
MS Windows 7 pre-beta gets a security patch 13 days early

Is the release of a security update for MS Windows 7 two weeks before it's available to the public a sign of security troubles to come, or is it a sign that Microsoft is finally paying real attention to security?

Microsoft's upcoming presentation of Windows 7 at PDC2008 is scheduled for next Tuesday. Among other things, it is expected to fill in a gap in Microsoft's operating system strategy, addressing the need for OSes that will run efficiently on a class of laptop computers that has come to be called "netbooks".

The growing popularity of netbook laptops such as the Eee PC, most of which run a custom Linux distribution with MS Windows XP only offered on the most expensive models, has led many to suggest that low-power, highly mobile, efficient, and low-cost little computers like the Eee PC might represent the tipping point for mass adoption of open source operating systems. The words "the year of Linux" have been uttered many times.

There's speculation that MS Windows 7 will address the netbook market more effectively than the pared-down version of MS Windows XP Home Edition that is offered on the most expensive Eee PCs. On Tuesday, Microsoft is expected to provide a pre-beta version of Windows 7 for attendees of PDC2008.

This is where things get strange:

A highly dangerous security vulnerability was discovered in MS Windows 7 between when the CDs to be distributed at PDC2008 were created and now. Microsoft has, as a result, released a security patch for software that hasn't been released yet. The patch announcement says:

A security issue has been identified that could allow an authenticated remote attacker to compromise your Microsoft Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows 7 Pre-Release License Terms.

I'm tempted to make jokes about security vulnerabilities being so numerous in something created by Microsoft that the company's patches have started appearing before it's even available. "Oh, it's starting already," I'm tempted to think. That's not really the lesson to be taking from this.

What I find remarkable is that Microsoft has provided a security patch before it is needed. In the past, the company's record for providing a patch to the public was ten days -- a dismal record, considering the fact that other operating systems' average patch time is less than that. With this Microsoft security update, available for almost a week already, we have a patch available 13 days before anyone outside Microsoft will even have the operating system.

I don't know how long ago the MS Windows 7 CDs were created, and I certainly don't know how long ago Microsoft became aware of this vulnerability. As such, I don't actually know how long it took Microsoft to develop, test, and release this patch. For once, I hope that a security update took longer to go through all of that, rather than taking less time, because it might suggest that Microsoft did a very thorough job of properly patching the vulnerability. Since there isn't as much urgency, from the point of view of the world outside Microsoft's walls themselves, it makes sense for the company to take its time and do the best job it can.

Superficially, however, a security update released 13 days before its public user base will even potentially be affected looks like a good sign for Microsoft's future attention to security. The company's marketing department and executives -- and Bill Gates himself -- have been talking about the company's increased focus on security for years, now. On the other hand, it seems likely that this happened only because Microsoft had a lot of lead time before the patch would be needed. A better test would be if another such vulnerability were discovered, say, today. How quickly would an update appear?

If this event is what it superficially looks like, however, Microsoft may finally start walking the walk after talking the talk for so long. Only time will tell.


About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
Photogenic Memory

? I guess moments like this should tell me "Google is your best friend", LOL!

Oz_Media

While you suggest, as does MS I'm sure, that only people within MS have a Beta of Windows 7, it is actually in widespread use/testing/hacking by anyone with a computer and an urge to be the first to hack it apart. Three different betas have been released as torrent files on P2P networks in the last few months, the latest even incorporating what they deem is the final revision of the 'missing taskbar'. Until now, the taskbar has looked like a bad WinAmp skin, boxy and plain, but the last release showed a taskbar similar to the Vista bar, which amusingly everyone seems to love, while hating the look of Vista (go figure). So while the OS in its infancy has been publicly available for a few months now, so have the hackers been looking for new vulnerabilities, as it is MS licencing has already been hacked and you can download a version that allows itself to login to the MS developer website and get the latest updates they make available for testers. In short, if you are a beta tester, you will probably get more up-to-date releases and updates from a cracked torrent file and P2P chat room than from MS themselves. I didn't think it was anything new at all, looks and feels just like Vista and apparently Vista is horrible, even though absolutely fine for me and I've had no problems at all with it, despite a few daunting mass email issues that are most likely server related. The last release I saw was 32 bit release 6801, though I think a couple of others came out since then. However there is a 64 bit out too, http://thepiratebay.org/torrent/4476097/Microsoft.Windows.7.64Bit.Build.6801.DVD-WinBeta Other private trackers have more up-to-date versions with better cracks/serials applied to them. As always the hackers beat the programmers to the punch, MS needs to hire more hackers and stop trying to beat them at their own game.

dhamilt01

I think Microsoft got April Fool's mixed up with Halloween Tricks. A patch released BEFORE the actual software is released? That's gotta be an April Fool's gag. Or... maybe they are just tricking us (again) into believing that maybe (just maybe) they "really" care about us and want us to think more kindly of them ... even after all they've done to us over the years! Then why does Santa Claus have Microsoft as the FIRST name on his "naughty" list eh?

Oz_Media

They released one on the first Beta too, but that was to try and stop the hackers from offering licensed copies on P2P sites. Now that they failed at that, you can download the latest Betas 32 or 63 bit from any public torrent tracker site, like The Pirate Bay, ISO Hunt, MiniNova, RapidShare etc. The software will activate and be able to connect to the developer site for any updates and patches that are issued by MS. Windows 7 has already been shot down by the masses, though only in Beta versions.

nwilt

How do you know Father Xmas has Microsoft first on his list??? mmmm

john3347

With Microsoft's performance from Windows 2000 to Windows XP, then from Windows XP to Windows Vista, and from XP SP2 to XP SP3; how can anyone have ANY hope in the world for Windows 7? My best expectation for Windows 7 is a further messed-up Vista.

Beoweolf

Yes, I too think that there 'should be' a transition/migration path from existing Windows installs to Windows 7, but Microsoft does explicitly state that it is committed to bringing the world (kicking and screaming) to 64 bit. Obviously, this will require the cooperation of vendors in providing drivers that work. As you noted, most likely they will use this, much as they did with Vista as a way to boost sales and profit by forcing the public to purchase new hardware. Or, you can burn the midnight oil and spend the time to write your own. You can develop drivers for Windows just as easily as you can for xNIX OS.

charles.homsy

I know one thing, I've gotten to play with the installer and it's just as bad as Vista's. Wipes your hard drive and destroys everything just to upgrade Vista to Win7. I guess this is a ploy by the hardware manufacturers to make your present hardware obsolete whenever a new version of Windows comes out, or it's just callousness on Microsoft's part and their selective hearing problem is afflicting them again. Unless the installer is fixed so that it leaves the user's programs, folders and files alone and only works its magic on the OS, Windows 7 will be just another coming of Vista. How's this for a pie in the sky dream, those of us who purchased an upgrade or full version of Vista get free copies of 7, can I dream or what? That would require Microsoft to actually have some misgivings and have to admit they screwed everyone and that'll happen when . . .

lastchip

Probably a bit of both, but to my mind, it shows however hard they try, the inherent architecture that *is* Windows, is never likely to produce a secure system. They've actually become a victim of their own success. The real answer for them is to scrap existing Windows and start from scratch. But we also all know, due to existing installations, that isn't an option. Something about a "rock and a hard place"? Edited - minor correction

Selvarin

For what it's worth, Leo Laporte and Paul Therrott (sp?) discussed a recent patch on Windows Weekly. Leo noted that the patch update on his Vista system mentioned it as also being applicable to Windows 7. Since Win7 has been described as 'Vista only better' (less bloat, better UI, etc.)...sounds like shared code. No big deal.

Tony Hopkinson

bugs are in 7, bearing in mind some of them are unpatched XP ones, which are unpatched 2k ones, which are unpatched NT4 ones. SSDVersion......

AlexNagy

It is for those who were led to believe that Win7 was to share as little code from the older versions of Windows as possible. Either the marketers and developers are out of sync again or a purposeful lie? Either way inconsequential to the issue at hand. A patch has been issued for software that hasn't even been released to any users as of yet. Not very promising.

Tony Hopkinson

An authenticated remote attacker. Authenticated by whom, when and with the privileges to do what? Trying to figure out which part of the system is broke. The description on MS's website seems somewhat terse, or perhaps obfuscated. Privilege escalation again?

Oz_Media

For the last three Betas there have been hacks where you can download a copy from a P2P tracker and actually go online to MS and update it or get the latest patches, each time they stop it and add a new key system, it is hacked in minutes. Now I know that is different than a security vulnerability but it does show that MS can't even secure their licensing system, let alone the software that uses it.

apotheon

Expect an article on this subject in about two weeks.

AlexNagy

Interesting to say the least. Perhaps you're right. Maybe MS has finally started to walk the walk. Even so it has a long walk to catch up with Linux, Apple and the like.

Manitobamike

It could be that MS released the patch pre-release because the gap in the security was so blatant that even a novice could crack into any system.

apotheon

Starting with a new OS that (supposedly) doesn't share much fundamental codebase with previous versions of MS Windows, Microsoft might be able to get up to speed on security very quickly. All it would really need to do is employ a whole new set of policies for dealing with matters of security -- and, of course, do a really good job of creating MS Windows 7 to use a more secure basic design in the first place. Of course, that's a deceptively simple picture of what would have to happen. Microsoft would have to somehow achieve the security benefits of having a huge community of open source developers contributing to the improvement of the software, and of security patches, among other challenges facing closed source software security (http://blogs.techrepublic.com.com/security/?p=549). There's no law of nature that prevents closed source software from achieving the same potential level of security as equivalent open source counterparts, but the challenges appear insurmountable. Who knows? Maybe MS Windows 8 will be released under a copyfree (http://copyfree.org) license. Then again, maybe pigs will fly.

AlexNagy

I'll be going to the local Wal-Mart to get my faerie pig license tomorrow. ;)

Sterling chip Camden

MS's reputation has been so badly damaged by Vista that they need to make that happen immediately and convincingly.

apotheon

Unfortunately, "convincingly" isn't necessarily correlated to "honestly". I'm not holding my breath.
