Op-ed: Windows 10 0-day exploit goes wild, and so do Microsoft marketers (arstechnica.com).
“There’s a zero-day exploit in the wild that exploits a key file-sharing protocol in most supported versions of Windows, including Windows 10, the latest and most secure version of the Microsoft operating system.”
But is it a real or hypothetical risk?
“The exploit is probably not worth worrying about, but you’d never know that based on the statement Microsoft officials issued on Thursday when asked what kind of threat the exploit poses: ‘Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,’ an unnamed spokesperson replied in an e-mail. ‘We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.’”
So… obviously hiding something, apart from a desire for good PR in the wake of the almighty fuss that giving away Windows 10 to forget Win 8 caused (Latest Picks 26th Aug. 2016), oh, and to pimp their new browser, which isn’t really getting much market share:
“Ars reminded the employee that an advisory issued hours earlier by the CERT Coordination Center [non-profit computer emergency response team to improve computer security] at Carnegie Mellon University warned that the vulnerability might leave Windows users open to code-execution attacks. … Ars pressed the employee several more times for details that would allow Windows users to assess the risk they faced and learn of any potential workarounds. She declined. As is almost always the case with security-related questions from reporters, people inside Microsoft declined to be interviewed.”
But hey, that matters not, because CERT now will, having held their tongue for a long enough period without Microsoft fixing it. But, indeed, as to its real seriousness, now that CERT’s warning has not been heeded:
“In the hours that followed the [Microsoft] statement, outside sources made clear that the vulnerability didn’t pose as grave a threat as was suggested by the CERT advisory. CERT had initially scored the flaw's severity with a 10, the maximum in the Common Vulnerability Scoring System. The main reason that the true severity was lower is that the exploit—which stems from a null pointer dereference bug in version 3 of Microsoft’s server message block file server protocol—could only cause computers to crash as opposed to forcing them to execute malicious code. … CERT later removed the code-execution wording from the advisory and downgraded the severity score from 10 to 7.8.”
So… despite those pulling on conspiracy dungarees and writing Micro$oft’s obituary with RumRetro free Office on Rumbunktous Linux, it’s actually rather similar to the serious Linux kernel vulnerability CVE-2016-0728 (liquidweb.com, Jan. 2016), reported in the first month of 2016 but in existence since 2012 and affecting most versions of Linux and Android. Red Hat swears it also shows no sign of “currently being exploited in the wild”, and whether it gets patched or not has been more down to the particular version of Linux distro or unpatchable Android cheddar:
- Serious Linux Kernel vulnerability patched (threatpost.com, Jan. 2016)
- Your unpatchable, insecure Android mobe will feel right at home in the Internet of Stuff era (theregister.co.uk, Mar. 2016)
But…
But that’s not for Ars to remind or push as, seriously, other than Android, most people’s experience of Linux is “Umbo what?” and “why does all the free stuff look so… retro?”, and real testing of security requires market share as a prerequisite, of the sort that Android now has. With Android, Linux and even Mac OS topping the list of most vulnerable operating systems in 2016 (businessinsider.com), ahead of Windows 10 and even hated Windows 8, perhaps they should… it could be copy if… well, if saintly Google had an “S” to hook a $ on in its name somewhere. And that tied, ad hominem excuse for lack of market share, that all “Windoze users are know-nothing idiots who couldn’t master a DOS batch file let alone a REAL shell”, is considered equally un-real-world for most users, who, as any security chap or chapess will tell you, honestly are the weak link in security and best to not be touching.
Updates/Follow Ups
9th March 2017
But the real question, of course, to fill conspiracy dungarees is: did the “Deep Gov’ment’s” CIA have it in their toolbox when it was still not so much hypothetical? For sure, I’m sure they have all the patched ones, and the ones un-patched because Google or the user couldn’t be bothered, in there too.
WikiLeaks: We’ll work with software makers on zero-days (krebsonsecurity.com).
“When WikiLeaks on Tuesday dumped thousands of files documenting hacking tools used by the U.S. Central Intelligence Agency, many feared WikiLeaks would soon publish a trove of so-called ‘zero days,’ the actual computer code that the CIA uses to exploit previously unknown flaws in a range of software and hardware products used by consumers and businesses. But on Thursday, WikiLeaks editor-in-chief Julian Assange promised that his organization would work with hardware and software vendors to fix the security weaknesses prior to releasing additional details about the flaws. … It’s unclear if WikiLeaks’ decision to work with software makers on zero-days was impacted by a poll the organization took via its Twitter page over the past few days. … So far, just over 38,000 people have responded, with a majority (57 percent) saying ‘Yes, make people safe,’ while only 36 percent selected ‘no, they’re part of the problem.’”
Recent/related stories
- Cyber attacks, the tentacle trope and Linux security (Latest Picks 3rd December 2016)
- Windows 10 anniversary update keeps breaking PCs—at least story copy and Linux evangelists say so (Latest Picks 26th August 2016)
- Apple Store no more: tech giant rebrands its retail outlets (Latest Picks 21st August 2016)