Slashdot Mirror

← Back to Stories (view on slashdot.org)

One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever (bleepingcomputer.com)

Posted by BeauHD on from the still-relevant dept.

An anonymous reader quotes a report from Bleeping Computer: Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET. Named EternalBlue, the exploit was supposedly developed by the cyber division of the U.S. National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017. Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft released MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Broker leak.

Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don't know that it's still one of today's biggest threats. This threat doesn't only come from malware authors continuing to weaponize it for a diverse set of operations. Malware authors wouldn't ever bother with an inefficient exploit. ExploitBlue continues to be a threat because of the vulnerable machines still available online. According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online.

62 comments

  1. Uh. ExploitBlue? Another one? by mnemotronic · · Score: 2

    ..ExploitBlue continues to be a threat because ...

    BleepingTypo, not BleepingComputer.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  2. No one wants the solution by Anonymous Coward · · Score: 2, Interesting

    You can explain to people that to work better, live without paranoia have increased security, have stability and control go use linux.

    It just does not work though, if we were logical animals out for our best interest and getting things done windows would have sank into oblivion decades ago but there is something mentally wrong with the vast majority of us and the obvious solution sitting under everyones nose is ignored to continue what we already know doesn't work.

    *shrug*

    Humans, weird lil monkies I must say, but unless we aerosol spray a retro virus to change our nature you can keep screaming at them full force with all the effect of a summer breeze against a mountain of stupid.

    1. Re:No one wants the solution by ArchieBunker · · Score: 2

      If Linux had 90% of the desktop marketshare I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:No one wants the solution by Anonymous Coward · · Score: 1

      I like your justification for not doing the correct thing.

      Keep those excuses coming, you can even pretend their real if you like. I'll just keep getting stuff done while you keep having IT meltdowns every day.

    3. Re:No one wants the solution by ArchieBunker · · Score: 1

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re: No one wants the solution by Anonymous Coward · · Score: 2, Insightful

      Why limit this discussion to desktops? There are plenty of reasons to target servers and, for that matter, high performance computing systems. A lot of potentially sensitive data could be obtained from compromising servers. And there may be even greater value from compromising high performance computing systems. Some of those systems include dedicated GPU resources. If such a system was compromised, an attacker could use those to mine cryptocurrency on someone else's bill, not to mention what other sensitive data might be stored on those systems. There are plenty of worms that attempt to target Linux systems, including exploiting vulnerable SSH servers. Part of the issue is that Linux systems typically don't run lots of potentially vulnerable services by default, whereas lots of services are running by default on Windows.

    5. Re:No one wants the solution by Anonymous Coward · · Score: 2, Informative

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      Technically, Altium already has...
      https://www.altium.com/solution/linux-pcb-design-software
      Maybe not the product you were wishing for, though?

    6. Re: No one wants the solution by phantomfive · · Score: 1

      Because for most people it works fine. At least, well enough. And the few times it doesn't, they buy a new computer and move on. They'd rather spend their time watching Netflix than learn a new skill.

      --
      "First they came for the slanderers and i said nothing."
    7. Re: No one wants the solution by Anonymous Coward · · Score: 0

      You do realize that this os circular reasoning since the ONLY rason they have no Linux build, is because you do not use Linux,so does not make sense, financially.

      I remember the same problem with Internet Explorer 6. Everybody was developing for it because everybody was using it because GOTO 10.

      It is still *your* job to do the change. You can still use multiple OS at the same time, you know? Seamlessly even.
      What matters is what you say you want, in public! If they hear more than 10% complain how they use competing companies, they *will* listen, since they feel their income being threatened.
      10% ... merely *saying* it suffices!
      Or a few large companies.
      E.g. back then, a large blow was Google not supporting IE6 anymore.

    8. Re:No one wants the solution by Ol+Olsoc · · Score: 1

      If Linux had 90% of the desktop marketshare I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.

      Har! My operating system is best because it has the most exploits! Buy Windows - hackers can't be wrong!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:No one wants the solution by Anonymous Coward · · Score: 0

      > I'll switch to Linux as soon as SolidWorks and Altium release builds.

      It's always like that.

      I cannot leave M$ Office because it can produce labels for the front and back of the envelope in opposite orientation(*), so that we can stick them to our 3000+ mail letters we send daily.

      Or, I cannot run software A or B, so it's Windows for me.

      Except -- and I'm mean no disrespect for your preferences -- I don't use those programs nor have I ever heard of them before your post.

      Libreoffice/Linux solves 95% of the problems users might have; perhaps some 35% not as well as M$ Office, but 60% even better than the dominant suite. Without the price, but more importantly with faster progress and more compatibility with its previous versions -- even with the previous of M$ Office!

      Also, you can upgrade everyone at once (because costs are negligible). M$ Office new versions must be purchased -- often there's no money to upgrade everyone -- and often break some compatibility -- in some cases intently by adding an "activate compatibility" option (**). Alas, BTW, almost all compatibility problems arise from the use of different suites simultaneously in an organization (***). Document standards still have a ways to become as respected as PDF, for instance.

      (*) fictitious example just for illustration.
      (**) in my experience.
      (***) that would happen with any two different suites, even open source; M$ Office is no exception. It follows that, if not for costs, it would be better to standardize on a single suite company-wide -- preferably one which can be also upgraded company-wide.

    10. Re:No one wants the solution by Ol+Olsoc · · Score: 1

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      Are you bragging or complaining? I feel badly for people who are locked in to one OS.

      I have one stinking program that only runs on Windows, have to have a machine specifically for that one program, and I surely don't brag about it. Being a W10 machine, it takes more maintenance than all my other computers combined. Latest update took out a USB hub and mouse! Corrupted their drivers.

      I would think that using your bragging points of installed user base and Windows only monoculture programs, that hackers and malware people would be helping Microsoft fix their interminable update borks so they could have more uptime to work their bad guy stuff.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    11. Re:No one wants the solution by Ol+Olsoc · · Score: 1

      I agree, Linux is the safest. But after an update on my PC, it bricked my whole machine and converted my PC into an expensive paperweight.

      Windows latest update is taking out a lot of computers.

      I think it is called security through bricking. Draconian, but hey - it works!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    12. Re:No one wants the solution by ArchieBunker · · Score: 1

      Web based.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    13. Re:No one wants the solution by HiThere · · Score: 1

      Sorry, but no. Linux isn't the most secure system, and it definitely has it's weak points. (Archives should never expand already executable, e.g.) But it's a lot better than even modern MSWind. Still, if security were your main consideration you'd either pick one of the BSDs (OpenBSD has the reputation of most secure, but I can't really judge), so something totally else. Probably something where the code can never be executed after being made executable until the next volume remount, or possibly reboot. This really needs to be addressed at a hardware level, though. If all executable code was essentially ROM, then the exploits would plummet. (Even that wouldn't suffice, however, because of virtual machines, in which category I include Interpreters, and scripting languages, and even things like UCSD Pascal, or BC-Algol, or, for that matter, MIXX.)

      The only thing that could really work and still be useful would be a checkpointed system where the checkpoints could never be edited or erased from within the system. Git does something rather like that, but without the protection of the prior versions, because it wasn't basically aimed at security, but rather at concurrent editing. This would basically mean that files could never really be deleted or altered. You'd need to specify at boot time what the last presumed good time was, and it would reboot to the checkpoint just before that time. (This also means that you need to protect whatever you're using as the time standard.)

      So. It's doable, but it would be a bit expensive. And you'd still need backups because hardware can fail.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    14. Re:No one wants the solution by Anonymous Coward · · Score: 1

      Why not use a VM - no need for a physical machine these days for something like that.

    15. Re:No one wants the solution by ilsaloving · · Score: 1

      That's because when you give people that kind of explanation, they will look at you as if you've grown an extra head, and for good reason.

      Honestly, why is this so hard for die-hard Linux people to understand? Linux is *not* a viable option for a significant number of people for a variety of reasons:
      1. The OS is only tangentially important. Concern #1 are the applications, and a lot of those applications just arn't on linux.
      2. There is a learning curve which some people arn't prepared for, ESPECIALLY if it's not work-related.
      3. People complain about Apple's walled garden. Linux has an even worse walled garden, because if you have to so much as stick your pinky toe out from the carefully cultivated experience Linux distros provide you, you are effectively screwed unless you are a techy. And even if you are a techy, you have to ask yourself "is it worth my time to screw with this?". Just because I know how to edit an xorg.conf file doesn't mean I want to waste time doing so.
      4. For the overwhelming majority of computer users, CLI is *not* an option. Period.

      Linux is the single best server OS currently available and if given the choice, I would pick it 100% of the time when setting up a server or a development workstation. The power, flexibility and control are second-to-none.

      Linux is also second-to-none in the embedded space, because you can slice and dice it to an absurd degree, making it behave exactly as you want it to.

      But all those benefits turn into flaws on the user desktop side, and until linux fans realize that, Linux will *never* succeed on the desktop. And it's not about dumbing everything down either. It's about making features as accessible as possible. And that's just to start. I won't list all the things that need to be done cause no one will listen to me anyway.

    16. Re:No one wants the solution by Anonymous Coward · · Score: 0

      That is true, but when it was noticed it was patched up very quickly. From what I have seen, it was patched much faster than Apple or Microsoft usually do. Microsoft has had bugs in there system go unnoticed for years also.

  3. Re:Eternal Blue it's name wasn't derived from blue by AHuxley · · Score: 1

    Could all be part of the National Time Sensitive Systems tasks. Along with BLUEBERRY, BLUESKY, BLUESTREAM.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Linux huge role in the flaw... by ELCouz · · Score: 4, Informative
    From the article tweet:

    Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

    Samba is still using SMB v1 by default on many configurations for legacy purpose.

    1. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Why blame an operating system for common third party software that runs on the system? There may be distributions that don't sufficiently prioritize security, but that's not really a Linux problem so much as it's an issue with some of the distributions. I just don't agree with your assessment.

      Lots of Android devices ship with third party bloat ware that's added by the manufacturer and carrier. If one of those applications is vulnerable, is that the fault of Android, which is an open source OS? We could debate that Google could curtail some of this with the licensing of Google Mobile Services, but that's still something that runs on top of Android rather than an issue with the OS.

      I just don't think an OS can be blamed for third party software that runs on top of it.

    2. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Shit bro, you stupid.

    3. Re: Linux huge role in the flaw... by ELCouz · · Score: 1

      I meant to say Samba not Linux in the title.
      Samba is the issue. It's not until late 2016 they switched to SMBv2 by default. Leaving too many servers vulnerable.

    4. Re:Linux huge role in the flaw... by thomst · · Score: 1

      ELCouz pointed out:

      From the article tweet:

      Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

      Samba is still using SMB v1 by default on many configurations for legacy purpose.

      If I had points, this post would get a +1 Informative upmod.

      I hope someone who has 'em agrees ...

      --
      Check out my novel.
    5. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Same AC replying to you. Thank you for clarifying, sir. I agree with you that Samba has a large role in this issue.

    6. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Same AC as the grandparent. Thank you for your civil response and your discussion of Samba's role in the flaw. Good day, sir.

    7. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 1

      That's why I am willing to embrace A.I., your response is civil, to the point, and corteous just like any AI. I congratulate your programmer.

    8. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Well the FOSS community nearly always attributes problems with Windows software on the OS itself.

      The number of exploitable Windows OS level vulnerabilities has been almost 0 for about a decade now, the attack vectors are almost always things like browsers, Java, and Flash, and yet the exploitation of these things always has the FOSS community attacking Windows security without fail.

      I don't actually disagree with you, but the FOSS community needs to make a decision one way or the other - you can't decide that stuff running on top the OS breaching the OS counts for Windows, but not Linux, as that's just incredibly hypocritical and ultimately what you're asking here.

      By your measure of actual OS level exploits only, Windows is easily as secure as Linux and has been for over a decade now.

    9. Re:Linux huge role in the flaw... by sjames · · Score: 1

      To be fair, without Windows, there would be zero Linux machines running Samba at all. Samba only exists because of Windows.

      And the legacy reason? Supporting Windows machines.

    10. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Um, Wannacry exploited an OS level vuln in windows. So not close to zero such bugs. There are still plenty of OS vulnerabilities being discovered in windows, as they are in other major operating systems too.

    11. Re:Linux huge role in the flaw... by thegarbz · · Score: 2

      And the legacy reason? Supporting Windows machines.

      There's nothing legacy about it. Samba itself is a perfectly fine protocol and one of the few that is actually nicely cross platform which can not be said for NFS or AFS. It nicely decouples the file system attributes from the sharing protocol and allows authentication on a per share level without having to worry about matching file system permissions between the server and clients.

      Hell I used to work at a linux only shop that used samba as its primary way of sharing for exactly this reason.

    12. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 1

      cifs.ko is a part of almost all Linux based operating systems, and actually is part of the kernel.

      Linux servers using mount -t cifs to attach to a windows file server on brand spanking new RHEL server still default to SMBv1 as far as I know. Some features like DFS were broken when you forced a higher version, until RHEL 7.5 came out I think. Who knows what else is broke, but I’m sure that’s the reason for defaulting to the oldest version of the protocol. Anyway this stuff makes it hard for shops with integrated Linux/Windows systems to disable SMBv1 entirely.

    13. Re:Linux huge role in the flaw... by sjames · · Score: 2

      You should look at the history of it. It took the EU ordering MS to open up to get anything like complete support for the distinctly MS protocol. I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.

    14. Re:Linux huge role in the flaw... by Jeremy+Allison+-+Sam · · Score: 1

      Yes, but Samba also isn't vulnerable to WannaCry or EternalBlue, so that makes a difference.

    15. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 0

      Oh I see, so when you open up SMB to the world on a Windows machine it's an OS vulnerability, but on Linux it's not?

      Okay then, that's not astoundingly hypocritical or anything is it.

      Why not just accept that Linux has just as many vulnerabilities as Windows nowadays which is actually a true fact?

    16. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.

      What does the result have to do with the method?

    17. Re:Linux huge role in the flaw... by sjames · · Score: 1

      If it was truly cross platform, it would be easier to update Samba to the latest standard.

      Admins would have less reluctance to do updates on a setup that more or less works.

    18. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      Well three things.

      1) This is a red herring since ultimately the point was that there is nothing Legacy and only for supporting Windows machines about Samba.
      2) Samba has no problems adopting the latest standard. In fact the first release candidate of the Samba 4.3 which supports the current 3.1.1 protocol was released before Windows 10 (first to support 3.1.1) was. There was 5 weeks between the release of Windows 10 and Samba 4.3 Stable. Hardly a problem by any stretch of the imagination and a completely non issue if you didn't upgrade due to backwards compatibility.
      3) The protocol is incredibly stable with few major changes. The last major version change was in 2013, the one preceding it was 2006, minor incremental changes happen over a period of several years and do not introduce incompatibilities. What's my point? Admins have no technical reason to be reluctant to upgrade, and admins have no technical reasons to force the upgrade either unless their current major version ceases getting security updates (SMB2 released in 2006 is still covered, and SMB1 which is now depreciated due to fundamental flaws had a good long 20+ year life). From an administration and support point of view, Samba is more or less and ideal scenario in the IT world, far outliving the useful life of the very systems that gave birth to it (Microsoft OSes)

    19. Re:Linux huge role in the flaw... by sjames · · Score: 1

      Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.

      It is NOT fun when an upgrade breaks some corner case. The Windows machines certainly won't hint at what is wrong. All you can do is look on the web and hope someone has already figured out the magic incantation that makes the corner case go away or randomly guess at things until you stumble over it.

    20. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.

      No I haven't. Mainly because in the past 15 years I haven't seen any.

      Actually that's a lie, I have seen a few but all have been down to the Samba team changing not some protocol level thing but rather depreciating or introducing some new settings with some default that is overwritten by an old config file.

      While you're searching across the web, just marvel at the number of "I upgraded and now this doesn't work" Samba "incompatibilities" that are fixed by starting with the default config file for the current version of samba. If you can make your corner case go away without editing and recompiling the samba code, then the problem is not in the protocol.

      Ubuntu was a classic one day upping the major version of Samba without going through the process of warning the user that the config file requirements have changed. For me, that broke authentication with Windows 10 machines.

    21. Re:Linux huge role in the flaw... by sjames · · Score: 1

      You do know those settings affect protocol, right? Meanwhile, they are settings rather than hard coded because SMB isn't really cross platform and so there will be corner cases that need to be handled differently in different environments.

    22. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      You do know those settings affect protocol, right?

      You missed the point. The fact that you're able to misconfigure something is not a fundamental compatibility problem in a protocol. A single configuration file will work with all flavours of Windows, Linux, and any other system with Samba installed. If you don't want security problems then you're limited with compatibility to Windows systems only in the last 12 years though.

      Windows has no hardcoded incompatibility settings anywhere, only Linux does have soft coded settings you can fuck up in its infinite quest to give users enough rope to hang themselves. You unpack a windows 10 machine it'll talk all the way to vista on its default configuration. Manually install SMBv1 in the features settings and you're going all the way back to LANManager. Samba with it's default out of the box config is the same.

      If you have a compatibility problem then you are the problem.

    23. Re:Linux huge role in the flaw... by sjames · · Score: 1

      Consider, XP just won't die. There are plenty of admins out there who are still stuck with XP.

      If you're just shuttling a few files back and forth, it's easy. OTOH, if you're dealing with locking and shared filed, it can get "interesting".

  5. Microsoft Windows strikes again .. by najajomo · · Score: 1, Troll

    Microsoft Windows strikes again ..

    1. Re:Microsoft Windows strikes again .. by thegarbz · · Score: 1

      I know. Right. It's like ... you're completely unable to read.

      Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

      I mean you don't even need to read a summary, just a 170 character tweet. Too difficult for some people I guess.

  6. Poor NSA by Anonymous Coward · · Score: 1

    You got to feel sorry for the poor NSA, getting hacked by hackers and all that fake news jazz. It's almost as scary as the terrorists who terrorized us on 9-11. I sleep better at night knowing the NSA is keeping me safe and secure. And heil Hillary as mandated by law! ae911truth dot org

  7. So why did you weaponize the internet? by Anonymous Coward · · Score: 0

    Criminals

  8. Re:Eternal Blue it's name wasn't derived from blue by Anonymous Coward · · Score: 0

    Isn't there supposed to be a punchline about how that was all the demo?

  9. Isn't it time to stop exposing SMB to the world? by jonwil · · Score: 2

    Isn't it time Microsoft started changing Windows so that it no longer exposes the horridly broken SMB protocol to the Internet at large (rather than the local LAN) unless you explicitly turn on the ability for the Internet at large to speak SMB to your computer?

  10. Re:Isn't it time to stop exposing SMB to the world by Anonymous Coward · · Score: 1

    I don't think it is open by default to the internet, because inbound packets on SMB port will surely be blocked by your routers firewall anyway. The problem is that some websites might attack this local SMB port on your machine and hence spread ransomwares. I am on Windows and I patched this SMB hole manually by myself. Fire up your beloved disassembler and pinpoint those hex codes responsible then replace them and then dump the original buggy file. Won't take you more than 2 hours. Verify by running netstat -ano

    If you wan't an easier solution, download MS patch for SMBv1.

  11. Re:Isn't it time to stop exposing SMB to the world by thegarbz · · Score: 4, Informative

    Microsoft doesn't. It's blocked by default. SMBv1 is also disabled by default and has been for quite a while. Unfortunately there are just as many idiots in the Linux admin world as there are in the Windows world, and the vast majority of these are nothing to do with Windows.

    The summary tweet in TFA:
    "Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows"

  12. Shoot... by TheZeal0t · · Score: 1

    My cybersecurity company is still finding MS08-067 all over the place. IT'S ten years old, and it's "bigger than ever!" It's every burgeoning hacker's favorite, since it is so trivial to exploit.

  13. Microsoft testified browser is embedded in core OS by raymorris · · Score: 1

    Many security vulnerabilities can be exploited through multiple attack vectors. I'm more interested in where the actual flaw(s) are than which attack vectors are most convenient or popular at the moment.

    If Firefox has an issue that allows JavaScript to be loaded from URLs it shouldn't load from, bad on Firefox. If Windows (or Linux) had a big in the kernel that allowed JavaScript, in any browser, to bypass the separation between processes and read memory assigned to another process, bad on Microsoft. It is the kernel's job to enforce that protection. The flaw could be exploited in any number of ways, by any program, including via JavaScript.

    It is the sworn testimony of Microsoft's top executives Microsoft intertwined their browser so deep into the OS internals that it's impossible for Microsoft to make a version of Windows that can even boot without running browser code. Linux isn't designed that way. The browser isn't intertwined with the kernel or key parts of the OS. The browser (actually browsers) are completely separate applications like any other application, and the Linux OS is in no way dependant on the browser.

    It is fair, I think, to take Microsoft at their word, especially given the supporting evidence. When they testify under oath that their engineers are unable to remove legacy Internet Explorer code from Windows because it's so intertwined with the OS, and we see that in fact browser-based exploits do in fact infect the Windows OS at a deep level, we can only conclude that their testimony is true and they really did embed IE code deep in the OS.

    Unless we get some strong evidence that Microsoft was committing perjury, it does make sense to acknowledge that their browser is an intrinsic part of their OS. It also makes sense to acknowledge the fact that Linux is not designed that way.

  14. Feature? by hduff · · Score: 1

    "According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online."

    That's a Windows feature, right?

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  15. Re:Isn't it time to stop exposing SMB to the world by Jeremy+Allison+-+Sam · · Score: 1

    The SMB protocol itself isn't "horridly broken", although SMB1 doesn't support the integrity protection that prevents man-in-the-middle downgrade attacks (SMB3 does).

    Specific *implementations* can be broken, but if you're fully patched there are no existing vulnerabilities here.

  16. Re:Isn't it time to stop exposing SMB to the world by PPH · · Score: 1

    will surely be blocked by your routers firewall anyway

    I'll be sure to bring my router with me the next time I use my laptop at the local coffee shop.

    --
    Have gnu, will travel.
  17. Re:Eternal Blue it's name wasn't derived from blue by HiThere · · Score: 1

    No, because MSWind frequently failed on demos.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  18. Re:Microsoft testified browser is embedded in core by Anonymous Coward · · Score: 0

    "It is the sworn testimony of Microsoft's top executives Microsoft intertwined their browser so deep into the OS internals that it's impossible for Microsoft to make a version of Windows that can even boot without running browser code. Linux isn't designed that way. "

    Fucking hell aren't you a special kind of stupid? That's a) long been proven false, largely by FOSS zealots themselves who wanted to show Microsoft was lying, and b) It happened about 20 fucking years again on a completely different architecture of Windows to that which is in use now. You don't do yourself any favours when you use such profoundly stupid, dishonest, and trivially disprovable lies.

    In fact, about 10 years ago, Microsoft released the E editions in Europe precisely to stave off a fine about exactly this (unfortunately it didn't work when they tried to sneak it in pre-installed in later versions and they got fined anyway) but the very fact the E editions even existed were proof enough that even 10 years ago Windows wasn't bound to IE.

    Even if what you said were true though which it's clearly not, the vast majority of exploits just aren't happening in Edge anyway. Firefox, and even Chrome are seeing a far larger proportion of vulnerabilities.

    So stop talking shit and accept the reality of the fact that Windows is at least as secure as Linux nowadays. The most serious vulnerabilities of recent years have occured on open source's watch - Heartbleed, DNS Cache Poisoning, Shellshock, Stagefright, Java Serialisation Exploit, glibc getaddrinfo. The serious vulnerabilities that have affected Windows in the last decade such as EternalBlue, and POODLE affected FOSS equivalents as well.

    Whilst people like you have spent the last 20 years fighting a battle that ended in 2001, Microsoft has in contrast spent that time being actually useful, improving it's product, practices, and mindset, and now makes people like you look like a laughing stock because you've literally been living under a self-imposed rock for 20 years and are still stating things that were barely true back then as fact now when they're anything but. You really need to get with the program, and join the 21st century where Microsoft is an organisation that sells an OS that's at least as secure as it's MacOS and Linux competitors, but that also contributes to fixing FOSS vulnerabilities itself too. Until you've caught up on the last 20 years of progress though, kindly just shut the fuck up, go away, and stop spouting irrelevant factually incorrect bullshit.

    No wonder Linux is in such a relatively shit state nowadays if it's proponents like you are still functioning on now incorrect and useless 20 year old knowledge. The reality is that the premise of Microsoft being exploited more because it was a bigger target due to bigger market share was largely true, and now that Linux has increased it's installbase through mobile as has iOS and MacOS to a lesser degree we're seeing the increased scrutiny hit these OS' hard and highlight them as being just as vulnerable as Windows ever was (especially Android which doesn't even offer software patches beyond about a year for most phones unlike Windows which at least fixed vulnerabilities for over 10 years post release).

  19. Check your facts before calling someone stupid by raymorris · · Score: 1

    Calling someone stupid is always rude, but calling them stupid while you spout "facts" that well-known to be completely false makes you look really silly.

    For a few weeks, Microsoft TALKED ABOUT maybe releasing an "E" version of Windows 7 for Europe, which would have the IE icon removed from the desktop and such. It would still be installed, because it's required by a lot of other system components, but the shortcut to launch a pure IE window wouldn't be there by default. A few weeks later they announced they wouldn't be doing that, Europe would get Windows with IE pre-installed.

    I completely agree Microsoft has changed a lot in the last ten years or so. As their Windows revenue has been falling every year for a long time, they've shifted their focus to profitable products instead.

  20. Re:Isn't it time to stop exposing SMB to the world by Anonymous Coward · · Score: 0

    Blame routers with USB file sharing capabilities