Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750

From: Me2 (nospam_at_nospam.com)
Date: 10/07/03


Date: Mon, 6 Oct 2003 23:42:38 -0700

George,

You know what? My company's assets were protected because we knew about
the RPC vulnerability - a lot of others had problems - but we did not.
Sorry to hear that some did not take appropriate steps to protect their
assets when the information was released. If there was not enough time to
install the patch, they could have been ready to pull the ISP plug.

If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
nothing. The minute a critter starts ripping into your assets - YOU will
want to know all that Microsoft can tell you, unless you let them off the
hook...

Me out

"George (Bindar Dundat)" <JustMe@nothome.net> wrote in message
news:%2312jKsJjDHA.1964@TK2MSFTNGP12.phx.gbl...
> From the moment Microsoft published the details of the RPC vulnerability we
> could have started a pool on what date there would be an actual attack. From
> that moment on it was a "given" that there would be one. Many operations need a
> considerable lead time to institute patches to the company system. In large
> organizations, they can not simply install the patch. It has to go through
> testing within the company itself and in this particular case there were further
> delays while the legal departments studied the EULA. Making too many details
> public or making a big issue of it simply means that these companies do not
> have time to institute the patches quickly enough to avoid the problem. As we
> have been trying to say, publicity can have some undesirable side effects. They
> would be better off to say that there was a security patch available and not
> give any details.
>
> --
> George (Bindar Dundat ©) MS-MVP
> This information is provided "AS IS"
> It may even be wrong!
> For Windows Troubleshooting Tips see;
> 9x/ME http://aumha.org/win4/a/tshoot.htm
> 2000/XP http://aumha.org/win5/a/tshoot.htm
> "Me2" <nospam@nospam.com> wrote in message
> news:e7P$0fJjDHA.1668@TK2MSFTNGP12.phx.gbl...
> | Whoever, Jim,
> |
> | Your arguments are biased to protect Microsoft's assets, not yours or the
> | company you work for.
> |
> | "Jim Eshelman" wrote:
> | > Within the company for which I work -- about 6,000 end-users that we
> | > service -- the moment a new Critical Update appears there is a rapid move to
> | > deploy it on the servers, and then turn to the question of whether or not to
> | > inform the end-users. By that time there is pretty much always an updated
> | > virus definition file from our AV provider, and therefore there is no reason
> | > to say anything further to the end-users. We've already set up the mechanism
> | > whereby the AV software is in place and the definition files are
> | > automatically updated every time the machine hits the Internet.
> |
> | If a new worm/virus is starting to infect machines across the world -
> | spewing out your personal documents as spam or deleting hard drives - and
> | your company happens to be one of the first to be targeted, what do you do?
> | Jim might say: "...the moment a new Critical Update appears there is a rapid
> | move to deploy it on the servers, and then turn to the question of whether
> | or not to inform the end-users. By that time there is pretty much always an
> | updated virus definition file from our AV provider..." Excuse me?
> | What? --- No, that's not what you would do. You would want to know RIGHT
> | NOW how to prevent infection/replication, pull the plug on the servers, or
> | get the fire ax and cut the ISP cable.
> |
> | And if we have this drummed in "Microsoft is special - they should say
> | nothing" convention - Microsoft will be telling you - nothing. How nice.
> |
> | In the meantime you are scrambling to get information from your AV
> | provider - who does not have a scan for the bug yet - in fact you are one of
> | the first to report the bug. What do you do? There are some newsgroups...
> |
> | Whoever wrote:
> | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
> | > > refusing to alert the general public - as long as there are specific
> | > > steps that can be taken to mitigate the risk.
> |
> | There are ALWAYS specific steps that can be taken to mitigate the risk!
> | Pull the plug for one. Shut down the ISP connection. Stop using program
> | xyz. Block feature X, etc.
> |
> | In one hour, 10% of Jim's 6000 machines have already been infected. (You
> | may have 200 offices around the country or world connected via different
> | ISPs). Jim's managers say "Stop this thing now!" The AV vendor is working
> | on a scan/repair tool. So you call Microsoft, who says "we know nothing"
> | (and we won't tell if we did), "sorry, it's not our problem" - "call your AV
> | vendor" (damn, you already did that.), "you can post on
> | microsoft.public.security if you like". "Have a nice day..."
> |
> | Worst case scenario: The infection spreads. You had to shut down ISP
> | connections, servers and what not. Eventually you get the thing under
> | control. The next day the AV vendor releases a scan/repair tool. You got
> | it mostly under control. There are some nagging problem sites. But then
> | the bombshell hits - many of your company documents and employee SSNs and
> | stuff start showing up on the Internet.
> |
> | Other organizations around the globe were spared most of the damage because
> | security folks and AV vendors figured out how to block it (possibly with the
> | help of Microsoft - behind the scenes of course, because they can't be seen
> | involving themselves in anti virus issues affecting their products).
> |
> | At this time Microsoft chimes in publicly - "We have a patch for a new
> | vulnerability. We knew about the problem for months and were working on a
> | patch. We worked real hard to get the patch out today (three days after
> | Jim's company was hit)." "Oh by the way, if you can't apply the patch right
> | away, just shut down the browser service." Microsoft says nothing about the
> | worm. In fact, since only 10,000 machines were hit - they don't even post
> | the fact that the patch was rushed out to address the worm that hit Jim's
> | company. "You know how bad it would be if Microsoft talked directly about a
> | specific bug on their security pages..." Customers should just find out
> | about the worm from the hundreds of news articles (the news articles all use
> | the worm name in their headlines).
> |
> | At this point Jim is saying "WHAT! Microsoft knew about the vulnerability
> | and how to mitigate it by shutting down the browser service and did not tell
> | us that!!! What gall!!" Jim loses his job - But Microsoft did the right
> | thing by saying nothing. How nice for Microsoft sales...
> |
> | The managers at Jim's old company are hopping mad at Microsoft. What is
> | this crap? Why didn't Microsoft tell us about the problem with the browser
> | service when we called? Let's sue...
> |
> | [... he, he, he, we have that license agreement protection...]
> |
> | * * * *
> |
> | Sorry, the whole security thing is getting to me. I don't know where it's
> | all going. Some thoughts: It seems to me that the guys and gals who help
> | the hapless users in these security/virus newsgroups are like angels working
> | in a kind of hell. Every other post is from a user complaining about a
> | broken computer with a virus, spam, hijack, or virus infected message to fix
> | the virus that brings on another virus. There is no end in sight. When
> | will the posts slow down? Will it get worse? This must only be the very
> | tip of the iceberg...
> |
> | Me out
> |
> | "Jim Eshelman" <newsgroups@aumha.org> wrote in message
> | news:%23tM$YXGjDHA.2704@TK2MSFTNGP10.phx.gbl...
> | > whoever wrote:
> | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
> | > > refusing to alert the general public - as long as there are specific
> | > > steps that can be taken to mitigate the risk.
> | >
> | > The last phrase is, I think, the main one. There are two considerations,
> | > though, that I think it's just possible some folks aren't getting:
> | >
> | > (1) The existence of a single exploit already in the wild doesn't mean that
> | > other exploits couldn't be launched. The fact that there is a single worm
> | > out there doesn't mean that, given sufficient resources, there wouldn't be
> | > others. The risk is still quite high, therefore, that publishing information
> | > about an exploit would invite more exploitations. For that reason, it seems
> | > like a very bad idea.
> | >
> | > (2) If it is only the single worm that concerns you -- the one already "in
> | > the wild" -- then this should be handled by the AV companies. That's the
> | > correct way to protect against a single known agent and its variants, and to
> | > clean them if they're already present.
> | >
> | > Within the company for which I work -- about 6,000 end-users that we
> | > service -- the moment a new Critical Update appears there is a rapid move to
> | > deploy it on the servers, and then turn to the question of whether or not to
> | > inform the end-users. By that time there is pretty much always an updated
> | > virus definition file from our AV provider, and therefore there is no reason
> | > to say anything further to the end-users. We've already set up the mechanism
> | > whereby the AV software is in place and the definition files are
> | > automatically updated every time the machine hits the Internet.
> | >
> | > And that's the way it should be on *everyone's* system -- a good AV product
> | > installed that updates itself automatically and frequently and checks in
> | > real-time as you are working. With that in place, why is it necessary for MS
> | > to duplicate what the AV companies are doing, and possibly increase the risk
> | > of further exploits?
> | >
> | > > It seems to me that at least some (if not all) of the high-profile
> | > > attacks in the last 12 months came _AFTER_ the public announcement of
> | > > the vulnerability. In other words, the "white hats" that unearth a 5
> | > > year old buffer overflow exploit and announce it to the world are
> | > > doing far more good for the "black hats" than for the rest of us ordinary
> | > > mortals.
> | >
> | > Yup. That's the problem. It's "damned if we do, damned if we don't." This
> | > has led to serious discussions in newsgroups and elsewhere of whether MS
> | > should *ever* announce such things. The consensus is that yes, they should,
> | > and that's the path they've taken (and I agree with the path) -- but it is
> | > at least a valid question.
> | >
> | > --
> | > Jim Eshelman, MS-MVP Windows
> | > http://aumha.org/
> | > http://WinSupportCenter.com/
> | >
> | > Did you find this newsgroup on the web? A newsreader like Outlook Express
> | > will make your online life a lot easier. Get better help! See:
> | > http://aumha.org/win4/supp1b.htm and
> | > http://support.microsoft.com/support/news/howto/default.asp
> | >
> | >
> |
> |
>


