Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750
From: Me2 (nospam_at_nospam.com)
Date: 10/07/03
- Next message: Lou Rosse: "Re: OE blocks MS Security patches"
- Previous message: Mow Green: "Re: Ad-aware Update 01R224 06.10.2003"
- In reply to: George (Bindar Dundat): "Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750"
- Next in thread: whoever: "Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 Oct 2003 01:13:02 -0700
Yes, it was educational for many. Do we expect a Blaster or Swen II from
the latest MS03-040 to hit any day now? The patch must be released (a
chicken and egg kind of thing will always happen) - exploits will follow.
Is there some secret way to get the patch out - to all systems?
Considering the number of "I have a virus/spam problem" posts on this
newsgroup, I wonder what exactly is the installation percentage of MS03-039
or MS03-040? I know at least two home users who are scared to install ANY
updates - the AV subscription update screens and popups are all too
confusing... Just two in the ocean of PCs on the net.
I'm sure Microsoft has an idea. But they won't tell.
* * * *
I remember - - - - The cigarette companies kind of did a similar thing to
Microsoft's current actions. At first they said nothing about cancer.
[It's better for sales to not even mention the word cancer.] Then the
public caught on, and they had to say something like "well it's a minor
problem and we are working on - research..." and "we hold our customers in
the highest regards..." something like that.
Me out
"George (Bindar Dundat)" <JustMe@nothome.net> wrote in message
news:u8FdHVKjDHA.1964@TK2MSFTNGP12.phx.gbl...
> The fact remains that there was no active exploit until AFTER the announcement.
>
> --
> George (Bindar Dundat ©) MS-MVP
> This information is provided "AS IS"
> It may even be wrong!
> For Windows Troubleshooting Tips see;
> 9x/ME http://aumha.org/win4/a/tshoot.htm
> 2000/XP http://aumha.org/win5/a/tshoot.htm
> "Me2" <nospam@nospam.com> wrote in message
> news:eQik14JjDHA.220@tk2msftngp13.phx.gbl...
> | George,
> |
> | You know what? My company's assets were protected because we knew about
> | the RPC vulnerability - a lot of others had problems - but we did not.
> | Sorry to hear that some did not take appropriate steps to protect their
> | assets when the information was released. If there was not enough time to
> | install the patch, they could have been ready to pull the ISP plug.
> |
> | If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
> | nothing. The minute a critter starts ripping into your assets - YOU will
> | want to know all that Microsoft can tell you, unless you let them off the
> | hook...
> |
> | Me out
> |
> |
> | "George (Bindar Dundat)" <JustMe@nothome.net> wrote in message
> | news:%2312jKsJjDHA.1964@TK2MSFTNGP12.phx.gbl...
> | > From the moment Microsoft published the details of the RPC vulnerability we
> | > could have started a pool on what date there would be an actual attack. From
> | > that moment on it was a "given" that there would be one. Many operations need a
> | > considerable lead time to institute patches to the company system. In large
> | > organizations, they can not simply install the patch. It has to go through
> | > testing within the company itself and in this particular case there were further
> | > delays while the legal departments studied the EULA. Making too many details
> | > public or making a big issue of it simply means that these companies do not
> | > have time to institute the patches quickly enough to avoid the problem. As we
> | > have been trying to say, publicity can have some undesirable side effects. They
> | > would be better off to say that there was a security patch available and not
> | > give any details.
> | >
> | > --
> | > George (Bindar Dundat ©) MS-MVP
> | > This information is provided "AS IS"
> | > It may even be wrong!
> | > For Windows Troubleshooting Tips see;
> | > 9x/ME http://aumha.org/win4/a/tshoot.htm
> | > 2000/XP http://aumha.org/win5/a/tshoot.htm
> | > "Me2" <nospam@nospam.com> wrote in message
> | > news:e7P$0fJjDHA.1668@TK2MSFTNGP12.phx.gbl...
> | > | Whoever, Jim,
> | > |
> | > | Your arguments are biased to protect Microsoft's assets, not yours or the
> | > | company you work for.
> | > |
> | > | "Jim Eshelman" wrote:
> | > | > Within the company for which I work -- about 6,000 end-users that we
> | > | > service -- the moment a new Critical Update appears there is a rapid move
> | > | > to deploy it on the servers, and then turn to the question of whether or not to
> | > | > inform the end-users. By that time there is pretty much always an updated
> | > | > virus definition file from our AV provider, and therefore there is no reason
> | > | > to say anything further to the end-users. We've already set up the mechanism
> | > | > whereby the AV software is in place and the definition files are
> | > | > automatically updated every time the machine hits the Internet.
> | > |
> | > | If a new worm/virus is starting to infect machines across the world -
> | > | spewing out your personal documents as spam or deleting hard drives - and
> | > | your company happens to be one of the first to be targeted, what do you do?
> | > | Jim might say: "...the moment a new Critical Update appears there is a rapid
> | > | move to deploy it on the servers, and then turn to the question of whether
> | > | or not to inform the end-users. By that time there is pretty much always an
> | > | updated virus definition file from our AV provider..." Excuse me?
> | > | What? --- No, that's not what you would do. You would want to know RIGHT
> | > | NOW how to prevent infection/replication, pull the plug on the servers, or
> | > | get the fire ax and cut the ISP cable.
> | > |
> | > | And if we have this drummed in "Microsoft is special - they should say
> | > | nothing" convention - Microsoft will be telling you - nothing. How nice.
> | > |
> | > | In the meantime you are scrambling to get information from your AV
> | > | provider - who does not have a scan for the bug yet - in fact you are one of
> | > | the first to report the bug. What do you do? There are some newsgroups...
> | > |
> | > | Whoever wrote:
> | > | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
> | > | > > refusing to alert the general public - as long as there are specific
> | > | > > steps that can be taken to mitigate the risk.
> | > |
> | > | There are ALWAYS specific steps that can be taken to mitigate the risk!
> | > | Pull the plug for one. Shutdown the ISP connection. Stop using program
> | > | xyz. Block feature X, etc.
> | > |
> | > | In one hour, 10% of Jim's 6000 machines have already been infected. (You
> | > | may have 200 offices around the country or world connected via different
> | > | ISPs). Jim's managers say "Stop this thing now!" The AV vendor is working
> | > | on a scan/repair tool. So you call Microsoft, who says "we know nothing"
> | > | (and we won't tell if we did), "sorry, it's not our problem" - "call your AV
> | > | vendor" (damn, you already did that.), "you can post on
> | > | microsoft.public.security if you like". "Have a nice day..."
> | > |
> | > | Worst case scenario: The infection spreads. You had to shutdown ISP
> | > | connections, servers and what not. Eventually you get the thing under
> | > | control. The next day the AV vendor releases a scan/repair tool. You got
> | > | it mostly under control. There are some nagging problem sites. But then
> | > | the bombshell hits - many of your company documents and employee SSNs and
> | > | stuff start showing up on the Internet.
> | > |
> | > | Other organizations around the globe were spared most of the damage because
> | > | security folks and AV vendors figured out how to block it (possibly with the
> | > | help of Microsoft - behind the scenes of course, because they can't be seen
> | > | involving themselves in anti virus issues affecting their products).
> | > |
> | > | At this time Microsoft chimes in publicly - "We have a patch for a new
> | > | vulnerability. We knew about the problem for months and were working on a
> | > | patch. We worked real hard to get the patch out today (three days after
> | > | Jim's company was hit)." "Oh by the way, if you can't apply the patch right
> | > | away, just shutdown the browser service." Microsoft says nothing about the
> | > | worm. In fact, since only 10,000 machines were hit - they don't even post
> | > | the fact that the patch was rushed out to address the worm that hit Jim's
> | > | company. "You know how bad it would be if Microsoft talked directly about a
> | > | specific bug on their security pages..." Customers should just find out
> | > | about the worm from the hundreds of news articles (the news articles all use
> | > | the worm name in their headlines).
> | > |
> | > | At this point Jim is saying "WHAT! Microsoft knew about the vulnerability
> | > | and how to mitigate it by shutting down the browser service and did not tell
> | > | us that!!! What gall!!" Jim loses his job - But Microsoft did the right
> | > | thing by saying nothing. How nice for Microsoft sales...
> | > |
> | > | The managers at Jim's old company are hopping mad at Microsoft. What is
> | > | this crap? Why didn't Microsoft tell us about the problem with the browser
> | > | service when we called? Let's sue...
> | > |
> | > | [... he, he, he, we have that license agreement protection...]
> | > |
> | > | * * * *
> | > |
> | > | Sorry, the whole security thing is getting to me. I don't know where it's
> | > | all going. Some thoughts: It seems to me that the guys and gals who help
> | > | the hapless users in these security/virus newsgroups are like angels working
> | > | in a kind of hell. Every other post is from a user complaining about a
> | > | broken computer with a virus, spam, hijack, or virus infected message to fix
> | > | the virus that brings on another virus. There is no end in sight. When
> | > | will the posts slow down? Will it get worse? This must only be the very
> | > | tip of the iceberg...
> | > |
> | > | Me out
> | > |
> | > | "Jim Eshelman" <newsgroups@aumha.org> wrote in message
> | > | news:%23tM$YXGjDHA.2704@TK2MSFTNGP10.phx.gbl...
> | > | > whoever wrote:
> | > | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
> | > | > > refusing to alert the general public - as long as there are specific
> | > | > > steps that can be taken to mitigate the risk.
> | > | >
> | > | > The last phrase is, I think, the main one. There are two considerations,
> | > | > though, that I think it's just possible some folks aren't getting:
> | > | >
> | > | > (1) The existence of a single exploit already in the wild doesn't mean that
> | > | > other exploits couldn't be launched. The fact that there is a single worm
> | > | > out there doesn't mean that, given sufficient resources, there wouldn't be
> | > | > others. The risk is still quite high, therefore, that publishing information
> | > | > about an exploit would invite more exploitations. For that reason, it seems
> | > | > like a very bad idea.
> | > | >
> | > | > (2) If it is only the single worm that concerns you -- the one already "in
> | > | > the wild" -- then this should be handled by the AV companies. That's the
> | > | > correct way to protect against a single known agent and its variants, and to
> | > | > clean them if they're already present.
> | > | >
> | > | > Within the company for which I work -- about 6,000 end-users that we
> | > | > service -- the moment a new Critical Update appears there is a rapid move
> | > | > to deploy it on the servers, and then turn to the question of whether or not to
> | > | > inform the end-users. By that time there is pretty much always an updated
> | > | > virus definition file from our AV provider, and therefore there is no reason
> | > | > to say anything further to the end-users. We've already set up the mechanism
> | > | > whereby the AV software is in place and the definition files are
> | > | > automatically updated every time the machine hits the Internet.
> | > | >
> | > | > And that's the way it should be on *everyone's* system -- a good AV product
> | > | > installed that updates itself automatically and frequently and checks in
> | > | > real-time as you are working. With that in place, why is it necessary for MS
> | > | > to duplicate what the AV companies are doing, and possibly increase the risk
> | > | > of further exploits?
> | > | >
> | > | > > It seems to me that at least some (if not all) of the high-profile
> | > | > > attacks in the last 12 months came _AFTER_ the public announcement of
> | > | > > the vulnerability. In other words, the "white hats" that unearth a 5
> | > | > > year old buffer overflow exploit and announce it to the world are
> | > | > > doing far more good for the "black hats" than for the rest of us ordinary
> | > | > > mortals.
> | > | >
> | > | > Yup. That's the problem. It's "damned if we do, damned if we don't." This
> | > | > has led to serious discussions in newsgroups and elsewhere of whether MS
> | > | > should *ever* announce such things. The consensus is that yes, they should,
> | > | > and that's the path they've taken (and I agree with the path) -- but it is
> | > | > at least a valid question.
> | > | >
> | > | > --
> | > | > Jim Eshelman, MS-MVP Windows
> | > | > http://aumha.org/
> | > | > http://WinSupportCenter.com/
> | > | >
> | > | > Did you find this newsgroup on the web? A newsreader like Outlook Express
> | > | > will make your online life a lot easier. Get better help! See:
> | > | > http://aumha.org/win4/supp1b.htm and
> | > | > http://support.microsoft.com/support/news/howto/default.asp
> | > | >
> | > | >
> | > |
> | > |
> | >
> |
> |
>