> CVE-2017-11882 and the NTLM relay attack come to mind, for example. Down the line they weren't actually fixed, and are continuously being used by a lot of ransomware / malware campaigns.
Your own sources indicate CVE-2017-11882 was fixed in November of 2017. The title of the blog.0patch.com article is
> Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)
clearly indicating that Microsoft fixed the issue, contrary to your statement that they "weren't actually fixed". The body content is consistent.
> NTLM relay attack
NTLM is bad, no question. It's based on a bad threat model - it assumes network admins can secure their corporate networks. Microsoft also fixed most of the issues in NTLM with NTLMv2 back in the Windows Vista and Windows 7 era. And Microsoft announced they will disable all NTLM versions by default within the Win11 lifetime. The biggest problem (unsurprisingly) is non-Microsoft software which has hardcoded the use of NTLM. It's fair to criticize Microsoft here for making available a technology that required so much from corporate network admins and leaving it available (and with use in Microsoft products) for so many years. At the same time, it's misleading to characterize these problems as "weren't actually fixed" - concrete issues with NTLM within its security model _were_ fixed and new technologies were created with better security models.
- https://techcommunity.microsoft.com/blog/windows-itpro-blog/...
> The link I gave you is the only disclosure/advisory page that Microsoft offers, don't blame me for them not offering a better UI. Ask them to do better.
You're mistaken. Microsoft has deep links for each CVE.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...