Security Microsoft Operating Systems Software Windows

MS To Share Vulnerability Details Ahead of Patches 27

Bridge to Nowhere writes "ZDNet is reporting that Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks. The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities."
  • by Zygfryd ( 856098 ) on Tuesday August 05, 2008 @10:33AM (#24479729)

    the Metasploit project gets into this deal!

  • Leaks guaranteed (Score:5, Insightful)

    by SanderDJ ( 1004445 ) on Tuesday August 05, 2008 @10:34AM (#24479749)
    According to TFA MS has some strict requirements for its intended partners. However, history has shown that the more people know a "secret", the sooner it will be revealed. Not a good thing when fighting zero-day exploits.

    I foresee disasters.

  • This actually makes sense! This could actually be beneficial to cyber security! Who would have ever thought?
  • by jhfry ( 829244 ) on Tuesday August 05, 2008 @10:50AM (#24479969)

    Why would MS, if they know about the problem and are planning a patch for it, let the security vendors know? Essentially that would make the vendors a stopgap until the patch is released a few days later.

    Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday? All this does is shift the blame for a bad fix to the security vendor, who has a much smaller understanding of the problem's cause and potential effects.

    I am so tired of shoddy software from the richest company in the world; there is absolutely no excuse for it! With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee nigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.

    I am not a big fan of regulation; however, I believe that any company that creates an unsafe product needs to be penalized, even if that product is software. Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalism, security management costs etc... Almost all of which could have been prevented using the resources available to them.

    • Because there's less money to be made doing it that way? Face it... until forced, any for-profit company will always take the path that provides the most cash for the least investment.
      • Then you could simply cash in for having a buggy product? Who would've thought!
      • You're almost right. It's not that there's less money to be made, but more money to be lost. Many people will install the early version of the patches, but compatibility problems may not have been found by Microsoft's labs, and they'll be faced with increased calls and further bad press about how a "bad" patch was released, when in fact it was still a QA-level patch and not really ready for release.

    • Re: (Score:2, Interesting)

      by magamiako1 ( 1026318 )
      jhfry:

      Do you understand why they are doing this? Many malware creations out there, time and time again, the biggest ones have been a result of unpatched systems and vulnerabilities released by the vendor. *EVERYONE* watches these vulnerability reports, including malware writers.

      And when I say "malware writers", I don't mean the geeky kid sitting at his computer finding holes in software. I mean the guys that are out there to do it for a profit and are farther down the food chain.

      The way this chain works in
      • by jhfry ( 829244 ) on Tuesday August 05, 2008 @04:49PM (#24486641)

        I do understand the why... but you're explaining the why in the current situation that was created by MS's... failures?

        Had MS spent more time developing good software with sane security there would be a far lower amount of risk.

        Besides that, what makes you think that a machine that is unpatched will have current virus definitions? If MS hadn't convinced people that viruses are not the fault of the software vendor and convinced them that they needed special virus protection, people would be much more in the habit of keeping systems patched. If MS didn't force unnecessary and unwanted patches along with the highly important security patches, people would be much more in the habit of keeping systems patched.

        Essentially what MS is doing is suggesting that their patch system is inadequate, and instead of fixing it they are going to leave it up to AV vendors to ensure that Windows users' operating systems are secure. If you ask me it's absolute bullshit!

        A good system for distributing security patches is not that difficult. A method of ranking patches by risk to operational stability vs risk of attack is not that difficult. A way for an administrator to choose how much risk they are willing to accept is not that difficult.

        So why not have a system where my server can check for new patches every few hours, and those patches include risk scores dependent upon the function of the system... if I want to get all patches and keep myself secure but risk instability I can... if I would rather wait until the patch has been widely deployed and is considered low risk, I can configure that too. Why involve a third party? Why should the security of my operating system be the responsibility of someone who has no control of the internal workings of my OS?

        It's easy to justify what MS does; after all, Windows is one hell of a complex piece of software. But we are talking about a company that has more resources than many small countries and has their software deployed on billions of computers worldwide. They can do better, and they should!

        • I am mostly happy that MS has traditionally been focused on short term gains rather than security.

          It has helped a bunch of people to develop open source OSes and communities, which I think are fantastic.

          Aside: I would love to see MS eat Yahoo - I think it would be poison pill.
    • Re: (Score:2, Interesting)

      by magamiako1 ( 1026318 )
      And a 2nd post on your other points:

      Medical software usually does one thing, and one thing only. The software powering those huge, big tin medical components will only ever need to do that one thing. You're not going to use an X-Ray scanner machine to monitor someone's heart rate and pulse.

      On the contrary, the average desktop computer is used for everything from gaming, to video editing, photo editing, film production, office applications, etc. And rather than a focus being on "closed-source, hyper security
      • by jhfry ( 829244 )

        Medical equipment software, space shuttle navigation software, and other robust software, though very narrow in scope, is no different than Windows. It's all the same stuff at its core... it's just the quantity that differs. I realize that to create something on the scale of Windows following the development practices used in the medical, aviation, and similar industries would be very time consuming and expensive. But like anything else these days, Windows is modular, and as such this type of work could

    • Re: (Score:2, Informative)

      by mrboyd ( 1211932 )
      Maybe they don't due to the fact that medical equipment and lunar probes have a much more limited feature set than say Microsoft Word and they cost orders of magnitude more money to put together.

      If you are ready to have a fairly limited-in-scope operating system running on "state of the art" hardware (read: created somewhere in the 1970s), there are some options for you if you have the cash.

      But of course you probably don't and you expect your operating system to run your crappy non fault-tolerant hard
      • Re: (Score:3, Interesting)

        by jhfry ( 829244 )

        You're simply justifying Microsoft's incompetence.

        I realize that I'm being a bit of an idealist... but seriously, when did it become OK for anyone to just do the bare minimum necessary to make a buck. Microsoft has repeatedly failed to go beyond what was required to keep them ahead of the competition, and they didn't do it by creating a better product than the competition in most cases.

        I am sure you have heard "WITH GREAT POWER THERE MUST ALSO COME - - GREAT RESPONSIBILITY" (Stan Lee). It's a bit cliche, but

    • Re: (Score:3, Interesting)

      by Allador ( 537449 )

      I don't think you have a realistic view of the software world.

      Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday.

      Because in most cases, this causes more problems than it solves. Huge, huge numbers of people blindly apply (or fast-track with minimal testing) critical security patches. If they make 'stop-gap' patches, they will have a high failure rate (since they're rushed).

      So as the software vendor, you're faced with a cost-benefit judgement call. How serious is the exploit? How actively are exploits occurring in the wild? Compare that against the cost

      • by jhfry ( 829244 )

        I have posted a ton of replies, so I'm not gonna respond to everything you said... but there is one area that I can see things improved.

        As far as patching risk analysis is concerned... why couldn't MS do this for us?

        For example, they score each and every patch based upon several factors: successful installations, exploit risk, stability risk, etc. Additionally, they assess the risk based upon the function of the target system, so that patches to IIS score higher for machines that are primarily a web server a
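The risk-scored patch policy that jhfry sketches in the two comments above (rank each patch by exploit risk against stability risk, weight it by the role of the target machine, and let the administrator set how much instability to accept) written out as an added example. This is constructed illustration, not Microsoft's update client, any real tool, or code from anyone in the thread; the patch identifiers, the role-to-component mapping, the scores and the thresholds are all assumed values.

```python
"""Added example: a risk-scored patch policy of the kind sketched in the thread.

Constructed illustration, not Microsoft's update client or any real tool.
Patch identifiers, scores, roles and thresholds are all made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    kb: str                   # placeholder id, not a real KB number
    components: frozenset     # software the patch touches, e.g. {"iis"}
    exploit_risk: int         # 0-10, higher = exploited in the wild / trivial to exploit
    stability_risk: int       # 0-10, higher = more compatibility problems reported
    successful_installs: int  # installs reported back from the field so far


@dataclass(frozen=True)
class HostPolicy:
    roles: frozenset          # what the machine does, e.g. {"web"}
    max_stability_risk: int   # the admin's tolerance for a risky patch (0-10)
    mature_installs: int      # field installs after which a patch counts as proven


# Which components each host role depends on (constructed mapping).
ROLE_COMPONENTS = {
    "web": {"iis", "http.sys"},
    "mail": {"exchange", "smtp"},
    "workstation": {"office", "ie", "media_player"},
}
CORE_COMPONENTS = {"kernel", "rpc"}  # relevant to every host regardless of role


def relevance(patch, policy):
    """Weight a patch by how much this host depends on what it fixes."""
    if patch.components & CORE_COMPONENTS:
        return 1.0
    for role in policy.roles:
        if patch.components & ROLE_COMPONENTS.get(role, set()):
            return 1.0
    return 0.5  # installed, but not central to this host's function


def threat(patch, policy):
    """Exploit risk scaled by relevance: an IIS hole matters more on a web server."""
    return patch.exploit_risk * relevance(patch, policy)


def decide(patch, policy):
    """Return 'install' or 'defer' for one patch under one host's policy.

    Rules, in order:
      1. A highly relevant, highly exploitable hole is installed regardless of
         stability risk: being attacked costs more than a possible bad reboot.
      2. Otherwise a patch above the admin's stability tolerance waits until
         enough other sites have installed it successfully.
      3. Everything else is installed.
    """
    if threat(patch, policy) >= 8:
        return "install"
    unproven = patch.successful_installs < policy.mature_installs
    if patch.stability_risk > policy.max_stability_risk and unproven:
        return "defer"
    return "install"


def plan(patches, policy):
    """Order patches by threat to this host and attach a decision to each."""
    ordered = sorted(patches, key=lambda p: threat(p, policy), reverse=True)
    return [(p.kb, decide(p, policy)) for p in ordered]


# Constructed sample data: four patches and two differently configured hosts.
PATCHES = [
    Patch("KB-EXAMPLE-1", frozenset({"iis"}), 9, 7, 500),
    Patch("KB-EXAMPLE-2", frozenset({"media_player"}), 6, 2, 2_000_000),
    Patch("KB-EXAMPLE-3", frozenset({"office"}), 5, 8, 50),
    Patch("KB-EXAMPLE-4", frozenset({"kernel"}), 7, 6, 3_000_000),
]
WEB_SERVER = HostPolicy(frozenset({"web"}), max_stability_risk=4, mature_installs=100_000)
WORKSTATION = HostPolicy(frozenset({"workstation"}), max_stability_risk=3, mature_installs=100_000)

if __name__ == "__main__":
    for name, host in (("web server", WEB_SERVER), ("workstation", WORKSTATION)):
        print(name)
        for kb, action in plan(PATCHES, host):
            print(f"  {kb}: {action}")
```

The same four patches produce different orderings and decisions on the web server and the workstation, which is the point the comments make: the risky IIS fix goes straight onto the web server but waits on the workstation, while the well-travelled kernel fix is accepted everywhere despite its stability score. The one input a real deployment would have to protect is the successful-install count, since that telemetry is what lets a risky patch mature into an acceptable one.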

  • I'm an admin, I have lots of boxes to look after as well as my own and I need to know about potential vulnerabilities before they hit my machines. Where do I sign up?
