Coffeehouse Thread

Microsoft Security Alert, here's where to go

  • scobleizer

    Microsoft has released a security alert. There is a team at Microsoft that is dedicated to these kinds of crisis situations.

    They publish their findings at microsoft.com/security.

    If you find a new exploit, or know of some security problem on one of our products, please send email to secure@microsoft.com.

    Already this page has been updated a few times in the past 24 hours. If you think you have a security problem with a Microsoft product, please check the security site.

    If you just want to make sure you are protected, then visit microsoft.com/protect.

  • ZippyV

    A patch is still not available for IE.

  • Charles

    "A patch is still not available for IE"

    Give them some time, ZippyV. Mama mia. You know how much has to happen before a patch is released?

    First, the hole needs to be isolated (not always easy). Then a solution designed (not always easy). Then implementation (not always easy). Then testing (not always easy). Then fixing the bugs caused by the implementation (not always easy). Then start the cycle again (easy).

    Look at it this way: Developers and testers in IE land will be working through the weekend. Should they not be allowed to get any sleep or food or fresh air until the patch is ready to ship? There are only so many hours in a day.

    I have tremendous respect for what these guys and gals in patch land are doing. It's one of the hardest jobs at Microsoft and it also gets the least amount of love.



    Charles

  • LazyCoder

    While those diligent, hard working folks work overtime on the patch, some of us surf on...


    The patch people DO have the crappiest job at Microsoft, ok except for maybe anyone with an officemate who runs at lunch now that the towels are BYOT, and probably get the least amount of love Smiley  It's probably worse for the IE team than for any other team. At least the Server team can say "they should upgrade to Server 2003". What can the IE team say? "Help!"

  • phunky_avocado

    Give it a rest already!  Go back to Slashdot.  Sheesh, what with 4 threads on how crappy IE is (or are there more threads now?) and how Blessed-By-God Firefox (or whatever it is) is...

    LazyCoder wrote:
    While those diligent, hard working folks work overtime on the patch, some of us surf on...


    The patch people DO have the crappiest job at Microsoft, ok except for maybe anyone with an officemate who runs at lunch now that the towels are BYOT, and probably get the least amount of love Smiley  It's probably worse for the IE team than for any other team. At least the Server team can say "they should upgrade to Server 2003". What can the IE team say? "Help!"

  • Charles

    LazyCoder,

    Keep in mind that IE, as the most used web browser in the world, will necessarily attract the most bad guys trying to find holes in it to use as means to do bad things to people surfing the web. When Gecko-based browsers increase significantly in usership, you will see an increase in security vulnerabilities in those browsers. Why? Well, if I am a hacker, then I want to hack as many people as possible with a single attack vector... 

    IE has certainly had its share of security blunders, but consider what IE does: it enables users to surf aimlessly in the dangerous waters of the Internet. It is necessarily on the front lines when it comes to facing Internet-based attack, because it is an Internet explorer, after all. It is not at all surprising to me. This is exactly why security is the most important focus for IE right now. It simply has to be. 

    You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet. That said, in the future this will not necessarily be the case as users will have become more educated and systems made more secure, but the sad fact remains: there will always be bad people out there working tirelessly to figure out ways to hurt as many people as possible, even if only in abstract or virtual ways. 


    Charles 

  • clint_hill

    Charles, with all due respect listen to what you are saying. You are providing this forum to us to voice our opinion. To hear the cockpit and also talk back. Now, when you guys open your mouth about another security patch and we respond not so pleasantly - you say more or less to shut up and stop whining.

    Hear me out because I am a software engineer and I know what it is to debug something in production and also get all clients updated. My point is MS is a company that I think would be unrivaled in intelligence (at least that is what I would suspect). Wouldn't you listen to these comments and say "hmm, how do we get things done quicker?" or think to yourself this is an interesting challenge and wonder how to attack it? From your replies I would sense you are tired of hearing the "whining" and wanting someone to give you a break. No breaks in software development. This is a job you signed up for, and now you need to take your medicine.

    You don't want to hear us challenge MS or its products - don't participate in your own site.

    How does that feel coming from me? Maybe now you can walk in our moccasins a mile.

  • rjdohnert

    I have had faster patches for Linux Tongue Out

  • LarryOsterman

    You've also had patches for Linux that broke many many applications.

    The time spent in a patch is usually not in making the fix, it's spent on running lots of regression tests.

    For IE, the regression matrix is literally the size of the internet.

  • barlo_mung

    I think I read that it's fixed with XP SP2 RC2 already.  So I would suspect that a general fix isn't far off.
    Just one man's spin of the theory wheel though.

  • Charles

    I by no means intended my thoughts to cast such a negative shadow. I am just participating in the discussion and by no means am I trying to discourage the continuation of this thread.

    I do take my medicine: interacting with the ideas presented on this site and honestly and openly adding my thoughts. What I posted is not a representation of what Microsoft thinks, only what I think.

    Security holes suck and the blame for them falls squarely on the software where they're found. I would never think otherwise.

    Fixing security flaws in software used by millions of people necessarily takes some time since the process required to get a fix out the door can be either simple or really complex depending on the specific vulnerability, but needs to solve the problem and not create new ones, security-related or otherwise, regardless. Either way, this does take some amount of time. I'm not saying this is a good or bad thing. I'm only just saying it.

    I want to hear you challenge our products. I want this to be a place that enables and encourages the free exchange of ideas. And I hope Channel 9 is just this.

    Even though I am one of the so-called Channel 9 guys and a Microsoft employee, I believe that if I have ideas to add to a discussion I should be able to introduce them freely. I'm here for the conversation too.

    My apologies if I've offended anyone or scared anyone away. It's certainly not my intention.


    Keep on posting,

    Charles

  • scobleizer

    Clint_hill: I usually agree with turning on the negative feedback as much as possible (you've seen me encourage it over and over). It's how we learn to be better. But in some situations a little dialog (er, pushback even) is necessary too.

    This is a two-way street. Sometimes in the cockpit the pilot has to yell at the passengers and say "sit the hell down." I've heard it happen in a real plane. For their own good.

    In this case we have a team who is working 24-hours-a-day trying to do the best they can under extremely tense, and extremely trying, circumstances.

    You say "no breaks in software development." That's right. But, remember that there are human beings on this side of the fence too. Cut them a bit of slack, especially when they are working overnight trying to fix a problem that criminals exposed in the first place.

    I'd love to give you a tour sometime around the security team and the Internet Explorer team so you can see how they are working.

    Right now they are doing everything they can to help customers out. The patch will be out as soon as humanly possible. Can we do it any faster? I wish we could, but we're human and it takes time to make sure you don't cause a bigger mess than the one we're in already.

    Keep watching microsoft.com/security. As soon as something new is known, it'll be up there. Last update was at 8:35 p.m. our time on Friday night.

  • LazyCoder

    phunky_avocado wrote:
    Give it a rest already!  Go back to Slashdot.  Sheesh, what with 4 threads on how crappy IE is (or are there more threads now?) and how Blessed-By-God Firefox (or whatever it is) is...


    You're my hero man, you're so cool.

  • LazyCoder

    Charles wrote:

    LazyCoder,

    Keep in mind that IE, as the most used web browser in the world, will necessarily attract the most bad guys trying to find holes in it to use as means to do bad things to people surfing the web. When Gecko-based browsers increase significantly in usership, you will see an increase in security vulnerabilities in those browsers. Why? Well, if I am a hacker, then I want to hack as many people as possible with a single attack vector... 



    I never claimed that wouldn't happen if Gecko based browsers ruled the world. I implied that you're much safer surfing RIGHT NOW (and for the near future) using a non-IE based browser. Apache IS the most used web server in the world and therefore has the biggest target on it. That will always be a fact. Market share == more targets. But until the IE and Windows teams can rearchitect both the browser and the underlying OS (Windows Server 2003 is a GREAT start), you're better off using a browser with a smaller target on its chest. Smiley

    btw: You can't scare me away, Charles. Provided you state your argument clearly and politely. If you just pop in and tell me to shut up or go back to slashdot, like psycho bunny or whoever, I'll just mock you. BTW I've been programming on the MS platform since VB 4-32 bit version (no 16-bit thankyouverymuch) and I've got a "Midnight Madness IE 3" t-shirt in my closet that's too small now. Back when Netscape was stuck in 4.X limbo I was arguing with Netscape devs and telling them to get with the program. My point being I was supporting MS before supporting MS was cool and "anti-/.". I convinced 3 hospitals to port a completed ColdFusion application to ASP.NET last year. I've got a pretty big stake in the MS web platform and I'd to be able to tell users, "Use whatever browser you want." I can't quite do that yet.

  • nektar

    Getting to know the IE team and the Security Response Team is the best way we can understand them better. So, please give us a tour of the IE and Security teams, make them talk about their plans for the future, for the next IE version for example. What are they doing to improve IE based on our own feedback?
    Also, instead of just giving general answers like "we need to do a lot of testing for this patch" etc., the Security Team could have a blog or, better, a wiki here on Channel9, where they can give reports of their progress, share their testing issues with us and generally let us in on their inside work and difficulties. Getting to know them better will make us more capable of judging them and enable us to appreciate their work.

  • ZippyV

    How long has Microsoft known about these bugs?

  • Lwatson

    Keep in mind that this particular bit of nastiness is the result of some large web servers not having all their patches in place. If these fellows had all the patches that were released some time ago in place, we would NOT be having this discussion. Of course there is a hole in IE that this is exploiting, and I am sure there are other holes also. But this particular vector was made known to the general public just on Thursday; an IE patch is going to take a bit of time. Until that time use Firebird if you are so inclined. BTW Channel 9 works well with Firebird.


  • LarryOsterman

    ZippyV wrote:
    How long has Microsoft known about these bugs?

    As far as I know, Microsoft learned about the bugs in IE that are being exploited last week, when Jelmer announced them to Bugtraq.

    For whatever reason, Jelmer decided to announce the vulnerabilities publicly first, before contacting Microsoft, which puts further stress on the fix process.

    Over the past several vulnerabilities (Sasser, MS-Blaster, etc), we've seen a steadily decreasing period of time from the public announcement of the vulnerability to the exploitation of the vulnerability.

    It took 18 months for the vulnerability used in SQL Slammer to be exploited in the wild.  It took about 1 week for the vulnerability used in MS-Blaster/Sasser to be exploited.

    And it took Jelmer's vulnerabilities about a week.

    If someone contacts Microsoft FIRST with the vulnerability, without going public, it gives Microsoft a head start on the hackers to start the fix process. 

    This can be the difference between an exploit that devastates the internet and one that is a major annoyance.  Fortunately, for this one, it was neither.


    Btw, Jelmer's vulnerability was a way of crafting a URL so that IE believes that the target of the URL is in the Local Computer zone, and not the Internet zone. As a result, since IE believed that the script was in the Local Computer zone, it was allowed to do much more than normally allowed.

    The scary thing about this exploit is not this particular exploit.  It's the ones that are going to be coming in the future that use it.  This particular exploit was fairly ham-handed, it required defacement of vulnerable web sites.  I believe that there are other ways this can be exploited that don't require hosting on external web sites.

    The good news (as others above have said) is that the vulnerability was identified internally during the XP SP2 review process.  Which means that we probably know how destabilizing the fix will be.

    On another related tack...

    The security response team is on the 3rd floor of my building.  When an incident occurs, they shut down all the conference rooms on the floor, and effectively turn them into C&C centers.  They effectively live in the room from the start of an incident until it's over.  This is a REALLY big deal.
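An added illustration of the zone-confusion point in Larry's post (this is constructed example code, not IE's zone-mapping logic and not from anyone in the thread): a privilege decision keyed on a URL's security zone should fail closed, granting the more trusted Local Computer zone only when the URL is unambiguously a plain local file path and falling back to the Internet zone whenever the parse is doubtful. The zone names and the `classify_zone` / `script_privileges` helpers are assumptions of this example.

```python
from urllib.parse import urlsplit

LOCAL_COMPUTER = "Local Computer"   # more trusted zone (assumed name)
INTERNET = "Internet"               # least trusted zone (assumed name)


def classify_zone(url: str) -> str:
    """Return the zone a URL should be evaluated in, failing closed.

    Only a file: URL with no host, no credentials, no query/fragment and
    no suspicious path content is treated as Local Computer. Anything
    the parser cannot pin down unambiguously is treated as Internet,
    because that is the zone with the fewest privileges.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. unbalanced IPv6 brackets: unparsable, so least trusted
        return INTERNET
    if parts.scheme.lower() != "file":
        return INTERNET
    # A file: URL naming a remote host is not a local path.
    if parts.netloc != "":
        return INTERNET
    # Credentials, query or fragment have no place in a plain local path.
    if parts.username or parts.password or parts.query or parts.fragment:
        return INTERNET
    # Control characters or an embedded second URL in the path are red flags.
    if any(ord(ch) < 0x20 for ch in parts.path) or "://" in parts.path:
        return INTERNET
    return LOCAL_COMPUTER


def script_privileges(url: str) -> dict:
    """Map a URL to the privilege a script loaded from it would get."""
    zone = classify_zone(url)
    return {"zone": zone, "allow_local_file_access": zone == LOCAL_COMPUTER}


if __name__ == "__main__":
    # Constructed sample URLs, labelled with the expected zone.
    for sample in ("http://example.com/page.html",
                   "file:///C:/Users/Public/readme.txt",
                   "file://evil.example/share/page.html",
                   "file:///C:/page.html#frag",
                   "http://[::1"):
        print(sample, "->", script_privileges(sample))
```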
