Tag: Microsoft

  • MSRC; Tell The Whole Story Please

    Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collectively, MSRC does not seem to appreciate either their own history or the bigger picture. As such they have a myopic view on the…

  • Windows 10 Fails

    [This was originally started on 2021-03-07, adding notes from months before that. Given the time that has passed, I will not finish this but wanted to post my notes, as is.] windows is X years old, and despite the bloating and bugs, they still haven’t figured out some pretty basic UI/UX things. these are the…

  • APT Naming Woes Redux (Bonus ‘DOJ’ Oops!)

    One aspect of vulnerability intelligence is also doing a best-faith effort to track the threat actors that are using the vulnerabilities. While that information often isn’t published, when it is we should include it. For example, less than 1% of data breaches publish the vulnerability associated with the initial compromise, and that is often the…

  • Microsoft SIR and Vulnerability Statistics

    [I wrote this for my day job back in February, 2017, but it never got posted. Including it here for reference.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can…

  • Perlroth and the History of Microsoft Vulns

    While reading “This Is How They Tell Me The World Ends”, early in the book I ran across a single line that made me double-take. I took a note to revisit it after a complete read since it was so early in the book. For those familiar with my blogs, I tend to write about…

  • Microsoft, CVE, MITRE, ETERNALBLUE, Headache…

    2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published and has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers…

  • That Vulnerability is “Theoretical”!

    [This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability…

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can grant, can still have very different expertise within that field. Society and science…

  • An Analysis of Google’s Project Zero and Alleged Vendor Bias

    [This was originally published on RiskBasedSecurity.com.] Google announced a new initiative called Project Zero. The basic premise of the project was that Google invests heavily in their own security and had for quite some time been also tasking their researchers part time work on improving the security of other high-profile products. Project Zero is Google’s…

  • Microsoft’s latest plea for CVD is as much propaganda as sincere.

    [This was originally published on the OSVDB blog.] Earlier today, Chris Betz, senior director of the Microsoft Security Response Center (MSRC), posted a blog calling for “better coordinated vulnerability disclosure”. Before I begin a rebuttal of sorts, let me be absolutely clear. The entire OSVDB team is very impressed with Microsoft’s transition over the last…