http://www.microsoft.com/technet/col...ity/noarch.asp
What the-- Stupid! Sonofa... Mother-f-- GYAAAH!!
Sorry, just needed to rant incoherently there for a minute. I actually used to like what Scott Culp had to say... But I guess that was back when he was saying Microsoft was trying to get its act together on security.
If I ever see that guy, he's gettin himself a wedgie, that's all I have to say...
First off, despite what Scott says, Code Red was not based on the ISS advisory. Of all people, *he* should know that! It was similar, but it was not the same code and didn't attack the same vulnerability. I haven't confirmed that myself, mind you, but Elias Levy did, and when it comes to something like this, I'll trust his word.
Second, there are other benefits to full disclosure than getting admins to apply patches. People get to see what sort of practices lead to security holes, so they know not to make the same mistake. If we hadn't been seeing details on buffer overflow exploits, and if Elias (aleph1) hadn't written his paper, how many more exploitable programs would we be seeing today?
Third, telling admins that there is a patch is *not* enough to get them to apply it. Especially in the MS world, when you're never sure if the patch is going to provide you with added security, or cause Outlook to crash and burn (Or, *cough*, 2.2.15, *cough* 2.4.11... sorry Linus).
If I don't know that there's a security risk involved with a patch, then I don't know that I'll blow a few hours installing it on all our systems; I just don't have time.
Telling people that there's a security issue isn't enough, though. You need to explain the vulnerability or they'll put it on the back burner. Meanwhile, some attacker with a clue is installing the patch on their system and checking for modification times, tracking down the vulnerability through the patch, and using it to attack anyone who isn't up to date.
As much as I hate to say it, this is even easier in the open source world: all you have to do is diff the original source and the patched source (or just look at the patch, depending on how it's distributed) in order to see where the vulnerability can be found.
Yes, developing exploits requires some skill. But once that exploit has been built, there is nothing keeping it from spreading through the underground. Meanwhile, the IT workers of the world are busy installing ram, putting out motherboard fires and hooking themselves up to the UPS rather than installing "Patch Q413312343842b" which fixes "A problem with IIS/Outlook/IE/Random .dll that only Tim Mullen and RFP will recognize as doing something".
Do we need working exploit code released with patches? Maybe not. I've been lucky enough that I can tell the CEO there's an issue that needs to get patched, and have him believe me. Other people might not have the kind of discretion that I do when it comes to rolling out updates on production servers or spending 8 hours kicking everyone off their systems so I can install a version of IE that was developed since the stone age.
Also, as I said before, having that information available can help keep the rest of us from making the same mistake in our own code.
So what should MS be doing? IIS lockdown and hotfix programs are a step in the right direction. Making the patches easier for admins to install will actually make it possible for some of us to get them handled. Their announced audit of IIS is another good step. They certainly have the resources to put some extra manpower into quality checking their product.
Bugs, holes and patches are all to be expected; people are fallible, whether they work at MS or not. Not everyone can code like DJB. So, MS needs to handle it well when those problems do arise. I'd been hearing that they'd been handling security holes a lot better lately, but this denialist crap isn't going to cut it.
It's nothing new for companies like MS to want to drive security back into the closet. They don't like our modern world of rock-star security experts like the CDC, RFP, Bruce Schneier or myself. ;) And as much as I hate to propagate a conspiracy theory, ever since September, they've been trying damn hard to force us back into the dark. The ATA is a prime example; I was trying to decide what country I was going to flee to if it passed, and people at work now refer to me as "the terrorist".
Big business is trying to close Pandora's box, but it's too late... and that's a good thing. It's time for MS, Scott Culp, the RIAA and the MPAA -- and everyone else out there -- to figure that out!
</rant>
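The patch-diffing workflow the post describes (install the fix, find what changed, read the change to locate the hole) as an added example; this is not code from the original post, from Microsoft, or from any vendor's tooling. It runs over two constructed in-memory source trees (hypothetical files handler.c, util.c and version.h) and compares content hashes rather than modification times, since an installer will touch files it did not actually change. The two regexes that mark removed unsafe calls and added length checks are heuristics chosen for this example, not a general vulnerability detector.

```python
"""Locate a silently fixed bug by diffing pre-patch and post-patch source.

Added illustration, not vendor or author code. The sample trees below are
constructed for the example and stand in for a directory snapshot taken
before and after applying a patch.
"""
import difflib
import hashlib
import re
from typing import Dict, List

# Constructed sample trees (hypothetical file names and contents).
PRE_PATCH: Dict[str, str] = {
    "handler.c": (
        "int handle_request(const char *req)\n"
        "{\n"
        "    char buf[256];\n"
        "    strcpy(buf, req);\n"
        "    return process(buf);\n"
        "}\n"
    ),
    "util.c": "int process(const char *s) { return s[0]; }\n",
    "version.h": '#define PRODUCT_VERSION "5.0.1"\n',
}
POST_PATCH: Dict[str, str] = {
    "handler.c": (
        "int handle_request(const char *req)\n"
        "{\n"
        "    char buf[256];\n"
        "    if (strlen(req) >= sizeof(buf))\n"
        "        return -1;\n"
        "    strncpy(buf, req, sizeof(buf) - 1);\n"
        "    buf[sizeof(buf) - 1] = '\\0';\n"
        "    return process(buf);\n"
        "}\n"
    ),
    "util.c": "int process(const char *s) { return s[0]; }\n",
    "version.h": '#define PRODUCT_VERSION "5.0.2"\n',
}

# Heuristics (assumptions for this example): a removed call to a classic
# unbounded string function, or an added `if` that tests a length/size,
# usually marks the spot the patch is fixing.
UNSAFE_CALL = re.compile(r"\b(strcpy|strcat|sprintf|vsprintf|gets)\s*\(")
LENGTH_CHECK = re.compile(r"\bif\s*\(.*\b(sizeof|strlen|len|size|count)\b")


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def changed_files(pre: Dict[str, str], post: Dict[str, str]) -> List[str]:
    """Files whose content actually differs between the two snapshots."""
    names = sorted(set(pre) | set(post))
    return [n for n in names if digest(pre.get(n, "")) != digest(post.get(n, ""))]


def unified_diff(pre: Dict[str, str], post: Dict[str, str], name: str) -> List[str]:
    """Unified diff of one file, as `diff -u` would print it."""
    return list(difflib.unified_diff(
        pre.get(name, "").splitlines(keepends=True),
        post.get(name, "").splitlines(keepends=True),
        fromfile=f"a/{name}", tofile=f"b/{name}",
    ))


def triage(pre: Dict[str, str], post: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """For each changed file, collect removed unsafe calls and added length checks.

    Files with neither (e.g. a version-string bump) are left out of the result,
    which is what lets an attacker skip straight to the security-relevant hunk.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name in changed_files(pre, post):
        removed_unsafe: List[str] = []
        added_checks: List[str] = []
        for line in unified_diff(pre, post, name):
            if line.startswith("---") or line.startswith("+++"):
                continue  # file headers, not content
            body = line[1:].strip()
            if line.startswith("-") and UNSAFE_CALL.search(body):
                removed_unsafe.append(body)
            elif line.startswith("+") and LENGTH_CHECK.search(body):
                added_checks.append(body)
        if removed_unsafe or added_checks:
            findings[name] = {"removed_unsafe": removed_unsafe,
                              "added_checks": added_checks}
    return findings


if __name__ == "__main__":
    print("changed:", changed_files(PRE_PATCH, POST_PATCH))
    for fname, hits in triage(PRE_PATCH, POST_PATCH).items():
        print(f"{fname}: removed {hits['removed_unsafe']}, added {hits['added_checks']}")
        print("".join(unified_diff(PRE_PATCH, POST_PATCH, fname)))
```

Run against a real pre/post snapshot the same way: hash every file in both trees, diff only the ones that differ, and read the hunks that remove an unbounded call or add a bounds test. The version.h change shows why hashing alone is not enough; the patch touches it, but the diff carries no security content, and the triage step drops it.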