Microsoft customer warning: Bad exploit in Windows

It’s interesting, I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing: warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places. I’m off to check with Stephen Toulouse of the security response center here at Microsoft (I’m a bit at a disadvantage because I’m blogging from Hitachi’s Storage DataSystems Headquarters — I’m heading back to Microsoft’s offices so I can get access to Microsoft’s internal information sharing systems). The security response center is listening to email sent to secure@microsoft.com — if you have a new security problem, that’s a good place to send email to. Microsoft’s security Web site is here. If you need support with one of our products, please contact support here.

Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.

I have a video interview with Stephen on Channel 9, in case you want to know a little more. Here’s a tour of the response center’s workers so you can get a little better idea of the people who are working hard to fix this problem.

Update 2: the Security Response Center has posted a security advisory on this issue.

  • Kirsty

    Do Hitachi let strangers use their corporate network for internet access?? If so then they need to sort out their internal network policy and worry about patches after that

  • http://scobleizer.wordpress.com/ scobleizer

    Kirsty: I’m not a stranger to Hitachi Data Systems. Their employees were watching what I was doing anyway. Thanks for your concern!

  • Christopher Coulter

    what to do in a crisis…Warn your customers.

    Considering it’s MFST, hourly updates then. ;)

    But wait a second here, warn your customers? You punish security groups that do the same thing BEFORE a patch. You warn only AFTER a patch is available. At least that is your company policy. Whole raft of guidelines on how to report a security vulnerability to Microsoft. Warn your customers? Exactly WHEN do you do that? When it first hits the blogs?

    Now say you were a security company like maybe Hexview or someone like Michal Zalewski, instead of a clueless blogger, why MFST’d punish you to high hell for warning, out of turn, and deny that they even got the emails/reports. They’d go “not disclosed responsibly, potentially putting computer users at risk.”

  • Smoi

    Some day, some day Christopher, you’ll realise that MFST is actually MSFT. At least then you’ll gain some limited credibility when everyone else realises what you are blabbing about is in line with what they think you are blabbing about. As opposed to being known as a know-it-all troll with no deliverables to back up your rants. Each comment dilutes the essence of the previous – maybe a year or so ago you could have been taken seriously within a soundbite, but now you can’t even get the company symbol right. Lay off the meds dude :-)

  • http://scobleizer.wordpress.com/ scobleizer

    Christopher: it’s out in the wild. I’d rather it not be, but because the exploit is out there I want to let customers know what the latest info is. You did notice that I pointed to where the official sources of info are, right? I have not communicated any new information other than to tell you what the latest news is. More to come, I’m sure.

  • http://andirog.blogspot.com/ Anil Gupta

    Kirsty, providing access to the Internet for visitors is quite common, in my experience. Companies set up a separate virtual LAN / wireless LAN to isolate visitors from internal resources.

  • Christopher Coulter

    haven’t posted about this issue yet…

    Then you should keep quiet, and not warn anyone, at least if you want to follow your own company’s policies. So it’s wrong for security companies (even if you parse it as ‘news’), but ok for you? Even CERT gives the vendor 45 days, before reporting such “news”. Just interesting however, that it’s somehow ok for you (and bloggers), but wrong for everyone else. Not saying you did anything wrong, not in my book, but by your own company’s security vulnerability reporting policies. Irony, no? ;)

    Security Company – Warn! News! This event happened! We can replicate! – “Out-of-turn, irresponsible. Not disclosed responsibly.”

    Scoble – Warn! News! This event happened!, Bloggers can replicate! – “I (just) want to let customers know what the latest info is. And hey I pointed to the right websites”

    And Smoi, I guess the concept of satire and irony is wholly lost on you. Sigh. But I will symbolize the ‘correct’ way for your sake. The joke has run its course anyways.

    Does no one understand irony anymore?

  • Smoi

    Christopher, satire and irony is by no means lost on me. I grew up in the UK – we invented it, y’know? I should caveat that by saying that CONSTRUCTIVE and INTELLIGENT satire and irony is not lost. It’s the dumb, belligerent and petty stuff that falls through the gap. With that in mind, I still don’t get what you’re trying to say by your allegedly intentional dyslexia. That aside – the remainder of my post still stands.

    Irony is only evident when used intelligently. Otherwise your comments are scanned, and dismissed with the word “prick” in mind.

  • http://scobleizer.wordpress.com/ scobleizer

    Christopher: watch the video to see what the difference is between responsible and unresponsible disclosure. I have not disclosed anything here that isn’t already public. That’s responsible. What’s unresponsible would be explaining an exploit for the first time without giving security researchers first shot at it.

    But, thanks for continuing your series of “Scoble is wrong” posts.

  • Keith Patrick

    I got hit with it yesterday on a clickthrough of a piece of spam, assuming my system was secure enough to not get hit. My mistake, as I had been running as admin to debug asp.net code (although 2.0 allows me to run as limited but I was too lazy to change it) and am running a recently-expired copy of McAfee, but it sounds like it wouldn’t have mattered. It freaked me out how quickly it worked and that it installed that much software. Sets the homepage to a spyware page, installs spyware + an onLoad bootstrap AND activates an ActiveDesktop policy that disables your ability to set the wallpaper. Took me about half an hour to fix everything and then set my system back to a restore point 12 hours before infection to be safe.
    Nasty, nasty stuff

  • http://blog.becksolutions.net/ Larry Beck

    Robert – this is the first I’ve seen of this new threat, and it makes me EXTREMELY happy to see it coming here. Take that as a definite sign that you are reaching success in your objective to put a face on a huge corporation.

  • http://jeremiahthewebprophet.blogspot.com/ Jeremiah Owyang

    Larry

    Hear, hear! Robert is a quick one.

    You should have seen how fast Robert addressed this issue.

    Yes, I did learn a lot at today’s lunch. He was quick to listen (his cell is connected to him) and he was quick to respond.

    We had JUST talked about this with Shel Israel on how to handle crisis a few minutes before this hit, and watching the man practice what he preached was quite amazing.

    He got the word out, signaled teams to correct the issue, and addressed you all…all between and after a few pieces of sushi.

  • http://scobleizer.wordpress.com/ scobleizer

    Jeremiah: yeah, I watch Memeorandum multiple times a day, just to see what’s happening. This one went to the top of Memeorandum while we were meeting.

  • http://scobleizer.wordpress.com/ scobleizer

    By the way, thanks for lunch!

  • Christopher Coulter

    Your definition of “responsible” and “unresponsible” by saying it’s already news therefore ‘ok’, doesn’t wash with your own company. Tons of security companies that have reported on things already in the public domain that have had their wings clipped.

    Crying Chicken Little (hey, it’s news) before your own people swat at it or even have a chance to blog about it, falls under “unresponsible”. Imagine if all the blogger reports are WRONG, what then. Sounding a false alarm?

    (PS – to be Smoi boorishly nit-picky, the word is actually “irresponsible”. But I got what you were trying to say, and didn’t lay down a mile of snark)

    The difference between what is responsible and what is not is determined by exactly how embarrassing it becomes for said company. If a vendor does NOT fix something, and has no inclination to do so, yet has been informed, then it is actually responsible to go over their heads. Delicate balance, CERT plays it best.

  • http://scobleizer.wordpress.com/ scobleizer

    Christopher: whatever. I didn’t disclose anything. It’s pretty obvious you don’t know the difference between disclosure and linking.

    Either way, here’s the latest security advisory: http://www.microsoft.com/technet/security/advisory/912840.mspx

  • http://scobleizer.wordpress.com/ scobleizer

    Christopher: it was a worldwide PR crisis before I got involved. It was on the top of Memeorandum and is still there.

  • Christopher Coulter

    But, thanks for continuing your series of “Scoble is wrong” posts.

    Ahhh, you make it easy. ;) But actually I don’t think you are ‘wrong’ yourself, in so much that you are wrong in terms of your own company’s reporting policies.

    Plus this could be something that impacts a minor minor few, and you have made it into a worldwide PR crisis, before they have really dug in. Not saying cover-up, just saying don’t overblow either. But said my piece. End Prog.

  • Christopher Coulter

    Linking? You cop-out with that? After a title with: “Microsoft customer warning: Bad exploit in Windows”

    Heh. But yeah, as you say, whatever.

  • http://scobleizer.wordpress.com/ scobleizer

    That’s a warning, not a disclosure. Geeeessshh. And I was late there after at least 30 blogs had said the same thing.

  • Christopher Coulter

    On the top of Memeorandum is not a worldwide PR crisis. A post on the unofficial ‘third man’ Microsoft spokesperson blog is. :) (Hey, saying something nice).

  • http://scobleizer.wordpress.com/ scobleizer

    I’d rather that our customers know there’s a problem and worry about the PR implications later.

  • Jeremy Dunck

    Humans yet live within the borg cube.

  • Christopher Coulter

    Well, how about a fix? regsvr32 /u shimgvw.dll anyways. A 0 day exploit sure highlights the fallacy of security thru obscurity or forever proper disclosure policies. But I guess I lost that ironic battle. In ‘links’, ‘warnings’. Never mind.

    But some good info…

    http://isc.sans.org//diary.php?storyid=972

  • Christopher Coulter

    I’d rather that our customers know there’s a problem and worry about the PR implications later.

    Likewise. But such violates your company policy. My point. But (obviously) beating a dead horse.
