Microsoft’s Security Lunacy

MS seems to have adopted a monthly/lunar cycle for security updates. One really has to ask why, and at what cost? Sure, there should or could be delays in shipping patches due to the need for rigorous testing, but which is the greater risk: leaving systems unprotected, or risking some glitches once a system is secured?
I think most folk would take the glitches rather than having their system controlled or infected from the outside world. After all, that is what we usually have to do anyway… lock things down, which means loss of functionality for the sake of security.

So why is it that Microsoft takes a month to ship critical security updates? Is it some sick PR campaign to make people think there are fewer patches and fewer flaws by only updating your system once a month? Gee, what a brilliant idea (NOT!!). Maybe they can get the anti-virus companies to follow suit, and hold off shipping new virus definitions until next month.

Meanwhile, we see more and more “day-zero” exploits. That is, as MS becomes predictable, it also becomes predictable to release an exploit to the public domain the same day as MS releases its patches, thus giving 30 days of free exploitation.
This latest one is also a very nasty one. I was amazed at how it got through so many systems. Some anti-virus programs will stop some of the vectors being used, but that is actually catching older known unpatched exploits! (Why didn’t they wait till next month?)

Anyway, if you are using Windows, turn off active scripting, and wait till MS comes into its next lunar cycle, and just be thankful they don’t actually have security products. Imagine if they sold bullet-proof vests… Oh well, I s’pose there they’d just deliver it to your grave.

6 Comments so far

  1.   Jerry on June 14th, 2004

    There is actually a very good reason for our monthly security patch release schedule: our customers asked for it. They asked for longer cycles between releases and asked for more predictability so that they can plan for large rollouts.

    We never said we would not release a patch outside of this schedule either. Quite the contrary actually. In fact, we did an out-of-band release back in February. We will do this any time we a) see that our customers are at risk from an exploit and b) have a tested patch ready for release.

    You said: "Meanwhile, we see more and more "day-zero" exploits." Really? How many exactly? The reality is that there have not been that many. Most security researchers practice responsible disclosure, which means they wait for the vendor to release a patch before they make their exploit code public (if they ever do at all). Obviously this is not always the case and, as stated above, we will act out of band if we can.

    We DO have security products and they work quite well for what they are designed for. Take ISA Server 2004 for example. It has the best application level filtering of any firewall product out there and works extremely well for publishing/exposing Exchange and IIS servers to the net.

    To summarize, our monthly patch release cycle has nothing to do with our needing more time to develop patches and has everything to do with what our customers have asked us for. We WILL release patches outside of this schedule if we can, and we actively engage with security researchers to promote responsible disclosure.

  2.   Bill on June 14th, 2004

    When you say “our customers asked for it”, I think that is in reality a gross overstatement. What you meant was that *some* corporate customers asked for security rollups. That is, they wanted to make it easier to keep track of rolling out updates inside a corporate network. I bet you not one of them said “hold off on patches even though the vulnerability is known and reported in the wild”.

    Furthermore, I bet “customers” does not refer to home users. Screwing the home user for the sake of the corporate client is bad. There would not be a home user out there that would say hold off on updates, instead make them bigger monthly rollups. What they might say is “don’t make me have to reboot”, but they would not say “leave my system vulnerable to known exploits for a month so that your corporate customers feel happier”.

    Microsoft, if it wants to be honest about this, can put this to the test, and allow people to subscribe to patches as soon as they are available or wait till next month and get them in a rollup. The only problem with that approach is the level of disclosure MS gives would be minimal until the rollup is released. But that’s far more feasible than your concept of trying to silence the internet till MS is ready to hear the truth. (aka: “responsible disclosure”)

    As to ISA Server, great Jerry, how does that protect anyone from this exploit? In what *meaningful* way is it even applicable to the home user? It simply isn’t. I ask for a bulletproof vest, and you say we have an armored car. Like to see that running on a Pocket PC <g>.

    Finally, as to your “has not been that many” statement, well it has not been many months since MS started this “lunacy”. This month we have the exploit that allows code to run in the local zone, which impacts home users. Last month we had the CHM store exploit that basically did the same. Once again that one was documented on the internet for probably at least a month before MS patched it. I know I removed the relevant registry keys while waiting for MS to release a patch. But instead of releasing it immediately, they held off, and included it as part of last month’s rollups. As to this latest one, well the clock is ticking.

    To put it simply Jerry, it only takes one bullet. Microsoft knows of this vulnerability, just like they did on the CHM store vulnerability last month. But instead of “scaring” the public, Microsoft decides to leave them at undue risk, and wait till next month just so that their corporate customers can have easier patch management. Like Caesar throwing the home users to the lions for the pleasure of his corporate buddies. Sick, and totally irresponsible.

  3.   Jerry on June 15th, 2004

    Bill, with all due respect, you seemed to overlook this:

    We never said we would not release a patch outside of this (monthly) schedule either. Quite the contrary actually. In fact, we did an out-of-band release back in February. We will do this any time we a) see that our customers are at risk from an exploit and b) have a tested patch ready for release.

    As far as my mention of ISA Server, that was in response to your statement that we don’t have security products. I was not implying that it was a product applicable to home users.

    I personally talk to lots of end (home) users who like the monthly release schedule and prefer it to releasing patches whenever they might be available or even the weekly schedule we did previously. As long as we can and will release a patch out of band, how is the monthly schedule bad?

  4.   Susan on June 15th, 2004

    Bill, they have released an "out-of-band patch" and they say they might do this ALL THE TIME. I’m probably the only person I know who didn’t mind the weekly schedule, because I have a patching tool both at the office and at home… but even then… I had to make a decision… is it okay to do it now… should I see what my fellow SBSers are experiencing with it? Now… way, way easier to better track "issues" because we typically tend to patch around the same schedule.

    IE is one of the NASTIEST ones to patch. They can’t just roll out an English patch but have to patch ALL localized versions. It’s like 400 "flavors" of IE that they have to "roll a patch for" and test.

    Jeff Middleton did a white paper about 2 years ago saying that we couldn’t handle the once-a-week patch schedule… sorry but I so disagree with you… I LIKE the once-a-month, occasional "out-of-band" patch schedule. As an SBSer who has applied practically all of Microsoft’s patches, I don’t WANT to go back to once a week.

    Bill… they have to test… they can’t just throw out a crappy patch and then go "gee, I’m sorry". All it takes is one crappy patching experience and people remember that forever.

    You know what I’m doing right now… which, excuse me… we should be doing anyway… running with IE in High security and then adjusting "trusted zones" to run in Medium and adding line-of-business web sites where needed. Man, do some of these web sites use crappy coding practices. Geeze… it’s unbelievable out here what bad practices we put up with.

    You have to have patches go through a certain test pattern; that’s just downright common sense to ensure that the patch will do its "thing".

    Other than the POC links and security exploit emails… I honestly have not seen these types of web sites. Hey, we’re surfing in the hood these days… keep your doors locked and don’t talk to strangers… you know?
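The post’s advice to turn off active scripting, and the comment above about running IE at High and putting line-of-business sites in Trusted sites at Medium, both come down to per-user IE zone settings in the registry. The script below is an added example (not from the post or any commenter) that audits and disables Active Scripting in the Internet zone and maps one site into the Trusted sites zone; the domain is a placeholder, and it assumes the user’s own HKCU zone keys are in effect (no HKLM-only zone policy).

```powershell
# Added example: audit and disable Active Scripting in IE's Internet zone (3),
# then map one line-of-business site into the Trusted sites zone (2) so it keeps
# that zone's Medium-level settings. Per-user keys: run in the affected user's session.
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveScripting = '1400'   # URL action id for Active Scripting; 0 = enable, 1 = prompt, 3 = disable

function Get-ZoneActionState {
    param([int]$Zone, [string]$Action)
    $item = Get-ItemProperty -Path "$Zones\$Zone" -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'unset (zone default applies)' }
    switch ([int]$item.$Action) {
        0 { 'enabled' }
        1 { 'prompt' }
        3 { 'disabled' }
        default { "unknown($_)" }
    }
}

function Disable-ActiveScripting {
    param([int]$Zone = 3)   # 3 = Internet zone
    $before = Get-ZoneActionState -Zone $Zone -Action $ActiveScripting
    Set-ItemProperty -Path "$Zones\$Zone" -Name $ActiveScripting -Value 3 -Type DWord
    $after = Get-ZoneActionState -Zone $Zone -Action $ActiveScripting
    "Zone $Zone Active Scripting: $before -> $after"
}

function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMap $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The DWORD is named after the scheme; its value is the target zone (2 = Trusted sites).
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
    "$Scheme://$Domain mapped to Trusted sites zone"
}

# Usage: lock scripting in the Internet zone, keep one business site working.
Disable-ActiveScripting -Zone 3
Add-TrustedSite -Domain 'intranet.example.com'   # placeholder domain, not from the page
```

Re-run Get-ZoneActionState after any IE or Group Policy change, since the UI and HKLM policy can silently reset per-zone action values.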

  5.   Susan on June 15th, 2004

    "Now, about the darn security fixes. These are tough. Tougher than it might seem on the outside. Why? Because Internet Explorer’s engine is used in several different OS’s. Dozens of different languages. Thousands of different applications. Changing one line of code in the innards of Windows means potentially breaking a large number of applications. That’s unacceptable to the team. So, when they change things, they need to do it in a way that doesn’t break things for customers."

    XP SP2 "is" going to break line-of-business web sites. RC2 is [per Neowin] out shortly. I hope you are downloading and messin’ with it.

  6.   Bill McCarthy on June 17th, 2004

    Hey Susan,

    Having patches made available at the earliest possible time does not preclude Microsoft doing monthly roll-ups. Personally I think monthly rollups are great, and they should really think about extending that and making it easier to bring new systems up to date as well. Once upon a time TechNet seemed to help a lot there, but it really became overly complex and also terribly out of date by the time you got the CDs. Rollups help address those issues. I actually would like to see MS have a business update subscription, where you can pay an annual fee and they express-ship to you CDs or DVDs (your choice) with the latest patch rollups and administration tools to help you roll them out.

    Anyway, the thing is *timely* updates are not counter to rollups. Timely updates make more systems secure earlier, which is good for all of us. But most importantly it gives the *customer* the choice as to whether to patch now, or wait till the end of the month. That is, the customer gets to choose, not MS holding the patch back for some artificial monthly schedule.

    As to IE and using the secure zone, yeah that might work, although that might actually be more dangerous 😉 But I seem to have this faint memory of you not using IE; instead it was Mozilla, Thunderbird not Firebird, no??? 😉