Microsoft Opens Access to Vulnerability Notifications
joseph schmo writes "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them. Previously, it was only offering early notifications to 'Premier and other 'representative' customers,' or those customers who would sign a Non-disclosure statement."
no posts and already /.'d (Score:3, Funny)
Re:no posts and already /.'d (Score:2, Funny)
Re:no posts and already /.'d (Score:2, Informative)
http://www.computerweekly.com/articles/article.asp?liArticleID=134810&liArticleTypeID=1&liCategoryID=1&liChannelID=13&liFlavourID=1&sSearch=&nPage=1 [computerweekly.com] is a brand new article about MS giving advance notice of security updates, I guess it's the same piece of news.
So? (Score:5, Funny)
Re:So? (Score:2)
Just finally? (Score:3, Insightful)
I guess this is their way of saying... (Score:3, Funny)
Re:I guess this is their way of saying... (Score:1)
Re:I guess this is their way of saying... (Score:1)
It's a cool trick (Score:3, Funny)
Slashdotted (Score:5, Informative)
Re:Karmawhore (Score:1, Funny)
Big deal, how is posting useful information Karmawhoring?
I'm sure that when everyone started out, they've tried getting their karma at least a few times.
At least he's helping everyone out -- it sure as hell beats posting pointless AC comments and adding nothing worthwhile to the discussion.
Re:Karmawhore (Score:1)
If you are unwilling to abide by that CONTRACT you signed, then DON'T SIGN IT!!!!!
The company you work for, if they find out you were the person who broke that contract, can go after the person who broke said contract for among other things, breach of contract.
Other charges can include theft of information, and god forbid
Re:Slashdotted (Score:2, Funny)
bullet in advance -hehe
Re:Slashdotted (Score:1)
'bull etinad vance' is latin...
move along now, nothing to see here.
Self Discipline? (Score:5, Insightful)
Whether it's actually this open, and whether they do end up fixing more problems because of it still has to be seen. Past behaviour has me cynical.
Re:Self Discipline? (Score:5, Insightful)
MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.
Hold on. By giving a summary of fixes coming up, thus indicating the fix is already there does not change anything, or do what you suggest. This is not full disclosure of unfixed problems.
All that's happening is you'll get advanced summaries of what the monthly security updates will contain. They've already fixed it when this happens.
Working links (Score:5, Informative)
Get your early warnings here:
Microsoft Security Bulletin Advance Notification [microsoft.com]
Another news story about it:
More links.... (Score:2, Informative)
Re:Working links (Score:2, Interesting)
Me thinks an update to the firewall... Block all outbound access for process firefox.exe...
They were just jealous (Score:5, Funny)
Re:They were just jealous (Score:2)
Re:They were just jealous (Score:2)
Re:They were just jealous (Score:2)
Who cares? (Score:3, Interesting)
I'm fine with the automatic Windows update!
Re:Who cares? (Score:3, Insightful)
I suspect that they came under a lot of fire for not having opened it up to everyone, especially since it would help alleviate a lot of the issues due to vulnerabilities, particularly worms.
Good thing, at least they listen
Re:Who cares? (Score:5, Interesting)
That's what I thought until it stopped downloading patches for me without notification or error message (turns out I had failed to download an update that was labelled as non-critical which included a patch for BITS, which automatic update relies on, and it therefore stopped working... apply that patch and suddenly I had about two months' worth of critical updates coming down all at once).
Re:Who cares? (Score:1)
Re:Who cares? (Score:2, Insightful)
Hmmm (Score:3, Funny)
Re:Hmmm (Score:2, Funny)
Well, look at the bright side - at least they won't be asking you to grow new boobies.
Re:Who The Hell Uses Microsoft Products Anymore? (Score:1, Funny)
Re:Who The Hell Uses Microsoft Products Anymore? (Score:3, Informative)
About 90% of the world's home/office computer users. Now stop asking stupid questions.
Re:Who The Hell Uses Microsoft Products Anymore? (Score:2)
What, are you saying you need to run both to get an improvement over Windows?
Anyway, yeah I'll switch to OS X. Just hand me the damn hardware.
Re:Who The Hell Uses Microsoft Products Anymore? (Score:4, Insightful)
Compared to what? My PC cost ten times what I can buy XP Pro for. I've personally used software costing hundreds of thousands of pounds.
buggy
Show me a complex piece of software that doesn't suffer from bugs. Linux distributors and Apple also release buggy software (and no, pointing out that most of the software that comes with a Linux distro is written by third parties is not an excuse - the distributor has the source and chooses to include the app. They assume some responsibility for it)
insecure
Put it behind a firewall, keep it up to date with patches, and don't be an idiot about using it - just as you should be doing with any network-aware piece of software.
Hasn't everyone moved on to OS X and Linux?
Actually, I've moved back to Windows having used Linux for a couple of years. No real complaints, it just doesn't run some software I need to use, and most of the things that bugged the shit out of me about Windows have been fixed. The right tool for the right job; in my case, that's currently Windows.
Re:Who The Hell Uses Microsoft Products Anymore? (Score:2)
I personally find an OS X/Windows XP Pro/Linux combination comes in quite handy. Run Linux as the server (storage and security), Windows XP Pro as the desktop (gaming and multimedia) and OS X on a portable (basic apps). All of them can talk to each other just fine, and each excels at what it does.
Re:Who The Hell Uses Microsoft Products Anymore? (Score:1)
US$300K for PC software? (Score:2)
Did you mean this literally? Hundreds (plural) OF thousands?
I presume you're not referring to something like "five thousand pounds per single-PC license, multiplied across 40+ seats" --
because, if that's what you meant, then it would be somewhat misleading.
Just out of curiosity, what PC-based software do you personally use which costs a minimum of 200K *GBP* for a SINGLE user?
Linux costs 699.00!!! (Score:4, Funny)
That's Good... (Score:5, Funny)
I donno (Score:1, Funny)
Re:I donno (Score:1, Funny)
Well, not that interesting (Score:5, Informative)
So, on Saturdays, every 3 months, you'll get something like: Next Tuesday, there will be 5 new vulnerabilities, 2 of them being critical.
As If (Score:1)
Watch network traffic go up (Score:3, Interesting)
Anyways, yes, I'm being facetious. This is a good announcement for everyone. I could never understand what the logic was by trying to hide what vulnerabilities were fixed in an update. This should allow those in charge of admin to reasonably evaluate the state and impact of the updates and vulnerability.
Daily vulnerability (Score:1)
No real difference (Score:5, Insightful)
The problem with the new MS regime of patching cycle is that they did not release information as it became available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle. The current MS situation means that you are vulnerable for up to a month (if not more).
Microsoft's initial assumption that viruses & scripts are released only when the patch is released is largely flawed.
Re:No real difference (Score:3, Insightful)
What's to be gained from that? "There's a critical IIS vulnerability that allows remote attackers to take complete control of your computer. Sorry, no patch yet. We recommend firewalling ports 80 and 443 or disabling IIS on your web server."
Recently, at least, MS has been telling us in a
Half Of The Problem (Score:2)
I do realize the importance of getting fixes, especially vulnerability in a very timely manner but because of
Re:Half Of The Problem (Score:2)
Most MS patches for non-Kernel things (although the "kernel" does tend to touch a lot more than the *nix ones.) can deal with a service restart too.
from the open-doors dept. (Score:4, Funny)
Scripted Updates (Score:1)
Re: (Score:3, Informative)
Comment removed (Score:5, Informative)
Re:Scripted Updates (Score:1)
Whilst it's not what you ask for, how about a Windows solution.
Ok, have you stopped laughing? Windows SUS [microsoft.com] (software update services) will pull down all those nice updates.
Re:Scripted Updates (Score:2)
Re:Scripted Updates (Score:2, Informative)
Updates have always been available for download through http://support.microsoft.com [microsoft.com], but they are not stored in any central area that you can get to programmatically. But this is why Microsoft only releases updates once a month. You know exactly what day you'll get the security newsletter on, and all you have to do is follow the link and do
Comment removed (Score:3, Funny)
Re:But what happens if.... (Score:2, Funny)
It took this long... (Score:2, Funny)
For MS to open up Access to vulnerabilities? I mean, what gives? They did so well in opening Outlook to vulnerabilities years ago. I hope someone got fired for this blatant slacking off.
Oh wait...
The page ad says (Score:2, Funny)
Sure, sure. And if you don't like it, you can fucking reformat your drive to get rid of it. That's like testing a rocket engine on your car, and you just run the thing into a brick wall to get it stopped. Awesome.
Anyway, I don't see how this is going to help anyone. Telling Goatse man that his anus is gaping wide open doesn't address the actual gaping anus. It just makes him aware of the gaping anus, and he's likely to tell yo
Just a non-disclosure agreement? *BOGGLE* (Score:1)
You mean, spammers and spyware makers get notified of vulnerabilities *first* and if they abuse the vulnerabilities while keeping their mouth shut they can get away with it?
That's worse than I thought... Microsoft is handing the malware people the backdoor of the week on a silvery plate *before we know it exists*.
I'm visualizing a malware server doing its evil job, and getting a "backd
very troubling (Score:2, Insightful)
It's very troubling that they haven't been disclosing these vulnerabilities all along.
MS clearly has a culture that encouraged secrecy (or semi-secrecy) for many years about this. A sudden change in policy does not mean that the underlying culture has changed. It just means that there's now a certain amount of internal grumbling within MS about this new "reckless policy of airing our dirty laundry in public".
The true problem at MS is a poisonous culture that places a premium on secrecy: Closed source.
MS Access is a flaw in itself (Score:1)
Re:MS Access is a flaw in itself (Score:1)
I do stand by the parent post however!
so... (Score:1)