Re: Securing a Windows 2003 server

From: Alun Jones [MS MVP - Security] (alun_at_texis.invalid)
Date: 05/18/04


Date: Tue, 18 May 2004 14:28:20 GMT

In article <7gcq909h8v0nf7vbufqp7iq92psttocd40@4ax.com>, chris@nospam.com
wrote:
>I don't buy that. I repeatedly see where MS was apprised of a
>vulnerability and takes their sweet time to respond. There is usually
>a big difference between when MS learns of the problem and when/if it
>is announced.

Yep - one thing I've learned from running my own company is that any time
you rush a fix to market, you find that for every bug you fixed, you've
introduced one and a half new ones. So, if a bug has been found by one
user, and it's really obscure, and it isn't being exploited, you research
the hell out of it, fix it carefully, beta test the fix, and then release
it.

Note that the most celebrated cases of long delays by Microsoft have a
timescale that roughly corresponds to:
1. Security researcher discovers possible vulnerability and reports it to
Microsoft.
2. Microsoft takes time to develop the patch and release it.
3. Microsoft releases the patch.
4. A week or two later, some cracker releases a "proof of concept", that
eventually mutates into a worm or virus.

Now, you can either say that Microsoft has released those patches in
anticipation of the crackers releasing their code, or you can suggest that
Microsoft (and the security researcher) managed to keep the vulnerability to
themselves, and it was only discovered by the cracker community on
reverse-engineering the patch.

If a vulnerability leads to a worm or virus only after you've released a
patch for it, doesn't it make some sense to hold off releasing the patch and
triggering the development of the worm?

Obviously, I have no idea if this even remotely depicts the internal
processes at Microsoft. But your argument would have more weight if you
could point to a situation where the time between notification and patch was
a factor in infection.

>MS is also guilty of quietly fixing unannounced
>security vulnerabilities and bugs without ever letting the public know
>they should update.

Please cite. I'm having a hard time thinking of examples.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
