Hackers Exploited Word Flaw For Months While Microsoft Investigated (reuters.com)
An anonymous reader writes: To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
Microsoft = Job Security*
* If you work for Microsoft, you're screwed. But for everyone else using Microsoft, you're golden.
*would of
Make the vendor responsible for losses in critical applications.
If MS had to cough up millions for every bank hack, you could be damn sure they would refine their code for such applications. Or, you know, go bankrupt. Either way, people win!
G'day mate. Chuck another shrimp on the bar-b mate. G'day skip.
ArsTechnica ran this story 2 weeks ago... congrats Reuters... now stop covering tech topics... you suck at it
Nope, GP is correct (if a little weird). Would have.
Microsoft makes more money if there are flaws.
Everyone who wants a new version of Windows must pay a full price, and get a new version that also has flaws.
"would of" is not and never was correct.
What you are actually thinking about is "would've" which is just a contraction of "would have".
Now that you know, you can at least be correct when you're being pedantic.
WTF! But "of" makes a V sound! If I would of known this earlier I would knot of made that mistake.
Shit.
drunken thieves?
Word Up!
You can have that; however, you have to accept a few things:
1) Costs are going to go way up. You aren't going to pay $50 or $100 for a software package, it'll be 5 or 6 figures. You'll be paying for all the additional testing, certification, and risk.
2) You won't get new stuff. Everything you use will be old tech. You'll be 5-10 years out of date because of the additional time needed to test and prove things. When a new chip or whatever comes on the market it'll be a good bit of time before it has undergone all the validation it needs to be ready for such a critical use.
3) You will not be permitted to modify anything. You will sign a contract (a real paper one) up front that will specify what you can do with the solution, and what environment it must be run in. Every component will have to be certified, all software on the system, the system itself, any systems it connects to, etc. No changes on your part will be permitted, everything will have to be regression tested and verified before any change is made.
If you are ok with that, then off you go! The way I know this is how it goes is that we have shit like this, we have critical systems out there and this is the kind of shit they go through. They are expensive, inflexible, and out of date compared to the latest mass market shit. If you look at the computers that control a fighter plane or the like you'll be amazed at how "dated" they are. Well they are that way because development took a long time and once they are developed, they continue to be used, they aren't changed often.
Now if that's not ok, if you want the free wheeling environment we have now where you can buy new tech when you like, put things together in any configuration, and run whatever you want that's cool, but accept that means problems will happen. You cannot have it both ways.
Oh and also with that critical stuff:
4) There will be no FOSS. If there's liability for losses, nobody will be willing to freely distribute their work. They aren't going to accept liability for no payment, and aren't going to accept that if their code was used by someone else they might be liable.
I know of a few PHP security exploits that haven't been properly triaged yet and could be used to easily take out a good chunk of the Internet.
For how long has MS Word had VB scripting, .NET and other vulnerabilities built in?
Have gnu, will travel.
I would never use Windows 10 except connected to a separate router, and only for testing, so I didn't think about that.
Windows 10 is possibly the worst spyware ever made. Quote: "Buried in the service agreement is permission to poke through everything on your PC."
This story is so old and happens so often that it isn't news. That it continues is very frustrating for anyone who has been in the Internet industry since the Internet became popular around the release of Windows 3.1.
Windows is impossible to secure. I'm sure that if I bother to search a few darker spots of the net I will find current working unpatched Windows "total takeover" exploits.
The only good news appears to be that it used to take years rather than only 9 months for Microsoft to respond with effective patches.
Until Microsoft can be held responsible for the losses associated with using their software none of this will ever change. There is a very good reason that most Internet startups do NOT use Windows on their customer facing servers. It is just not maintainable.
Open source isn't perfectly secure, but at least knowledgeable persons can debug and patch it much, much faster than 9 months.
Microsoft usually ignores or spends a long time fixing severe bugs or design issues which can kill any business dumb enough to adopt Windows even with all kinds of regularly ineffective "3rd party protection."
Apple is better than Microsoft, but still weak in so many areas that it is also a non-starter for Internet facing servers.
Here is a simple test: If you need to add Anti-virus software or added firewalls you are using an insecure operating system unfit for use on the Internet.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
.... and you have a gmail.com address.
I laughed so hard I tripped slashdot's anti-caps filter. :)
> Here is a simple test: If you need to add Anti-virus software or added firewalls you are using an insecure operating system unfit for use on the Internet.
What operating system does pass that test? Certainly no flavor of Linux, Unix, or BSD.
> but at least knowledgeable persons can debug and patch it much, much faster than 9 months
No. It doesn't matter how "knowledgeable" you are, you aren't going to patch something as big as an OS faster than its developers. This is just wishful thinking.
> If you need to add Anti-virus software or added firewalls you are using an insecure operating system unfit for use on the Internet.
Because Linux can see the difference between good and malicious code. It's called "bullshit technology". Even Richard Stallman agrees that OS software isn't more or less secure than closed sourced one so STFU.
> Windows is impossible to secure.
Extraordinary claims require extraordinary evidence.
Microsoft = Job x !Security*
* If you work for Microsoft, you're screwed. For everyone else using Microsoft, you're also screwed unless you have lots of cash laying around.
FTFY
Care to name a "flavor of Linux, Unix, or BSD" that "need[s] to add Anti-virus software or added firewalls", and explain the "need"?
No one uses such things.