
what's worse: not disclosing a vulnerability or not releasing a patch a.s.a.p.?

EDIT: my bad, see my reply here.

2 hours ago, zMeul said:

why are you lying?

WTF???

How am I lying?

The patches have been released in March, explain to me how I am lying about that?

Edited by wkdpaul


Just so that everyone reading this understands what is going on (I already see MS apologists who don't understand the information in front of them try to justify things).

The patches were created, as in, they were fully programmed and built, and could be installed, back in February. This includes the patches for Windows XP, Windows Server 2003, and Windows RT.

17 minutes ago, wkdpaul said:

lol

that's "last updated" ... not "published dates" ;)

They were ALL published in March

[Citation Needed]

The "last update" date will be the upload date if they have not been replaced since.

12 minutes ago, zMeul said:

That might just be because the page wasn't cached before then.

Neither of you has provided any solid evidence to support your claims. I, however, have solid evidence.

This page.

That link shows the page which was uploaded on March 14, 2017. It lists all the versions of Windows which got the patch for the SMBv1 exploit (KB4012598).

The list is:

Quote

Article ID: 4012598 - Last Review: Mar 14, 2017 - Revision: 9

Windows Server 2008 Service Pack 2, Windows Server 2008 Foundation, Windows Server 2008 Standard, Windows Server 2008 for Itanium-Based Systems, Windows Web Server 2008, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Vista Service Pack 2, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Business, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista Starter

None of the versions which have a "last update" date before 13-05-2017 are listed there.

Coincidence? Of course not...

Now I would appreciate it if you could stop making bold claims which are most likely wrong, without providing any evidence @wkdpaul.

Thanks.

10 minutes ago, ARikozuM said:

Today, I learned that Way Back Machine is a credible source.

Unsure if I should add "/s" or not.

Of course it's a credible source. You just have to use it correctly.


1 minute ago, zMeul said:

why are you lying?

Time for fallacy memes?


2 minutes ago, wkdpaul said:

WTF???

How am I lying?

The patches have been released in March, explain to me how I am lying about that?

that the patches were released since March - it's not true!

KB4012598 for W8, WS2003 and XP were released only a few days ago and MS sat on them since February


10 minutes ago, LAwLz said:

Neither of you have provided any solid evidence to support your claims. I however, have solid evidence.

This page.

That link shows the page which was uploaded on March 14, 2017. It lists all the versions of Windows which got the patch for the SMBv1 exploit.

The list is:

again

I'm talking about XP, WS2003, W8 that are clearly not included in your link

and according to The Register had been built since February; and according to MS' own TechNet page were released just a couple of days ago

here: W8 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55246 date published: 5/13/2017

W8 x64 https://www.microsoft.com/en-us/download/details.aspx?id=55249 date published 5/13/2017

WS2003 x64 https://www.microsoft.com/en-us/download/details.aspx?id=55244

... etc


It's a conspiracy! :P


And here is my theory of why this happened.

Some customers are still paying for support for these old OSes. Last time I heard anything about it, that extended support should have ended sometime in 2015. The deal I read about was created between Microsoft and the CCS (Crown Commercial Service), which runs the NHS among other things. However, chances are the contract has just gotten extended over and over again since that time (or some other agency/company has also made contracts which extended even further).

So Microsoft has had to create security updates for these OSes all this time. They are contractually obligated to do so by companies and governments who pay for special extended support.

These patches were most likely built in February, tested for a little while (software testing of patches does not take several months) and then released. The update only went public for the OSes which were still within the regular support period, and was kept hidden for the out-of-support OSes like Windows XP.

Once Microsoft realized what a terrible situation this was, they made the previously made patches available to the public too.

My opinion:

I think it is a shitty move by Microsoft to keep security updates (which are already developed and ready to be deployed) away from the public. But I understand them as well. They are stuck between a rock and a hard place.

They only have a few choices and all of them are bad.

1) Just never stop supporting OSes. This is obviously not practical in the long run, and it removes the "planned obsolescence" which is in fact needed for progress to some degree (which is not to say I like or am OK with planned obsolescence).

2) The OS support goes into limbo where some updates get released but some don't, and this goes for everyone. This is not a good situation either because support becomes unreliable for organizations and agencies.

3) They completely drop support for everyone. This is bad because organizations like the NHS don't stay on XP because they want to. They stay because it is infeasible for them to switch. You think this was bad? It would have been much worse without the extra extended support.

So Microsoft can't win. Whatever they do, they do something bad/evil in this scenario they are in.

I think they deserve a round of applause for releasing the update to the public in the end though. They didn't need to, and it didn't come until after shit had hit the fan, but at least they did something for the greater good without it benefiting themselves in the end. I think we should encourage that type of behavior whenever we can.


26 minutes ago, wkdpaul said:

WTF???

How am I lying?

The patches have been released in March, explain to me how I am lying about that?

Not trying to fan the flames but in all of your links I don't see any references to any of the XP or Server 2003 updates.


20 minutes ago, LAwLz said:

My opinion:

I think it is a shitty move by Microsoft to keep security updates (which are already developed and ready to be deployed) away from the public. But I understand them as well. They are stuck between a rock and a hard place.

They only have a few choices and all of them are bad.

they are responsible for the shit

they had the fixes since February, they tested and released some of them (by god knows what criteria) in March but held off on the rest ... why?!?!

the data mining shows they had them since February and them publishing the fixes could've potentially mitigated the impact of the ransomware - now, since the fucktards didn't release it, we can't know for sure how much less bad it could've been

they knew, they had them and didn't release them - that's inexcusable and malicious


1 hour ago, WMGroomAK said:

One of the speculated reasons that some Russian and Chinese computers were hit so hard is that they are using pirated versions of Windows that cannot be patched.

You would need to try really, really hard to get a Windows version, pirated or not, that can't be patched. If possible at all. That's highly unlikely to be the reason.

I would find it easier to believe if you told me that non-updated versions of Windows are common in China and Russia. Given the way data collection crept into older Windows versions as Win 8/Win 10 unfolded, I wouldn't be surprised if sysadmins in China and Russia became too cautious when it came to deploying patches, trading off one risk for another, as we see now.

(Remember how China gets its own Win 10 version where updates can be disabled.)


1 hour ago, zMeul said:

source: https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/

hold on to your tinfoil hats because this one is straight out of a Stanley and Laurel movie

get this:

these mofos knew about the exploit and have had the patches built since February - you wot m8 :o

what the fuck!

if anyone got hit by the Wanna Crypt ransomware and lost important data or had to shut down services, sue these motha'fuckers

Or they simply used files created on those dates as a starting point when creating the new patches?


34 minutes ago, Master Disaster said:

Or they simply used files created on those dates as a starting point when creating the new patches?

The timestamp is from the digital signature. If they had modified the file without resigning it (and thus generating a new timestamp) then the signature check would fail.


@LAwLz @zMeul my bad, I'm mostly on my phone and honestly only skimmed the article.

Had time to read it carefully and I see this is specifically about XP SP3, Server 2003 and Win 8 (not 8.1).

The way the OP is written also seems to imply it's about all patches, not limited to some unsupported OSes.

With that said, like I just mentioned, they're unsupported OSes and the article even mentions the NHS misused budget that was supposed to be reserved for transitioning away from XP ... So I still think MS didn't do anything wrong.

Is it strange that they issued patches for some unsupported OSes and not all? Yes. But IMO it's far from being a shitty move on their part because: unsupported...


Did anyone notice that @zMeul stealth-edited his OP without using the journalistic standard of "update:" or "edit:"... Shouldn't this be a part of the News posting standards?

3 hours ago, zMeul said:

these mofos knew about the exploit and have had the patches built since February - you wot m8 :o

So am I reading this right? They purposefully withheld the patches for older OSes so that it would kill off computers using the old OS and get more people onto W10?

Or is my tinfoil hat setting too high?


4 minutes ago, Okjoek said:

So am I reading this right? They purposefully withheld the patches for older OSes so that it would kill off computers using the old OS and get more people onto W10?

Or is my tinfoil hat setting too high?

I honestly doubt that.

They only omitted some versions, not all (XP Embedded and SP2 had patches). It's odd though. But you have to remember those are now unsupported OSes. They technically didn't have to distribute the patches freely.


37 minutes ago, ARikozuM said:

Did anyone notice that @zMeul stealth-edited his OP without using the journalistic standard of "update:" or "edit:"... Shouldn't this be a part of the News posting standards?

  1. this is not journalism
  2. I made a mistake, it's late
  3. at the bottom of the OP there's an edit note with the date and time it was last edited

30 minutes ago, Okjoek said:

So am I reading this right? They purposefully withheld the patches for older OSes so that it would kill off computers using the old OS and get more people onto W10?

Or is my tinfoil hat setting too high?

fuck knows ...

the facts are MS had the patches ready since February and released some of them in March and the rest only a few days ago


First off, XP and Server 2003 are EOL, meaning the people running those OSes were told years ago they would not be getting patched for critical exploits or otherwise without writing a sizable check; the fact that MS did release patches to the public at all is extremely nice of them. The fact that they released these patches publicly is a big smack in the face for companies who spend hundreds of thousands of dollars for these patches from MS.

So yes, MS did have these OSes patched back in March and those companies still paying for XP and 2003 patches DID get them back in March. The people not paying for extended support did not get these patches until this whole WannaCry debacle.

Contrary to popular belief, MS is still writing patches for XP and 2003 but they aren't free. I can't comment on exactly how much we're paying per server (it's insanely expensive) but we still get monthly security patches including the MS17-010 fix.

EDIT: And I have confirmed on a handful of our 2003 servers at work that these were patched for MS17-010 prior to this month.

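Added example, not code from the thread or from Microsoft: a defender-side check in the spirit of KuJoe's confirmation above, plus the Authenticode verification behind the earlier point that a modified package would fail the signature check unless re-signed. It assumes RPC/WinRM access to the hosts in the constructed $ComputerName list and uses a placeholder package path.

```powershell
# Added example, not code from the thread. Checks whether KB4012598 (the MS17-010 fix the
# thread is about) is installed on a set of hosts, then verifies the Authenticode signature
# on a downloaded update package before it is deployed.
# Assumptions: RPC/WinRM access to the hosts in $ComputerName (constructed sample list);
# $PackagePath is a placeholder, substitute the real downloaded package.
param(
    [string[]] $ComputerName = @('localhost'),
    [string]   $PackagePath  = 'C:\patches\KB4012598-placeholder.exe'
)

$Kb = 'KB4012598'

# 1. Patch inventory. Get-HotFix reads Win32_QuickFixEngineering on each host and raises an
#    error when the ID is absent, so a failed lookup is recorded as "not installed" together
#    with the error text (an unreachable host also lands here; read the Note column).
#    Caveat: KB4012598 is the identifier only for the OS versions named in the KB article
#    quoted earlier in the thread; other versions got the MS17-010 fix under other KB numbers,
#    so "not installed" here is not proof that a host is exposed.
function Get-Kb4012598State {
    param([string[]] $Hosts)
    foreach ($h in $Hosts) {
        try {
            $hf = Get-HotFix -Id $Kb -ComputerName $h -ErrorAction Stop
            [pscustomobject]@{ Host = $h; Installed = $true;  InstalledOn = $hf.InstalledOn; Note = '' }
        } catch {
            [pscustomobject]@{ Host = $h; Installed = $false; InstalledOn = $null; Note = $_.Exception.Message }
        }
    }
}

# 2. Package integrity. Get-AuthenticodeSignature validates the signature and its chain; the
#    thread's point is that editing a signed file without re-signing it (which would produce
#    a fresh timestamp) makes this check fail. Deploy only when Status is 'Valid'.
function Test-UpdatePackageSignature {
    param([string] $Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path not found (placeholder path in this example)"
        return $null
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                         # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject # set when the signature was countersigned
        Deployable  = ($sig.Status -eq 'Valid')
    }
}

Get-Kb4012598State -Hosts $ComputerName | Format-Table -AutoSize
Test-UpdatePackageSignature -Path $PackagePath | Format-List
```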

14 minutes ago, KuJoe said:

First off, XP and Server 2003 are EOL, meaning the people running those OSes were told years ago they would not be getting patched for critical exploits or otherwise without writing a sizable check; the fact that MS did release patches to the public at all is extremely nice of them. The fact that they released these patches publicly is a big smack in the face for companies who spend hundreds of thousands of dollars for these patches from MS.

So yes, MS did have these OSes patched back in March and those companies still paying for XP and 2003 patches DID get them back in March. The people not paying for extended support did not get these patches until this whole WannaCry debacle.

Contrary to popular belief, MS is still writing patches for XP and 2003 but they aren't free. I can't comment on exactly how much we're paying per server (it's insanely expensive) but we still get monthly security patches including the MS17-010 fix.

EDIT: And I have confirmed on a handful of our 2003 servers at work that these were patched for MS17-010 prior to this month.

here's the funny hypocritical bit - MS does not care about the consumer

but, at the same time, went on a high horse and accused the NSA of not disclosing the exploit - but they did know, they knew since February at least if not earlier

the problem is that MS could've diminished the ransomware impact if they would've released the fixes as soon as possible - they did not

the OSes in question are out of the support window, so why did MS even bother to publicly release the patches!? do they care only about the money or don't they?

if MS had released the patches for everyone at the same time, would they have got less money? they would not have!

MS literally holds people's data hostage, they're at the same level as the people that developed the ransomware - pay to secure your data or lose it


4 minutes ago, zMeul said:

here's the funny hypocritical bit - MS does not care about the consumer

but, at the same time, went on a high horse and accused the NSA of not disclosing the exploit - but they did know, they knew since February at least if not earlier

the problem is that MS could've diminished the ransomware impact if they would've released the fixes as soon as possible - they did not

the OSes in question are out of the support window, so why did MS even bother to publicly release the patches!? do they care only about the money or don't they?

MS literally holds people's data hostage, they're at the same level as the people that developed the ransomware - pay to secure your data or lose it

watch this video, having a hateboner is not going to help

edit- this video should give you a good idea of what the virus is and how it came to be.


1 minute ago, nerdslayer1 said:

watch this video, having a hateboner is not going to help

I'm not watching a 15 minute video at 2:20AM; what for?!

fucking hospitals were hit by the ransomware and this put people's lives at risk

MS are behaving like raving lunatics with a single purpose, money, doing everything to get it - while at the same time preaching from their high horse how professional they are


12 minutes ago, zMeul said:

the problem is that MS could've diminished the ransomware impact if they would've released the fixes as soon as possible - they did not

Do you honestly think that if they had released the patches a few weeks earlier the people who were unpatched this month (almost 2 months later) would have been patched? Nope. If MS had released a patch in 2016 then MAYBE it would have limited the outbreak but I highly doubt it. So far every person's PC that I've updated to patch for MS17-010 needed at least every patch from 2017 with quite a few still not even having a service pack installed.

Is Microsoft to blame for WannaCry? Nope, not in the slightest. Now had they known about the exploit and never released a patch for it then there would be lawyers involved but as it stands MS did an adequate job of releasing a patch for their clients and anybody who says otherwise needs to switch to Linux already before their blood pressure gets too out of control.


5 hours ago, Drak3 said:

According to most people: 10 minutes, from the whiteboard to fully functional and completely tested patch.

Bullshit. Just coding and compiling Hello World would take that long.


Just now, KuJoe said:

Do you honestly think that if they released the patches a few weeks earlier the people who were unpatched this month (almost 2 months later) would have been patched? Nope. If MS had released a patch in 2016 then MAYBE it would have limited the outbreak but I highly doubt it. So far every person's PC that I've updated to patch for MS17-010 needed at least every patch from 2017 with quite a few still not even having a service pack installed.

Is Microsoft to blame for WannaCry? Nope, not in the slightest. Now had they known about the exploit and never released a patch for it then there would be lawyers involved but as it stands MS did an adequate job of releasing a patch for their clients and anybody who says otherwise needs to switch to Linux already before their blood pressure gets too out of control.

who knows? maybe ... most people don't mess with Windows Updates and if MS had pushed the KB at the same time back in March I would guarantee the spread of the exploit would've been diminished

is MS to blame? yes!

did MS have knowledge of the exploit beforehand? yes!

did MS create fixes for the exploit? yes!

did MS release all fixes for all OSes they worked on? no!

and because of this the ransomware spread like wildfire on a global level

