
what's worse: not disclosing a vulnerability or not releasing a patch a.s.a.p.?

Thread cleaned.

 

Please keep the personal insults out of the discussion.

If you need help with your forum account, please use the Forum Support form !


Just now, zMeul said:

who knows? maybe ... most people don't mess with Windows Updates and if MS had pushed the KB at the same time back in March I would guarantee the spread of the exploit would've been diminished

 

is MS to blame? yes!

did MS have knowledge of the exploit beforehand? yes!

did MS create fixes for the exploit? yes!

did MS release all fixes for all OSes they worked on? no!

and because of this the ransomware spread like wildfire on a global level

Maybe people should look up the definition of "END OF LIFE"

He who asks is stupid for 5 minutes. He who does not ask, remains stupid. -Chinese proverb. 

Those who know much are aware that they know little. - Slick roasting me

Spoiler

AXIOM

CPU- Intel i5-6500 GPU- EVGA 1060 6GB Motherboard- Gigabyte GA-H170-D3H RAM- 8GB HyperX DDR4-2133 PSU- EVGA GQ 650w HDD- OEM 750GB Seagate Case- NZXT S340 Mouse- Logitech Gaming g402 Keyboard-  Azio MGK1 Headset- HyperX Cloud Core

Official first poster LTT V2.0

 


Just now, wkdpaul said:

Thread cleaned.

 

Please keep the personal insults out of the discussion.

I was wondering why page 3 disappeared as I clicked it lol


1 minute ago, Clanscorpia said:

Maybe people should look up the definition of "END OF LIFE"

then why MS even bothered to release the patches to public? out of mercy? pity?

MS only did it because it made them look very bad, otherwise they wouldn't've budged a finger


Just now, zMeul said:

who knows? maybe ... most people don't mess with Windows Updates and if MS had pushed the KB at the same time back in March I would guarantee the spread of the exploit would've been diminished

 

is MS to blame? yes!

did MS have knowledge of the exploit beforehand? yes!

did MS create fixes for the exploit? yes!

did MS release all fixes for all OSes they worked on? no!

and because of this the ransomware spread like wildfire on a global level

If only we lived in a perfect world where companies offered a lifetime warranty on everything we bought, but they don't and the people were told well in advance. If you want to continue discussing this we'll need to both agree that this discussion will have to take place in reality and not a fantasy world.

-KuJoe


2 minutes ago, zMeul said:

then why MS even bothered to release the patches to public? out of mercy? pity?

MS only did it because it made them look very bad, otherwise they wouldn't've budged a finger

Because it was spreading so they decided to release them?


2 minutes ago, zMeul said:

then why MS even bothered to release the patches to public? out of mercy? pity?

MS only did it because it made them look very bad, otherwise they wouldn't've budged a finger

You're right, they shouldn't have. But they did because they were being extremely nice. How greedy of them only caring about money! xD

-KuJoe


Just now, KuJoe said:

If only we lived in a perfect world where companies offered a lifetime warranty on everything we bought, but they don't and the people were told well in advance. If you want to continue discussing this we'll need to both agree that this discussion will have to take place in reality and not a fantasy world.

I asked once and I'll ask again

were these OSes out of support period? yes - then why MS even bothered to release the patches publicly?

 

what MS did was to:

  • know about the exploit
  • create fixes for affected OSes
  • push the fixes to select clients
  • blame the NSA for not making public the exploit
  • this allowed the ransomware to spread globally
  • then MS publishes all the fixes - too late

19 minutes ago, zMeul said:

the problem is that MS could've diminished the ransomware impact if they would've released the fixes as soon as possible - they did not

Where's your source for that statement? How do you know, 100% sure, that they didn't release a functional fix as soon as they could? Give us a source that the finalized versions of those updates underwent every bit of validation and tweaking, that the delivery system was in proper, working order for new updates, early enough to prevent anything.

 

Because a build date in meta data doesn't mean jack, because it doesn't reflect every change that had to be made before they can be pushed.

6 minutes ago, JoostinOnline said:

Bullshit.  Just coding and compiling Hello World would take that long.

The joke.

 

1 minute ago, Clanscorpia said:

Maybe people should look up the definition of "END OF LIFE"

Would like to point out, Windows 8, one of the versions supposedly held back, isn't EoL. It's still supported. It's only End of Sale.

2 minutes ago, wkdpaul said:

Thread cleaned.

With cleansing fire of a vengeful god?

 

@JoostinOnline

 

Your head.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


3 minutes ago, Clanscorpia said:

Because it was spreading so they decided to release them?

it already spread and they had no obligation to release them, as you pointed out

so ...


1 minute ago, zMeul said:

it already spread and they had no obligation to release them, as you pointed out

so ...

 
 

they were helping out all the Businesses who were affected and getting free PR at the same time. 


Just now, zMeul said:

I asked once and I'll ask again

were these OSes out of support period? yes - then why MS even bothered to release the patches publicly?

 

what MS did was to:

  • know about the exploit
  • create fixes for affected OSes
  • push the fixes to select clients
  • blame the NSA for not making public the exploit
  • this allowed the ransomware to spread globally
  • then MS publishes all the fixes - too late

To me it looks like a PR stunt and a damn good one. Yes, it was late but enough people and news outlets praised them for patching EOL OSes that it was worth it to them. Does it make them the bad guy for releasing something for free that would otherwise cost more than a Windows license? To my knowledge I cannot think of any other OS developer who has ever done this, even most open source projects won't go back and patch their EOL versions.

 

As for blaming the NSA for not reporting the exploit, of course they should blame them. If the NSA knew about the exploit before MS did then not reporting it would mean we would have to wait for MS to find the exploit themselves before they could patch it. You should be mad at somebody for not fixing something they don't know about.

-KuJoe


10 minutes ago, zMeul said:

it already spread and they had no obligation to release them, as you pointed out

so ...

How were they supposed to know it was so big? Do you expect them to release security updates for every exploit found in an EOL OS?

 


Just now, KuJoe said:

To me it looks like a PR stunt and a damn good one

that backfired right in their fucking heads

 

Quote

You should be mad at somebody for not fixing something they don't know about.

really?

let's see:

  • MS fires all their SW testers - ALL!
  • Google creates Project Zero whose aim is to discover, inform and publish zero-day exploits in all software, including Windows

NSA discovers a Windows vulnerability, but the company that designed, developed and published the OS is incapable of?! ha! xD


Just now, Clanscorpia said:

How were they supposed to know it was so big? Do you expect them to release security updates for every exploit found in an EOL OS?

they have experts and they knew it to knew it was big since they had all the patches since February, as soon as they found out


I remember Jerry said you could play devil's advocate and say MS could tell people using all these pre-W7/8 ish OS to "F off" and that they took the risk of using an outdated and unsupported system.


Just now, zMeul said:

they have experts and they knew it to knew it was big since they had all the patches since February, as soon as they found out

Well, you normally patch something as soon as it comes up... That's a shitty argument


Maybe they released the patches to the other systems for the sake of hitting every business-PC under the sun regardless of needing an IT team to [roll] it out.

 

@leadeater Does this sound plausible? Would MS be able to get through?

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


11 minutes ago, zMeul said:

that backfired right in their fucking heads

How did it backfire? I haven't heard about any negative press from releasing updates for EOL versions of Windows. I'm interested to see who is upset at MS for releasing a patch that affects a lot of people and businesses.

 

Quote

really?

let's see:

  • MS fires all their SW testers - ALL!
  • Google creates Project Zero whose aim is to discover, inform and publish zero-day exploits in all software, including Windows

NSA discovers a Windows vulnerability, but the company that designed, developed and published the OS is incapable of?! ha! xD

I am very happy to see that you hold MS in such high regards. Your expectations of them are simply too high though so I would knock it down a bit, they aren't perfect like you expect them to be but they aren't horrible either. It makes sense why you are so upset now, you don't like it when Microsoft's flaws are revealed to the public but it's OK, they're not going out of business so cheer up. :)

 

At first I thought you were just a professional angry person whose job is to always be angry at something regardless of how little, but now I see the truth and you'll be fine. This is a safe place. The world isn't perfect and that's OK. ;)

-KuJoe


Just now, zMeul said:

I'm talking about the OSes that got patched: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

  • Windows XP - Embedded, x86, x64
  • Windows Server 2003 - x86, x64
  • Windows Vista - x86, x64
  • Windows 8 - x86, x64
  • Windows Server 2008 - Itanium, x86, x64

So all EOL


Just now, Clanscorpia said:

So all EOL

huh!? MS released the patches


Just now, zMeul said:

huh!? MS released the patches

For EOL products, why are you complaining? That's a lot of money they lost


This is unreal. Windows XP/8/Server 2003 are all officially unsupported. Microsoft wasn't even legally obligated to support those OSes anymore. They patched them (for un-paying users) because Microsoft was trying to avoid a global catastrophe 

 

 

 

The biggest flaw in your argument? Microsoft supports Windows XP actively for people who pay for extended out of warranty support. Of course they patched it in March, but only for paying out-of-warranty subscribers. All of those hospitals and airports and businesses who were affected and running XP weren't paying for crucial security updates. That's borderline criminal. Microsoft should be applauded for releasing this patch for non-paying Windows XP users. 

This topic is now closed to further replies.