS before they shipped it so we didn't have to worry about this.
    • Re:Who cares? (Score:2, Insightful)

      by Anonymous Coward
      Corporate sysadmins care. If you have three days warning of a really urgent patch, then you get to plan the patching better: notify users, set up testing, arrange overtime etc.
  • Hmmm (Score:3, Funny)

    by pmc255 ( 828453 ) on Friday November 05, 2004 @07:27AM (#10733151)
    Considering the high amount, this could be considered a new form of spam ;)
  • by gowen ( 141411 ) <gwowen@gmail.com> on Friday November 05, 2004 @07:30AM (#10733159) Homepage Journal
    ... because before I was having to use an unpatched backdoor in IIS in order to access the webpages detailing the latest vulnerabilities.
  • I donno (Score:1, Funny)

    by lakiolen ( 785856 )
    ... that I would want to sign up for that. I don't think my mail server would be able to handle the strain.
  • by dago ( 25724 ) on Friday November 05, 2004 @07:45AM (#10733197)
    What they will do is pre-announce the forthcoming security bulletins 3 days in advance, and without details.

    So, on Saturdays, every 3 months, you'll get something like: Next Tuesday, there will be 5 new vulnerabilities, 2 of them being critical.

  • I don't already get enough email.
  • by supercytro ( 527265 ) on Friday November 05, 2004 @07:56AM (#10733224)
    "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them"
    ...and people thought spam was bad. Prepare to find mail-bombed by MS:-)

    Anyways, yes, I'm being facetious. This is a good announcement for everyone. I could never understand what the logic was by trying to hide what vulnerabilities were fixed in an update. This should allow those in charge of admin to reasonably evaluate the state and impact of the updates and vulnerability.
  • When I get up in the morning, I always drink my coffee over the Daily Vulnerability Report.
  • No real difference (Score:5, Insightful)

    by dcam ( 615646 ) <david&uberconcept,com> on Friday November 05, 2004 @08:14AM (#10733264) Homepage
    From the Article all this means that you get an extra 3 days notice before the monthly release of security bulletins. What is the point of that?

    The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle. The current MS situation means that you are vulnerable for up to a month (if not more).

    Microsoft's initial assumption that viruses & scripts are released only when the patch is released is largely flawed.
    • The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle.

      What's to be gained from that? "There's a critical IIS vulnerability that allows remote attackers to take complete control of your computer. Sorry, no patch yet. We recommend firewalling ports 80 and 443 or disabling IIS on your web server."

      Recently, at least, MS has been telling us in a

    • You are correct: all vendors should release fixes and patches as soon as they've been internally "blessed". The problem with Windows however is that patching is such a pain. Almost none of their server technology can be "conditionally restarted". Almost none of their kernel modifications are actually put "installed" until the reboot. What is just as bad is you have to reboot again to roll back.

      I do realize the importance of getting fixes, especially vulnerability in a very timely manner but because of
      • If you update your Linux kernel, you have to reboot too.

        Most MS patches for non-Kernel things (although the "kernel" does tend to touch a lot more than the *nix ones.) can deal with a service restart too.
  • by neko9 ( 743554 ) on Friday November 05, 2004 @08:18AM (#10733274)
    more like from the open-doors-closed-windows dept.
  • Does this mean I should be able to get a program/script soon to download updates automatically to a directory on my Linux server for distribution at my pleasure? Or can I get that already? Basically I'm just wanting a way to download the new updates for certain versions of Windows, then maybe some form of notification that I have a new update sitting around. This is mostly to help with servicing a lot of customer PCs
    • Assuming this is a serious question, I don't play around with Windows much but I do recall that the Windows updates were available as standard HTTP/FTP downloads somewhere on Microsoft's web site, outside of Windows Update.

      Assuming that's still the case and you can find out where they are, you could always use a program like wget on the BASH command-line to retrieve them (or any HTTP/FTP document or file).

      Writing a script around that to determine what's available and what's been updated, as well as emai

    • Re:Scripted Updates (Score:5, Informative)

      by pandrijeczko ( 588093 ) on Friday November 05, 2004 @09:11AM (#10733423)
      PS. If you're new to shell-scripting or if you just want a collection of good useful scripts, you cannot IMHO do better than Wicked Cool Shell Scripts [intuitive.com] which has about 100 example scripts, a couple of which show how to do neat stuff with wget and the Lynx browser in command-line mode.
    • Whilst it's not what you ask for, how about a Windows solution.

      Ok, have you stopped laughing? Windows SUS [microsoft.com] (software update services) will pull down all those nice updates.

    • It's a little different from what you're talking about, but check out Daisy [vt.edu]. It's basically an Open Source version of MS' Windows Update program (SUS, I think?) -- it runs on a Windows computer, and periodically checks an archive you maintain of patches to apply. It'll do the right thing -- apply 'em at once, reboot, email you the results and so on. I have yet to set it up at work, but that's lack of time, not lack of interest.

    • Re:Scripted Updates (Score:2, Informative)

      by HydrusZ ( 539461 )
      You've been able to do this for a long time using SUS [microsoft.com]. It's a personal, configurable Windows Update server. Of course, you need a Windows server with IIS to use it.

      Updates have always been available for download through http://support.microsoft.com [microsoft.com], but they are not stored in any central area that you can get to programmatically. But this is why Microsoft only releases updates once a month. You know exactly what day you'll get the security newsletter on, and all you have to do is follow the link and do
  • by pandrijeczko ( 588093 ) on Friday November 05, 2004 @09:31AM (#10733516)
    ...there's a vulnerability in Microsoft Vulnerability Notification that causes Microsoft Vulnerability Notification to send out spurious vulnerability notifications?
    • Then vulnerability notifications regarding vulnerable vulnerability notifications won't get out, leading to more vulnerabilities in the vulnerability notification service, leading to more false vulnerabilities, causing vulnerabilities to be vulnerable?
  • For MS to open up Access to vulnerabilities? I mean, what gives? They did so well in opening Outlook to vulnerabilities years ago. I hope someone got fired for this blatant slacking off.

    Oh wait...

  • by Anonymous Coward
    "Windows XP Service Pack 2 can help. Download and evaluate it for free TODAY."

    Sure, sure. And if you don't like it, you can fucking reformat your drive to get rid of it. That's like testing a rocket engine on your car, and you just run the thing into a brick wall to get it stopped. Awesome.

    Anyway, I don't see how this is going to help anyone. Telling Goatse man that his anus is gaping wide open doesn't address the actual gaping anus. It just makes him aware of the gaping anus, and he's likely to tell yo
  • You just have to sign a non disclosure agreements to know about vulnerabilities first? Or pay some token fee??? *BOGGLE*

    You mean, spammers and spyware makers get notified of vulnerabilities *first* and if they abuse the vulnerabilities while keeping their mouth shut they can get away with it?

    That's worse than I thought... Microsoft is handing the malware people the backdoor of the week on a silvery plate *before we know it exists*.

    I'm visualizing a malware server doing its evil job, and getting a "backd
  • very troubling (Score:2, Insightful)

    by Anonymous Coward

    It's very troubling that they haven't been disclosing these vulnerabilities all along.

    MS clearly has a culture that encouraged secrecy (or semi-secrecy) for many years about this. A sudden change in policy does not mean that the underlying culture has changed. It just means that there's now a certain amount of internal grumbling within MS about this new "reckless policy of airing our dirty laundry in public".

    The true problem at MS is a poisonous culture that places a premium on secrecy: Closed source.
  • We already know about the Diebold issues, we're just too lethargic to demand a better democracy.
  • Instead of fixing the flaws that are made public by hackers faster they're going to tell us and those who have malicious intent about more problems more often?
