From misc. articles I've seen (mainly posted here on HN; I don't buy MS products) MS dismisses bug reports as unimportant and sometimes takes an extremely long time to address known security vulnerabilities.
This VM escape was initially reported as an RDP bug that MS dismissed as unimportant, until it was used as a VM escape against their hypervisor.
https://www.bleepingcomputer.com/news/security/microsoft-ign...
The (in)famous pass-the-hash bug in Windows is an example of MS not addressing serious security issues in a timely manner. Windows treats a password hash as equivalent to the password, so you don't even need to crack hashed passwords you've collected from e.g., the registry to authenticate to Windows services (MS "protected" against this attack purely client-side). Microsoft acknowledged the issue was real more than a decade before even attempting to fix it.
Apparently it was a difficult bug that included design failures, but over 10 years and multiple versions of Windows for an exploit this severe?
A couple days ago a Google Cloud container escape made HN front page. Comments on that article indicated Microsoft Azure had recently suffered the same, but while Google only allowed access to other containers owned by the same tenant, Microsoft's escape allowed access to all tenants on the same host. Google added a second layer of safety in case the first failed (a dedicated VM per host per customer to run each customer's containers). Microsoft YOLO'd. I don't care enough to research these claims beyond noting that at the time I read them, no one had disputed them.
I don't know if Microsoft is overall still worse than its competitors WRT security (I suspect it is true). But, Microsoft is certainly not an exemplar for how security should be done.
More on-topic with main thread, nonexistent support is kinda what Google is known for?
At least Google now uses abuse@gmail.com for reporting abuse from their infrastructure instead of forcing the reporting party to go through a god-awful web form (when I handled mail at past orgs, I didn't even bother reporting gmail abuse due to the hoops they made you jump through back then; I also used the RFC-Ignorant RBL to punish them and other sites that did not use the RFC mandated email addresses for reporting abuse with a higher bias toward triggering a SPAM tag on their mail).
Perhaps time for an RFC that mandates security contacts?