what's worse: not disclosing a vulnerability or not releasing a patch a.s.a.p.?

[zMeul]

source: https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/

 

hold on to your tinfoil hats because this one is straight out of a Stanley and Laurel movie

get this:

Quote

When the WannaCrypt ransomware exploded across the world over the weekend, infecting Windows systems using a stolen NSA exploit, Microsoft president Brad Smith quickly blamed the spy agency. If the snoops hadn't stockpiled hacking tools and details of vulnerabilities, these instruments wouldn't have leaked into the wild, sparing us Friday's cyber assault, he said.

 

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith.

 

Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months.

Around January this year, Microsoft was tipped off by persons unknown that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain. In March, Microsoft emitted security fixes for supported versions of Windows to kill off the SMB vulnerability, striking Eternalblue dead on those editions.

 

Quote

However, our analysis of the metadata within these patches shows these files were built and digitally signed by Microsoft on February 11, 13 and 17, the same week it had prepared updates for its supported versions of Windows. In other words, Microsoft had fixes ready to go for its legacy systems in mid-February but only released them to the public last Friday after the world was engulfed in WannaCrypt.

Here's the dates in the patches:

• Windows 8 RT (64-bit x86): Feb 13, 2017
• Windows 8 RT (32-bit x86): Feb 13, 2017
• Windows Server 2003 (64-bit x86): Feb 11, 2017
• Windows Server 2003 (32-bit x86): Feb 11, 2017
• Windows XP: Feb 11, 2017
• Windows XP Embedded: Feb 17, 2017

 

these mofos knew about the exploit and build the patches since February - you wot m8 

what the fuck!

 

 

if anyone got hit by the Wanna Crypt ransomware and lost important data or had to shut down services, sue these motha'fuckers

Edited May 16, 2017 by zMeul

[Valentyn]

All to increase Windows 10 market share as much as possible, since older systems will get wrecked.

[manikyath]

4 minutes ago, zMeul said:

knew about the exploit and build the patches since March

any guess on how long development took?

[ARikozuM]

Patches take time to build and, I would assume, they would have to be tested to ensure that they aren't in conflict with the current system and any future patches. 

 

I think the bigger issues are the amount of exploits that have been shown over the past few weeks. No one can possibly test and code fixes for everything in two month's time.

[Drak3]

Ah man, if only these things called development and validation existed!

4 minutes ago, manikyath said:

any guess on how long development took?

According to most people: 10 minutes, from the whiteboard to fully functional and completely tested patch.

2 minutes ago, ARikozuM said:

No one can possibly test and code fixes for everything in two month's time.

Don't you bring Logic into this, especially when I'm bringing in the sarcasm.

[ARikozuM]

Just now, Drak3 said:

According to most people: 10 minutes, from the whiteboard to fully functional and completely tested patch.

According to most people: Microsoft is the worst OS vendor.

Spoiler

But they'll still use the OS.

 

[manikyath]

Just now, Drak3 said:

According to most people: 10 minutes, from the whiteboard to fully functional and completely tested patch.

those are the people who think that fixing a broken 40km fiber line can be fixed within 10 minutes as wll.

 

they must lead a strange life.. expecting their toaster to pop toast out the moment they slide bread in..

[zMeul]

7 minutes ago, manikyath said:

any guess on how long development took?

according to what I read the fixes have a February build date

 

updating OP

Edited May 16, 2017 by zMeul

[ARikozuM]

1 minute ago, manikyath said:

they must lead a strange life.. expecting their toaster to pop toast out the moment they slide bread in..

Note: Invent pre-toasted bread.

[WMGroomAK]

3 minutes ago, zMeul said:

according to what I read the fixes have a February build date

 

updating OP

I'm expecting this to get a whole lot worse before it gets any better...  Security and intelligence agencies by their very nature want to have any exploits that they can for intelligence gathering purposes.  One of the speculated reason that some Russian and Chinese computers were hit so hard is that they are using pirated versions of Windows that cannot be patched.  This, of course, makes it easy for somebody like the CIA or NSA to actually access their systems and get any data they want with these tools.  Do I approve of the process behind this? Hell No, however, I can understand why the analysts would want to hold on to these tools.

[Drak3]

1 minute ago, zMeul said:

according to what I read the fix has a March build date

You mean, when the patches started going live? Shocker.

 

And those build dates, are just that, dates in which the then potential patches are built. Not when they're validated.

 

6 minutes ago, ARikozuM said:

Note: Invent pre-toasted bread.

Invent a butter that's already on the pre-toasted bread while you're at it.

[zMeul]

Just now, WMGroomAK said:

I'm expecting this to get a whole lot worse before it gets any better...  Security and intelligence agencies by their very nature want to have any exploits that they can for intelligence gathering purposes.  One of the speculated reason that some Russian and Chinese computers were hit so hard is that they are using pirated versions of Windows that cannot be patched.  This, of course, makes it easy for somebody like the CIA or NSA to actually access their systems and get any data they want with these tools.  Do I approve of the process behind this? Hell No, however, I can understand why the analysts would want to hold on to these tools.

• MS could employ exploit hunters, like Google does for example - Project Zero: https://googleprojectzero.blogspot.ro/
• spies do what they're trained to do - discover secrets and exploit them; but it works both ways
• running pirated versions of Windows doesn't mean it can't be patched 

[RagnarokDel]

14 minutes ago, zMeul said:

according to what I read the fixes have a February build date

 

updating OP

doesnt mean it was fully tested. The last thing you want is to push a fix that doesnt actually work.

[zMeul]

Just now, Drak3 said:

You mean, when the patches started going live? Shocker.

 

And those build dates, are just that, dates in which the then potential patches are built. Not when they're validated.

re-read my post, it's February not March

 

+ @RagnarokDel cut the crap, validating a fix doesn't take months - it's SW that was built by MS and not a 3rd party that had to go through the MS cert process

[Drak3]

Just now, zMeul said:

re-read my post, it's February not March

A) Irrelevant to the second point, which is EXTREMELY important in the context of security.

B) When I wrote that, what I quoted from YOU is what YOU WROTE.

[zMeul]

1 minute ago, Drak3 said:

A) Irrelevant to the second point, which is EXTREMELY important in the context of security.

B) When I wrote that, what I quoted from YOU is what YOU WROTE.

it's rather late, I fucked up 

[WkdPaul]

I fail to see the problem here ... the timeline from the article, MS was told in January, had patches mid-February and released them in March. While it could have been released faster, seeing those patches are for OS from XP and up, this whole thing seems like it falls into "conspiracy theories" territory.

 

I don't see how they were "hoarding" security patches, they were all available since march :

Quote

Published: March 14, 2017

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[zMeul]

5 minutes ago, wkdpaul said:

I fail to see the problem here ... the timeline from the article, MS was told in January, had patches mid-February and released them in March. While it could have been released faster, seeing those patches are for OS from XP and up, it seems like this falls into "conspiracy theories" territory.

 

I don't see how they were "hoarding" security patches, they were all available since march :

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

wrong! so wrong!

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

^ these are the dates MS publicly released the KBs

only WS2008 (Itanium and x64), XP embedded and Vista x64 were released in March - the rest were released ~4days ago

[Daniel644]

in concept, not releasing a patch is the lesser of 2 evils, we sure wouldn't want MS (or any other company) announcing an exploit exists before they patch it, we don't need every hacker in the world made aware of a problem before it gets fixed. But I see no evidence MS was intentionally holding back an releasing patches, I mean if they where, why would they release patches for XP at all, it's well past it's end of Support MS didn't have to do that if they didn't want to.

[WkdPaul]

1 minute ago, zMeul said:

wrong! so wrong!

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

^ these are the dates MS publicly released the KBs

 

lol

 

that's "last updated" ... not "published dates"

 

They were ALL published in March

[zMeul]

Just now, wkdpaul said:

lol

 

that's "last updated" ... not "published dates"

 

They were ALL published in March

mate .. https://web.archive.org/web/*/http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

that page did not exist prior to May 13^th

[ARikozuM]

Today, I learned that Way Back Machine is a credible source.

Spoiler

Unsure if I should add "/s" or not.

 

[WkdPaul]

3 minutes ago, zMeul said:

mate .. https://web.archive.org/web/*/http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

that page did not exist prior to May 13^th

that's not how the wayback machine work. It's not because they don't have it in their archive that it didn't exist.

 

also, if the update catalog page didn't exist before may 13th, how did they have links to it in April????

https://web.archive.org/web/20170415180903/https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

Bottom line is, the patches were available since March.

[themctipers]

30 minutes ago, WMGroomAK said:

I'm expecting this to get a whole lot worse before it gets any better...  Security and intelligence agencies by their very nature want to have any exploits that they can for intelligence gathering purposes.  One of the speculated reason that some Russian and Chinese computers were hit so hard is that they are using pirated versions of Windows that cannot be patched.  This, of course, makes it easy for somebody like the CIA or NSA to actually access their systems and get any data they want with these tools.  Do I approve of the process behind this? Hell No, however, I can understand why the analysts would want to hold on to these tools.

Pirated windows 7, yes. Probably not windows 10 though, because there was a free upgrade. However, almost everyone I know that came from China stuck with Windows 7 because they knew it better, it ran quicker, and it just worked better (think 2015, brand new OS, bugs everywhere)

[zMeul]

2 minutes ago, wkdpaul said:

that's not how the wayback machine work. It's not because they don't have it in they archive that it didn't exist.

 

also, if the update catalog page didn't exist before may 13th, how did they have links to it in April????

https://web.archive.org/web/20170415180903/https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

Bottom line is, the patches were available since March.

why are you lying?

 

please post with proof that people installed through Windows Update, KB4012598 since March for W8, WS2003 and XP