The researcher disclosed the bug one week before Microsoft is scheduled to patch it. I'm sure MS isn't thrilled, but they did drag their feet:
"I decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs. I'm doing free work here with them (I'm not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they're not helping their users but doing marketing damage control, and opportunistic patch release."
The researcher sounds really petty. They're patching it, but not on this person's schedule so he's causing microsoft and USERS problems they didn't have before.
If they weren't patching, I'd understand, but this isn't the right way to get attention in my book.
He asked a PR person, probably one with little security background (how many security people do you know who went into PR?) gave the stock answer which does happen to actually be good security advice: run the latest supported version with patches.
The reporter was just butthurt about not getting a scoop and decided to write an article complaining about PR practices in place of an actual story.
Really like the click bait title though, it's a nice touch. /s
>Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,
EDIT
and this
>The time has come for Microsoft vulnerability disclosure communications to mute the marketers and let the security engineers do the talking instead.
Truth be told, Microsoft has among the worst PR agencies/policies from the tech industry. Very bureaucratic, slow to get something out of them, and you usually end up with just canned answers and most questions dodged. It's hardly even worth the effort to contact Microsoft's PR about something.
Unless you know a higher-up exec, like Mary Jo Foley or Paul Thurrott does, for instance, you're unlikely to get a real answer for a security question. For a journalist, writing what you think happened, and then waiting for Microsoft to react, contact you, and tell you what really happened is likely a much more effective strategy to get something out of Microsoft.
tl;dr: a CVSS 7.8 Windows vulnerability in the SMB service can allow an attacker to DoS any machine with the filesharing service exposed; the possibility of RCE seems to have been discarded; exploits are freely available online. This article complains that Microsoft's communication is lacking details and transparency in times of war
Does anybody know how many days it would take from when a critical security bug is discovered in Windows and assuming that the fix is just a few lines of code and not a component rewrite and marketing is not in the way, I am wondering how many steps are from when a fix is created until is released.(I imagine that there may some QA and some managers that need to approve it but I have no idea)
Disclosure: I work at MS but not on the kernel or anything related to this security bug. Opinions are my own.
I've seen one-line bug fixes introduce many other bugs.
Adding a null check is always suspicious. Is the system in an invalid state? Should it fail fast instead of swallowing the error?
Maybe the code wasn't touched in several years. Maybe the person that wrote it no longer works there. Maybe the code in question doesn't have good test coverage or documentation. There are so many variables to consider when assessing risk of code changes.
It depends. Some bugs can be fixed easily and some might be too complicate to fix even though it looks simple. Usually all critical bugs are attended as soon as they are created (few hours delay). But the actual fix depends on the bug and there is no general formula for that
They could have a solution out the door in less than 24h but it may be a mitigation (ie, disable the service) rather than a proper fix. But that's pretty easy. In fact, it's usually the first thing an engineer does when verifying a bug report - "Ok I've reproduced it, now let's shut off the service and make sure the problem goes away."
Release a patch that disables the vulnerable service and give people a way to bypass that and turn it back on once they've taken proper internal measures. (Read the CVE, block ports, etc...)
> What is the threshold where you decide to release a bug description?
Absolute minimum: 1 month after patch.
Also: Leave 1 month, as an absolute minimum, to publish a patch.
Why that? Because it takes time to track a bug and fix it and test the fix and ship it to 1 billion consumers in 150 countries and languages.
Welcome to the world of real users where things take time to happen.
Of course, one may think that he's an idealistic enthusiast pressuring the evil big companies when giving them less time. But nope, the only thing one may truly accomplish is being an unrealistic asshole putting millions of computers and people at risk. Think twice before you disclose. There will also be your mom's computer on the other end of that 0-day ;)
ohitsdom|9 years ago
"I decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs. I'm doing free work here with them (I'm not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they're not helping their users but doing marketing damage control, and opportunistic patch release."
cujo|9 years ago
If they weren't patching, I'd understand, but this isn't the right way to get attention in my book.
nxc18|9 years ago
The reporter was just butthurt about not getting a scoop and decided to write an article complaining about PR practices in place of an actual story.
Really like the click bait title though, it's a nice touch. /s
aao|9 years ago
>Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,
EDIT and this
>The time has come for Microsoft vulnerability disclosure communications to mute the marketers and let the security engineers do the talking instead.
I found it funny to be honest
mtgx|9 years ago
Unless you know a higher-up exec, like Mary Jo Foley or Paul Thurrott does, for instance, you're unlikely to get a real answer for a security question. For a journalist, writing what you think happened, and then waiting for Microsoft to react, contact you, and tell you what really happened is likely a much more effective strategy to get something out of Microsoft.
pomfpomfpomf3|9 years ago
MohammadLee|9 years ago
SlashmanX|9 years ago
j_s|9 years ago
PoC GIF: https://twitter.com/vvalien1/status/826935182456418304
slowmotiony|9 years ago
simion314|9 years ago
becarefulyo|9 years ago
I've seen one-line bug fixes introduce many other bugs.
Adding a null check is always suspicious. Is the system in an invalid state? Should it fail fast instead of swallowing the error?
Maybe the code wasn't touched in several years. Maybe the person that wrote it no longer works there. Maybe the code in question doesn't have good test coverage or documentation. There are so many variables to consider when assessing risk of code changes.
pizza234|9 years ago
nitinreddy88|9 years ago
EdHominem|9 years ago
Release a patch that disables the vulnerable service and give people a way to bypass that and turn it back on once they've taken proper internal measures. (Read the CVE, block ports, etc...)
user5994461|9 years ago
Absolute minimum: 1 month after patch.
Also: Leave 1 month, as an absolute minimum, to publish a patch.
Why that? Because it takes time to track a bug and fix it and test the fix and ship it to 1 billion consumers in 150 countries and languages.
Welcome to the world of real users where things take time to happen.
Of course, one may think that he's an idealistic enthusiast pressuring the evil big companies when giving them less time. But nope, the only thing one may truly accomplish is being an unrealistic asshole putting millions of computers and people at risk. Think twice before you disclose. There will also be your mom's computer on the other end of that 0-day ;)