Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750

From: George (Bindar Dundat) (JustMe_at_nothome.net)
Date: Tue, 7 Oct 2003 00:33:25 -0700

The fact remains that there was no active exploit until AFTER the announcement.

-- 
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
"Me2" <nospam@nospam.com> wrote in message
news:eQik14JjDHA.220@tk2msftngp13.phx.gbl...
| George,
|
| You know what?  My company's assets were protected because we knew about
| the RPC vulnerability - a lot of others had problems - but we did not.
| Sorry to hear that some did not take appropriate steps to protect their
| assets when the information was released.  If there was not enough time to
| install the patch, they could have been ready to pull the ISP plug.
|
| If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
| nothing.  The minute a critter starts ripping into your assets - YOU will
| want to know all that Microsoft can tell you, unless you let them off the
| hook...
|
| Me out
|
|
| "George (Bindar Dundat)" <JustMe@nothome.net> wrote in message
| news:%2312jKsJjDHA.1964@TK2MSFTNGP12.phx.gbl...
| > From the moment Microsoft published the details of the RPC vulnerability
| > we could have started a pool on what date there would be an actual attack.
| > From that moment on it was a "given" that there would be one.  Many
| > operations need a considerable lead time to institute patches to the
| > company system.  In large organizations, they cannot simply install the
| > patch.  It has to go through testing within the company itself and in this
| > particular case there was further delay while the legal departments
| > studied the EULA.  Making too many details public or making a big issue of
| > it simply means that these companies do not have time to institute the
| > patches quickly enough to avoid the problem.  As we have been trying to
| > say, publicity can have some undesirable side effects.  They would be
| > better off to say that there was a security patch available and not give
| > any details.
| >
| > -- 
| > George (Bindar Dundat ©) MS-MVP
| > This information is provided "AS IS"
| > It may even be wrong!
| > For Windows Troubleshooting Tips see;
| > 9x/ME http://aumha.org/win4/a/tshoot.htm
| > 2000/XP http://aumha.org/win5/a/tshoot.htm
| > "Me2" <nospam@nospam.com> wrote in message
| > news:e7P$0fJjDHA.1668@TK2MSFTNGP12.phx.gbl...
| > | Whoever, Jim,
| > |
| > | Your arguments are biased to protect Microsoft's assets, not yours or
| > | the company you work for.
| > |
| > | "Jim Eshelman" wrote:
| > | > Within the company for which I work -- about 6,000 end-users that we
| > | > service -- the moment a new Critical Update appears there is a rapid
| > | > move to deploy it on the servers, and then turn to the question of
| > | > whether or not to inform the end-users. By that time there is pretty
| > | > much always an updated virus definition file from our AV provider, and
| > | > therefore there is no reason to say anything further to the end-users.
| > | > We've already set up the mechanism whereby the AV software is in place
| > | > and the definition files are automatically updated every time the
| > | > machine hits the Internet.
| > |
| > | If a new worm/virus is starting to infect machines across the world -
| > | spewing out your personal documents as spam or deleting hard drives -
| > | and your company happens to be one of the first to be targeted.  What do
| > | you do?  Jim might say: "...the moment a new Critical Update appears
| > | there is a rapid move to deploy it on the servers, and then turn to the
| > | question of whether or not to inform the end-users.  By that time there
| > | is pretty much always an updated virus definition file from our AV
| > | provider..."  Excuse me?  What? --- No, that's not what you would do.
| > | You would want to know RIGHT NOW how to prevent infection/replication,
| > | pull the plug on the servers, or get the fire ax and cut the ISP cable.
| > |
| > | And if we have this drummed in "Microsoft is special - they should say
| > | nothing" convention - Microsoft will be telling you - nothing.  How
| > | nice.
| > |
| > | In the meantime you are scrambling to get information from your AV
| > | provider - who does not have a scan for the bug yet - in fact you are
| > | one of the first to report the bug.  What do you do?  There are some
| > | newsgroups...
| > |
| > | Whoever wrote:
| > | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
| > | > > refusing to alert the general public - as long as there are specific
| > | > > steps that can be taken to mitigate the risk.
| > |
| > | There are ALWAYS specific steps that can be taken to mitigate the risk!
| > | Pull the plug for one.  Shut down the ISP connection.  Stop using program
| > | xyz.  Block feature X, etc.
| > |
| > | In one hour, 10% of Jim's 6000 machines have already been infected.
| > | (You may have 200 offices around the country or world connected via
| > | different ISPs).  Jim's managers say "Stop this thing now!"  The AV
| > | vendor is working on a scan/repair tool.  So you call Microsoft, who
| > | says "we know nothing" (and we won't tell if we did), "sorry, it's not
| > | our problem" - "call your AV vendor" (damn, you already did that.), "you
| > | can post on microsoft.public.security if you like".  "Have a nice
| > | day..."
| > |
| > | Worst case scenario:  The infection spreads.  You had to shut down ISP
| > | connections, servers and what not.  Eventually you get the thing under
| > | control.  The next day the AV vendor releases a scan/repair tool.  You
| > | got it mostly under control.  There are some nagging problem sites.  But
| > | then the bombshell hits - many of your company documents and employee
| > | SSNs and stuff start showing up on the Internet.
| > |
| > | Other organizations around the globe were spared most of the damage
| > | because security folks and AV vendors figured out how to block it
| > | (possibly with the help of Microsoft - behind the scenes of course,
| > | because they can't be seen involving themselves in anti-virus issues
| > | affecting their products).
| > |
| > | At this time Microsoft chimes publicly - "We have a patch for a new
| > | vulnerability.  We knew about the problem for months and were working on
| > | a patch.  We worked real hard to get the patch out today (three days
| > | after Jim's company was hit)."  "Oh by the way, if you can't apply the
| > | patch right away, just shut down the browser service."  Microsoft says
| > | nothing about the worm.  In fact, since only 10,000 machines were hit -
| > | they don't even post the fact that the patch was rushed out to address
| > | the worm that hit Jim's company.  "You know how bad it would be if
| > | Microsoft talked directly about a specific bug on their security
| > | pages..."  Customers should just find out about the worm from the
| > | hundreds of news articles (the news articles all use the worm name in
| > | their headlines).
| > |
| > | At this point Jim is saying "WHAT!  Microsoft knew about the
| > | vulnerability and how to mitigate it by shutting down the browser service
| > | and did not tell us that!!!  What gall!!"  Jim loses his job - But
| > | Microsoft did the right thing by saying nothing.  How nice for Microsoft
| > | sales...
| > |
| > | The managers at Jim's old company are hopping mad at Microsoft.  What is
| > | this crap.  Why didn't Microsoft tell us about the problem with the
| > | browser service when we called?  Let's sue...
| > |
| > | [... he, he, he, we have that license agreement protection...]
| > |
| > |   * * * *
| > |
| > | Sorry, the whole security thing is getting to me.  I don't know where
| > | it's all going.  Some thoughts:  It seems to me that the guys and gals
| > | who help the hapless users in these security/virus newsgroups are like
| > | angels working in a kind of hell.  Every other post is from a user
| > | complaining about a broken computer with a virus, spam, hijack, or
| > | virus-infected message to fix the virus that brings on another virus.
| > | There is no end in sight.  When will the posts slow down?  Will it get
| > | worse?  This must only be the very tip of the iceberg...
| > |
| > | Me out
| > |
| > | "Jim Eshelman" <newsgroups@aumha.org> wrote in message
| > | news:%23tM$YXGjDHA.2704@TK2MSFTNGP10.phx.gbl...
| > | > whoever wrote:
| > | > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
| > | > > refusing to alert the general public - as long as there are specific
| > | > > steps that can be taken to mitigate the risk.
| > | >
| > | > The last phrase is, I think, the main one. There are two
| > | > considerations, though, that I think it's just possible some folks
| > | > aren't getting:
| > | >
| > | > (1) The existence of a single exploit already in the wild doesn't mean
| > | > that other exploits couldn't be launched. The fact that there is a
| > | > single worm out there doesn't mean that, given sufficient resources,
| > | > there wouldn't be others. The risk is still quite high, therefore, that
| > | > publishing information about an exploit would invite more
| > | > exploitations. For that reason, it seems like a very bad idea.
| > | >
| > | > (2) If it is only the single worm that concerns you -- the one already
| > | > "in the wild" -- then this should be handled by the AV companies.
| > | > That's the correct way to protect against a single known agent and its
| > | > variants, and to clean them if they're already present.
| > | >
| > | > Within the company for which I work -- about 6,000 end-users that we
| > | > service -- the moment a new Critical Update appears there is a rapid
| > | > move to deploy it on the servers, and then turn to the question of
| > | > whether or not to inform the end-users. By that time there is pretty
| > | > much always an updated virus definition file from our AV provider, and
| > | > therefore there is no reason to say anything further to the end-users.
| > | > We've already set up the mechanism whereby the AV software is in place
| > | > and the definition files are automatically updated every time the
| > | > machine hits the Internet.
| > | >
| > | > And that's the way it should be on *everyone's* system -- a good AV
| > | > product installed that updates itself automatically and frequently and
| > | > checks in real-time as you are working. With that in place, why is it
| > | > necessary for MS to duplicate what the AV companies are doing, and
| > | > possibly increase the risk of further exploits?
| > | >
| > | > > It seems to me that at least some (if not all) of the high-profile
| > | > > attacks in the last 12 months came _AFTER_ the public announcement of
| > | > > the vulnerability. In other words, the "white hats" that unearth a 5
| > | > > year old buffer overflow exploit and announce it to the world are
| > | > > doing far more good for the "black hats" than for the rest of us
| > | > > ordinary mortals.
| > | >
| > | > Yup. That's the problem. It's "damned if we do, damned if we don't."
| > | > This has led to serious discussions in newsgroups and elsewhere of
| > | > whether MS should *ever* announce such things. The consensus is that
| > | > yes, they should, and that's the path they've taken (and I agree with
| > | > the path) -- but it is at least a valid question.
| > | >
| > | > -- 
| > | > Jim Eshelman, MS-MVP Windows
| > | > http://aumha.org/
| > | > http://WinSupportCenter.com/
| > | >
| > | > Did you find this newsgroup on the web? A newsreader like Outlook
| > | > Express will make your online life a lot easier. Get better help! See:
| > | > http://aumha.org/win4/supp1b.htm and
| > | > http://support.microsoft.com/support/news/howto/default.asp
| > | >
| > | >
| > |
| > |
| >
|
|
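The thread keeps circling one operational point: when a patch cannot be deployed in time, the compensating control (stop the exposed service, pull the plug) has to be verifiably in place until it can. The following is an added example, not code from any of the posters, that turns that into a per-host check. It assumes a Windows host with PowerShell 3 or later. KB828750 is the MS03-040 fix from the subject line; the service name Browser (the Computer Browser service) is borrowed from the hypothetical "shut down the browser service" mitigation in the story above and is an assumption for illustration, not a mitigation that MS03-040 itself prescribes. Swap both parameters for whatever bulletin and service your own advisory names.

```powershell
# Added example (not from the thread). Reports whether a hotfix is installed
# on this host and, if it is not, whether the interim control (the named
# service stopped AND disabled) is in place. With -Enforce it applies that
# control. Assumptions: PowerShell 3+, run elevated for -Enforce; the
# defaults (KB828750, service "Browser") are illustrative only.
function Test-PatchOrMitigation {
    [CmdletBinding()]
    param(
        [string]$HotFixId    = 'KB828750',  # MS03-040, from the subject line
        [string]$ServiceName = 'Browser',   # ASSUMPTION: Computer Browser, per the story
        [switch]$Enforce                    # stop + disable the service if unpatched
    )

    # Get-HotFix throws on an unknown ID; treat that as "not installed".
    $patched = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)

    # Win32_Service carries both the run state and the start mode in one query.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

    if (-not $patched -and $Enforce -and $svc -and $svc.State -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force           # -Force also stops dependents
        Set-Service  -Name $ServiceName -StartupType Disabled
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    }

    # A service that is not installed cannot be abused. One that is installed
    # must be stopped AND disabled; "stopped" alone comes back on reboot or
    # when a dependent service starts it.
    $mitigated = (-not $svc) -or
                 ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')

    $state = if ($svc) { $svc.State }     else { 'NotInstalled' }
    $mode  = if ($svc) { $svc.StartMode } else { 'n/a' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HotFixId     = $HotFixId
        Patched      = $patched
        Service      = $ServiceName
        ServiceState = $state
        StartMode    = $mode
        # The only row worth paging anyone for: unpatched and still reachable.
        Exposed      = (-not $patched) -and (-not $mitigated)
    }
}

# Report only:
Test-PatchOrMitigation | Format-List
# Apply the interim control on an unpatched host (elevated prompt):
# Test-PatchOrMitigation -Enforce
```

Run it from a fleet-management job and filter on Exposed; a host that is neither patched nor mitigated is the one the thread's "Jim" wished he had known about, and the output gives you that list without depending on what any vendor chose to announce.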

