Microsoft Explains and Defends Silent Fixes

JMH

Microsoft has detailed its policy of patching in-house discovered bugs silently and tried to answer the most frequently asked questions regarding this procedure.

The fact that Microsoft doesn't disclose all patched vulnerabilities in Security Bulletins is not a secret. This was admitted by the company in 2006.

This somewhat controversial policy applies to bugs discovered during the "Hacking for Variations" (HfV) process, which aims to limit the number of similar flaws in a product.

When the company receives reports of a vulnerability, it also inspects the source code for similar bugs and runs a plethora of tools, including fuzzers, against the vulnerable component.

Any flaw discovered in this way is considered a variant of the originally reported vulnerability and it doesn't get publicly disclosed, nor does it receive a CVE identifier.
Microsoft Explains and Defends Silent Fixes - Softpedia
 

Dear JMH,
I guess you are the person to answer two tiny doubts of mine!
1) Why did Microsoft allow its customers a certain degree of free rein in allowing updates: 1) unhindered installation, 2) download, I will decide what to install and 3) I will decide whether to install or not (is option 3 there?)

2) On super Tuesdays, what % of users generally allow all downloads to be downloaded AND installed (You may give a rough restimate, lest we rust!;))

3) Do you consider the undercover fixes are to avoid loss of face?
Regards,
Sreedhav:)
 

All of your questions pertaining to Microsoft's motives can only be addressed by Microsoft.
 

All of your questions pertaining to Microsoft's motives can only be addressed by Microsoft.

Dear JMH,
I am sincerely sorry for the ill-directed queries! I can only crave your pardon! I hold you in the highest regard!

Regards,
Sreedhav
 

See... as long as those fixes are tested sufficiently to make sure they wouldn't crash my computer or cause any kind of unwanted behavior, I don't mind them being pushed on me.
But if they ever affect me in an undesired way you can bet your boots, Microsoft gets a special entry in my HOSTS ;)

-DG
 

i really like the word 'fuzzer' - first time i've come across it - thanks JMH!

my next kitten may be in need of that name :)
 

I think not disclosing the extent of all patched vulnerabilities has some security benefits. If the hackers can just pull up lists of all the vulnerabilities you fixed, they would be able to create exploits for new vulnerabilities that much faster.
 

hmm...this is a very slippery slope

As consumers do we have the right to inquire as to what these fixes are? And if so - how does that protect against hacking - for a hacker could ask the same.

If they can do this without warning/liability who knows what they can put on personal, public, and corporate machines/servers without permission.

And what happens if they damage the OS/machine(s)?

Is the enduser SOL?
 

I have no problem with the way Microsoft does it. Most of us wouldn't know what to do with the fine code that might be included. Giving all the fine details might also give someone access to the operating system's code with which it was created by its owners.
 

As consumers do we have the right to inquire as to what these fixes are?

Yes and No

Remember, you are renting the Windows OS, you do not own it.


And if so - how does that protect against hacking - for a hacker could ask the same. ---- Yes

If they can do this without warning/liability who knows what they can put on personal, public, and corporate machines/servers without permission.


There are limits and protections that they must adhere to.
They can't just drop a keylogger or something on your system.


And what happens if they damage the OS/machine(s)?


The end user is not necessarily SOL. If they have a legitimate copy of Windows, they can contact MS for help if an update does in fact break the OS. I do believe this does fall under the level of support they do provide under the Mainstream support period.


However, if they did do anything that would spy on or compromise a system, believe me, people are watching and it would spread like wildfire. MS would lose in the end.

There are alternatives, not excellent ones, but they do exist.
Mac and Linux would welcome the change.
 

There isn't anything in that article that suggests that updates are being secretly pushed to users' machines. It sounds more like MS simply doesn't disclose every patch that is contained within their regular, visible security updates.
 

I have a hard time agreeing that MS would completely fall in line with supporting complaints after a secret update considering it could be exceptionally time consuming and costly to support such claims if people were under the impression it had contributed to system failure or found a way to exploit it.

For example - if this update just happened (which I did find 2 critical windows updates but have coincidentally also run into a NEW S.M.A.R.T HD failure- how can I prove or disprove complicity with the update? I could very well be under the impression that this error (critical and a massive headache nonetheless) quite possibly correlates to their secret update.

So how would I or anyone else go about that?
 

For example - if this update just happened (which I did find 2 critical windows updates but have coincidentally also run into a NEW S.M.A.R.T HD failure- how can I prove or disprove complicity with the update? I could very well be under the impression that this error (critical and a massive headache nonetheless) quite possibly correlates to their secret update.

So how would I or anyone else go about that?

Microsoft would probably argue it's nothing more than coincidence. It would fall on you to find enough circumstantial evidence and/or corroborating data from other Microsoft users that would allow a reasonable and prudent person to reach a conclusion of fact that Microsoft's update(s) were responsible.
 

Not to mention that every time an update is released, someone somewhere has an issue with installing it. Very hard to prove at the end of the day, as no two machines are the same.
 

For example - if this update just happened (which I did find 2 critical windows updates but have coincidentally also run into a NEW S.M.A.R.T HD failure- how can I prove or disprove complicity with the update? I could very well be under the impression that this error (critical and a massive headache nonetheless) quite possibly correlates to their secret update.

So how would I or anyone else go about that?

Microsoft would probably argue it's nothing more than coincidence. It would fall on you to find enough circumstantial evidence and/or corroborating data from other Microsoft users that would allow a reasonable and prudent person to reach a conclusion of fact that Microsoft's update(s) were responsible.

And that is where the end user is SOL if there is a connection regardless of their knowledge or capability to prove so - MS can arbitrarily and blindly send out a hidden update with little to no regard for the system it is being delivered to. That is dangerous and proves without a doubt that they can be held complicit for the sheer fact that they are doing it with little to no knowledge of the kind of system they are attempting to alter.

Just because it has 4 wheels doesn't mean it takes unleaded gas - ya know what I mean?
 

And that is where the end user is SOL if there is a connection regardless of their knowledge or capability to prove so - MS can arbitrarily and blindly send out a hidden update with little to no regard for the system it is being delivered to. That is dangerous and proves without a doubt that they can be held complicit for the sheer fact that they are doing it with little to no knowledge of the kind of system they are attempting to alter.

Just because it has 4 wheels doesn't mean it takes unleaded gas - ya know what I mean?

I completely agree with what you're saying. Unfortunately, Microsoft is altering an operating system and it can't be responsible about how the consumers (you and me) are using that operating system or on what machine, any more than an automotive manufacturer can control what the consumer does to the vehicle once it leaves the dealer's showroom floor.

And speaking of dealers (just to continue the automotive analogy) many times a manufacturer releases service bulletins telling dealers that the next time a particular vehicle comes in for service, go ahead and change out part abc with newer part xyz. It's not something that requires a full-blown recall or even a letter to the buyer. It's simply the manufacturer "doing the right thing" to patch his product at no cost to the consumer. If I find out that my dealer replaced abc with xyz without my knowledge or consent, and I'm leasing my vehicle from the dealer, then I think it could be successfully argued that the dealer had the absolute right to keep his vehicle patched. If you bought your vehicle and the dealer patches it without your knowledge or consent, and something subsequently breaks, you'd still have to be able to show a cause and effect relationship.
 

Difference between a mechanic and MS sending blind updates/changes to an OS

The mechanic CAN see what he is working on

And once again, if MS is not required to prove that their actions did not cause the problem when they are the ones who did something unknown to the end user, then that is the reason why end users should be concerned: they have NO defense and could very well lose a great portion of their lives (many adults nowadays have massive amounts of their lives invested in their computers) because of it.

It is bullshit that favors the ones who have the power period.

I have this error after running the IE9 update - coincidence? Why should I think that?
I know that the IE9 wasn't a secret patch - but it was labeled as important so I thought initially it would benefit the security of IE
I am now wasting a TON of my time backing up my system and contemplating what to do next.
 

Attachments

  • CRAP.jpg

You know I would rather Microsoft do what they do than face the possibility that my PC is laid bare for all to come along and hack it.

There is no such thing as a perfect OS, and if people find exploits I for one am glad that MS are working on them and closing them as and when discovered. Paranoia about MS is abundant the world over; maybe we should all go back to using an abacus, can't get hacked on that.

I for one always make a weekly image of my system; if things do go pear-shaped after a secret push I always have that to go back to.

Steve
 

hmm...this is a very slippery slope

As consumers do we have the right to inquire as to what these fixes are? And if so - how does that protect against hacking - for a hacker could ask the same.

If they can do this without warning/liability who knows what they can put on personal, public, and corporate machines/servers without permission.

And what happens if they damage the OS/machine(s)?

Is the enduser SOL?

Dear MR PC,
You said it! A REP. point is humming your way! We know that Google collects info of different varieties via all the three types of cookies. Three weeks back, I bought "CleanGoogle" for 5$ (sort of a garage sale ;)) and it is a program which alerts us via sounds, pop-ups, etc. whenever Google ad-cookies are on the PC! Now it costs you 14$!
Whenever I used the Google Chrome browser, the number of cookies went up and up into the stratosphere, with beeps, sounds, alert messages and such! We value our God, privacy and car, roughly in that order, don't we?

So, you can imagine what a database MS has on each and every one of us! THANKS for patiently reading my rants.

Regards,
Sreedhav

PS: I can't locate any scales on the right upper end of the post, not only yours, but everybody else's!
 