An interesting tidbit is that Google's Project Zero was known to discover zero-days used by Western government agencies for counterterrorism operations and got such vulnerabilities patched.
Yes. The NSA has disclosed hoarded zero-days to Microsoft when they have fallen into the hands of people they did not like. See the Shadow Brokers incident [1]:
> the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks
Obviously, the problem with this is that the NSA were unaware their zero-days had fallen into enemy hands until the Shadow Brokers very publicly advertised the fact that they had them.
Take the EternalBlue exploit [1] as an example: the NSA had been aware of the vulnerability for years, but only informed Microsoft once it slipped out of their control:
"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[19] after delaying its regular release of security patches in February 2017.[20] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[21] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time
...
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"
–CVE-2021-33742, a remote code execution bug in a Windows HTML component.
The only one that stands out as being a real concern, but who's willing to bet it requires JS to exploit (or even if not, the attackers prefer to obfuscate it using JS)? Turning off JS by default in IE is probably the single most effective way of preventing these attacks. Even if you don't use IE, it'll greatly reduce the attack surface. I've browsed the shadier parts of the Internet for literally decades this way.
Fortunately IE lets you apply different settings to groups of sites, so you can stop JS from any random site on the Internet while allowing the enterprise apps that need it:
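The per-zone setup described above, as an added example rather than the commenter's own configuration: it disables Active scripting (and ActiveX) in the Internet zone and maps an allow-list of hosts into the Trusted sites zone, where scripting stays on. The zone numbers and value IDs are the documented IE security-zone registry layout; the host names are placeholders.

```powershell
# Added example (not from the thread): turn off "Active scripting" in the
# Internet zone and re-enable it only for an explicit allow-list via the
# Trusted sites zone. Zone numbers and policy value IDs follow the documented
# IE security-zone registry layout; the host names are placeholders.

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone 3 = Internet, zone 2 = Trusted sites.
# 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
# Values: 0 = enable, 1 = prompt, 3 = disable.
Set-ItemProperty -Path "$zones\3" -Name '1400' -Type DWord -Value 3
Set-ItemProperty -Path "$zones\3" -Name '1200' -Type DWord -Value 3
Set-ItemProperty -Path "$zones\2" -Name '1400' -Type DWord -Value 0

function Add-TrustedSite {
    # Map one host to zone 2. IE keys the ZoneMap by registrable domain with the
    # remaining labels as a subkey (example.com\intranet for intranet.example.com);
    # a DWORD named after the scheme holds the zone number.
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [string]$Scheme = 'https'   # use '*' to cover every scheme
    )
    $labels = $Fqdn.Split('.')
    $key = Join-Path $zoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Type DWord -Value 2
}

# Placeholder hosts standing in for the enterprise apps that still need JS.
'intranet.example.com', 'erp.example.com' | ForEach-Object { Add-TrustedSite -Fqdn $_ }

# Read back the Internet-zone values to confirm the change took.
Get-ItemProperty -Path "$zones\3" | Select-Object -Property '1400', '1200'
```

This writes the per-user (HKCU) zone settings, so IE must be restarted to pick them up, and it only works where Group Policy is not already enforcing the Site to Zone Assignment List, since policy-delivered zone maps take precedence over the user's own ZoneMap.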
We see JS as insecure because we can turn it off, and its history is pretty bad. We can't turn off parsing, rendering, and other features necessary to display a webpage, and those are just as well exploited. JS at least gets multi-layered sandboxing and isolation.
Modern browsers are not well suited to security and anonymity. Tor Browser is the only one that actually removes tracking data and the wider attack surfaces of modern browser features like WebGL. However, it's still not 'secure'. You still have plenty of features that come from complex codebases, such as media decoders.
> Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users.
Extended Support ended January 14, 2020; however, Microsoft is offering Extended Security Updates (ESU) until January 2023. It's a paid program to extend security patches, having to be paid once a year for each of the 3 years, so only truly desperate companies are paying for this privilege.
But the Update Catalog shows updates that you can apparently download as usual for Windows 7 in this case. There is a specific rationale given on at least one of the reports[1] for why a patch is still being issued even though Windows 7 is out of support. So I'm not sure this time it has anything to do with ESU.
Last week I saw a friend using .NET software that scrapes the Catalog, automatically downloads all patches and applies them to the system. It's apparently common in enterprises without an ESU subscription... I was quite surprised and amused.
Hahah, that's actually awesome. Of course someone out there put in the leg work to work around the licensing issue, and then shared it to the (minor?) masses.
Incidentally I just finished building a new Win7 machine yesterday and applying all the updates.
You are correct, this one wasn't caught organically through Windows Update. I had to install the KB4555449 Servicing Stack update first (https://www.catalog.update.microsoft.com/Search.aspx?q=KB455...), after which I was able to install the patch you linked. Did it on two machines (one freshly formatted, one old) and it took several minutes on each to install (longer than a typical update), and required a reboot after.
Rollup patches following 2020-01 will install and then roll back after reboot if you're not following the ESU requirements. Most likely the new patch just rolled back and you're still on KB4534310.
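A way to apply the update in the order the thread describes and then check whether it actually stuck, as an added example and not either commenter's own procedure: it installs the KB4555449 servicing stack update first if missing, installs the rollup, and after the reboot distinguishes a real install from the silent rollback that leaves the machine on KB4534310. The rollup KB number and the .msu paths are placeholders you fill in from your Catalog download; only the two KBs named in the thread are hard-coded.

```powershell
# Added example (not from the thread). KB4555449 and KB4534310 are the KBs
# named in the thread; $RollupKb and the .msu paths are placeholders.
# Run once to install, reboot, then run again with -Verify.
param(
    [Parameter(Mandatory = $true)][string]$RollupKb,    # the rollup you downloaded (not named in the thread)
    [Parameter(Mandatory = $true)][string]$RollupMsu,   # placeholder path to that rollup's .msu
    [string]$SsuMsu = 'C:\patches\ssu.msu',              # placeholder path to the KB4555449 .msu
    [switch]$Verify                                      # post-reboot check only
)
$SsuKb     = 'KB4555449'   # servicing stack update that had to go on first
$OldRollup = 'KB4534310'   # 2020-01 rollup you are left on if the new one rolls back

function Test-HotFixInstalled([string]$Kb) {
    # Get-HotFix reads Win32_QuickFixEngineering; absent KBs return nothing.
    $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Path) {
    # wusa.exe exit codes: 0 = installed, 3010 = installed, reboot required.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "wusa.exe failed for $Path with exit code $($p.ExitCode)"
    }
}

if ($Verify) {
    if (Test-HotFixInstalled $RollupKb) {
        "$RollupKb is installed and survived the reboot."
    } elseif (Test-HotFixInstalled $OldRollup) {
        "$RollupKb is absent and $OldRollup is still present: the rollup rolled back after reboot."
        # Servicing writes its install/rollback events to the Setup log.
        Get-WinEvent -LogName Setup -MaxEvents 50 |
            Where-Object { $_.Message -match $RollupKb } |
            Select-Object TimeCreated, Id, Message
    } else {
        "Neither $RollupKb nor $OldRollup is present; inspect Get-HotFix output by hand."
    }
    return
}

if (-not (Test-HotFixInstalled $SsuKb)) { Install-Msu $SsuMsu }   # prerequisite first
Install-Msu $RollupMsu
"Reboot now, then rerun with -Verify to confirm $RollupKb stayed installed."
```

The `-Verify` pass is the part worth keeping: a rollup that reports success from wusa.exe and then reverts during the restart looks identical to a clean install until you compare the installed-hotfix list afterwards.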
Are these on the same level as Stuxnet? For an amazing technical deep dive into each 0-day Stuxnet vulnerability watch this talk with Bruce Dang from Microsoft[1]. I really enjoy his natural speaking style (it's like talking about Stuxnet over beers with him).
Do the Microsoft links not work for anyone else too? I get a "Something went wrong" error on all the links. Would like to read more about specific vulns.
To add insult to injury, Microsoft's server refuses to honour the Accept-Encoding header, e.g., setting the value to "identity" has no effect. It returns compressed content no matter what, even when the content size is very small.
To create a simple HTML page with all the info you need, no Javascript required
I use Linux exclusively. You don't need a zero-day when everyone forgets to patch or takes a month to do so. To say nothing of the documented vulnerabilities with no available patch.
People have different preferences for what they like to work on, but you seem to be implying the weather app engineers are incapable of doing that work. Like they're some kind of lower caste that must be kept away from working on security mitigations for filesystem drivers.
I don't believe there's some category of human that's capable of shipping Windows 10 feature apps, and only that. People can move internally! People can leave and other people can be hired. It's all priorities and task allocation.
The impression I get (and please correct me) is not really that there's an oversupply of news feed app builders on the market, but that the Windows team at Microsoft has been shifting to more user-facing features rather than internal deep kernel work.
There are many engineers who do super-boring stuff as main work, working on mind-bogglingly hard problems afterhours.
Also, that weather-widget engineer could do some basic tasks, offloading a more experienced engineer, who would offload an even more experienced engineer, until that chain of offloading makes enough time for the NTFS ninja to hunt down and fix that bug or write a fuzzer that finds new zero-days.
So they shouldn't fund adding local weather to task bar while there are potential security flaws anywhere in the OS? This seems like a sillier straw man.
You have to look at the customers. If you push for Linux throughout your organisation and you get hit with a Linux zero-day, it's your fault.
If you use MS, then it's Microsoft's fault; you won't be blamed, because almost everyone was exposed to it and you got hit.
These companies also have older workforce who are used to windows and the switch would be difficult. Yes I know some older users would be fine but that is not the majority.
It's similar to the "no one got fired for buying oracle" situation
That’s a ridiculous claim. Kernel programming isn’t some fantasy world where only the most passionate developers can do effective work. Most software engineers are web engineers because that’s where the market says they should focus. It says nothing about talent or ability to learn. smh.
There is nothing in their terms of service or privacy policy that says personal information can't be used for an ongoing investigation.. just that it can't be used by "the Community". They even say that they collect personal information when submitting. When it is shared with the Community at large, it is assigned a non-personal identifier.
I view Krebs as a tabloid. It is a stopgap for laymen with slightly above average opsec knowledge. It is rather dangerous because he is wrong or misrepresents reality rather often. And there's something sensationalist about every article. They always have this rushed, panic-driven, sophomoric writing style.
To quote a comment I read on HN once, "Krebs is a security entertainer, not a security researcher."
Could you provide some examples to bolster your claim about this person's journalistic integrity?
There are some technical details that may be abstracted or analogized in less-than-accurate fashion, but I don't recall reading an article or post and thinking "gosh, that's just _wrong_"
To his credit, he never claims to be a hands-on researcher who disassembles and analyzes malware himself. I guess that's why I scratch my head when people point to his work as substantial. He has no skin in the game, no hands on technical experience, and just reblogs more technical articles from actual experts. His only real experience is getting personally hacked and hijacked.
Also, to clarify I never questioned his journalistic integrity. I just think he's a mediocre writer. It's his style that I, personally, don't like. One thing he does that I can't wrap my head around is writing about himself in the third person. He uses phrases like "...this author..." in reference to himself. Most authors would not be injecting themselves into a journalistic piece in the first place, but to do it with such bravado is awkward for the reader. Am I supposed to be impressed that you operate a WordPress blog?
Security warfare is fascinating to watch from the mud huts.