
Security Firm Reveals Microsoft's "Silent" Patches

timothy posted more than 4 years ago | from the when-md5-sums-won't-help dept.

Security 84

CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.' Secret patches are neither new or rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can 'be destructive to customer environments.' But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."


84 comments


"Silent..." (3, Funny)

gyrogeerloose (849181) | more than 4 years ago | (#32115806)

...but deadly.

How appropriate (4, Funny)

somersault (912633) | more than 4 years ago | (#32115940)

Ivan Arce

I've an arse too, but I don't feel the need to point it out to everyone..

Re:How appropriate (1)

gyrogeerloose (849181) | more than 4 years ago | (#32116068)

Ivan Arce

I've an arse too, but I don't feel the need to point it out to everyone..

You know, I'm embarrassed to admit it but I missed that entirely. Good catch.

Re:How appropriate (2, Funny)

Cro Magnon (467622) | more than 4 years ago | (#32116744)

It's probably just as well that they didn't mention his sister, Imma.

Re:How appropriate (1)

PotatoFiend (1330299) | more than 4 years ago | (#32118362)

He has a wife, you know. You know what she's called? She's called... Incontinentia.

Re:How appropriate (1)

insufflate10mg (1711356) | more than 4 years ago | (#32120340)

You're hilarious, using a tragic disorder as a karma-farming / /.-respect-gaining "joke."

Re:How appropriate (1)

PotatoFiend (1330299) | more than 4 years ago | (#32121440)

You're hilarious, using a tragic disorder as a karma-farming / /.-respect-gaining "joke."

You're serious, there's someone on /. who doesn't recognize a Monty Python reference?

Re:How appropriate (1)

vegiVamp (518171) | more than 4 years ago | (#32123670)

It appears that you would be very surprised indeed about the number of noobs on here. Note the "eternal" part about "eternal september" ? It's not a joke.

Re:How appropriate (0)

Anonymous Coward | more than 4 years ago | (#32116826)

I'm not sure why I find this so amusing, but that's got to be the funniest comment I've seen on Slashdot in a looooooooong time.

Well played, sir. Well played.

/CF

Re:"Silent..." (0)

Anonymous Coward | more than 4 years ago | (#32116168)

Silent.... means not counted? Think about all those surveys that indicate that free software is buggy because the number of disclosed bugs and fixes is high. Does this mean MS is less problematic because their bugs and fixes do not "count"?

You're looking at this the wrong way (3, Informative)

spun (1352) | more than 4 years ago | (#32116252)

Microsoft was not fixing a bug, it was removing a remote access feature. They didn't mention it because they didn't want people to complain that this valuable functionality was being removed.

Re:You're looking at this the wrong way (0)

Anonymous Coward | more than 4 years ago | (#32119348)

It's not a bug, it's a feature!

Re:You're looking at this the wrong way (1)

vegiVamp (518171) | more than 4 years ago | (#32123680)

Maybe Sony should've tried that, too.

Re:You're looking at this the wrong way (1)

drinkypoo (153816) | more than 4 years ago | (#32125134)

Maybe Sony should've tried that, too.

You jest, but actually, simply breaking the 'Other OS' feature and never fixing it would have made them look merely incompetent, which they've been through time and time again (remember Minidisc? The market sure doesn't.) But this makes them look Evil (which of course they are) which is a little harder to forget. I'll give incompetents another chance — I keep buying ATI video cards in between every couple nVidia cards, for example. But the truly evil? That's a little tougher. With that said, I have a 360, so I must be a big hypocrite. I did buy it used, though, and I make an effort to buy games used as well.

Tru Dat (2, Informative)

MrTripps (1306469) | more than 4 years ago | (#32115840)

Updates can be destructive to customer environments. Just ask anyone who uses McAfee.

Re:Tru Dat (3, Funny)

bsDaemon (87307) | more than 4 years ago | (#32115904)

yeah, but McAfee is disruptive/destructive by default. Are you sure that's a fair example?

Re:Tru Dat (1)

guruevi (827432) | more than 4 years ago | (#32128042)

Yes because so is Microsoft.

sneaky bastards! (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32115846)

they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.

Simple solution (0)

Anonymous Coward | more than 4 years ago | (#32116026)

Use GNU/Linux.

How so? (3, Interesting)

khasim (1285) | more than 4 years ago | (#32115864)

Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.'

How so? If it is a patch, it needs to go through your testing process for deployment.

Re:How so? (4, Insightful)

h4rr4r (612664) | more than 4 years ago | (#32115952)

Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.

Re:How so? (1)

timeOday (582209) | more than 4 years ago | (#32117182)

Or you can go the other way: cloud computing. Nobody expects google to publicise every security patch they make to the gmail servers. Instead of admins at every company in the world trying to independently evaluate every patch, you trust google to do it correctly.

Re:How so? (1)

h4rr4r (612664) | more than 4 years ago | (#32117422)

Which means when they don't everyone suffers, and you get to pay forever.

Both have tradeoffs.

Re:How so? (1)

vegiVamp (518171) | more than 4 years ago | (#32123722)

Maybe that's because we're a) not paying for b) using their software and machines.

When Google delivers a free service, I can't much complain when they do updates without telling me. If I pay for their services, I expect there to be SLAs and for them to apply patches non-disruptively and without breaking contract.

If I BUY software from Microsoft, run it on my own hardware, pay for their support and have to do the patching myself, I feel they have an obligation to tell me what a patch does in order for me to be able to decide whether or not it's worth applying.

Re:How so? (0)

Anonymous Coward | more than 4 years ago | (#32124422)

That's totally different. Google runs the Gmail servers themselves and they don't distribute the software it runs on. There is absolutely no reason for them to disclose what they do to their own servers unless it will affect their users.

Re:How so? (1)

Bearhouse (1034238) | more than 4 years ago | (#32115976)

Mod up. Beat me to it.
A competent admin, (and if you're running a 'mission critical Exchange server', you'd better be) will be all over this...
Of course, patched or not, Exchange is still a steaming pile IMHO

Re:How so? (0, Offtopic)

Bearhouse (1034238) | more than 4 years ago | (#32116070)

BTW, is that the wind or the car?
(Had one of the cars back in the 80s; amazing, but you needed to be either rich or a great mechanic)

Re:How so? (1)

Tubal-Cain (1289912) | more than 4 years ago | (#32116104)

Because if the patch only says that it corrects a typo in a description somewhere, a good admin will probably not be in a hurry to deploy it. If it closes a bug that allows root access because someone logs in with the username "Joshua", the admin might be more eager to test and apply the patch ASAP.

Re:How so? (2, Informative)

Todd Knarr (15451) | more than 4 years ago | (#32116112)

Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won't be pretty.

Re:How so? (1)

sortius_nod (1080919) | more than 4 years ago | (#32118926)

There's also the effort in getting the patch to play nice. I know if there are mitigations elsewhere for vulnerabilities that most companies won't bother putting much effort into getting it to work, which usually ends up with the patch being canned. If the patch fixes a major vulnerability, more resources are deployed due to the higher priority and/or nature of the bug. If there is no bug/patch information and I'm not able to prioritise, well, you pretty much said it - not pretty. I've yet to come across an IT department that can commit 100% to dev/testing for every patch.

This is just an example of bad customer relationship practices. MS seems to think they know what's best for their customer, which is really why we see Windows turning into the mess it is (both at a consumer & corporate level).

Re:How so? (1)

jim_v2000 (818799) | more than 4 years ago | (#32131064)

You realize that this article is all about some security firm that thinks the patched problems were more important than Microsoft did, right? They think the updates should have been marked "Critical", while Microsoft thinks they were "Important". I'd go with MS on this one instead of some attention whoring security firm.

Phwew, back to status quo... (5, Funny)

hoggoth (414195) | more than 4 years ago | (#32115870)

Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.

http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1 [slashdot.org]

Re:Phwew, back to status quo... (1)

huckamania (533052) | more than 4 years ago | (#32127506)

You hate them because they patched a bug in their software? Something might be wrong with your hardware.

Re:Phwew, back to status quo... (1)

hoggoth (414195) | more than 4 years ago | (#32128370)

I hate them because they silently make changes to MY computer without my permission or knowledge.
They are sneaky and untrustworthy.

Why couldn't they just list these patches along with the ones they DID disclose?

It fits right in with the entire design of their operating systems. Hide information from the owner, "for their own good."
Time and time again I spend hours or days struggling with problems whose root comes down to Microsoft thinking I shouldn't know what is really happening inside my computer.
Well, not everything can be fixed by a damn talking paperclip.

Re:Phwew, back to status quo... (1)

jim_v2000 (818799) | more than 4 years ago | (#32131022)

This is such a non-story. MS found a few bugs that they patched and this security company happens to think that they were more critical than Microsoft did.

Re:Phwew, back to status quo... (1)

cant_get_a_good_nick (172131) | more than 4 years ago | (#32128332)

META POST:
RE: your signature
that's a great song, odd to say that the lyrics are better than santana in it (and i love santana)

Most people don't know, everlast didn't start in house of pain, but was solo before it. He was a sorta gangsta-rapper from Ice-T's Rhyme Syndicate

huh huh.... (0)

Anonymous Coward | more than 4 years ago | (#32115910)

he said "asses"s

Nobody ever got fired for lying (5, Insightful)

Aighearach (97333) | more than 4 years ago | (#32115932)

they've got to keep those great security stats they publish about themselves somehow, right?

Quote. (1)

Mekkah (1651935) | more than 4 years ago | (#32115958)

"Secret patches are neither new or rare. "This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security."

What is unusual is that Core took Microsoft's silent updates public.

Not that this should go on anyway, but don't go thinking this is a rare instance and they are stealing your milk money; it happens enough to be some sort of a standard business practice.

Re:Quote. (0)

Anonymous Coward | more than 4 years ago | (#32118060)

So does rape.

Amazing... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32116006)

What an amazing NON-STORY you have here.
You will NEVER be happy with anything Microsoft does.

Get over yourselves already.

Re:Amazing... (1)

V!NCENT (1105021) | more than 4 years ago | (#32116924)

"You will NEVER be happy with anything Microsoft does."
I know. I figured it wasn't really my thing, so I jumped onto a different OS bandwagon and absolutely love it!

Re:Amazing... (0)

Anonymous Coward | more than 4 years ago | (#32122310)

That's great. Now if you could work on not being such a fag, then the rest of us would be happy to.

Re:Amazing... (1)

V!NCENT (1105021) | more than 4 years ago | (#32125782)

You must be mistaking me for a Mac user, coward.

Re:Amazing... (1)

X0563511 (793323) | more than 4 years ago | (#32134090)

I would be quite happy if Microsoft were to die a horrible death involving fire.

Re:Amazing... (1)

V!NCENT (1105021) | more than 4 years ago | (#32156442)

That explosion would be kinda deadly... You know... flying chairs and all...

Re:Amazing... (1)

X0563511 (793323) | more than 4 years ago | (#32166642)

Hmm... so Seattle is sitting on a ticking fuel-chair bomb eh?

Apply all critical patches regardless of platform (5, Insightful)

kervin (64171) | more than 4 years ago | (#32116040)

All vulnerabilities and patch side effects should be described, so I'm not defending the practice. But until a system administrator has the full source code of the system and is willing and capable of auditing it, they should apply all critical patches.

Regardless of the operating system.

Re:Apply all critical patches regardless of platfo (2, Informative)

petermgreen (876956) | more than 4 years ago | (#32116128)

According to the article some of these patches were only marked as important not critical.

Re:Apply all critical patches regardless of platfo (1)

jonwil (467024) | more than 4 years ago | (#32120626)

Anything that fixes security issues or appears under "high priority" in Windows Update is considered critical by me.

There is a bigger risk to consider... (0)

erroneus (253617) | more than 4 years ago | (#32116216)

... themselves!

Microsoft doesn't need additional bad press. The more bad press they can prevent, the better...for them anyway.

Unsurprising (1)

Todd Knarr (15451) | more than 4 years ago | (#32116226)

No surprise here. Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment. However, vendors need to not disclose exactly what bugs are being fixed in each patch to minimize the damage to their reputations that comes from large numbers of major bugs or having to fix the same bug over and over and over. And since the vendors get to control the patch descriptions, guess who gets their way.

This is one reason I favor full disclosure of security bugs. Vendors can only hide the fact that they're fixing a bug if the world at large doesn't know the bug exists. If the bug's publicly disclosed, the vendor now takes the PR/image hit if they don't say when they've fixed it. This then encourages not only quicker fixes to high-risk vulnerabilities but full and complete disclosure of what's being fixed (so users don't keep asking "Why haven't you fixed this yet?").

Re:Unsurprising (1)

cortesoft (1150075) | more than 4 years ago | (#32116622)

I agree, and would never argue that vendors should hide bugs they find or bugs they fix.

HOWEVER, requiring all bug fixes to be fully publicly disclosed could create some perverse incentives to not patch a bug. If they feel that not many people know about it, it may seem advantageous to a short-sighted vendor to just hide the bug and pretend it doesn't exist, since fixing it requires disclosing its existence.

This is a horrible thing of course, but I don't think a vendor being this short sighted would be shocking.

Re:Unsurprising (1)

Todd Knarr (15451) | more than 4 years ago | (#32117234)

Full disclosure of vulnerabilities typically isn't done by the vendor, it's done by the party finding the vulnerability. If the vendor's the first one to find the problem they can, of course, always not say anything about it, but then they've got to fix it before anybody else finds it.

Re:Unsurprising (1)

jim_v2000 (818799) | more than 4 years ago | (#32131136)

>Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment.

If it's a security update, you apply it. If you don't, and you get owned, it's your fault.

"Secret patches are neither new or rare..." (0)

Anonymous Coward | more than 4 years ago | (#32116310)

"Secret patches are neither new or rare..." So counting fixed vulnerabilities of closed software will not count the number of vulnerabilities in said software.

If such secret patches are neither new nor rare, why then are vuln patches used to ascertain whether CSS or FLOSS is better quality???

Re:"Secret patches are neither new or rare..." (1)

V!NCENT (1105021) | more than 4 years ago | (#32116958)

Money

Dr. Egon Spengler, Microsoft Chief Security Officer (5, Funny)

RevWaldo (1186281) | more than 4 years ago | (#32116354)

(on conference call)

Dr. Egon Spengler: There's something very important we forgot to tell you.
Ivan Arce: What?
ES: Advise your clients to install security update MS10-024.
IA: Why? What would happen if they didn't?
ES: It would be bad.
IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
ES: Try to imagine all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your client's existence as a functioning company.
Dr. Ray Stantz: Total packet reversal!
IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.


Re:Dr. Egon Spengler, Microsoft Chief Security Offi (1)

randyleepublic (1286320) | more than 4 years ago | (#32122804)

I get chuckles sometimes from /. ramblings, but this, this is truly funny. Excellent!

security fixes or hacking guidelines (0, Redundant)

Vapon (740778) | more than 4 years ago | (#32116534)

unless the patch breaks something which you should test in a test lab you should apply most patches, and half of the releases that explain what it fixes explain how to take advantage of any computers that don't use this patch, if it's a serious threat then it might be better to let people protect themselves before you tell the hackers how to use that exploit.

Re:security fixes or hacking guidelines (0)

Anonymous Coward | more than 4 years ago | (#32118066)

#1, How will you possibly know if a patch breaks something BEFORE you install it in your environment?
  If you KNEW that you wouldn't need a test environment.

#2, The crackers already know about the exploits. If MS knew about them before they did you might have a point.

You are arguing from false premises and reaching bad conclusions.

Security by obscurity is a PHB fantasy and has no relationship to the real world

Is Microsoft Now (0)

Anonymous Coward | more than 4 years ago | (#32116542)

a botnet?

Yours In Astrakhan,
Kilgore Trout

administrators... wrong decisions (3, Insightful)

Culture20 (968837) | more than 4 years ago | (#32116670)

administrators may end up making the wrong decisions about applying the update.

Decision? Automatically apply updates and reboot? Check.
One year later: BREAK
Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.

Makes you wonder... (1)

xlsior (524145) | more than 4 years ago | (#32116812)

...how much the numbers are actually misrepresented in side-by-side vulnerability comparisons between the various platforms (Windows/Linux, etc.), if there's a bunch of them that are being swept under the carpet.

Re:Makes you wonder... (1)

V!NCENT (1105021) | more than 4 years ago | (#32117166)

Side-by-side vulnerability comparisons are bullshit to begin with.

Anyone with a brain larger than a peanut will have noticed that software is created by humans and that there has always been security vulnerabilities in any OS, including remote exploits in OpenBSD, which is basically as secure as an OS can get from a human creation policy perspective.

The point is what security measures are there to prevent such bugs from becoming a remote security hole?
Windows means anti-malware, but this is after the effect basically.
The Mac fanboys (which do not include all Mac users) will tell you that file permissions are the holy grail of why there are no viruses. This is of course wrong because there is also exploitable software running as root.
SELinux gets even further and has security profiles on what a piece of software can actually do, so if your root running browser (for example) is 'hacked' then the hacker/cracker can still only use the bare certain system functionality that, in this case, the browser needs to operate without crashing.
OpenBSD has the same permission policy as Mac OS X but splits its programs up in pieces to get the sort of effect that SELinux has, but less effective, while more effective than Mac OS X's policy.

When a computer is capable of doing something and it is in the range of a hacker/cracker to touch it (say... the internet) then it can always be hacked/cracked, no matter what you do. Although Windows has an amazing track record of failure due to obviously very bad programming (in certain places at least).

More important (1)

MC68040 (462186) | more than 4 years ago | (#32117486)

"[...]they're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update."

Right, there's been a fair few times where I've not applied security patches "right away" for simple reasons; like they did not affect the way my system was set up.
But in the end I am hoping "[...]end up making the wrong decisions about applying the update" is talking about a time aspect rather than if-at-all... (this should explain itself)

Then that they did not declare this in their patch info is a whole other issue; Microsoft are certainly not the only ones who have a history of not doing so...

Microsofts creative stats has been known for ages. (0, Troll)

miffo.swe (547642) | more than 4 years ago | (#32117618)

Microsoft's very creative way of handling security has been known for a long time. Instead of fixing the bugs they go for the statistics. By downplaying any security issue until openly proven wrong and rating vulnerabilities as low as possible, the statistics look much better.

Another smart move was UAC, which puts all the blame on the user but doesn't fix the underlying security issues.

Comparing only Windows to Linux + All applications is also very deceptive, especially with the practices above in mind.

The sad thing is, it works. People tend to think Microsoft has improved their security when in fact Windows 7 in many cases is worse than its predecessor. If you lie enough times with a straight face stupid cheep will think it's true.

Re:Microsofts creative stats has been known for ag (1)

twidarkling (1537077) | more than 4 years ago | (#32118234)

You're a moron. I can tell by your use of words like "cheep."

So, explain how UAC differs significantly from OS X's requesting you input username and password each time it wants to update, or do other tasks, or in *nix, when it asks for temporary root access to install things? Or are those also just ways to put it on the user and not fix security issues?

Re:Microsofts creative stats has been known for ag (1)

mysidia (191772) | more than 4 years ago | (#32119238)

A key difference is Mac OS input for Administrative credentials and *nix sudo (which are the same thing), MacOS prompt for an Admin login is essentially a graphical sudo ------

Is that in those OSes, the elevation is a true security boundary respected by the underlying kernel, and actual user credentials are required to defeat it.

Whereas with UAC, the 'security boundary' is a soft, artificial one that is easily defeated through various techniques.

Also, the UAC prompts are required for many routine operations, such that users will get used to clicking OK/Continue.

In MacOS/*ix such prompts are extremely rare, rare enough to give the user pause.

Typing in the password also requires considerably more effort and thought than simply clicking Ok.

Most likely the user will at least see what is prompted for and part of the warning message, rather than blindly clicking OK.

Re:Microsofts creative stats has been known for ag (1)

Kalriath (849904) | more than 4 years ago | (#32119784)

In Windows 7, many of those operations no longer require UAC approval - regardless of the fact that they impact the system (i.e. changing the loaded driver for hardware without installing new hardware to do it) - just like Mac OS X.

UAC can also be configured to require the user's credentials to elevate, even when logged in as an admin.

Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).

But hey, don't let facts get in the way of your anti-Microsoft rant.

Re:Microsofts creative stats has been known for ag (1)

mysidia (191772) | more than 4 years ago | (#32120960)

Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).

Nonsense. If the user is an administrator, UAC is not a security boundary. See here [msdn.com] :

Security Boundary: this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, that Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems.

Administrator running in Admin Approval Mode (AAM): this is kind of a hybrid between An Administrator and a Standard User. You get a split token, which means you have the credentials of both a Standard User and an Administrator, and the right one is applied depending on what is going on.
...

Administrator in AAM: this is definitely not a security boundary. With the Administrator token available in the user's space, it is too easy for malware to attack something in this very broad attack surface and gain elevation without the user's approval. Microsoft could not patch this barrier without substantially breaking application compatibility. ...

Re:Microsofts creative stats has been known for ag (1)

Kalriath (849904) | more than 4 years ago | (#32150278)

You can actually configure UAC so you don't have the token, you know. Require password every time you try to elevate.

Anyway, if you say that UAC is not a boundary (you'll note I didn't specify which user type you elevate from) then neither is sudo or Mac OS X elevation.

Re:Microsofts creative stats has been known for ag (1)

mysidia (191772) | more than 4 years ago | (#32151196)

I'm talking about default configurations here; it's not worth it to discuss imaginary high-security configurations that real users never apply to their systems in real life.

Repeat after me: If it is not secure by default, then it is not secure.

When Microsoft makes the default that the user does not possess the second token, and a password is required, then we can refer to UAC as a security boundary.
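The subthread above turns on how UAC is configured: whether an administrator in Admin Approval Mode elevates with a consent click, with a password, or silently, and whether the prompt is shown on the secure desktop. The following PowerShell script is an added example, not code from the Slashdot thread, from Microsoft or from any commenter. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop), falls back to the built-in Windows defaults when a value is absent, and reports whether the local machine is in the "consent click" configuration mysidia criticises or the "credentials required" configuration Kalriath describes. The function names and the finding wording are the example's own.

```powershell
# Added example: audit the local UAC policy values that decide how an
# administrator in Admin Approval Mode (AAM) elevates. Key and value names
# are the documented Windows policy locations; defaults follow Windows defaults.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Values that are absent from the key fall back to the Windows defaults.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $pick = {
        param($Name, $Default)
        $p = $props.PSObject.Properties[$Name]
        if ($null -eq $p) { $Default } else { [int]$p.Value }
    }
    [pscustomobject]@{
        EnableLUA                  = & $pick 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = & $pick 'ConsentPromptBehaviorAdmin' 5
        ConsentPromptBehaviorUser  = & $pick 'ConsentPromptBehaviorUser' 3
        PromptOnSecureDesktop      = & $pick 'PromptOnSecureDesktop' 1
    }
}

function Test-UacPolicy {
    param([Parameter(Mandatory)] $Policy)
    # Documented meanings of ConsentPromptBehaviorAdmin.
    $adminMeaning = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries (Windows default)'
    }
    $admin    = $Policy.ConsentPromptBehaviorAdmin
    $desc     = $adminMeaning[$admin]
    $findings = @()

    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA=0: UAC is off; administrator processes always run with the full token'
    }
    if ($admin -eq 0) {
        $findings += "ConsentPromptBehaviorAdmin=0 ($desc): elevation happens silently"
    } elseif ($admin -in 2, 4, 5) {
        $findings += "ConsentPromptBehaviorAdmin=$admin ($desc): a single click elevates, no password needed"
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop instead of the isolated secure desktop'
    }

    [pscustomobject]@{
        AdminPromptBehavior = $desc
        RequiresCredentials = ($admin -in 1, 3)   # the "password every time" setting
        Findings            = $findings
    }
}

# Usage: run in any PowerShell session (reading the key needs no elevation).
Test-UacPolicy -Policy (Get-UacPolicy) | Format-List
```

An empty Findings list with RequiresCredentials set to True corresponds to the configuration Kalriath mentions (credentials required to elevate even for an administrator); the Windows default of ConsentPromptBehaviorAdmin=5 produces the "single click elevates" finding, which is the default-configuration point mysidia is making. The script only reads policy; applying a change is a Group Policy or local security policy decision.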

Big Brother knows best .. (0)

Anonymous Coward | more than 4 years ago | (#32117832)

if you have not yet figured out that the ruling class and the corporations that they own and control .. own and control this planet and your sorry ass .. you are just not paying attention ..

after all they control 98% of all the wealth on earth .. and it is because they are smarter and more deserving than the rest of humanity .. the divine rights of royalty and all that crap.

big brother knows what is best for us and them ..

and besides better if i can hide my shortcomings from scrutiny .. so no one is aware that in fact we are not really all that much brighter just more ambitious cunning and greedy .. as that might lead the masses to start questioning whether the ruling class is really deserving of controlling 98% of everything .. although with the effectiveness of 50% +1 demonocracy .. mass brainwashing through public education and the media .. i doubt it ..

and we would not want a second french revolution .. or one like the 60's where the awakening of consciousness among the youth(the peacemakers .. the biblical children of god) being asked to die for them in one of their for profit WARs and a relatively open and free press almost beat them .. which is why they have retaken control of the educational institutions .. mass media .. and effectively outsourced 95%+ of the government and the military to their corporations since 1984 and reagan's second term election .. while the working class grunts are under the threat of losing their livelihood or even death for not following the orders they are given ..

that part is quite cunning .. really nothing new though .. and if it were not for lewis f. powell who went on to become a supreme court judge and his manifesto .. http://old.mediatransparency.org/story.php?storyID=21 [mediatransparency.org] .. WE THE PEOPLE might have fulfilled the true meaning of democracy and actually gained control over our own lives ..

what a perfect Captcha for the day .. indolent

This invalidates studies of Windows security (1)

mysidia (191772) | more than 4 years ago | (#32119140)

A claim researchers have sometimes made is that Windows has fewer critical security issues.

That this has come to light raises even more doubt about the validity of such studies.

This is a demonstration that Microsoft sometimes hides critical security bugs, and doesn't release advisories, even when they have been reported.

This is prima facie evidence that Microsoft closed-source software probably has many critical security vulnerabilities that were never publicized as such, and were instead kept secret, and if patched, the patch was a hitch-hiker on top of a lesser-prioritized patch.

Why hide security vulnerabilities, or make them seem less critical? To give a false impression that the software is more secure, and deceive researchers that try to estimate security through blind counting of vulnerabilities.

Re:This invalidates studies of Windows security (0)

Anonymous Coward | more than 4 years ago | (#32121496)

It doesn't invalidate the studies any more than the fact that many Linux bugs are silently fixed invalidates the Linux studies. Neither is a good thing, but most studies tend to use independent 3rd parties for numbers, as they are less likely to bend the truth.

Re:This invalidates studies of Windows security (1)

Ol Olsoc (1175323) | more than 4 years ago | (#32126310)

And this is new somehow?

Dunno if it's related, but a recent update killed my computer at home. So between silent updates and updates that make your computer secure by making it non-functional, it's just more of the same from our friends at Redmond.

Re:This invalidates studies of Windows security (1)

mysidia (191772) | more than 4 years ago | (#32126700)

I don't think it's new, but you see... this is tangible credible evidence that can be cited. Much better than anecdotes from individuals about MS practices.

It's very rare that MS silently patches something or pretends an issue doesn't exist, and the industry and major publications actually acknowledge that it happened.

Re:This invalidates studies of Windows security (1)

jim_v2000 (818799) | more than 4 years ago | (#32131170)

Read the article before you go spouting off about Microsoft.

>The truth is that it's business as usual for not just Microsoft, but for most software makers, said Storms. "Vendors commonly find bugs themselves in released code and will distribute the fixes inside a bundle of other patches," he noted. "Many times there simply is no benefit to anyone to disclose the bug."

Re:This invalidates studies of Windows security (1)

mysidia (191772) | more than 4 years ago | (#32131318)

"Many times there simply is no benefit to anyone to disclose the bug."

This is pure and utter nonsense.

  • Failing to publicize the more critical issue means fewer people will apply the patch -- less pressure to apply the patch.
  • Sometimes higher-priority patches are applied, and lower-priority ones are not.
  • Often IT professionals will review the specific security advisory in question, and run the patch early only if the advised security issue impacts their setup; more general patching of issues that do not currently affect them can wait until the normal upgrade cycle (possibly once every 12 to 24 months, or sometimes even longer).
  • Releasing the patch discloses the bug to anyone who is concerned enough to look at it deeply -- they will analyze what is being changed by the patch, and can find the vulnerability based on the contents of the patch and what changed.

Second, more vendors doing something similar sometimes would just further invalidate studies of Windows security, if you can prove they do.

You see... the mere possibility that their practices may be completely different or inconsistent makes the incidence of vulnerability report numbers useless as a metric.

Re:This invalidates studies of Windows security (1)

jim_v2000 (818799) | more than 4 years ago | (#32132164)

These weren't released as anonymous patches; they were bundled with other security updates. If you don't think you need to install a security patch marked as "important", you should look into a career other than IT.

Re:This invalidates studies of Windows security (1)

mysidia (191772) | more than 4 years ago | (#32133970)

Time for you to get out of IT, if you think you need to blindly apply every patch marked important, that is an extreme waste.

It doesn't matter what the rating is: if the patch isn't for an issue that affects you, it is not worth the cost in terms of downtime risk and overhead to apply that patch.

Doubly so for non-critical rated issues.

For every patch, you read the security advisories in detail, and determine whether to implement the patch, or design a workaround to prevent the issue from being exploited until the next major upgrade cycle.

Or you may determine that the severity isn't sufficient to warrant patching, even if the rating is important.
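The advisory-driven triage mysidia describes above (and the list of reasons disclosure matters, earlier in the thread) can be written down as a small decision procedure. The following is an added example, not code from the thread or from Microsoft or Core; the bulletin, vulnerability identifiers, component names and hosts are all constructed placeholders (no real CVE or KB numbers), and the "bump one step for remote bugs on internet-facing hosts" rule is one assumed policy, not a vendor's. It shows how a host's apply-now/defer decision can flip once the undisclosed fixes in the same update are known.

```python
"""Advisory-driven patch triage: decide per host whether an update goes out now
or waits for the maintenance window, based only on what the advisory says.

Added illustration for this thread; not code from Slashdot, Microsoft or Core.
All identifiers below are constructed placeholders, not real CVE/KB numbers.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Vuln:
    ident: str       # vendor/CVE identifier (placeholder here)
    component: str   # the product or service the bug lives in
    remote: bool     # exploitable over the network without credentials
    severity: str    # one of SEVERITY_RANK


@dataclass
class Advisory:
    bulletin: str
    rating: str                        # vendor's overall rating for the update
    vulns: list = field(default_factory=list)


@dataclass
class Host:
    name: str
    components: set                    # software actually installed on the host
    internet_facing: bool


def triage(advisory, host, apply_threshold="important"):
    """Return (decision, relevant_vulns) for one host.

    Only vulnerabilities whose component is present on the host count.  A remote
    bug on an internet-facing host is bumped one severity step (assumed policy).
    Decisions: "not-applicable", "defer" (next upgrade cycle) or "apply-now".
    """
    relevant = [v for v in advisory.vulns if v.component in host.components]
    if not relevant:
        return "not-applicable", relevant
    worst = 0
    for v in relevant:
        rank = SEVERITY_RANK[v.severity]
        if v.remote and host.internet_facing:
            rank = min(rank + 1, SEVERITY_RANK["critical"])
        worst = max(worst, rank)
    decision = "apply-now" if worst >= SEVERITY_RANK[apply_threshold] else "defer"
    return decision, relevant


def decision_changes(published, complete, host):
    """True when knowing the undisclosed fixes would change this host's decision."""
    return triage(published, host)[0] != triage(complete, host)[0]


# Constructed advisory data.  The "published" view lists only what the vendor
# called out; the "complete" view adds two fixes shipped in the same update.
PUBLISHED = Advisory("BULLETIN-X", "important", [
    Vuln("VULN-A", "smtp-service", remote=True, severity="important"),
    Vuln("VULN-B", "smtp-service", remote=True, severity="moderate"),
])
COMPLETE = Advisory("BULLETIN-X", "important", PUBLISHED.vulns + [
    Vuln("VULN-C", "exchange-server", remote=True, severity="important"),
    Vuln("VULN-D", "exchange-server", remote=False, severity="moderate"),
])

# Constructed inventory: a mail gateway without the SMTP service component,
# and an internal relay that runs it.
MAIL_GATEWAY = Host("mx1", {"exchange-server"}, internet_facing=True)
SMTP_RELAY = Host("relay1", {"smtp-service"}, internet_facing=False)


def main():
    for host in (MAIL_GATEWAY, SMTP_RELAY):
        pub, _ = triage(PUBLISHED, host)
        full, hit = triage(COMPLETE, host)
        flag = "  <-- decision changed" if pub != full else ""
        print(f"{host.name:8s} published={pub:14s} complete={full:14s} "
              f"hits={[v.ident for v in hit]}{flag}")


if __name__ == "__main__":
    main()
```

For the gateway, the published advisory yields "not-applicable" (nothing it lists touches Exchange), while the complete picture yields "apply-now"; the relay's decision is the same either way. That is exactly the failure mode the thread is arguing about: the rating on the bulletin did not change, but a host-level risk decision made from the advisory text did.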

trust? (1)

mrdtr (1343377) | more than 4 years ago | (#32122192)

So basically if you can't trust MS to be truthful and upfront about security updates, what can you trust them with?

what? (0)

Anonymous Coward | more than 4 years ago | (#32122228)

Microdosft? Are they still kicking around?
