
MS Security Chief: Windows Never Exploited Until Patch Available

michael posted more than 10 years ago | from the if-you-say-so dept.


BenBenBen writes "The head of Microsoft's security business and technology unit states that Windows is never vulnerable until a patch appears, and that releasing patches is what causes exploits to be developed. Good quotes: 'We have never had vulnerabilities exploited before the patch was known', and '[he] could only think of one instance when a vulnerability was exploited before a patch was available'. Erm..."


1040 comments


Oh really? (5, Funny)

ChaoticChaos (603248) | more than 10 years ago | (#8398670)

"The Earth is flat."
"The Sky is green."
"Earth is the center of the universe."

Other ridiculous statements that have also been proven false.

So, let me get this straight, Windows will become more secure if Microsoft stops issuing patches? :-)

Sakes alive, the Microsoft spin machine has been well oiled this morning!

ChaoticChaos
"If Windows wasn't vulnerable until the patch was released, why was the patch released in the first place???"

Re:Oh really? (5, Interesting)

Jotaigna (749859) | more than 10 years ago | (#8398712)

The simplest method used to detect a lie is to cross-question the subject until it gets confused and contradicts itself. These guys have security departments, management, development, sales, etc. They should build a "Lie Tracking" department; then they'll have at least something consistent. I think this post should have been published in the "it's funny, laugh" category.

Re:Oh really? (5, Insightful)

vandegraff (461064) | more than 10 years ago | (#8398718)

Sounds like a simple belief in security through obscurity. That is really sad.

Re:Oh really? (1, Funny)

smchris (464899) | more than 10 years ago | (#8398721)


Karl Rove moonlights?

Re:Oh really? (5, Funny)

dingbatdr (702519) | more than 10 years ago | (#8398739)

In other news, Microsoft announces that cause and effect are reversed when it comes to their software.

"We think it is due to our patented time-traveling module," quips Steve Ballmer.

Re:Oh really? (-1, Redundant)

ChaoticChaos (603248) | more than 10 years ago | (#8398758)

ROFLMAO!!!!!!!

Re:Oh really? (5, Funny)

FrostedWheat (172733) | more than 10 years ago | (#8398888)

"We think it is due to our patented time-traveling module," quips Steve Ballmer.

It's true! I was copying a file over the LAN the other day, and IE said it had -8342563246 seconds to go!

Microsoft Time (C)(R)(TM)
Where do you want to go yesterday?

Re:Oh really? (1, Funny)

ChaoticChaos (603248) | more than 10 years ago | (#8398795)

Another way to look at this is that I should be able to remove every patch from my Windows PC and it would be totally secure? LOL!

On the BBC, no less... (-1, Offtopic)

ackthpt (218170) | more than 10 years ago | (#8398811)

Other ridiculous statements that have also been proven false.

Or pretty close to false. The BBC has had a great track record of interrogating people (including world leaders who could order the deaths of their correspondents); I wonder why this was so soft on 'experts' (0==0 except where 1==0).

Meanwhile they're doing a bang-up job on Thursdays explaining the war on terrorism (a pretty good series which highlights intelligence failures around the world).

Re:Oh really? (0)

CaptainPinko (753849) | more than 10 years ago | (#8398816)

To make it vulnerable so that they could make more patches of course!

In soviet russia... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8398851)

the sky is green

Interesting stock photos (0, Insightful)

Anonymous Coward | more than 10 years ago | (#8398673)

Doesn't the BBC have any better stock photos to place in this article? I mean come on, a picture of an old clock and a close-up zoom of the shift and return keys (with the caption "Exploits get written once patches appear").

Beware the evil shift and return keys! They should be removed from the keyboard as they clearly are used to write exploits.

Don't trivialise their complicit condonment!! (1, Funny)

adamofgreyskull (640712) | more than 10 years ago | (#8398770)

You may mock, but I doubt any exploit has been written without using the Shift & Return keys.

help!! you mom is on my sp0ke what should me do?! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8398676)

n/t

Piffle (2, Interesting)

onyxruby (118189) | more than 10 years ago | (#8398677)

Choice quotes

"Almost all attacks against our software are against the legacy systems," he said.

"If you want more secure software, upgrade."

Sounds pretty close to an admission of deliberately leaving old OS's insecure to force upgrades, to me. What really gets me though is the insinuation that those who don't hand over more money to the beast of Redmond for shiny new software are somehow responsible for security exploits.

Certainly there are industry people that consider NT 4 to be the only MS OS at all securable, and only then because it has been around long enough to pretty much have its holes ironed out. Is this just a prelude to their future excuse to force a rental model on the public?

Re:Piffle (0)

Anonymous Coward | more than 10 years ago | (#8398735)

Unlike the first poster who reversed what he said, you really got it right. But I do think he got it backwards as patching is something you do to buggy, and no doubt insecure, software.


I find it hard to believe that there were no holes in windows just because they had not come out with the first patch. Or all patches are insecure. Hmm. Does not compute.

Re:Piffle (5, Insightful)

sputnikid (191152) | more than 10 years ago | (#8398760)

"If you want more secure software, upgrade."

That quote goes for Linux as well as MS. How many people do you know that are still running 2.0.34?

Re:Piffle (5, Funny)

Erratio (570164) | more than 10 years ago | (#8398837)

Yeah...I hate paying for those damn Linux upgrades.

Re:Piffle (-1, Redundant)

IWorkForMorons (679120) | more than 10 years ago | (#8398882)

How many people using Linux are forced to pay for upgrading?

Re:Piffle (-1, Insightful)

millahtime (710421) | more than 10 years ago | (#8398767)

"deliberately leaving old OS's insecure to force upgrades to me."

This isn't a deliberate thing. Not all old software is supported. If Linux 2.2.XX had security holes they would say upgrade. There aren't new fixes being written. If there was an old version of Lotus Notes that had a security hole, they would say upgrade. This isn't unusual, or M$ forcing it on people.

Re:Piffle (5, Informative)

darkjedi521 (744526) | more than 10 years ago | (#8398824)

Linux 2.0.40 - release 2/8/04
Linux 2.2.26 - release 2/25/04
Linux 2.4.25 - release 2/18/04
Linux 2.6.3 - release 2/18/04

The older versions of the Linux kernel seem to be alive, well, and still being patched for security flaws. In fact, the most recent kernel release is 2.2.26.

Re:Piffle (2)

wafflemonger (515122) | more than 10 years ago | (#8398848)

If Linux 2.2.XX had security holes they would say upgrade.

The upgrade is to 2.2.XX+1 or the patch that fixes the problem. I don't have to spend $X00+ to get a more secure system.

Re:Piffle (5, Insightful)

xeaxes (554292) | more than 10 years ago | (#8398861)

If Linux 2.2.XX had security holes they would say upgrade. There aren't new fixes being written.

But you are wrong about this. In fact, a new kernel update to 2.2 was released: version 2.2.26. It's been a year, but they are still being released.

Here's a quote from the release: "Marc-Christian Petersen announced the release of the 2.2.26 Linux kernel. This release includes several security fixes, including a fix for the latest mremap() bug." See the Linux 2.2.26 Release Notes [kerneltrap.org].

So, really, MS is forcing users to upgrade by not releasing patches for old versions.

Re:Piffle (5, Interesting)

onyxruby (118189) | more than 10 years ago | (#8398869)

I agree not all old software should be upgraded. Windows 3.1 may rest in hell as far as I'm concerned. But it wasn't that long ago they tried to kill off Windows 98; that's what, 25% or so of the home user base? I recognize that the 9.x kernel is inherently insecure and outdated, but that's no excuse not to patch known exploits when there is a substantial user base out there.

I am not, by the way, saying that users should not patch their systems, only that they should not be forced to upgrade working systems under the auspices of security just because MS wants more revenue. They can pull that crap on the business market and get away with it, but Joe Sixpack can always go try that Linux thingie he heard about.

Re:Piffle (-1, Redundant)

ZorinLynx (31751) | more than 10 years ago | (#8398874)

BIG difference here. You have to pay *MONEY* for Windows upgrades, whereas upgrading a linux box is entirely free.

Since Microsoft forces people to pay money to upgrade in order to close security holes, this is what makes them morally questionable.

Re:Piffle (0, Redundant)

Xpilot (117961) | more than 10 years ago | (#8398890)

If Linux 2.2.XX had security holes they would say upgrade.

Bzzzt! Wrong answer. Linux 2.2.xx and even 2.0.xx is still being actively maintained for bugfixes :p

Re:Piffle (3, Interesting)

October_30th (531777) | more than 10 years ago | (#8398778)

those who don't hand over more money to the beast of redmond for shiny new software are somehow responsible for security exploits.

So, how much has using Windows Update cost you extra so far?

Re:Piffle (1)

g0hare (565322) | more than 10 years ago | (#8398780)

Wrong. Old OS's are insecure because a) they weren't really designed for the Internet and b) ease of use. Security is hard. You have to remember passwords. You have to get an admin to install software. Etc. And of course you are still running kernel 1.1 right?

Re:Piffle (4, Funny)

maiden_taiwan (516943) | more than 10 years ago | (#8398791)

>Sounds pretty close to an admission of deliberately leaving old OS's insecure to force upgrades to me...

Ridiculous. Why would they want to force upgrades to Windows ME?

The dark arts? (4, Interesting)

monstroyer (748389) | more than 10 years ago | (#8398678)

Has Microsoft become so jaded that they have turned to the dark art of trolling? Do they get some sort of perverse pleasure by fishing strong feelings out of educated people who know better just so their board of directors can laugh at the zeal of the rebuttals, knowing full well they were full of shit?

Head of security? The article is pure genius by trolling standards. And having just read about Microsoft wanting to pollute Java [linuxtoday.com], maybe their new business strategy is to troll all aspects of the computer world... just to pollute it?

Re:The dark arts? (2, Interesting)

millahtime (710421) | more than 10 years ago | (#8398841)

M$ is doing great PR to the masses. They know what they are saying and why. But the masses don't know the whole story.

The "truth" about them isn't going out to the masses. So what M$ says is all that is seen by the masses, so they buy it.

It's like, say, in politics. Say there was one party that did 90% of the talking. The other 10% isn't seen that often, so your average Joe believes the larger 90% of the info.

Re:The dark arts? (2, Funny)

Anonymous Coward | more than 10 years ago | (#8398862)

Has Microsoft become so jaded that they have turned to the dark art of trolling?

I sure hope so. I wonder how much MS will pay for:

a) First posts
b) "In Soviet Russia" jokes
c) "I for one welcome X overlords" jokes

Goatse & Tubgirl redirects must be worth a bundle!

Logic??? (5, Insightful)

BWJones (18351) | more than 10 years ago | (#8398679)

Meh.......The last statement in the article: "If you want more secure software, upgrade." pretty much sums up Microsoft's position. With this kind of logic, it's a wonder that any coding gets done at all there. So, by extension, if everybody were to leave their doors open and unlocked at night, there would be no crime? :-) Seriously though, if you actually read the article, what it says describes reverse engineering of patches to explore and exploit vulnerabilities. So, the statement if confused might be technically correct, but that does not mean that the security vulnerabilities are not there in the first place. What happens mostly is that the lazy are exploiting the patches, whereas the more experienced (perhaps more dangerous) hackers will do their own work. Furthermore, the more experienced hacker might not be as likely to release their attack into the wild promiscuously. Rather they are doing what they do for a likely monetary payoff.

The real question though is: If the patch can be exploited, is it a patch? Yes, I know that they are analyzing the patch to attack unpatched machines, but to claim that vulnerabilities are not present before patches are released is circular logic.

Upgrade sales? (2, Insightful)

ls-lta (681694) | more than 10 years ago | (#8398870)

I can't help wondering if they're anticipating a sales problem. If a CEO sees an upgrade request and "knows" that upgrading helps security issues, they're sure to say yes. Unless, of course the CEO thinks that the upgrade is really just another type of patch or realizes that they will get forced into a costly upgrade spiral. But, I wouldn't want to give anyone any ideas.

Post hoc, ergo propter hoc (5, Insightful)

Waab (620192) | more than 10 years ago | (#8398682)

At best, the notion that patches are the source of all exploits is a logical fallacy [datanation.com]. However, I'm sure I'd not be in the minority of /. readers if I opined that Mr. Aucsmith is either lying outright or simply delusional.

I say that since Microsoft has a policy of "eating their own dog food", they should be forced to stand by this ridiculous proclamation and henceforth cease and desist all efforts to patch their code. Thus, all exploitations of buggy MS code will also halt.

Re:Post hoc, ergo propter hoc (2, Interesting)

Anonymous Coward | more than 10 years ago | (#8398793)

Delusional. They're neither stupid enough nor smart enough to lie outright. I think that there is a strong possibility that this sort of delusion is part of a corporate mindset.

Re:Post hoc, ergo propter hoc (5, Insightful)

jruschme (76180) | more than 10 years ago | (#8398830)

Actually, I think it has a sort of perverse logic (albeit a nearsighted one). If I understand it correctly, the idea is that when a patch is released, it opens up knowledge of a hole. This is similar to the whole argument about when to release info on a security hole.

The problem with this reasoning is that it assumes the only people writing exploits are lazy/clueless enough to wait for someone to tell them what to exploit. It ignores the fact that there is a community of hackers out there actively looking for the holes.

Simple solution (5, Insightful)

shystershep (643874) | more than 10 years ago | (#8398685)

If crackers never find exploits except for by comparing patched and unpatched versions, why the hell do they release security patches then? Seems like they've got their security problems licked -- no patches, no exploits. What could be simpler.

Also liked this quote, from the end of the article:
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."

Hmmm.

hmm (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8398686)

ouch ! fun fun

IN SOVIET RUSSIA... (-1, Funny)

sputnikid (191152) | more than 10 years ago | (#8398691)

the patches exploit you!

Re:IN SOVIET RUSSIA... (-1, Troll)

buffer-overflowed (588867) | more than 10 years ago | (#8398759)

In soviet russia, dead horse beats you!

Re:IN SOVIET RUSSIA... (-1, Troll)

andreMA (643885) | more than 10 years ago | (#8398820)

That'd be "In Redmond, Washington..."

Criminal tools like "diff"? (5, Funny)

RobertB-DC (622190) | more than 10 years ago | (#8398693)

He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.

"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."


I guess that explains why Windows doesn't include a "diff" function...

Re:Criminal tools like "diff"? (5, Interesting)

tomhudson (43916) | more than 10 years ago | (#8398833)

I guess that explains why Windows doesn't include a "diff" function...

fc - from your old DOS days - stands for file compare

I'd check to see if it still exists in Windows, but there aren't any Winboxen around here :-)

MSFT? OK, everybody - start bashing (-1)

Anonymous Coward | more than 10 years ago | (#8398694)

Slashdot fanatics and linux heads will kill the person in front of them if they mention the word Microsoft, for apparently no reason!

In other news... (5, Funny)

daeley (126313) | more than 10 years ago | (#8398695)

In related news, the Mayo Clinic has announced that if we eliminated cancer treatments, we would eliminate cancer.

NEO AND THE JEWS KILL JESUS AND FRODO FOR THE RING (-1)

Can it run Linux (664464) | more than 10 years ago | (#8398698)

WARNING!!! Spoilers in subject line!

So... (5, Funny)

Niles_Stonne (105949) | more than 10 years ago | (#8398705)


So, instead of poor programming it's incompetent management?

An article disproving this... (4, Insightful)

millahtime (710421) | more than 10 years ago | (#8398706)

If a politician said something like this it would get torn apart by the media. If a scientist said something like this he would lose his credibility and there would be articles written to counter it in major publications. Why does that not happen with M$??? It's almost like they are "above the law" and what they say happens. Kind of like when God speaks.

Re:An article disproving this... (1)

dynamo (6127) | more than 10 years ago | (#8398801)

God hasn't released a patch in a really long time... maybe you're right.

Re:An article disproving this... (0)

Anonymous Coward | more than 10 years ago | (#8398831)

Ummm, they've already lost all credibility and so cannot lose more?

Must have a good source for that stuff... (5, Funny)

ackthpt (218170) | more than 10 years ago | (#8398709)

Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.

I love how people with vested interests are called 'experts'

thhhhhhhhhtttt *choke* *gag* "ahhhhhhh" So as I was saying, hackers haven't found any of these flaws and exploited them before they were patched. Man, this is some strong crack, I almost believe what I said, myself"

And how do these fine experts actually know there aren't, at this moment, flaws being exploited left and right? Ah, they're experts, of course!

This just in... (3, Funny)

cybercuzco (100904) | more than 10 years ago | (#8398713)

Microsoft to stop patching systems altogether to improve security. Also announces that War is Peace, Freedom is slavery etc etc etc

Re:This just in... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8398839)

from your sig:

If French Fries= Freedom Fries and French Toast = Freedom Toast I want to leave the US and go live in Freedom

Nobody is stopping you from moving to France. Go on ahead, unless you don't like your women to have hairy legs and hairy pits.

If only... (0)

Anonymous Coward | more than 10 years ago | (#8398857)

If only Microsoft would get struck down at the next Zebra crossing

What happened to the month of March? (4, Funny)

andreMA (643885) | more than 10 years ago | (#8398716)

... we seem to have skipped directly to April 1st...

Re:What happened to the month of March? (1)

physicsboy500 (645835) | more than 10 years ago | (#8398885)

They obviously thought it was such a good one that they just couldn't sit on it for another month!

Iraq (4, Funny)

LittleLebowskiUrbanA (619114) | more than 10 years ago | (#8398725)

This ranks right up there w/ the Information Minister... Looks like the corporate world is just as bad about propaganda as the gov'ts of the world.

It's no wonder... (2, Funny)

Sayten241 (592677) | more than 10 years ago | (#8398726)

that with geniuses like this working for them, Microsoft has the most secure OS in the world.

Security is in the eye of the beholder (5, Interesting)

chaoskitty (11449) | more than 10 years ago | (#8398734)

MS' problem is clearly that they have too many managers and businesspeople, and not enough technical people (or perhaps their technical people have no voice). That a MS employee can say such things that everyone else in the world clearly knows is wrong says something about their concern for real security...

Re:Security is in the eye of the beholder (2, Funny)

kyoko21 (198413) | more than 10 years ago | (#8398785)

All the really technical people at Microsoft are all too juiced up from the free soda that they get readily available from the free soda machines posted at every 50 paces. Not to mention they also get free snacks, too.

Spin, spun, spend (4, Interesting)

Space cowboy (13680) | more than 10 years ago | (#8398736)

This is a fabulous marketing manoeuvre. It's completely ludicrous of course, but it makes the connection between not-upgrading and being-vulnerable in the pointy-haired heads.

There *must* however be laws against making statements *that* outrageous...

Simon.

Assume for me... (5, Insightful)

lacrymology.com (583077) | more than 10 years ago | (#8398744)

... just assume for a moment that what he says IS true (for argument's sake). Would you feel better as an M$ customer having heard it? That is, do you feel better knowing that there are many holes in the system that no one outside of M$ knows about? Does security through obscurity make you feel better?
-m

Riiight... (2, Insightful)

bendelo (737558) | more than 10 years ago | (#8398745)

"Almost all attacks against our software are against the legacy systems," he said.

"If you want more secure software, upgrade."


Should I start laughing now or later? David Aucsmith seems to be missing a clue.

Re:Riiight... (2, Funny)

Zerikai (645450) | more than 10 years ago | (#8398875)

He's not missing a thing!

I did exactly what he claims and I have a very secure system. I upgraded to Linux.

Or a very old quote:

"The box said Windows 95 or better, so I bought a Macintosh"

Revised Quote (3, Funny)

pumpknhd (575415) | more than 10 years ago | (#8398747)

Previous Quote: 'could only think of one instance when a vulnerability was exploited before a patch was available'

Revised Quote: 'I can not think of even one instance when a vulnerability was exploited before Windows was available'

Who is he talking to? (1)

IamGarageGuy 2 (687655) | more than 10 years ago | (#8398749)

Who could ever possibly believe such a statement? I am not necessarily anti-MS (maybe a little), but this is just so over the top that it can only be targeted at people without any clue whatsoever. This is not even a good spin on the topic. Remind me never to believe anything MS puts out in a press release.

POC (4, Interesting)

Bikini Kill (678047) | more than 10 years ago | (#8398751)

I'm sure that security researchers at companies like EEye are providing Microsoft with proof-of-concept exploit code when submitting vulnerabilities.

It's pretty obvious from that fact that exploit code does exist before a patch is released almost 100% of the time; it's just not released to the public until after the patch is available most of the time.

What could their motivation be.. (0, Redundant)

dynamo (6127) | more than 10 years ago | (#8398754)

Direct quote from the end of the article
---------
"Almost all attacks against our software are against the legacy systems," he said.

"If you want more secure software, upgrade."

Legacy Systems (2, Funny)

Archangel Michael (180766) | more than 10 years ago | (#8398873)

32 bit extensions to a 16 bit OS, built for an 8 Bit CPU by a two bit company.

Defining the Microsoft Legacy.

corepirate nazi felons surrendering? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8398756)

about as likely as the moon/mars/bars shot being piloted buy the won-eyed girl & the illegal aliens?

these foulcurrs are in it up to their/yOUR last gasp.

consult with/trust in yOUR creators.... the kode is well, knowed.

On the same logic (5, Insightful)

EulerX07 (314098) | more than 10 years ago | (#8398761)

An unlocked door is safe until someone sees you lock it. Therefore everybody just leave all your doors unlocked; since we do not know that they're unlocked, there is no danger.

Reply to this post with your street address and your usual work hours, thanks!

Re:On the same logic (1, Funny)

Anonymous Coward | more than 10 years ago | (#8398866)

1600 Pennsylvania Avenue
Washington, D.C.

I work from home, but you can find out my vacation schedule by watching the news.

Hope to see you soon.

Since when.. (4, Funny)

bishiraver (707931) | more than 10 years ago | (#8398764)

Since when did Microsoft hire the Iraqi Information Minister?

Partly right (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8398768)

I must admit that they are partly right on this statement. As long as they don't publish a patch, most of the world doesn't even know there is a hole. A few security specialist firms know, but they are not dangerous.

As soon as they release the patch, every hacker knows 99% of the systems won't be patched for a while, and Microsoft has just about given away what the problem is and how to exploit it.

So I say yes, it is dangerous to say out loud "hey, there is a hole in our system, but we have a patch". I would prefer if they just shut up, and release a "cumulative patch" once in a while.

Just my opinion.

As they lose face before me... (2, Funny)

La Camiseta (59684) | more than 10 years ago | (#8398774)

"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

wow, credibility meter falling ... falling ...

Never, until... (1)

MeBadMagic (619592) | more than 10 years ago | (#8398777)

"We never HAD a problem, until we NOTICED it!"


B-)

What the Fuck? What the Fucking Fuck Fuck? (5, Funny)

Tackhead (54550) | more than 10 years ago | (#8398784)

> 'We have never had vulnerabilities exploited before the patch was known'

"Bullshit" doesn't begin to do justice to the level of falsehood present here. We're talking about taking the very essence of falsity, distilling it over the flames of ignorance, condensing it within intestinal walls of monumentally bovine intellectual apathy and sponsoring a college kegger with the elixir-excremento obtained therefrom.

To be fair if I were to write an exploit.... (3, Informative)

Bob Zer Fish (568540) | more than 10 years ago | (#8398787)

If I were going to write an exploit, I'd write the exploit AFTER Microsoft had patched my OS so I didn't zombie my own computer up!!!!

With all the script kiddies out there, would they know how to patch Microsoft to protect themselves? They probably use code from security sites which show the exploit in action, and don't understand the underlying code.
Of course for the others, they probably realise that many people are forced to use Windows, and their only protection is Windows with a decent firewall and up-to-date Windows Updates.

Which one is next? (2, Informative)

loftwyr (36717) | more than 10 years ago | (#8398789)

Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

So Symantec has a full list of all vulnerabilities and is keeping that a secret. Then why does it take 3 days to get an Outlook patch to fix the latest vulnerability?

Yes... upgrade (4, Informative)

nulltransfer (725809) | more than 10 years ago | (#8398796)

"If you want more secure software, upgrade."

I concur! :) Upgrade [linux.org] today!

Re:Yes... upgrade (1)

rusty0101 (565565) | more than 10 years ago | (#8398884)

I did some time back. Now the only copies of "Windows" I have are securely stored on the CD-ROMs and images I got them on. Linux, Mac OS X, and BeOS, all running securely behind a firewall.

I don't know how many times I have heard people claiming that none of these are "truly secure" either, yet none are showing the level of security problems that Windows has demonstrated.

-Rusty

If not true, this should be easy disproved... (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8398799)

by contradiction.

Just one?? Really?! (5, Informative)

thesolo (131008) | more than 10 years ago | (#8398802)

I think [slashdot.org] he might [slashdot.org] be wrong [infoworld.com].

Back at work, I see... (2, Funny)

Hawthorne01 (575586) | more than 10 years ago | (#8398805)

It's good that ol' Baghdad Bob, aka The Iraqi "Information" Minister, has landed on his feet and found a good position with Microsoft.

I wonder if he's moonlighting for tobacco companies on the side as well.

XP = Legacy? (5, Funny)

La Camiseta (59684) | more than 10 years ago | (#8398808)

"Almost all attacks against our software are against the legacy systems," he said.

So is that what they're calling WindowsXP now?

How I read it (3, Informative)

chrisbtoo (41029) | more than 10 years ago | (#8398812)

When I read this story earlier, I figured that what they really meant was, "most of our vulnerabilities don't get announced until we have a patch, and people don't start to exploit them until they're announced".

Given that they're binary patches, it seems to me that it'd be a whole lot less effort to look at the details of the advisory (and example 'sploit) than to go reverse-engineering the patches. Particularly since they're accusing the h4x0rZ of being lazy.

They don't get the point... (5, Interesting)

chill (34294) | more than 10 years ago | (#8398822)

Who is it that finds all the exploits and reports them to Microsoft in the first place? It sure as hell isn't Microsoft employees!

This means, known holes and exploits are available to certain people BEFORE patches exist. Are you willing to bet your business that those "certain people" are ALWAYS good, ethical and honest? There are no intelligent "bad guys" who can do this?

Where are all the "hackers" and "black hats" the media is always screaming about! Please, don't tell me they are ALL script kiddies.

-Charles

P.S. -- How can I ever get "first post" if the damn article quotes make me laugh so hard I can't type?

Can we say windows ME? (1)

K0rnh010 (756793) | more than 10 years ago | (#8398823)

I seem to remember a buggy piece of crap software called Windows ME, that had a couple of bugs in it, and it was "new" software. Is Microsoft telling me that if I upgrade to Winblows XT that I won't have any problems? HAH, the only stable Microsoft OS out there was MS-DOS. Oh yeah, I need a printout of Microsoft's EULA for my bunghole.

Iraqi Information Minister working for MS? (5, Funny)

ageoffri (723674) | more than 10 years ago | (#8398832)

Wow, looks like Microsoft has hired the former Iraqi Information Minister.

"The infidels' packets are slaughtering themselves at the ports to our OS"

"There are no exploits against windows, they are all lies from the so called Open Source community"

"We removed the Windows Update site to better serve our loyal followers."

The relationship between MS and SCO is paying off! (1)

DaSpudMan (671160) | more than 10 years ago | (#8398840)

The Micro$oft Information Minister must have been smoking crack^^^^H, I mean talking with Darl if he's spouting this kind of crap.

Source (1)

physicsboy500 (645835) | more than 10 years ago | (#8398842)

Or how about until their source itself is known publicly. To my knowledge several bugs were found by merely looking at the source, and if the patches show the vulnerabilities of MS, then the source obviously shows the root of every problem.

I do enjoy how they state something that can never be proven correct on top of the fact that there are already a few known exploits to the source stolen a while back

Possible Reason (4, Insightful)

KJE (640748) | more than 10 years ago | (#8398855)

Could this possibly be because people who find flaws in the system might go to Microsoft first and say "look what we found", and then give MS a chance to fix it?

Then, when MS does release the patch, the people who found the flaw throw up the details on their website for all the "hackers" to get their hands on.

hence the exploits coming after the patch is released

He went on (2, Funny)

QuijiboIsAWord (715586) | more than 10 years ago | (#8398859)

He went on to prove that black was white and was run over at the next zebra crossing..

Darl?? IS THAT YOU?? (1, Funny)

Anonymous Coward | more than 10 years ago | (#8398863)

Since when did McBride get a job a Microsoft..

a quick read through the comments yields..... (4, Interesting)

rumpledstiltskin (528544) | more than 10 years ago | (#8398865)

pretty much nothing to call into question what he said. Granted, I didn't rtfa, but I would like to hear from some Slashdot users of a Windows vulnerability that was exploited on a large scale before a patch was released.

There's a lot of hand wringing and self righteous indignation over the statement, but has anyone bothered actually to counter it?

MSFT mentioned!! Slashbot tantrum time!!! (5, Insightful)

stratjakt (596332) | more than 10 years ago | (#8398868)

The guy does have a point. The description of the patches gives malicious coders a good detail of what to exploit.

There are no doubt circumstances where the super-1337 h4x0r finds an exploit all on his own, I'd imagine through trial and error, but for the most part, they look at windows update and see "This patch resolves a vulnerability in WMP which could allow arbitrary code execution", and they write an exploit for the unpatched boxes.

The MSDN knowledge base is a great source for folks looking for exploits, they very often have step-by-step directions to reproduce the problems.

That's how you get root on linux boxes too, you find people still running an older kernel version, or an old sendmail, ssh, whatever, and hit the known exploits for that version.

And if you want a more secure system, yeah, upgrade. It works that way no matter what your personal philosophy behind your OS choice.

shouldn't this be on bbspot? (2, Insightful)

hellraizr (694242) | more than 10 years ago | (#8398872)

sure this wasn't ripped from bbspot.com?

And despite photographic proof... (4, Funny)

Bug-Y2K (126658) | more than 10 years ago | (#8398878)

...I never did this. [goolsbee.org]

Ever.

No, really... I didn't.

Logic? (4, Funny)

CaptainBaz (621098) | more than 10 years ago | (#8398880)

Mr Aucsmith went on to prove that 1=2, that black is white, and promptly got himself killed on the next zebra crossing...