Microsoft asked for Sasser Worm?

[Vector]

I'm a new member. I was told about this site after letting a buddy of mine know how ticked I was about Microsoft's handling of the Sasser situation.
I was one of the first to be affected. Trying to find out what was going on, I found out about the LSA problem. Over the weekend, I started researching about other users with simmilar problems, and how they were dealing with it. My search discovered some facts that I knew and a few that I didn't. Virus software (I run both AVG and McAfee VirusScan w/ firewall) could not detect the worm initially, and trying to contact MS about the problem was very problematic. I rooted around Microsoft's site to find the right patch and failed. It was a link on a bulliten board (not Microsoft) that I was able to find the patch.
Here's my gripe: Microsoft released an anouncment that there was a security hole in LSA in the middle of April. When Sasser hit at the end of April, it attacked the very hole that Microsoft released. Why not wait until they fixed the problem <i>before</i> they let the hacks know about it??? The way they handled it, it almost seemed like they invited Sasser to happen.
Maybe I'm missing something...

[flap]

The idea behind telling people about it before you release a fix is that they can take limited measures to prevent an attack, even if they're not able to fix the problem. Generally it's better to be told the problem exists, rather than to be kept in the dark in the hope that potential attackers will also be kept ignorant. However Microsoft don't always bother telling people once they've been informed of a vulnerability.
For example, if you'd read the security bulletin you could have blocked the appropriate ports on your firewall, though you probably should have had them blocked anyway.

[ May 07, 2004: Message edited by: flap ]

[M51DPS]

quote:Originally posted by flap:
For example, if you'd read the security bulletin you could have blocked the appropriate ports on your firewall, though you probably should have had them blocked anyway.

This is good advice. By default, you should block all ports except for the ones you know you need. Things like the 135-139 range (NetBIOS) most likely aren't necessary.

[flap]

If he's running a firewall I don't know why he wouldn't have had that blocked already. The average user should simply have all incoming connections rejected by their firewall - whatever system they're running.

[ May 07, 2004: Message edited by: flap ]

[Calum]

windows firewalls generally don't encourage you to know what ports are and will generally manage firewalling from an applications perspective, rather than an actual network security one.

as for microsoft's approach to users and their concerns:

[FOO]

Look at it like this if you had a bunch of friends over at "bobs" house and you heard that there was ganna be a shooting at bobs house would you try see if you could stop the shooters and not warn your friends or would you tell them that this threat is there ?