M$ knew that the Wannacrypt vulnerability had gone public in January

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

https://www.theinquirer.net/inquirer...ry-xp-patching

https://www.theregister.co.uk/2017/0...ing_flaws_too/

Patches that were apparently compiled in early February.

I wonder why ?
[]'s

--
Don't be evil - Google 2004
We have a new policy - Google 2012

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

--
best regards,

Neil

On 17/05/2017 22:40, Shadow wrote:


Patches that were apparently compiled in early February.

I wonder why ?
[]'s

Because Microsoft is still providing support of XP to anybody (mainly
big corporations and Governments) who is prepared to pay for the
service. Therefore, the patch was already prepared for them but out of
loyalty decided to release it for the general public to patch up their
old xp machines just for the attack that took place last week. No big
surprise in this don't you think so?

--
With over 500 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching

https://www.theregister.co.uk/2017/0...ing_flaws_too/


I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

--
Don't be evil - Google 2004
We have a new policy - Google 2012

"Shadow" wrote

| Patches that were apparently compiled in early February.
|
| I wonder why ?

Patches compiled in Feb and included in the March
update. Doesn't that make sense? The XP issue is
interesting, though. The NSA have turned into blackhats.
Meanwhile MS criticizes them for not reporting the
bug. Yet MS routinely withhold patches from XP (and
now apparently also from Win7 with newer CPUs).
And they're famous for stalling on patches until
someone like Google goes public with them.

They make all the patches for XP, and they sell them
to companies willing to pay through the nose. But
they won't sell them at any price to the general
public because they want to push people to buy new
computers. Wannacry has shed a lot of light on a
lot of dark, stinky corners of both gov't and tech
companies.

I was surprised at how much MS are extorting
from the British health centers for XP support: $200
for year 1, then that doubles each year. No wonder
the Brits were trying to get by without paying for
support.

On 18-May-17 1:39 AM, Mayayana wrote:
Wannacry has shed a lot of light on a
lot of dark, stinky corners of both gov't and tech
companies.


Beautifully put.

On 05/18/17 00:28, Good Guy wrote:
On 17/05/2017 22:40, Shadow wrote:


Patches that were apparently compiled in early February.

I wonder why ?
[]'s

Because Microsoft is still providing support of XP to anybody (mainly
big corporations and Governments) who is prepared to pay for the
service. Therefore, the patch was already prepared for them but out of
loyalty decided to release it for the general public to patch up their
old xp machines just for the attack that took place last week. No big
surprise in this don't you think so?

They only released it for their own stock price wouldn't fall like a
stone as it would if they kept internet in chaos and let wannacry keep
on infecting machines.

On 5/17/2017 7:29 PM, Shadow wrote:
On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching

https://www.theregister.co.uk/2017/0...ing_flaws_too/


I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

Your premise is quite clear...without any clue as to why it might take a
couple of weeks for a company to release an update, you merely complain
that they didn't. Whatever you think might be the point of such
"reports", IMO, it's neither informative nor useful information.

--
best regards,

Neil

Neil wrote:
On 5/17/2017 7:29 PM, Shadow wrote:
On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching


https://www.theregister.co.uk/2017/0...ing_flaws_too/


I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

Your premise is quite clear...without any clue as to why it might take a
couple of weeks for a company to release an update, you merely complain
that they didn't. Whatever you think might be the point of such
"reports", IMO, it's neither informative nor useful information.


A lot of testing has to go into SMB changes. SMB has
"versions" and "dialects", and has to be matrix tested
against all the OSes. I'm sure whatever they use for a
test suite, hasn't been taken apart and destroyed in the
name of purity. Still, it's going to take a while to
test and make sure the patches don't break anything.

I still haven't seen any comments from WePOS users, as to
whether they got a patch or not automatically. And at what
point in time.

Paul

On Thu, 18 May 2017 08:43:38 -0400, Neil
wrote:

On 5/17/2017 7:29 PM, Shadow wrote:
On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching

https://www.theregister.co.uk/2017/0...ing_flaws_too/


I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

Your premise is quite clear...without any clue as to why it might take a
couple of weeks for a company to release an update, you merely complain
that they didn't. Whatever you think might be the point of such
"reports", IMO, it's neither informative nor useful information.

TWO MONTHS is not a "couple of weeks". Maybe you use a
different calendar.
And they could have released a 'notice' warning about the SMB
issue, so IT techs could have minimized the impact of the exploit,
which hit Win 7 and 10.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

On 5/18/2017 9:37 AM, Shadow wrote:
On Thu, 18 May 2017 08:43:38 -0400, Neil
wrote:

On 5/17/2017 7:29 PM, Shadow wrote:
On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching

https://www.theregister.co.uk/2017/0...ing_flaws_too/


I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

Your premise is quite clear...without any clue as to why it might take a
couple of weeks for a company to release an update, you merely complain
that they didn't. Whatever you think might be the point of such
"reports", IMO, it's neither informative nor useful information.

TWO MONTHS is not a "couple of weeks". Maybe you use a
different calendar.
And they could have released a 'notice' warning about the SMB
issue, so IT techs could have minimized the impact of the exploit,
which hit Win 7 and 10.
[]'s

Your "warning" notion reminds me of those commercials where the "problem
monitor" informs the person of a problem, but it isn't his job to
provide a fix.

My calendar puts February ONE MONTH before March, which means it was a
matter of WEEKS between developing the patch and its distribution to
Win10 users in Mid-March. Do you have any clue what it takes to do that?
I think not.

--
best regards,

Neil

On 5/18/2017 9:11 AM, Paul wrote:
Neil wrote:
On 5/17/2017 7:29 PM, Shadow wrote:
On Wed, 17 May 2017 17:57:38 -0400, Neil
wrote:

On 5/17/2017 5:40 PM, Shadow wrote:

And waited almost 2 months to issue patches for Win 7 and 10, and 3
months for XP.

[...]

Patches that were apparently compiled in early February.

As shown here (you deleted the links):

https://www.theinquirer.net/inquirer...ry-xp-patching


https://www.theregister.co.uk/2017/0...ing_flaws_too/



I wonder why ?
[]'s

Why not? It's the USER'S responsibility to make unsupported OS versions
secure as well as to keep supported versions up-to-date. Those that
choose to do otherwise suffer the consequences, and we'll see whether
they learn anything from this episode or continue to point fingers.

All those words must be tough .... MS was warned in JANUARY
that their backdoor had gone public and was being exploited. They
compiled patches for Win 7 and 10 in early FEBRUARY, but only released
them to users in MARCH.
IOW, lusers that "keep supported versions up to date" were
vulnerable for TWO months.
Please read the reports before commenting.
[]'s

Your premise is quite clear...without any clue as to why it might take
a couple of weeks for a company to release an update, you merely
complain that they didn't. Whatever you think might be the point of
such "reports", IMO, it's neither informative nor useful information.


A lot of testing has to go into SMB changes. SMB has
"versions" and "dialects", and has to be matrix tested
against all the OSes. I'm sure whatever they use for a
test suite, hasn't been taken apart and destroyed in the
name of purity. Still, it's going to take a while to
test and make sure the patches don't break anything.

I still haven't seen any comments from WePOS users, as to
whether they got a patch or not automatically. And at what
point in time.

Paul

Some get it, others not so much. Users of a poorly maintained or
unsupported OS are in no position to whine about the time it took to get
a free fix. Priorities have an impact on such things.

--
best regards,

Neil

J.O. Aho wrote:
On 05/18/17 00:28, Good Guy wrote:
On 17/05/2017 22:40, Shadow wrote:

Patches that were apparently compiled in early February.

I wonder why ?
[]'s

Because Microsoft is still providing support of XP to anybody (mainly
big corporations and Governments) who is prepared to pay for the
service. Therefore, the patch was already prepared for them but out of
loyalty decided to release it for the general public to patch up their
old xp machines just for the attack that took place last week. No big
surprise in this don't you think so?

They only released it for their own stock price wouldn't fall like a
stone as it would if they kept internet in chaos and let wannacry keep
on infecting machines.


Microsoft commits to supporting an OS for a fixed period.
Sometimes the period is extended, to help their bigger customers.
(In the same way as SunOS 4.1 support was dragged on a bit,
because of the situation on the installed base.)

When Microsoft really wants to commit to something, it is
put in writing on the web site. Any time they want to
flim-flam customers, they have their "partners", like
Andre Costas write an article. When Andre says something,
the lawyers can later refute what was said.

But the Lifecycle is defined on the Microsoft website.

If you use WinXP after April 2014, it is up to you
as the customer, to understand the consequences. That's
why they put that annoying "End Of Life" banner via
windows Update around that time, as an "official" warning
to the less-motivated customers. If you knew the banner
was incoming on Windows Update, you could avoid installing it.

Sure their stock price could fall. But there have been
other issues, for which Microsoft did not patch WinXP
(if you're lucky, maybe WePOS got a patch), so I
don't see anything really different here. If you
want to "go rogue" with your copy of WinXP, they're
not stopping you. Any more than they're stopping Win98
users from using that OS. Did Win98 get patched ?

I don't think it's stock price. It's "Enterprise support"
that's driving the decision. They're not doing this for
NHS, they're doing this for companies that run a
clean shop and still have legacy machines present.

*******

And to show what a half job of this they're doing,
4012598 is *not* showing up in Windows Update. If
you reinstall WinXP today, you will *not* get patched
by just using Windows Update. I used wsusoffline 9.2.1
a few minutes ago, and it's obvious the wsusscn2 file
that wsusoffline uses, is "frozen in size". That means
the WinXP patch train right now, is "frozen" in some way.
So the patch that was made available, was not done properly.
The patch file is available from catalog.update.microsoft.com
(to suit IT departments), but for lazy home users, you
don't get this one by sitting on your ass. Anyone who
reinstalls the OS now, has to remember "oh yeah, don't
forget to add 4012598". I hardly see this level of service
as "saving the stock price". They extended this olive branch,
to keep some Enterprise customer from freaking out. This
doesn't look like a "home user freebie" to me, because the
usual delivery mechanism is now busted. Wsusoffline pulls
in the whole wsusscn2.cab file, just like MBSA 2.3 does.
That would suggest (I haven't tested this), that if you
scan a vulnerable WinXP machine with MBSA 2.3, it *cannot*
detect that 4012598 is missing. The onus is on the user
to do this *manually*. Hardly any face is being saved,
by doing it this way.

Paul

In message , Neil
writes:
On 5/18/2017 9:11 AM, Paul wrote:
[]
I still haven't seen any comments from WePOS users, as to
whether they got a patch or not automatically. And at what
point in time.
Paul

Some get it, others not so much. Users of a poorly maintained or
unsupported OS are in no position to whine about the time it took to
get a free fix. Priorities have an impact on such things.

I saw no whine in what Paul said.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

If you believe in telekinesis, raise my right hand

On 5/18/2017 4:34 PM, J. P. Gilliver (John) wrote:
In message , Neil
writes:
On 5/18/2017 9:11 AM, Paul wrote:
[]
I still haven't seen any comments from WePOS users, as to
whether they got a patch or not automatically. And at what
point in time.
Paul

Some get it, others not so much. Users of a poorly maintained or
unsupported OS are in no position to whine about the time it took to
get a free fix. Priorities have an impact on such things.

I saw no whine in what Paul said.

Since Paul is one of the least likely contributors on this ng to have a
poorly maintained computer, why do you think my comment referred to him?
Or, were you trying to warp the discussion in a particular direction by
snipping the relevant parts?

--
best regards,

Neil