
Thread: How long before MS deals with these issues?

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    How long before MS deals with these issues?

    I found this link to eEye's Upcoming Advisories on Full Disclosure. This highlights the issue of patch mechanisms and releasing info on known exploits. Certainly the present patch system isn't working (and MS' particular method of announcing a week beforehand that a patch will be released strikes me as nothing more than marketing).

    To me, there are two issues here: disclosure of known problems and the patch process. I personally believe in full disclosure (the concept) as it makes admins more aware of problems and should, for the most part, help them pay attention to risks. The second issue is one that I truly don't know what the answer is other than perhaps expanding MS' patch team. Evidently, they do not have enough power if it takes more than 3 months (6 months for the most recent ASN vuln) for them to put out solutions to help secure/fix systems.

    Maybe it's just me.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    Microsoft's major problem is that they no longer think like customers. In doing this, they have made the mistake of assuming that what they offer to people, they will automatically want. Marketing is only half-doing its job: That is, it is just finding out what people want NOW.

    What they SHOULD be doing is finding out what people need, and what they'll want and need before they need it. As long as Microsoft plays defense in this way, and always reacts instead of acting, they will never achieve their full potential.

    That is one of the main reasons that Linux and other open source OS's/software is doing as well as it is. It is directed fully by the people's needs and desires, with no real concern for marketing, with the occasional exception. (Although even Red Hat is somewhat returning to Open Source, with the release of Fedora.)

    But what do I know? I'm just an under-grad CS student.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  3. #3
    Let's look at this logically for a moment. Microsoft is a company. Okay, with that being said we really should give them enough credit to know what needs to be done properly. Why? Because customer service isn't a trade secret, it is an accepted standard.

    Thus, I'm betting MS knows full well what is going on and could in fact release patches MUCH sooner, but there is something internal going on. It isn't external and dealing with us, I would bet money on it. We can't presume that the MS coders are dumb, because look at the Windows OS, thus I bet it is quite possible they could fix a patch in a heartbeat.... if it wasn't for internal affairs, permissions, manager setbacks.

    In short, what I am trying to say is that I am quite sure MS is well aware of its situation and of customer appreciation. But that there are internal affairs at work hindering the process the employees are doing to fix and release patches. Tons of hoops to jump through I'm sure that only come from internal bad management.

    I mean, let's be serious here. It isn't like their patches being slow are a secret, I'm sure they know but something we can't grasp or take into consideration is that something may be hindering them unseen to us.

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Imho, the subject of full disclosure will always be a difficult subject. On the one hand, I believe what MsMittens says is a very powerful argument for full disclosure. On the other, releasing known vulnerabilities goes against one of the main security-related ethoses of need to know. Does Joe Public need to know every issue that is found? Announcing a problem must put dangerous information into the hands of dangerous people, who otherwise may have to go look for this information, thus giving the people whose job it is to fix these problems time to find a fix.

    To give you an example of the need-to-know ethos: I was a military radio operator for some years, and one of the pieces of equipment I used was known by three letters. As I did not need to know what those three letters stood for, and only how to use the kit, I was never told what those three letters stood for. I did find out in the end, but it took nearly six years.

    OK, so that shows a level of paranoia, but it does show how effective need to know can be. I also accept that this type of ethos can hinder investigation when problems are found. But then I did say it was a difficult subject in the beginning.

    Just a few thoughts.

    Jinxy.

  5. #5
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    Joe Public? Joe Public is no threat if he gets his hands on information that is already available to everyone else.

    Let's be honest here, sysadmins will be paying MUCH closer attention to this information than Joe Average will be, and occasionally we might get another MSBlaster. When we do, the vulnerability has been known about for quite some time, the then old patches are in place, and there's nothing to worry about, except for a few minor exceptions.

    The real problem is when Microsoft acknowledges these problems in a very minor way that is rarely recognized largely, but just picked up by a few admins and the occasional worm writer. THAT's where the problem comes in, IMHO.

    Also, while it WILL increase the danger because more vulnerabilities are known, I am sure that it will also make things much more secure by the same token. I believe that over-all, life would be safer. There'd at least be the "I told you so" stance.

    Sun Tzu, I see your point, but that's still a short-coming of Microsoft that they could have, and should have, over-come by now. Exchanging one short-coming for another doesn't really matter, there's still the flaw.

    "Just because it's better doesn't mean it's perfect."

  6. #6
    Junior Member
    Join Date
    Dec 2003
    Posts
    7
    Hello,

    I am extremely frustrated by the vagueness of the language "may allow an attacker to execute code remotely".

    So what kind of "code execution" are we talking about? How far into my PC could someone penetrate when exploiting a hole like this? I mean could these holes offer the ability to someone to read all my files? Create user accounts and gain remote access? Or are we talking stuff more on the level of annoyances, such as the NTAUTHORITY restart glitch, msblast, etc? Things like that?

    I can't seem to find a clear and straight answer on exactly what capabilities or access - at a user, program, or file level - this kind of a hole gives a potential attacker.

    Could someone clear this up or point me to a URL with info?

    Thanks!

  7. #7
    I disagree SonofGalen. And allow me to explain.

    1. Exploit is found by MS and published

    2. Thousands of kiddies boot up VB and write the next worm/exploit automagic script

    3. ???

    4. Hell breaks loose again

    Or, perhaps they see it like this, which actually works:


    1. MS finds an exploit (or bugtraq) but doesn't publish full information. And since they are the only ones with full information, the finer details are left out.

    2. Kiddies sit back and continue using old programs for older exploits out a few years ago.

    3. ???

    4. No one gets hurt because the finer points are removed from the scripties' accessible toolkit.

    See what I am saying? While yes there will be people out there that can penetrate and make use of the exploit because of their skill level, they are not the majority. Script kiddies are. Thus, by eliminating that extra bit of information until a good patch is released they can ward off the kiddies. I see your point as well, but sometimes will call for STRAIGHT forward information while others need to be kept away from public's view. And I agree, it is an MS flaw, but we should at least be aware of the correct flaw.

    Originally posted here by vibronic

    I am extremely frustrated by the vagueness of the language "may allow an attacker to execute code remotely".

    So what kind of "code execution" are we talking about?

    When patches are released, there is an option to read about the entire patch just to the left of "add to list". It will give a full summary of what is wrong, how it is an exploit, and how the patch fixes that. Finding information on specifics before the patch is usually difficult because MS holds those finer details, as I explained above.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Pooh, I have to disagree with this:

    1. MS finds an exploit (or bugtraq) but doesn't publish full information. And since they are the only ones with full information, the finer details are left out.

    2. Kiddies sit back and continue using old programs for older exploits out a few years ago.

    3. ???

    4. No one gets hurt because the finer points are removed from the scripties' accessible toolkit.

    This kind of logic is flawed because it assumes that ONLY MS found the exploit. What about the ones that do know and use it? Why not state what the particular flaw is and suggest a work-around until the patch is released? At least address it for those that will need to fix it because someone will get hurt. They don't need to release POC but at least state where the problem is so that if I want to defend myself I can. It's not Joe Public that has millions of dollars to protect (although Joe Public may be worth that as a group). It's the administrators who have to protect company image to the stockholders.

    *shrug* Maybe it's just me. There is, however, still a flaw with the particular patch system (the Sapphire worm certainly brought that out when MS hadn't even patched their systems). And perhaps that is part of MS' problem.

  9. #9
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    1. MS finds an exploit (or bugtraq) but doesn't publish full information. And since they are the only ones with full information, the finer details are left out.

    2. Kiddies sit back and continue using old programs for older exploits out a few years ago.

    3. ???

    4. No one gets hurt because the finer points are removed from the scripties' accessible toolkit.

    It sounds to me like you're saying this is what they're doing now, and defending it. If this is the case, then it seems rather flawed to me. It seems fairly obvious that people are getting hurt, and "all hell" breaks loose anyway.

    If they release all of the code, here's what I see as happening:

    1. MS finds an exploit and fully publishes all of the information.

    2.1. Thousands of script kiddies find it and write VB code for it.

    2.2 At the same time, hundreds of thousands of admins find it, patch for it and take precautions.

    3. ???

    4. Thousands of programs are released, and almost all of them are impotent. The ones that aren't are coupled with something else (not yet discovered), so it would have been dangerous anyway, OR they wouldn't really be a script kiddie.
    If I'm missing something, please point it out. This is just my opinion.

  10. #10
    It sounds to me like you're saying this is what they're doing now, and defending it.

    That is correct. The reason why is because despite the information being publicly figured out, there are no major side effects going on. Sure, the info and the notices and what have you, but no large scale interruption to the system because of that exploit. Yes, there is a virus or two running around rampant but that only began once MS released their full security advisory on it.

    So while I do see your point, I still see a valid "on a need-to-know basis". If the full details are withheld (and trust me, I dare someone to even try all of these scary exploits on me) then the kiddies can't get to it until a patch is released. Because if an exploit is fully published and a patch not released soon afterwards then of course the exploit will be taken advantage of. What does this mean? As in your above example you are assuming that by publishing their information that means they are also releasing a patch, and thus the admins patch while the scripties script. But that isn't how it works. MS holds information and doesn't release full exploit information until the patch is released. IF, in fact, they released all exploit information and then went to work on the patch.... the exploit would be across the board.

    They learned this with their OOB on XP and 95. Don't disclose full information until a patch is ready, because it is *that* many less scripties trying to exploit a hole not yet fixed and fully understandable. Good conversation by the way. So while I agree with you on making it public information and releasing a patch, don't forget that MS won't release information until they release a patch. Good, Bad? Seems to be working, even if that means it is coming in slow.
