Microsoft Security Bulletin MS03-040 - 828750

  • Thread starter Jerry Bryant [MSFT]
  • Start date

Papa

It was KB828026, regarding a security update for the Windows Media Player.
I'm not sure if it applies to W98, I'm using XP.
 

whoever

If the lock is broken on your front door, you won't be able to fix it
for a couple of days, and someone burgles your house, you don't hang a
sign on the front door that says, "Warning, my lock is broken and
burglars can get in."

If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
refusing to alert the general public - as long as there are specific steps
that can be taken to mitigate the risk. On the other hand, if the virus is
a purely "social engineering" virus, that relies on the end user opening an
infected attachment, then making a big song and dance about it is a waste of
time - the people who will open the infected attachment aren't paying
attention anyway. (In fact, it might be argued that SWEN is more successful
this month, after all the publicity about SoBig.F and Blaster, precisely
because MS did make a big song and dance last month, so some people weren't
surprised to receive a "security patch from Microsoft" in the mail). There
are no patches for Swen and Sobig, because they're exploiting buggy
wetware, not buggy software.

It seems to me that at least some (if not all) of the high-profile attacks
in the last 12 months came _AFTER_ the public announcement of the
vulnerability. In other words, the "white hats" that unearth a 5 year old
buffer overflow exploit and announce it to the world are doing far more
good for the "black hats" than for the rest of us ordinary mortals.
 

Jim Eshelman

whoever said:
If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
refusing to alert the general public - as long as there are specific
steps that can be taken to mitigate the risk.

The last phrase is, I think, the main one. There are two considerations,
though, that I think it's just possible some folks aren't getting:

(1) The existence of a single exploit already in the wild doesn't mean that
other exploits couldn't be launched. The fact that there is a single worm
out there doesn't mean that, given sufficient resources, there wouldn't be
others. The risk is still quite high, therefore, that publishing information
about an exploit would invite more exploitations. For that reason, it seems
like a very bad idea.

(2) If it is only the single worm that concerns you -- the one already "in
the wild" -- then this should be handled by the AV companies. That's the
correct way to protect against a single known agent and its variants, and to
clean them if they're already present.

Within the company for which I work -- about 6,000 end-users that we
service -- the moment a new Critical Update appears there is a rapid move to
deploy it on the servers, and then turn to the question of whether or not to
inform the end-users. By that time there is pretty much always an updated
virus definition file from our AV provider, and therefore there is no reason
to say anything further to the end-users. We've already set up the mechanism
whereby the AV software is in place and the definition files are
automatically updated every time the machine hits the Internet.

And that's the way it should be on *everyone's* system -- a good AV product
installed that updates itself automatically and frequently and checks in
real-time as you are working. With that in place, why is it necessary for MS
to duplicate what the AV companies are doing, and possibly increase the risk
of further exploits?

whoever said:
It seems to me that at least some (if not all) of the high-profile
attacks in the last 12 months came _AFTER_ the public announcement of
the vulnerability. In other words, the "white hats" that unearth a 5
year old buffer overflow exploit and announce it to the world are
doing far more good for the "black hats" than for the rest of us ordinary
mortals.

Yup. That's the problem. It's "damned if we do, damned if we don't." This
has led to serious discussions in newsgroups and elsewhere of whether MS
should *ever* announce such things. The consensus is that yes, they should,
and that's the path they've taken (and I agree with the path) -- but it is
at least a valid question.

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 

PCR

That's it, then. There does not seem to be a version of the WMP patch
for Win98 (unless we got it earlier for some reason).

But what are you doing here, if you are XP, Papa? Has your brain been
fried in the radiation?

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| It was KB828026, regarding a security update for the Windows Media Player.
| I'm not sure if it applies to W98, I'm using XP.
|
| > Two? Why was I gypped, Papa? What was the second one? Here are the last
| > six it had for me...
| >
| > Successful Saturday, October 04, 2003 October 2003, Cumulative Patch for
| > Internet Explorer 6 Service Pack 1 (KB828750) Web site
| >
| > Successful Wednesday, August 20, 2003 August 2003, Cumulative Patch for
| > Internet Explorer 6 Service Pack 1 (822925) Web site
| >
| > Successful Sunday, August 17, 2003 Root Certificates Update
| > Read more... Web site
| >
| > Successful Saturday, August 02, 2003 DirectX 9.0b End-User Runtime
| > Read more... Web site
| >
| > Successful Thursday, July 10, 2003 823559: Security Update for Microsoft
| > Windows Web site
| >
| > Successful Friday, June 27, 2003 Flaw In Windows Media Player May Allow
| > Media Library Access (819639) Web site
| >
| > And here is my sum total showing in various places...
| >
| > (A) At IE6, Help, About:
| > SP1, Q313829, Q328970, Q328389, Q324929, Q810847, Q813951 Q816506,
| > Q813489, Q330994, Q818529, Q822925, & Q828750.
| >
| > (B) At "START, Run, MSInfo32, Software Environment, Software Updates":
| > Windows 98 Second Edition=4,10,0,2222
| > Updates=Year 2000 Update for Windows 98b
| > SP2: Windows 98 Second Edition USBHUB
| > W98: Q245729, Q274113, Q314147, Q323172, Q323255, Q329115,
| > Q811630
| > W98SE: Q823559, Q245272, Q256015, Q259728, Q260067, Q273017, Q273991
| > Win98SE: Q249973, Q238453, Q239887, UHCD
| > Windows 98 Second Edition Digital Video
| > Windows 98 TELNET
| >
| > (C) At "Control Panel, Add/Remove Programs":
| >
| > (1) 128 bit encryption support for Dial-up Networking
| > (2) Internet Explorer Q828750 (was Q822925, Q818529)
| > (3) Microsoft Internet Explorer 5 Web Accessories
| > (4) Microsoft Internet Explorer 6 SP1 and Internet Tools
| > (5) Microsoft Internet Print Services
| > (6) Microsoft Outlook Express 6
| > (7) Outlook Express Update Q330994
| > (8) Windows 98 Q823559 Update
| > (9) Windows 98 Second Edition Digital Video Update
| > (10) Windows Media Player system update (9 series)
| >
| > --
| > Thanks or Good Luck,
| > There may be humor in this post, and,
| > Naturally, you will not sue,
| > should things get worse after this,
| > PCR
| > (e-mail address removed)
| >
| > | Days?? Hardly. I was aware of it simply by clicking on the Update
| > | button and installing the two critical updates that were listed. When
| > | did I do it? Friday, October 3rd.
| > |
| > | Every user should frequently check for updates, whether they have the
| > | update notification enabled or not.
| > |
| > | > > There is an old saying - "Keep it simple". So my advice will
| > | > > continue to be - obtain your updates from one place, and one place
| > | > > only - the Update button.
| > | >
| > | > And when a critical update takes days to appear on Windows Update, yet
| > | > can be accessed via the Technet article that is invariably linked to
| > | > the Q article that points to Windows Update in the first place? Then
| > | > what?
| > | >
| > | > Your attitude is wrong.
| > | >
| > | > --
| > | > Install the latest IE cumulative patch for protection against QHost:
| > | > http://www.microsoft.com/security/security_bulletins/ms03-040.asp
| > | > More information about QHosts can be found here:
| > | > http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
| > | > ________________________________________
| > | > Sandi - Microsoft MVP since 1999 (IE/OE)
| > | > http://www.mvps.org/inetexplorer
 

PCR

He has been over-exposed to XP-radiation, it seems.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| "tauts the access of Windows Update"?
|
| --
| Install the latest IE cumulative patch for protection against QHost:
| http://www.microsoft.com/security/security_bulletins/ms03-040.asp
| More information about QHosts can be found here:
| http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
| ________________________________________
| Sandi - Microsoft MVP since 1999 (IE/OE)
| http://www.mvps.org/inetexplorer
|
| > Every time someone, MVP or whomever, tauts the access of Windows Updates
| > from anywhere but the Update button, they are putting less knowledgeable
| > users in harm's way.
| >
| > > Nope. Most patches are available via Technet.
| > >
| > > --
| > > Install the latest IE cumulative patch for protection against QHost:
| > > http://www.microsoft.com/security/security_bulletins/ms03-040.asp
| > > More information about QHosts can be found here:
| > > http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
| > > ________________________________________
| > > Sandi - Microsoft MVP since 1999 (IE/OE)
| > > http://www.mvps.org/inetexplorer
| > >
| > > > You like Russian roulette?
 

Me2

Whoever, Jim,

Your arguments are biased to protect Microsoft's assets, not yours or the
company you work for.

Jim Eshelman said:
Within the company for which I work -- about 6,000 end-users that we
service -- the moment a new Critical Update appears there is a rapid move to
deploy it on the servers, and then turn to the question of whether or not to
inform the end-users. By that time there is pretty much always an updated
virus definition file from our AV provider, and therefore there is no reason
to say anything further to the end-users. We've already set up the mechanism
whereby the AV software is in place and the definition files are
automatically updated every time the machine hits the Internet.

If a new worm/virus is starting to infect machines across the world -
spewing out your personal documents as spam or deleting hard drives - and
your company happens to be one of the first to be targeted, what do you do?
Jim might say: "...the moment a new Critical Update appears there is a rapid
move to deploy it on the servers, and then turn to the question of whether
or not to inform the end-users. By that time there is pretty much always an
updated virus definition file from our AV provider..." Excuse me?
What? --- No, that's not what you would do. You would want to know RIGHT
NOW how to prevent infection/replication, pull the plug on the servers, or
get the fire ax and cut the ISP cable.

And if we have this drummed in "Microsoft is special - they should say
nothing" convention - Microsoft will be telling you - nothing. How nice.

In the meantime you are scrambling to get information from your AV
provider - who does not have a scan for the bug yet - in fact you are one of
the first to report the bug. What do you do? There are some newsgroups...

There are ALWAYS specific steps that can be taken to mitigate the risk!
Pull the plug for one. Shut down the ISP connection. Stop using program
xyz. Block feature X, etc.

In one hour, 10% of Jim's 6000 machines have already been infected. (You
may have 200 offices around the country or world connected via different
ISPs). Jim's managers say "Stop this thing now!" The AV vendor is working
on a scan/repair tool. So you call Microsoft, who says "we know nothing"
(and we won't tell if we did), "sorry, it's not our problem" - "call your AV
vendor" (damn, you already did that.), "you can post on
microsoft.public.security if you like". "Have a nice day..."

Worst case scenario: The infection spreads. You had to shut down ISP
connections, servers and what not. Eventually you get the thing under
control. The next day the AV vendor releases a scan/repair tool. You got
it mostly under control. There are some nagging problem sites. But then
the bombshell hits - many of your company documents and employee SSNs and
stuff start showing up on the Internet.

Other organizations around the globe were spared most of the damage because
security folks and AV vendors figured out how to block it (possibly with the
help of Microsoft - behind the scenes of course, because they can't be seen
involving themselves in anti-virus issues affecting their products).

At this time Microsoft chimes publicly - "We have a patch for a new
vulnerability. We knew about the problem for months and were working on a
patch. We worked real hard to get the patch out today (three days after
Jim's company was hit)." "Oh by the way, if you can't apply the patch right
away, just shut down the browser service." Microsoft says nothing about the
worm. In fact, since only 10,000 machines were hit - they don't even post
the fact that the patch was rushed out to address the worm that hit Jim's
company. "You know how bad it would be if Microsoft talked directly about a
specific bug on their security pages..." Customers should just find out
about the worm from the hundreds of news articles (the news articles all use
the worm name in their headlines).

At this point Jim is saying "WHAT! Microsoft knew about the vulnerability
and how to mitigate it by shutting down the browser service and did not tell
us that!!! What gall!!" Jim loses his job - But Microsoft did the right
thing by saying nothing. How nice for Microsoft sales...

The managers at Jim's old company are hopping mad at Microsoft. What is
this crap? Why didn't Microsoft tell us about the problem with the browser
service when we called? Let's sue...

[... he, he, he, we have that license agreement protection...]

* * * *

Sorry, the whole security thing is getting to me. I don't know where it's
all going. Some thoughts: It seems to me that the guys and gals who help
the hapless users in these security/virus newsgroups are like angels working
in a kind of hell. Every other post is from a user complaining about a
broken computer with a virus, spam, hijack, or virus infected message to fix
the virus that brings on another virus. There is no end in sight. When
will the posts slow down? Will it get worse? This must only be the very
tip of the iceberg...

Me out
 

George \(Bindar Dundat\)

From the moment Microsoft published the details of the RPC vulnerability we
could have started a pool on what date there would be an actual attack. From
that moment on it was a "given" that there would be one. Many operations need a
considerable lead time to institute patches to the company system. In large
organizations, they cannot simply install the patch. It has to go through
testing within the company itself and in this particular case there were further
delays while the legal departments studied the EULA. Making too many details
public or making a big issue of it simply means that these companies do not
have time to institute the patches quickly enough to avoid the problem. As we
have been trying to say, publicity can have some undesirable side effects. They
would be better off to say that there was a security patch available and not
give any details.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
 

Me2

George,

You know what? My company's assets were protected because we knew about
the RPC vulnerability - a lot of others had problems - but we did not.
Sorry to hear that some did not take appropriate steps to protect their
assets when the information was released. If there was not enough time to
install the patch, they could have been ready to pull the ISP plug.

If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
nothing. The minute a critter starts ripping into your assets - YOU will
want to know all that Microsoft can tell you, unless you let them off the
hook...

Me out


George (Bindar Dundat) said:
From the moment Microsoft published the details of the RPC vulnerability we
could have started a pool on what date there would be an actual attack. From
that moment on it was a "given" that there would be one. Many operations need a
considerable lead time to institute patches to the company system. In large
organizations, they cannot simply install the patch. It has to go through
testing within the company itself and in this particular case there were further
delays while the legal departments studied the EULA. Making too many details
public or making a big issue of it simply means that these companies do not
have time to institute the patches quickly enough to avoid the problem. As we
have been trying to say, publicity can have some undesirable side effects. They
would be better off to say that there was a security patch available and not
give any details.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
| Whoever, Jim,
|
| Your arguments are biased to protect Microsoft's assets, not yours or the
| company you work for.
|
| "Jim Eshelman" wrote:
| > Within the company for which I work -- about 6,000 end-users that we
| > service -- the moment a new Critical Update appears there is a rapid move
| to
| > deploy it on the servers, and then turn to the question of whether or to
| > inform the end-users. By that time there is pretty much always an updated
| > virus definition file from our AV provider, and therefore there is no
| reason
| > to say anything further to the end-users. We've already set up the
| mechanism
| > whereby the AV software is in place and the definition files are
| > automatically updated every time the machine hits the Internet.
|
| If a new worm/virus is starting to infect machines across the world -
| spewing out your personal documents as spam or deleting hard drives - and
| your company happens to be one of the first to be targeted. What do you do?
| Jim might say: "...the moment a new Critical Update appears there is a rapid
| move to deploy it on the servers, and then turn to the question of whether
| or to inform the end-users. By that time there is pretty much always an
| updated virus definition file from our AV provider..." Excuse me?
| What? --- No, that's not what you would do. You would want to know RIGHT
| NOW how to prevent infection/replication, pull the plug on the servers, or
| get the fire ax and cut the ISP cable.
|
| And if we have this drummed in "Microsoft is special - they should say
| nothing" convention - Microsoft will be telling you - nothing. How nice.
|
| In the mean time you are scrambling to get information from your AV
| provider - who does not have a scan for the bug yet - in fact you are one of
| the first to report the bug. What do you do? There are some newsgroups...
|
| Whoever wrote:
| > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
| > > refusing to alert the general public - as long as there are specific
| > > steps that can be taken to mitigate the risk.
|
| There are ALWAYS specific steps that can be taken to mitigate the risk!
| Pull the plug for one. Shutdown the ISP connection. Stop using program
| xyz. Block feature X, etc.
|
| In one hour, 10% of Jim's 6000 machines have already been infected. (You
| may have 200 offices around the country or world connected via different
| ISPs). Jim's managers say "Stop this thing now!" The AV vendor is working
| on a scan/repair tool. So you call Microsoft, who says "we know nothing"
| (and we won't tell if we did), "sorry, it's not our problem" - "call your AV
| vendor" (dam, you already did that.), "you can post on
| microsoft.public.security if you like". "Have a nice day..."
|
| Worse case scenario: The infection spreads. You had to shutdown ISP
| connections, servers and what not. Eventually you get the thing under
| control. The next day the AV vendor releases a scan/repair tool. You got
| it mostly under control. There are some nagging problem sites. But then
| the bomb shell hits - many of you company documents and employee SSNs and
| stuff start showing up on the Internet.
|
| Other organizations around the globe were spared most of the damage because
| security folks and AV vendors figured out how to block it (possibly with the
| help of Microsoft - behind the seines of course, because they can't be seen
| involving them self's in anti virus issues affecting their products).
|
| At this time Microsoft chimes publicly - "We have a patch for a new
| vulnerability. We knew about the problem for months and were working on a
| patch. We worked real hard to get the patch out today (three days after
| Jim's company was hit)." "Oh by the way, if you can't apply the patch right
| away, just shutdown the browser service." Microsoft says nothing about the
| worm. In fact, since only 10,000 machines were hit - they don't even post
| the fact that the patch was rushed out to address the worm that hit Jim's
| company. "You know how bad it would be if Microsoft talked directly about a
| specific bug on their security pages..." Customers should just find out
| about the worm from the hundreds of news articles (the news articles all use
| the worm name in their head lines).
|
| At this point Jim is saying "WHAT! Microsoft knew about the vulnerability
| and how to mitigate it by shutting down the browser service and did not tell
| us that!!! What gall!!" Jim louses his job - But Microsoft did the right
| thing by saying nothing. How nice for Microsoft sales...
|
| The managers at Jim's old company are hopping mad at Microsoft. What is
| this crap. Why didn't Microsoft tell us about the problem with the browser
| service when we called? Let's sue...
|
| [... he, he, he, we have that license agreement protection...]
|
| * * * *
|
| Sorry, the whole security thing is getting to me. I don't know where it's
| all going. Some thoughts: It seems to me that the guys and gals who help
| the hapless users in these security/virus newsgroups are like angels working
| in a kind of hell. Every other post is from a user complaining about a
| broken computer with a virus, spam, hijack, or virus infected message to fix
| the virus that brings on another virus. There is no end in sight. When
| will the posts slow down? Will it get worse? This must only be the very
| tip of the iceberg...
|
| Me out
|
| > whoever wrote:
| > > If the worm/virus is _ALREADY IN THE WILD_, then there's no sense in
| > > refusing to alert the general public - as long as there are specific
| > > steps that can be taken to mitigate the risk.
| >
| > The last phrase is, I think, the main one. There are two considerations,
| > though, that I think it's just possible some folks aren't getting:
| >
| > (1) The existence of a single exploit already in the wild doesn't mean that
| > other exploits couldn't be launched. The fact that there is a single worm
| > out there doesn't mean that, given sufficient resources, there wouldn't be
| > others. The risk is still quite high, therefore, that publishing information
| > about an exploit would invite more exploitations. For that reason, it seems
| > like a very bad idea.
| >
| > (2) If it is only the single worm that concerns you -- the one already "in
| > the wild" -- then this should be handled by the AV companies. That's the
| > correct way to protect against a single known agent and its variants, and to
| > clean them if they're already present.
| >
| > Within the company for which I work -- about 6,000 end-users that we
| > service -- the moment a new Critical Update appears there is a rapid move to
| > deploy it on the servers, and then turn to the question of whether or not to
| > inform the end-users. By that time there is pretty much always an updated
| > virus definition file from our AV provider, and therefore there is no reason
| > to say anything further to the end-users. We've already set up the mechanism
| > whereby the AV software is in place and the definition files are
| > automatically updated every time the machine hits the Internet.
| >
| > And that's the way it should be on *everyone's* system -- a good AV product
| > installed that updates itself automatically and frequently and checks in
| > real-time as you are working. With that in place, why is it necessary for MS
| > to duplicate what the AV companies are doing, and possibly increase the risk
| > of further exploits?
| >
| > > It seems to me that at least some (if not all) of the high-profile
| > > attacks in the last 12 months came _AFTER_ the public announcement of
| > > the vulnerability. In other words, the "white hats" that unearth a 5
| > > year old buffer overflow exploit and announce it to the world are
| > > doing far more good for the "black hats" than for the rest of us ordinary
| > > mortals.
| >
| > Yup. That's the problem. It's "damned if we do, damned if we don't." This
| > has led to serious discussions in newsgroups and elsewhere of whether MS
| > should *ever* announce such things. The consensus is that yes, they should,
| > and that's the path they've taken (and I agree with the path) -- but it is
| > at least a valid question.
| >
| > --
| > Jim Eshelman, MS-MVP Windows
| > http://aumha.org/
| > http://WinSupportCenter.com/
| >
| > Did you find this newsgroup on the web? A newsreader like Outlook Express
| > will make your online life a lot easier. Get better help! See:
| > http://aumha.org/win4/supp1b.htm and
| > http://support.microsoft.com/support/news/howto/default.asp

M

Me2

I wrote: " If there was not enough time to install the patch, they could
have been ready to pull the ISP plug." Well that overly simplifies the
situation - but at least a large company could be ready in many ways.

Me out

Me2 said:
George,

You know what? My company's assets were protected because we knew about
the RPC vulnerability - a lot of others had problems - but we did not.
Sorry to hear that some did not take appropriate steps to protect their
assets when the information was released. If there was not enough time to
install the patch, they could have been ready to pull the ISP plug.

If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
nothing. The minute a critter starts ripping into your assets - YOU will
want to know all that Microsoft can tell you, unless you let them off the
hook...

Me out


George (Bindar Dundat) said:
From the moment Microsoft published the details of the RPC vulnerability we
could have started a pool on what date there would be an actual attack. From
that moment on it was a "given" that there would be one. Many operations need a
considerable lead time to institute patches to the company system. In large
organizations, they can not simply install the patch. It has to go through
testing within the company itself and in this particular case there was further
delay while the legal departments studied the EULA. Making too many details
public or making a big issue of it simply means that these companies do not
have time to institute the patches quickly enough to avoid the problem. As we
have been trying to say, publicity can have some undesirable side effects. They
would be better off to say that there was a security patch available and not
give any details.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
 
G

George \(Bindar Dundat\)

The fact remains that there was no active exploit until AFTER the announcement.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
 
M

Me2

Yes, it was educational for many. Do we expect a Blaster or Swen II from
the latest MS03-040 to hit any day now? The patch must be released (a
chicken and egg kind of thing will always happen) - exploits will follow.
Is there some secret way to get the patch out - to all systems?

Considering the number of "I have a virus/spam problem" posts on this
newsgroup, I wonder what exactly is the installation percentage of MS03-039
or MS03-040? I know at least two home users who are scared to install ANY
updates - the AV subscription update screens and popups are all too
confusing... Just two in the ocean of PCs on the net.

I'm sure Microsoft has an idea. But they won't tell.

* * * *

I remember - - - - The cigarette companies kind of did a similar thing to
Microsoft's current actions. At first they said nothing about cancer.
[It's better for sales to not even mention the word cancer.] Then the
public caught on, and they had to say something like "well, it's a minor
problem and we are working on - research..." and "we hold our customers in
the highest regards..." something like that.

Me out


George (Bindar Dundat) said:
The fact remains that there was no active exploit until AFTER the announcement.
| > | will the posts slow down? Will it get worse? This must only be the
| very
| > | tip of the iceberg...
| > |
| > | Me out
| > |
 

cquirke (MVP Win9x)

whoever wrote:
> (1) The existence of a single exploit already in the wild doesn't mean that
> other exploits couldn't be launched.

True - but then, to a malware coder, it's prolly easier to
disassemble 4k of worm than read the docs and code it from scratch
[*1]. If it's just a matter of scripting or crafting a packet of 100
bytes that breaks data sanity rules in very particular ways, it can be
as easy as Copy, Paste, Edit. And finally, the malware arena will
have its own forums where this knowledge will be shared.

IOW, once there's an ITW exploit grabbing the headlines, the horse is
well and truly out the stable door, on the plane, and through Customs
on the other side... and the reason to be coy is past.
> (2) If it is only the single worm that concerns you -- the one already "in
> the wild" -- then this should be handled by the AV companies. That's the
> correct way to protect against a single known agent and its variants, and to
> clean them if they're already present.

At the risk of sounding like W.C., you are still thinking in terms of
the "virus infects computer" model. AV intercede on file operations
and keep a PC clean - but they cannot do anything to clean the entire
infosphere (the concept is absurd) or block DoS effects - and av don't
do anything at all within the risk management field.

Firewalls are supposed to handle DoS effects, but the firewall
industry is currently where the av industry was in the DOS era - the
software often messes up needed functionality and is often disabled,
either from the start or as soon as network-y things start going wrong
(and those things could be malware effects).

For example, getting firewall software to co-exist with TCP/IP on a
LAN, and all the file sharing etc. this involves, can be non-trivial.
> By that time there is pretty much always an updated virus definition
> file from our AV provider, and therefore there is no reason
> to say anything further to the end-users.

The av's Day Zero is measured in days to weeks (i.e. a user who
updates whenever the 7-day nag pops up has a Day Zero of 8 days). The
spreading time of a pure worm - the kind of exploit that leverages
software coding defects - is measured in minutes.

Slammer and Code Red were the first pure worms I was aware of in the
MSware arena, and they looked like "someone else's problem".

End-users could say, "well, they only attack servers, and server
admins are professionals who should keep up with such matters as part
of their job description". Then it was found that some MS Office
installations had slipstreamed SQL into end-user systems and that this
could be exploitable also.

If those were heads-ups, Lovesan was rubbing our nose in the dwang.
Lovesan's impact was as much of a matter of bad design as a code flaw,
and it is the former that makes me fed up (we know that code flaws
will always be with us - but code design should be informed by this)

You cannot disinfect the infosphere, so everyone is exposed to the DoS
effect of other systems' Lovesan etc. infections. The broken packets
will crash RPC, which by duhfault will restart XP (in fact, by
duhfault, any system-level crash will restart XP). The malware
doesn't have to "infect" the PC or ever exist as a file, which means
the role of av never even begins.

The first step should be to wall off the offending subsystem (i.e.
"bulkhead" damage control). But because the RPC that is exposed to
the 'net is indivisible from the RPC XP relies on to do crucial core
functions, you can't do that - and that IMO is bad design.

The next step is of course patching the hole, but you have to be able
to survive long enough to download it and the site you download it
from must be genuine, and alive. Oh yes; your PC has to be alive too.

Lovesan was a love-tap, compared to what it could have done. It could
have killed the system immediately and irreversibly after 1 hour of
blasting the rest of the infosphere (more than enough spreading time,
in the fast-forward timescales of pure worms). It could have DDoS'd
the Windows Update site immediately, rather than allowing a grace
period of several days.

Once the wannabes started climbing in, nastier functionalities started
being added, such as RATs (all the RAT's in the world... ever wonder
who's pulling the tails?). So if I felt this process could be
arrested or hindered by silence on the underlying flaw, I might be
more ready to agree with you, but as I explained I think the info
malware coders need will come to hand irrespective of whether MS
publicly describes the hole or not.
> And that's the way it should be on *everyone's* system -- a good AV product
> installed that updates itself automatically and frequently and checks in
> real-time as you are working. With that in place, why is it necessary for MS
> to duplicate what the AV companies are doing, and possibly increase the risk
> of further exploits?

Because they would not be duplicating what av is doing; av is malware
detection, patching is risk management, and the two are complementary,
with very little redundancy/overlap. In particular, the DoS effect of
pure worm attacks is unmanageable except via risk management.
> Yup. That's the problem. It's "damned if we do, damned if we don't."

I agree, it's a problem. Everyone stresses that the patch for Lovesan
was available a month before the attacks, but it's seldom mentioned
that the flaw existed since NT 4 (or earlier; the only reason we don't
know about NT 3.1, 3.5 etc. is they were not tested).

That's at least three "ground-up" revisions and countless service
packs where this flaw was not detected and fixed, and that bodes
poorly for the assumption that white-hats will always find these holes
first and have patches prepared in advance.
> ...serious discussions in newsgroups and elsewhere of whether MS
> should *ever* announce such things. The consensus is that yes,
> they should, and that's the path they've taken (and I agree with
> the path) -- but it is at least a valid question.

It is. But the IMO more valid question is; if you *know* code will
always have bugs, why does every home user have to expose these
functionalities to the world, on the off-chance there may be a
legitimate need for "remote administration"?

Software design should have the humility to know that a code flaw
could require any subsystem to be walled off at instant notice.
Meshing internal control code with networking code in a way that
cannot be untangled means that any leak sinks the ship.

IOW if it's crucial to the system, don't inextricably expose it to the
network (any network). Bulkheads are your friend.

[*1] I can testify from experience that in my geekiest days, I found
it way easier to simply read raw assembler than halting and inaccurate
documentation in English that tries to explain what it does. It's
particularly easier when the documentation is in German, etc. :)


--------------- ----- ---- --- -- - - -
Tech Support: The guys who follow the
'Parade of New Products' with a shovel.
 

Jim Eshelman

cquirke (MVP Win9x) said:
> The av's Day Zero is measured in days to weeks (i.e. a user who
> updates whenever the 7-day nag pops up has a Day Zero of 8 days). The
> spreading time of a pure worm - the kind of exploit that leverages
> software coding defects - is measured in minutes.

That's an old model. I'm not talking about that sort of reminder but,
rather, the kind of feature that at least Norton (and I'm sure others) has
had for at least a couple of years -- where it automatically checks for
updates every time you go online. No setting it for "check every 3 days."
Some weeks I get more-than-daily updates. Some weeks, only one. But the
channel needs to push them through without user intervention.
> You cannot disinfect the infosphere, so everyone is exposed to the DoS
> effect of other systems' Lovesan etc. infections. The broken packets
> will crash RPC, which by duhfault will restart XP (in fact, by
> duhfault, any system-level crash will restart XP). The malware
> doesn't have to "infect" the PC or ever exist as a file, which means
> the role of av never even begins.

For DoS you are exactly correct. That wasn't the sort of worm that started
this discussion, but it's certainly a big piece of what we all face today.
> The first step should be to wall off the offending subsystem (i.e.
> "bulkhead" damage control).

Yes. Isolation is usually the first step. Unplug from the network, kill the
port from the other side, whatever...

We had ever so much fun <dripping sarcasm> with SQL Slammer. Every machine
known to have the vulnerable product had been patched, but a lot of
developers had loaded SQL Server on their laptops. During the couple of
hours that different groups were arriving at work, we'd all be going along
fine and then - BAM! - the network would go dead. "Hey, who just got in?"
would ring around the halls. All it took was them coming in, plugging in,
and turning on. BAM!

Fortunately we caught all of those the first morning except for the two guys
who were out that day. :(
> Lovesan was a love-tap, compared to what it could have done.

Yes -- since it, basically, could have done ANYTHING!
> So if I felt this process could be
> arrested or hindered by silence on the underlying flaw, I might be
> more ready to agree with you, but as I explained I think the info
> malware coders need will come to hand irrespective of whether MS
> publicly describes the hole or not.

It's a judgement call, and my judgement slants more conservatively on this
than yours. The real pros... sure, they know where to go. But wannabe kids
are writing some of this malcode, and they aren't always in the loop.
> Because they would not be duplicating what av is doing; av is malware
> detection, patching is risk management, and the two are complementary,
> with very little redundancy/overlap. In particular, the DoS effect of
> pure worm attacks is unmanageable except via risk management.

Agreed completely -- when a patch is ready.
> I agree, it's a problem. Everyone stresses that the patch for Lovesan
> was available a month before the attacks, but it's seldom mentioned
> that the flaw existed since NT 4 (or earlier; the only reason we don't
> know about NT 3.1, 3.5 etc. is they were not tested).

3 weeks, actually. 3 miserable weeks.
> It is. But the IMO more valid question is; if you *know* code will
> always have bugs, why does every home user have to expose these
> functionalities to the world, on the off-chance there may be a
> legitimate need for "remote administration"?

We're on the same side on that one, Chris. I was writing about that one, and
doing conjoint radio spots with Steve Gibson, and pushing Steve's point of
view on the matter when every last one of my closest colleagues were calling
him nuts. But he was exactly right and, IMHO, MS made a serious mistake in
that design issue, were warned about it, and didn't listen. Hopefully some
lessons were learned.
> Software design should have the humility to know that a code flaw
> could require any subsystem to be walled off at instant notice.
> Meshing internal control code with networking code in a way that
> cannot be untangled means that any leak sinks the ship.

Agreed.

> IOW if it's crucial to the system, don't inextricably expose it to the
> network (any network). Bulkheads are your friend.

Agreed.
 

whoever

> If a new worm/virus is starting to infect machines across the world -
> spewing out your personal documents as spam or deleting hard drives -

You seem to refuse to separate the issues of viruses (that typically DON'T
target an OS vulnerability), and worms like Blaster that do.
> There are ALWAYS specific steps that can be taken to mitigate the
> risk! Pull the plug for one. Shut down the ISP connection. Stop using
> program xyz. Block feature X, etc.
>
> In one hour, 10% of Jim's 6000 machines have already been infected.
> (You may have 200 offices around the country or world connected via
> different ISPs). Jim's managers say "Stop this thing now!" The AV
> vendor is working on a scan/repair tool. So you call Microsoft, who
> says "we know nothing" (and we won't tell if we did), "sorry, it's not
> our problem" - "call your AV vendor" (damn, you already did that.),
> "you can post on microsoft.public.security if you like". "Have a nice
> day..."

If the problem isn't caused by a software exploit, then that seems like an
appropriate response to me.
> At this time Microsoft chimes publicly - "We have a patch for a new
> vulnerability. We knew about the problem for months and were working
> on a patch. We worked real hard to get the patch out today (three
> days after Jim's company was hit)."

Microsoft don't release patches for viruses like SoBig and Swen, because
they don't rely on software bugs to propagate. I don't know if you are
simply incapable of understanding the distinction, or if you're
deliberately confusing the issue by mixing these two scenarios up.

Microsoft published a security bulletin and patch for the RPC vulnerability
on July 16th. Blaster appeared on the scene about 3 weeks later. People who
had applied the July 16th patch weren't affected.
 

whoever

George,

> You know what? My company's assets were protected because we knew
> about the RPC vulnerability

Were you protected because you applied the patch or because of some other
steps that you took? If Microsoft had told you about the vulnerability as
soon as they found out about it, and before they had developed a patch,
would you be in the same situation?
> - a lot of others had problems - but we
> did not. Sorry to hear that some did not take appropriate steps to
> protect their assets when the information was released. If there was
> not enough time to install the patch, they could have been ready to
> pull the ISP plug.

> If there is no active virus/worm/Trojan,

Viruses, Worms and Trojans are different beasts. I don't expect Microsoft
to respond to SoBig and Swen, because they are not exploiting software
bugs. There's nothing for MS Security to comment on.
> then it's ok for Microsoft to
> say nothing. The minute a critter starts ripping into your assets -
> YOU will want to know all that Microsoft can tell you, unless you let
> them off the hook...

If I've got a virus on my hands that is spread by people opening infected
attachments, I'm not going to waste my time calling MS about it - it has
about as much to do with them as with my local plumber.
 

Bernie

Me2 said:
> George,
>
> You know what? My company's assets were protected because we knew about
> the RPC vulnerability - a lot of others had problems - but we did not.
> Sorry to hear that some did not take appropriate steps to protect their
> assets when the information was released. If there was not enough time to
> install the patch, they could have been ready to pull the ISP plug.
>
> If there is no active virus/worm/Trojan, then it's ok for Microsoft to say
> nothing. The minute a critter starts ripping into your assets - YOU will
> want to know all that Microsoft can tell you, unless you let them off the
> hook...
>
> Me out

Blaster came out when much of the backbone had to be up so unplugging wasn't
an option. College online registration, newbies headed to college placing
their infected boxes behind the firewall, IT wannabes without a clue got
hit with this.
We had one moron in class asking why RPC was causing his system to shut down
just last week even though we had discussed this the first week of school.
The idiot responsible for these network problems got to teach my CCNA 3
class last week instead of getting fired.
What did we learn the week he taught you might ask, FREESCO firewall setup
the first day. I didn't even show up for the second three hour waste of
time that week. I'm trying to learn how to sell a $4,000.00 router that can
identify all infected boxes on the network if you look at the logs and this
moron is showing me how to use open source router software on an ancient 486
for use on a home network. Perhaps if he spent more time reading MS
bulletins that came out three weeks ago and learning how to use the Cisco
infrastructure at the school we wouldn't have had the large scale problem we
had. Let's promote the dumb **** instead of firing him.
If he can't do IT let's let him teach IT after all, those that can't teach
those that can do.
 

cquirke (MVP Win9x)

> That's an old model. I'm not talking about that sort of reminder but,
> rather, the kind of feature that at least Norton (and I'm sure others) has
> had for at least a couple of years -- where it automatically checks for
> updates every time you go online. No setting it for "check every 3 days."

Hm. Trouble is, seems as if the patch is always going to be larger
than the exploiter, so chances are you might lose that race - esp. in
a "worm war" situation. The more acute the need, the more besieged
the update server (just from traffic, if not direct attack) and the
more malware'd PCs there will be "pushing" to you.

The dice are weighted against us there, and that's why I suggest
looking at ways to fix this now - while the need is not quite obvious
and before a crisis has everyone asking why we dropped the ball.

And even now, I sometimes give up trying to pull updates and try again
the next day (especially when a new engine is out)
> For DoS you are exactly correct. That wasn't the sort of worm that started
> this discussion, but it's certainly a big piece of what we all face today.

Seems it will be a common theme with raw buffer overruns, where the
difference between DoS and infection is in the quality of the coding -
and where an attack on one OS will DoS others that share the hole, but
require different offsets to infect rather than crash.

IOW I expect the Lovesan pattern to become fairly generic.
> It's a judgement call, and my judgement slants more conservatively on this
> than yours. The real pros... sure, they know where to go. But wannabe kids
> are writing some of this malcode, and they aren't always in the loop.

If it's exploitable by script, anyone who is infected has all they
need to spawn variations. Hell, it can even be semi-automated; Anna
Kournikova was a handful of mouse clicks in a GUI "maker".
> Agreed completely -- when a patch is ready.

Meantime I believe it's prudent to mention crude steps that will
mitigate - such as a reminder that allowing scripts to run without
prompting is in fact conferring programming rights to every web site
you visit (or get re-directed to), etc.

Those of us with good instincts would catch the hint...

It's not the only source of info - the av reference sites are often
quite explicit as well. It's no good MS being coy if these sites
detail the blow-by-blow attack method.

This is all the old "security by obscurity" debate, which IMO is a
tautology. All security is by obscurity, but what you want is an
obscurity so dense that the strongest computational power cannot break
through within the time frame that the security is to work.
> We're on the same side on that one, Chris. I was writing about that one, and
> doing conjoint radio spots with Steve Gibson, and pushing Steve's point of
> view on the matter when every last one of my closest colleagues were calling
> him nuts. But he was exactly right

His mistake was to get too specific - he saw IP-spoofing as the great
satan, and dwelled too much on that (incidentally, note that malware
mail tracking pivots on IP address as From: and ReplyTo: etc. can be
assumed to be spoofed. Join the three dots...)

I've been worried about NTFS becoming a fire hazard, like that
sweatshop that incinerated a number of garment workers as the fire
escapes had been locked by management to stop them "goofing off".

My prediction was that malware would entrench itself within core code,
or NTFS-specific nooks in the file system (a recent one does exactly
this, using NTFS streams). What is happening instead is that malware
is clobbering the interactive tools we'd used to clean it, even if it
were not embedded in core code.

The trend started with whacking av and spoofing the exefile
association, and it's broadening out to include RegEdit etc.

I'd have done a Gibson if I purely shouted about a specific risk that
doesn't seem to have arisen yet - i.e. infection within core code. So
I keep things general and dig into specifics purely as examples.

Left quoted for emphasis :)


---------- ----- ---- --- -- - - - -
A dog will give its life to save yours.
A cat will be annoyed by all the yelling and sirens.
 

George \(Bindar Dundat\)

Now there is the right solution. "Forced" updates. But look at all the
resistance to that concept. It would solve the problem. There would not have
to be any early notification that could tip someone off to the vulnerability.
MS could simply write the patch and force the download. I can hear all the
privacy advocates now, but it is the ultimate answer.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see;
9x/ME http://aumha.org/win4/a/tshoot.htm
2000/XP http://aumha.org/win5/a/tshoot.htm
 
