Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts. Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft’s security business and technology unit.
Microsoft Corp. is working on security technologies for the upcoming Longhorn release of Windows that will protect users against security threats by monitoring system and network behavior as well as the security patches that Microsoft has issued.
VeriSign will work with Microsoft to deliver authentication services that combine Microsoft Windows Server 2003 with VeriSign’s strong authentication services. VeriSign assures us that these services will significantly decrease the cost and complexity of deploying strong authentication across the enterprise.
In other security news, at MacObserver: “In the case of BSD and Mac OS X, for some strange reason, the developers and the OS people appear to be doing a better job of dealing with vulnerabilities and applying the patches,” said DK Matai, Executive Chairman of mi2g in an exclusive interview with The Mac Observer. “In addition, system administrators are doing a better job on these platforms in making sure default configurations are switched off so they have the maximum level of security. No matter how you calculate it, the numbers for Mac OS X and BSD are very small in comparison to the market share we know BSD has, which is about 10 percent at present from three percent in the last year.”
“We have never had vulnerabilities exploited before the patch was known,” he said.
Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available.
I think David Aucsmith is more a PR guy than a “expert”.
Sheesh. Talk about a blatant ignorant statement. Who is this guy think he’s fooling. He should have cleared that statement before making it.
Yea, sure… it only took Microsoft 2 years to fix the Remote Compromise Cache Attack in IE since it was first reported.
I’m sure no one tried to exploit that bug during those two years…
“We have never had vulnerabilities exploited before the patch was known,” he said.
I almost urinated myself from laughing so hard… There has been countless number of vulnerabilities that were exploited long before MS ever produced a patch.. Anyone remember winnuke? By this bizarro world logic, if MS never released any patches, their software would be more secure since lazy crackers won’t have anything to learn from? Huh? I thought it was funny when Bill Gates said MS products are more secure because there are more crackers and script kiddies. But this statement from MS is far more entertaining. I’m waiting for the next one…
Hi
This is an very idiotic statement. He says he is secure by obscurity because MS wouldnt reveal any security holes before they are patched. I see where they are trying to get at. They would say next that because open source stuff might reveal glitches before they are patched they are less secure.
Funny and strange logic thou
regards
Jess
‘…exploit loopholes in Windows, say experts.’
Then I read the article and discovered the ‘expert’ is in change of the security at MS. Make the abstract at bit misleading IMHO.
I think the more Windows is attacked, it becomes more secure because, slowly yet surely, the holes are being exposed then closed. Basically its Microsoft’s version of Open Source.
lately its been like microsoft is trying to give us joke after joke… havnt laughed this hard since they said that to use IE safely, type in URLs instead of clicking on links.
I think the more Windows is attacked, it becomes more secure because, slowly yet surely, the holes are being exposed then closed.
That would actually be the case if not for the fact that new things keep getting added, and new classes of exploits are discovered.
Basically its Microsoft’s version of Open Source.
That’s a very silly thing to say.
It took 6 months to patch the ASN.1 library and there was not a single “known” exploit durring that 6 months. While few statements are true 100% of the time it would seem that exploits ARE almost always realeased after patches. The few stated examples are the exception rather than the rule.
“Anyone remember winnuke?”
Good example. And moreover, the first patch only barely patched the exploit. The crackers modified the OOB attack (strings) and then released a new DoS tool. MS finally had to come up with a true patch, instead of temporary fix.
“I think the more Windows is attacked, it becomes more secure because, slowly yet surely, the holes are being exposed then closed.”
I think OSS is a double-edged sword. I can take the code to say, AOL server or proftpd, and look over it for new vulns. Meanwhile, attacking server 2003 would need a different approach. So OSS is absolutely hammered on by crackers wading through source, auditors looking over the source, vuln researchers, etc. I think with crypto specifically, that open-source algos are the only way to go (excepting military ciphers lol).
“Yea, sure… it only took Microsoft 2 years to fix the Remote Compromise Cache Attack in IE since it was first reported.”
If you are talking the 6 step cache attack from the Chinese dude, I agree. It used several old vulns chained to one or two newer ones. Had the old vulns been patched, the attack would have needed mods, if it even worked at all.
Anyway, 1/3 to 1/2 of the quotes from the MS security guy were totally false, or totally misleading. And a lot of the attack simulations, and exercises, are rigged. I remember MS offered up sacrificial 2k servers years ago. And I’ve seen OS/400 tests, openbsd tests, etc. First, new OS need time to be attacked and analyzed. Second, firewalling the crap out of a network, and then shutting off every service except httpd is not proving security to me. Openbsd does this crap too, shutting off every service, until it can’t be attacked, in the DEFAULT config hehe.
If you really trust ur OS, get a sack and offer up real sacrificial servers with several services. And moreover, it’s this cocky attitude from MS and Openbsd, that keeps Chinese crackers developing exploits just to screw them over.
“I think the more Windows is attacked, it becomes more secure because, slowly yet surely, the holes are being exposed then closed. Basically its Microsoft’s version of Open Source.”
Doesn’t it just show that Windows is just more vulnerable?
I would hate to live in a castle constantly under siege and breached now and then.
I think the more Windows is attacked, it becomes more secure because, slowly yet surely, the holes are being exposed then closed.
The problem is that Microsoft has a considerable amount of code running with administrative rights per default with network listeners, most of which is legacy code from NT’s days as a business oriented operating system.
There is absolutely no reason why the DCOM service should be running per default on an operating system named “XP Home”
“It took 6 months to patch the ASN.1 library and there was not a single “known” exploit durring that 6 months.”
If it doesn’t result in a juicy remote root, it’s not terribly useful anyway. And some attacks (esp on ciphers) are more theoretical in nature, and developing working code could be tough.
“While few statements are true 100% of the time it would seem that exploits ARE almost always realeased after patches. The few stated examples are the exception rather than the rule.”
People could scroll dozens of other examples, however google.com and bugtraq archives will bear this out. Explain how Hoglund, Aitel, and others routinely conduct training classes, that reveal new 0 day in MS stuff and other products.
“We have never had vulnerabilities exploited before the patch was known,” David Aucsmith head Microsoft security business and technology unit said.
Word! LIAR. Yes you have! Just like others had.
In fact, _a_ link which proves you’re wrong is on the page to which OSnews links to!
Let’s see. This article from which i took above quote:
http://news.bbc.co.uk/2/hi/technology/3485972.stm
On the top left bottom there’s a link to eEye:
http://www.eeye.com/html/
Who have this upcoming advisory page as part of their research page:
http://www.eeye.com/html/Research/Upcoming/index.html
Oops, those are advisories waiting to be released after Microsoft patched.
Don’t get me even started about MSIIS, MSO(E), MSIE. In the past, and regarding MSIE currently too (Liu’s page), this has been proven wrong. Any dork can copy the examples on Liu’s page and use ’em.
The guy speaking on Mac security works for Mi2g, who has gained a reputation for down-talking Linux security unfairly (and I think uptalking Windows security – don’t quote me). Just thought I’d point it out.
“We have never had vulnerabilities exploited before the patch was known,” he said.
Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available.
I think David Aucsmith is more a PR guy than a “expert”.
Oh really, I may not agree with the way Microsoft does business but find me an exploit that was not known and exposed before Microsoft released the patch. This is one instance where I agree with MS
I find the headline of this story strange as it could lead one to believe that Mac OS X could be wrapped up in this OS security issue. Perhaps the title could be clarified. In the article specified I was unable to find reference to Apple and it’s OS products.
This isn’t meant as any kind of bashing to anyone just an observation.
“Oh really, I may not agree with the way Microsoft does business but find me an exploit that was not known and exposed before Microsoft released the patch. This is one instance where I agree with MS”
Huh?!?! You agree with the guy, yet you just said the complete opposite.
Did you mean “known and exposed” instead of “not known and exposed”? No offense, but get ur grammar straight, read the Bugtraq and Vuln Dev archives, and then come back and reply.
Second, firewalling the crap out of a network, and then shutting off every service except httpd is not proving security to me. Openbsd does this crap too, shutting off every service, until it can’t be attacked, in the DEFAULT config hehe.
Sorry but I have to disagree here, I think turning off all the services in a default install and turning them on is EXACTLY the type of security policy that actually works. If you don’t agree with me then you are just wrong. That point is so proven that it should not even be up for debate.
“If you don’t agree with me then you are just wrong”
That’s quite a strawman.
I disagree. It depends. It can be a good measure.
You know, OpenBSD handles it a bit different than other OSes. Instead of putting everything off in the default (NetBSD), or huge loads on in the default (like RedHat does / used to do), they have a default in which a few services are enabled. A huge pile of services -of which not all are by default enabled, but some are- in their base OS runs as non-root user, privsep’ed, chroot’ed and are audited. Those are all security measures.
If these services are on, with W^X (or PaX, or SELinux, …) by default and when there’s a hole in them _and_ they’re caught by these precautions; then what is the problem when they do run [except the waste of resources]? I don’t see any. So when this is the case, then your logic doesn’t apply, yet the system _is_ secure.
When OpenBSD refers to “no hole […] default install” they refer to the services which were on in the default. When an admin turns on (or off!) more, then the quote doesn’t count anymore. Then there’s Ports. Exactly for who is the default good enought? Right, and that makes the quote rubbish.
All of the holes in windows were exposed after MS released a patch. MS makes a patch and hacker run out as quick as possible to exploit it. This is npothing new.
Jimbo: i guess i wasn’t too clear. By all means, disable services or whatever floats ur boat. I was referring to fair, and balanced, sacrificial server setups and evaluation of host-based security.
Dpi: It certainly raises the bar for attackers. However, there are ways past VMware, chroot jails, stackguard, and so on. And while openbsd has had only one remote root in current, they are excluding locals, DoS, and older patched installs. Still, Openbsd is impressive.
Gnome Lover: As someone noted above, 6 step cache attack is a counter example to ur argument. Guninski also released several exploits that have only recently been patched. List goes on and on. And MS doesn’t discover some of these vulns, independent researchers do (and in rare cases blackhats). They are under no legal obligation to aid MS. In fact, some OSS projects, etc, spit in the face of researchers who contact them about holes in their code.
What it boils down to is that “are systems being exploited?” We know that they’re already vulnerable, but if releasing a patch harms instead of helps, then it’s in everybody’s best interest for microsoft to release the update in say a sp update and never tell anybody that the vulnerability did exist. That’s only if the vulnerability isn’t being exploited. It could be that some black hats are exploiting it and nobody knows. They have to take this into account. It’s a hard decision to make since the problem is not everybody patches.
Sure, there are exploits that come out before patches, so the guy is either ignorant or lying, but the trend seems to be that it’s just easier to wait for microsoft to issue an update, and make an exploit to harm unpatched system since there are enough of them.
The bitmap exploit due the source code leak is one example in which microsoft did better not to release the vulnerability. Nobody was being hurt (99.999999…% probability) and announcing this update would probably hurt those that don’t patch. I guess that’s why microsoft says, “upgrade upgrade upgrade.” They fix hidden vulnerabilities that will probably never be exploited, but in the extreme case they are, then you’re safe.
It’s bad business to ask customers to upgrade cause it makes you look greedy.
Again, what it boils down to is “is the vulnerability being exploited already?” The problem is nobody knows. Releasing a patch will hurt those who never update. Anyways Microsoft should be like, “screw you if you don’t patch. That’s your problem.”
Often it’s enough to read the comments here to get an idea about whether its even worthy to read the article or not.
Having said that, and taking into account that there are gazillions of possible holes, gazillions of patches and gazillions of hackers, I do see his point. Of course you cannot state this as a general rule, but for example Blaster/Lovesan was the users fault and ENTIRELY and ONLY the damn, darn, lazy, silly, stoopid users fault !!
I have loads of amateurish users I am taking care of. I annoyed the hell out of then to install the patch, because normanlly the attitude is like: “Why if it works so well..?! — Well just do it silly-bily.” Noone I know and whom I nagged got Blaster-problems.
Hell, I have read about that patch in every single least remotely computer related tabloid, it was on every TV-news. Still, it appears quite about every stoopid user does not care. What’s with your auto-update feature, people?! Not with every hole its possible to attack a system by merely having a net-connection, as was the case with Blaster. Often you need to talk the user into doing stoopid things first. So at least the broad misuse of a hole will in fact only take effect after a new patch gives it enough publicity.
“Of course you cannot state this as a general rule, but for example Blaster/Lovesan was the users fault and ENTIRELY and ONLY the damn, darn, lazy, silly, stoopid users fault !!”
Really? Well how about this.. What if they made a secure OS that didn’t need patches every week? And if the releasing of patches is what gives crackers and script kiddies there opening, then why each time they release a patch must they say it what it’s for? Why not just call it a security patch period.
What if software engineers recognized that the common man is busy with his job and his life, and has more important things to do with his time, and that he doesn’t get paid to fix faulty software like they do, nor does he have the time to constantly worry about worms and crackers, and that having spent a pile of money on a new computer, he thinks it ought to just work without a lot of headaches and BS? And most importantly, what if the people who create OSes were actually smarter than the “script kiddies”?