anonymousiam 20 hours ago [-]
Attacking the messenger is an age-old trend in the bug reporting arena.
Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.
scamdrill 22 minutes ago [-]
Assuming he wasn't trying to extort them -- which seems absurd, this is a real self-own by Microsoft. We'll see what July 14th brings.
pjmlp 15 hours ago [-]
Worse is that they pride themselves on having had a security culture since XP SP2, hence even having a security conference and related podcast.
So something went down really bad on their side.
RajT88 19 hours ago [-]
I knew a guy who reported an Apple 0day and got similar treatment. I would expect it from those petty bitches. Guess times change.
monster_truck 17 hours ago [-]
You don't even need to find a whole 0day, you can find step 3 of 14.
Just dump it anon or sell it, don't even try to claim a bounty or get a CVE. Without elaborating, they will make sure you regret it.
Same goes for games. If you find RCE, report it and move on. If it remains unfixed, let a journalist know. Do NOT accept their invite to the studio, they want to have you arrested. Would have happened to me were it not for one dude with a conscience at the company warning me not to go.
SXX 18 hours ago [-]
Now an iOS 0-day is worth up to $2,000,000 on the gray market, so Apple kind of takes it seriously.
pjmlp 15 hours ago [-]
When someone says memory corruption is nothing special, they aren't the ones paying those amounts.
Naturally there are other kinds of bugs as well.
However, reducing 70% of root causes saves a bunch of money already.
walrus01 18 hours ago [-]
If you find a real iOS zero day that you think has a market value of 2 million, how do you (a) find a legit buyer for it, and (b) ensure you get paid, presumably in your own choice of cryptocurrency?
Even if you don't count obvious dark markets, there are plenty of well-known companies, mostly from Israel, buying exploits.
You can even reach them via LinkedIn and even demonstrate and sell in person with all the paperwork. No risk here because they will re-sell them for much more.
Having it both fully anonymous, safe and in crypto will be harder. You need to have a trusted friend with the right connections in the industry to not get scammed.
moscoe 17 hours ago [-]
Are you asking for step by step instructions?
walrus01 17 hours ago [-]
No, I'm making the rhetorical point that the sort of persons that might have 2 million lying around to pay for an iOS zero day for blackhat type purposes might not be the most honorable or likely to actually pay you. And what recourse would you have?
SXX 17 hours ago [-]
This depends on what you consider black hat. An Israeli company that sells surveillance malware to dictatorships around the globe isn't exactly moral, but it's a legal business.
Unlike Apple or Microsoft, buying and selling exploits is their only source of income, so they have no motivation not to pay. Reputation is much more important. Also, the legal system does work in Israel.
riedel 13 hours ago [-]
I am really somehow happy about this feud as it really unmasks Microsoft. The signal Microsoft sends to their customers (also corporate and government) is IMHO as disastrous as it is to security researchers.
8cvor6j844qw_d6 24 hours ago [-]
> “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
Well said.
zamalek 23 hours ago [-]
I would argue that this form of disclosure is ethical in the face of Microsoft misbehaving. It's like mutually assured destruction - and in this case (it sounds like) Microsoft tried to cheat and thought they would get away with it.
Feeling consequences is how they are kept in line. Maybe next time they will think twice before (allegedly) treating a person like they did here, as well as the creative reasoning I recall them using in the past to reduce payouts.
thewebguyd 17 hours ago [-]
> the creative reasoning I recall them using in the past to reduce payouts.
It's a wonder anyone even reports things to Microsoft anymore because of this. They have a long habit of declaring things as intentional, then silently patching it after.
12_throw_away 20 hours ago [-]
TBH, the Microsoft statement itself feels like slop. Not necessarily LLM slop (although who are we kidding, it probably was), but definitely like corporate slop, written by some manager with no context for how any of this is supposed to work (they laid off all the people who did), but with a need to make some sort of statement-shaped response.
rustyhancock 23 hours ago [-]
I know this is a crazy take. But I do feel so downtrodden by many, many tech corps these days that I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.
That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized, or as per usual the law will enforce a large corp's will against him.
Yes. Definitely a Friday night after a hard week take.
thewebguyd 18 hours ago [-]
> I am certain he will end up criminalized
DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system running on their own machine; there's no unauthorized access there.
They could drag Eclipse through civil lawsuits though.
But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.
literallyroy 8 hours ago [-]
Unfortunately I think “good faith” goes away quick in the face of “bone shattering”
j-bos 17 hours ago [-]
Sadly CFAA always applies; just read the letter of the law and multiply by the wide net cast by the Microsoft TOS.
matheusmoreira 19 hours ago [-]
Nothing crazy about it. Crazy is feeling sorry for the trillion dollar corporation. Don't let anyone tell you otherwise.
The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.
thot_experiment 20 hours ago [-]
Naw totally agree, we need way more robust protections for security researchers and way harsher penalties for corpos doing bullshit, it should be a percentage of revenue.
We have way too much fuck around these days and not nearly enough find out.
vorpalhex 21 hours ago [-]
Microsoft chose to run a shoddy bounty program. The researcher tried to do the right thing.
Microsoft could have prevented this. They were warned. It's their own fault.
The exploit exists whether or not the researcher reports it. They didn't make the exploit.
thewebguyd 18 hours ago [-]
> They didn't make the exploit
This is important to remember, in this situation and all other 0-day disclosures. There's also no guarantee that the uses of said 0-day after disclosure are the only times it's been actively exploited. The exploit already existed, and there are plenty of three letter agencies and Israeli companies that could very well have already been aware of them.
The only place blame belongs here is on Microsoft, nowhere else.
mrandish 2 hours ago [-]
It's kind of fascinating how large corporations can end up acting like petulant children against their own interests and stated goals. We don't know who said or did what in this situation, but as TFA says, even if the researcher was a maximally bad actor, MSFT's public response hurts their interests. Sometimes individuals behave like petulant children but for a well-run corporation it's a failure mode.
In my experience, corps sometimes behave this way not because it's the 'corporate intent' but simply due to internal politics and ass-covering by individual middle managers. MSFT's response is puzzling because it doesn't clear up anything nor does it try to de-escalate. It's also not the sort of completely neutral statement made when you need to respond but have nothing to say yet. This statement implies the researcher is a bad actor while also being vaguely threatening. I can't imagine any way this benefits MSFT.
It appears more like a junior exec trying to manage the optics so it looks like their department isn't in the wrong. This ass-covering accomplishes nothing for MSFT. Even if the researcher was demanding payment for a vuln and wasn't producing sufficient justification for their demand or wasn't following the process, this isn't a productive response. It sounds more like a manager is worried what their boss thinks. The manager acting this way is bad but the root cause is often the manager's upline creating a context where managers feel they need to ass-cover and stage manage optics.
chasil 22 hours ago [-]
The best interests of the customers of Microsoft is an immediate apology, a payment of at least $100,000, and a signed agreement pledging that no (further) legal action will be taken.
The denial of Microsoft is just as harmful as the exploits of these flaws.
cyanydeez 22 hours ago [-]
Or everyone just dumps all their exploits on Saturday morning at 2AM, then buys puts.
vkou 19 hours ago [-]
You don't want to go short on a company when that happens, you want to go long.
Amazon stock goes up when AWS bugs take down the entire internet, because everyone realizes that more of the internet depends on Amazon than they thought.
TacticalCoder 21 hours ago [-]
> or everyone just dump all their exploits on Saturday morning 2AM, then buy puts.
But nobody can buy puts at 2am on a Saturday morning? You should buy puts on a Friday before close, then dump the exploits, no?
theogravity 21 hours ago [-]
Short via Hyperliquid or some other crypto exchange that tokenizes stock? HL does have a trading pair for MSFT and trades 24/7.
bink 20 hours ago [-]
Responding to bug bounty reports is a thankless job. Especially these days it's a flood of AI spam, language barriers, "pay me first", incomplete reports, huge egos, and people who think every find should be treated as a critical vulnerability. The people who handle these reports often do so after-hours or on holidays. In smaller companies they're also often the ones who manage the triage, patching, testing, and security release process. In larger companies they have to find owners for every line of code and convince those code owners of the severity (often knowing that neither of them will be rewarded for doing the work).
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporter's permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
myself248 20 hours ago [-]
> The people who handle these reports often do so after-hours or on holidays.
If that's the case at Microsoft, something is absurdly wrong.
rileymat2 21 hours ago [-]
It is not all about money, but Microsoft had a net income of 101 billion last year, and a 36% profit margin.
I am not saying humans or AI can create "perfect" software, but NASA has shown there is a HUGE gap between what can be achieved and what commercial software has generally done. We have given software a pass on liability for the damage it can cause when it is defective for too long; that's the only way to change this, it must hit the bottom line.
skinfaxi 20 hours ago [-]
Is NASA software accessible over the public internet?
_trampeltier 18 hours ago [-]
All the things up there can be contacted with radio. Some downstream data is easily readable. Sending is another thing, but satellites are in public communication space.
rileymat2 20 hours ago [-]
Not all, but wouldn't that make a case for more rigorous standards? Economically things must be prioritized, but there is a very big gap between NASA standards and typical commercial software.
skinfaxi 19 hours ago [-]
To be fair NASA doesn't have to turn a profit.
rileymat2 18 hours ago [-]
There are economic realities, but there is a huge gap between not turning a profit and a 36% margin on billions.
bilekas 14 hours ago [-]
I was reading about this yesterday and my tinfoil hat started to rustle in the drawer.
It sounded like it really could have been a backdoor that was complicated enough to not be an easy replacement to roll out without being detected, so Microslop tried to shut down the discovery as soon as possible, annoyed the wrong researcher, and now they're at risk of really having to remove their backdoor to an administration that is not exactly understanding.
gslepak 21 hours ago [-]
It's poor form to publish exploits like this but Microsoft not paying their bounty is also poor form, and so is attempting to exploit the legal system to defend Microsoft's "right" to write buggy code.
rolph 1 day ago [-]
There are active forks, and active mitigations for Redsun, Undefend and Bluehammer.
So far as I can tell Yellowkey is problematic, as the exploit takes advantage of a backdoor that MS needs to "manage" your computer.
> So far as I can tell Yellowkey is problematic, as the exploit takes advantage of a backdoor that MS needs to "manage" your computer.
It does look like an intentional backdoor. The way ms is responding to it is even more suspicious.
Pretty funny since this defeats security on most corporate laptops, so impact is huge. You'd expect them to treat the reporter better and fix the issue fast...
I'm curious why they put it in, I'm not sure I understand the 'to "manage" your computer' note.
Microsoft should have no reason to put something like this in. So either they were forced or they had some engineers that did this on their own without any oversight.
jeroenhd 22 hours ago [-]
The backdoor could be a bug, but I don't really understand how it happened.
The attack works by having an NTFS log get replayed against a partition other than the one the log is stored on.
Sending the right signals to unlock BitLocker in TPM-only mode is a necessity for recovery operations. Managing to replace the executable launched post verification is a plausible attack vector.
The weird thing is why it's possible to put the corrupting transactions on a different disk than the one being updated.
In theory I think it would be possible that it's a combination of "all recovery partitions share the same FS identifier and are verified before transaction playback" (it is a pre-packaged WIM file after all) and "the transaction log stores the FS identifier of the partition the changes are meant for", but in my opinion the latter part is a very weird architecture to choose.
If this is a backdoor, I appreciate how clever they were hiding it. If this is a bug, the person who discovered it probably has a whole lot more ready to publish.
Shank 20 hours ago [-]
The thing that made Nightmare think it was a backdoor is that the bug is only present in the recovery version of the DLLs, not the one built into the system, and not prior versions of Windows. It’s also for a file system feature that Microsoft hasn’t “touched” in ages and they consider fairly esoteric.
mittensc 10 hours ago [-]
> The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.
Obfuscated enough to pass internal reviews, sloppy enough to make it look like a bug.
Other reply makes it even more suspicious... the change is new in a subsystem that hasn't been updated in a long time and it's only present in recovery mode files.
Microsoft's handling of this also screams it's not a regular bug and they're likely investigating or someone is trying to cover their ass.
What's even more troubling is that the fix would be a very simple/quick rollback of the change that introduced this... and that they haven't done that is interesting.
rolph 23 hours ago [-]
Manage, meaning remove or disable your stuff and reinstate slopware.
I don't know how much fiddling around you may have done to make a Win11 install local and secure, but if you don't get it right the first time, most often the next update will involve re-installation of bloatkrapp.
The in-house usage is apparently to allow bypass of BitLocker by the WinRE recovery environment.
This has been exploited for some time already, allowing malicious uses of the TrustedInstaller ACL.
I've had to deal with persistent installs using exactly this route, and a really nasty one will brick your machine if you don't knock out its components in the proper sequence: pwning the TrustedInstaller account, and disabling the viral recovery mechanism.
ranger_danger 23 hours ago [-]
> backdoor that ms needs
source:
legohead 20 hours ago [-]
I guess I'll play devil's advocate here, don't shoot me.
Over the course of my career I've had to deal with multiple hacks, DDoSes, and even situations working with the FBI. It's a mess, and extremely frustrating and unfair to those of us who are just trying to do a good job and make a living. Those of you who are throwing stones at Microsoft's coding, how confident are you that your code is safe from this new AI age?
Obviously MS handled this poorly, even after reading this article it's not clear how MS handles bug bounties. But that doesn’t mean this “researcher” deserves a pass.
Releasing 0-days, especially working exploit code for unpatched vulnerabilities, is extremely unethical. It has real potential to cause a lot of harm to regular engineers, and users who had nothing to do with the dispute.
nemomarx 20 hours ago [-]
I don't think it's their fault for not making code without exploits. I do think they should try and close them in a timely fashion when the exploit is pointed out though - the longer they wait the more chance bad actors find it in addition to the security researchers. Ultimately they need to cooperate here for users to be safe.
rileymat2 17 hours ago [-]
> I do think they should try and close them in a timely fashion when the exploit is pointed out though - the longer they wait the more chance bad actors find it in addition to the security researchers.
You are assuming it is not already being actively exploited and there will be a timely response to fix it, which is why we have these ticking clocks.
thewebguyd 18 hours ago [-]
They should also be fully transparent and not silently patch, and only issue a CVE weeks later after being called out like they did with RedSun, from this same researcher.
That Microsoft releases vulnerable software isn't the issue (that's a known quality at this point), it's their lack of transparency and refusal to hold themselves accountable.
Did they start to do that at some point, or is this a pressure (blackmail?) campaign to get them to do that? I have no love for, but rather hate for, Microsoft, so I'm not suggesting blackmail in the sense of defending them, but it's something they could claim.
This is on Microsoft's website; they don't promise much for CVD.
Instead they have a reputation for telling researchers that their disclosure isn’t actually a vulnerability and doesn’t qualify for a bounty or recognition, then quietly patching said non-vulnerability with a suspicious degree of urgency.
jiggawatts 13 hours ago [-]
Happened to me when I reported that I could get Azure to issue me a certificate for a domain I don’t own.
Rejected, then quietly fixed a couple of months later.
aidenn0 22 hours ago [-]
I wonder: what's the approximate market value on the bugs so far released?
mentalgear 6 hours ago [-]
Reeks of management trying not to assign CVE labels to obvious vulnerabilities, so that in public Windows doesn't come across as the security Swiss cheese nightmare that it is.
themafia 23 hours ago [-]
> “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,”
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
throwaway763210 23 hours ago [-]
Responsible disclosure isn't a law, it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non-disclosure are valid choices as well.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
hungryhobbit 22 hours ago [-]
Or maybe they shouldn't revoke the very accounts researchers are required to use to communicate exploits to MS?
1vuio0pswjnm7 8 hours ago [-]
"Ultimately, “the bugs are Microsoft's,” Moussouris said."
Not much has changed at Microsoft
Still trying to blame others for its own incompetence
SXX 18 hours ago [-]
What is Microslop management and the PR department doing? How come this can go on for a week?
They spent billions trying to build this open source and developer friendly image to just burn it all over $200,000 of unpaid security bounties.
Microsoft is a dumpster fire.
codedokode 22 hours ago [-]
I read a little about BitLocker. It seems to store the encryption key in the TPM and acquire it automatically after boot. I wonder, can the encryption key be extracted by inserting a rogue PCIe card and reading it from memory, or by inserting a rogue DDR memory card with a backdoor to read the key from it, or by sniffing the CPU-TPM bus?
kotaKat 22 hours ago [-]
Sniffing the TPM's been available for quite some time, actually - and quite cheap!
The best way would arguably be to keep the key completely off the TPM and use remote attestation. There's some preboot products out there like WinMagic SecureDoc* that use a little Linux partition, spin up just enough to get a network connection up to a remote server, provide authentication services, and then send the BitLocker key down, unlock the partition, and chainload onwards to Windows.
* I acquired an enterprise device on eBay and was VERY surprised to find this product on it as the preboot protector. Zero way to crack in from my end, so I applaud it. There's even some MFA solutions they offer around this! https://winmagic.com/en/solutions/mfa-windows-login/
Retr0id 22 hours ago [-]
Something I've never understood about TPM attestation, is what happens if you plug the TPM into a microcontroller and give it all the same measurements that it would normally receive during a normal boot? Would that let you spoof attestations?
g_p 21 hours ago [-]
Yes, you should be able to. In essence, the state of the TPM is represented in the values of the PCRs (Platform Configuration Registers). Those are hash-extended through the boot process.
You can create a key or similar attribute which has an unlock policy based on those PCR values. If you play back the log of PCR write events from first principles (the log can be captured for debug purposes), you'll put the TPM into the same state and should be able to use anything protected by the respective policy.
For attestation, I presume you're thinking about sending an attested PCR quote - in that case, the TPM uses a non-extractable key to sign the current PCR states. As you can put the PCRs into the "correct" state, you'd be able to get a signed attestation the system is in that state.
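A worked illustration of the PCR mechanics described in the reply above, added here as an example (not code from the commenter, from Microsoft, or from any TPM vendor): it models extend, a PCR-bound unseal, and a quote, and shows why a replayed event log reaches the same state while a changed or reordered measurement does not, and why a startup PIN (as another reply in the thread suggests) adds a factor the PCR state alone cannot supply. The event log, keys and PIN are constructed sample values; the quote uses HMAC as a stand-in for the TPM's asymmetric attestation key.

```python
import hashlib
import hmac

HASH = hashlib.sha256
PCR_COUNT = 24
INITIAL_PCR = b"\x00" * 32  # resettable PCRs start all-zero in the SHA-256 bank


def digest(label: bytes) -> bytes:
    """Stand-in for the hash of a measured object (firmware volume, EFI binary, policy var)."""
    return HASH(label).digest()


# Constructed event log in the shape of a TCG boot log: (PCR index, digest of measured object).
# Real logs also carry event types and raw data; only the digests feed the extend chain.
CONSTRUCTED_BOOT_LOG = [
    (0, digest(b"firmware-volume-v1")),
    (2, digest(b"option-rom-nic")),
    (4, digest(b"bootmgfw.efi")),
    (7, digest(b"SecureBoot=enabled")),
    (7, digest(b"db:signing-ca-entry")),
    (11, digest(b"bitlocker-phase-0")),
]
BOOT_SELECTION = [0, 2, 4, 7, 11]


def pcr_extend(old: bytes, d: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || d). One-way and order-dependent."""
    return HASH(old + d).digest()


def replay_event_log(log):
    """PCR bank a TPM holds after receiving exactly these extends, in this order.
    Nothing in the result identifies the host: the same extends give the same bank."""
    bank = [INITIAL_PCR] * PCR_COUNT
    for idx, d in log:
        bank[idx] = pcr_extend(bank[idx], d)
    return bank


def pcr_composite(bank, selection) -> bytes:
    """pcrDigest as TPM2_PolicyPCR computes it: hash over the concatenated selected PCRs."""
    return HASH(b"".join(bank[i] for i in selection)).digest()


def unseal(bank, selection, policy: bytes, sealed_secret: bytes):
    """TPM-only mode: release the secret when current PCR state matches the sealing policy."""
    if hmac.compare_digest(pcr_composite(bank, selection), policy):
        return sealed_secret
    return None


def pin_policy(bank, selection, pin: bytes) -> bytes:
    """TPM+PIN mode: the policy also binds an authorization value the PCR state cannot supply."""
    return HASH(pcr_composite(bank, selection) + HASH(pin).digest()).digest()


def unseal_with_pin(bank, selection, pin: bytes, policy: bytes, sealed_secret: bytes):
    """Release the secret only when both the PCR state and the PIN match the policy."""
    if hmac.compare_digest(pin_policy(bank, selection, pin), policy):
        return sealed_secret
    return None


def quote(bank, selection, nonce: bytes, attestation_key: bytes) -> bytes:
    """Attestation quote over PCR state and a verifier nonce. A real TPM signs with an
    asymmetric attestation key; HMAC stands in here so the block runs offline."""
    return hmac.new(attestation_key, nonce + pcr_composite(bank, selection), HASH).digest()


def demo():
    vmk = b"constructed-volume-master-key"
    genuine = replay_event_log(CONSTRUCTED_BOOT_LOG)
    policy = pcr_composite(genuine, BOOT_SELECTION)
    ak = b"constructed-non-extractable-ak"
    nonce = b"verifier-nonce-1"

    # The same log fed from any controller (the microcontroller case above) reaches the same state.
    replayed = replay_event_log(list(CONSTRUCTED_BOOT_LOG))

    # One changed boot component diverges the chain; so does swapping the two PCR 7 events.
    tampered = replay_event_log(
        [(i, digest(b"other-bootmgfw.efi") if i == 4 else d) for i, d in CONSTRUCTED_BOOT_LOG]
    )
    swapped = list(CONSTRUCTED_BOOT_LOG)
    swapped[3], swapped[4] = swapped[4], swapped[3]
    reordered = replay_event_log(swapped)

    pin_pol = pin_policy(genuine, BOOT_SELECTION, b"1234")
    return {
        "replay_unseals": unseal(replayed, BOOT_SELECTION, policy, vmk) == vmk,
        "tamper_unseals": unseal(tampered, BOOT_SELECTION, policy, vmk) is not None,
        "reorder_unseals": unseal(reordered, BOOT_SELECTION, policy, vmk) is not None,
        "replay_quote_matches": quote(replayed, BOOT_SELECTION, nonce, ak)
        == quote(genuine, BOOT_SELECTION, nonce, ak),
        "pin_blocks_replay": unseal_with_pin(replayed, BOOT_SELECTION, b"0000", pin_pol, vmk) is None,
        "pin_unseals_with_pin": unseal_with_pin(genuine, BOOT_SELECTION, b"1234", pin_pol, vmk) == vmk,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```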
pitched 21 hours ago [-]
TPM-only saves you against someone pulling your drive. Probably more than enough for a USB drive. Enable startup PIN if you’re worried about someone grabbing the whole laptop.
codedokode 21 hours ago [-]
I think it does not make much sense to protect the USB drive, as you won't be able to access it from another computer, which is what USB drives are for. It makes sense to protect internal drives, but it is unlikely that someone would remove the drives and leave an expensive laptop to the owner.
pitched 20 hours ago [-]
I think of TPM-only more like a privacy lock than a deadbolt.
An encrypted external drive though works like a safe. Put things in there you want to keep safe but don’t need every day. Air gapped while not in use makes it even more safe.
Retr0id 21 hours ago [-]
I'm asking about TPM attestation in general, not BitLocker.
dlgeek 20 hours ago [-]
Yes.
Some modern CPUs have moved the TPM inside the CPU itself. But traditionally, TPMs were attached via the LPC (low pin-count) bus, and you could absolutely sniff them or de-solder them and arbitrarily MiTM.
rolph 21 hours ago [-]
Yes, sniffing is possible; for now I'm waiting for some Pluton variant to start making its way into the chip and die stream.
The concept is to shield the TPM, its bus, and any keys with the CPU chip.
wolvoleo 10 hours ago [-]
Current TPMs already have the ability to encrypt the comms to the CPU. Motherboard manufacturers just don't bother implementing it.
rolph 5 hours ago [-]
Pluton is about physically placing the TPM behind the CPU die; it's more than an SoC, it eliminates the possibility of getting to the TPM at all. You won't be able to drill into the chip to access bus lines without mangling the whole thing.
No sniffing would be possible after Pluton chips, even if you could decrypt.
But as I said, for now you can still sniff.
ChrisArchitect 23 hours ago [-]
Related:
GitHub bans security researcher who posted zero-day Windows exploits
I've been working with Microsoft products since about 1989. It has been mostly miserable, like living with a schizophrenic gorilla. You wake up in the morning and don't know how fucked your day is going to be. Dealing with them has been absolutely impossible even when you were one of their "gold" tier partners back in the day.
I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.
this_user 23 hours ago [-]
At the end of the day, Microsoft won't care how bad any of this will make them look. Their reputation has been abysmal for decades, but none of it actually seems to have any kind of negative effect on their bottom line.
lukan 21 hours ago [-]
Because they mainly care about their reputation in C suites not internet forums.
iJohnDoe 16 hours ago [-]
I know this is a cynical approach, but I imagine most security flaws in Microsoft products are somewhat intentional. Either by purposefully putting them there or by willingly ignoring them.
It’s widely known how much Microsoft cooperates with three letter agencies. I think they are in a bind on how to act in these situations. They don’t want to acknowledge or fix the 0-day vulnerabilities because they don’t know if those are in use via state sponsored operations. Either they deal with customer fallout or they deal with the grief from their agency liaisons that they interrupted a multi-year operation by fixing the 0-day.
Vulnerability researchers really should avoid reporting to Microsoft and just sell them instead.
zingababba 21 hours ago [-]
Watching Microsoft squirm is always peak
rekabis 1 day ago [-]
I may not have seen the full story - and I am cognizant of this - but what I have seen so far puts me solidly on the side of Nightmare Eclipse.
Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
zadkey 1 day ago [-]
Everything I've read points to the same.
nicman23 12 hours ago [-]
Bold move in the age of LLM 0-days. This will be worse than geohot and Sony.
beng-nl 11 hours ago [-]
Off-topic, but I found his diss track years after the fact and actually really respect that he could put together and perform a pretty smooth, catchy, witty track in what must have been a stressful time.
nicman23 11 hours ago [-]
geohot is a main character in this world tbh
CTDOCodebases 19 hours ago [-]
Did Microsoft ever explain why BitLocker could be deliberately circumvented?
Part of me thinks they are welcoming this drama because if the other 0-days are genuine bugs then it muddies the water and shifts the focus away from the fact that they shipped an intentionally backdoored security product.
45ahgd 23 hours ago [-]
This is poor damage control by Microslop. Why would the researcher publish valuable exploits without trying to get a bounty?
Usually, when an individual is that upset, the group or corporation is wrong and tries to shape public perception by lying.
Since when is publishing zero days a crime anyway? Shame on Microslop for these intimidation tactics. The real crime is vibe coding operating systems.
midtake 23 hours ago [-]
Sorry not sorry
UltraSane 18 hours ago [-]
They should really hire him.
Hikikomori 21 hours ago [-]
Hey MSRC. Maybe don't ban security researchers and then complain about vulnerabilities not being disclosed to you? Have you tried not fucking yourself?
https://en.wikipedia.org/wiki/Cyber-arms_industry
You can even reach them via Linkedin and even demonstrate and sell in person with all paperwork. No risk here because they will re-sell them for much more.
Having it both fully anonymous, safe and in crypto will be harder. You need to have a trusted friend with the right connections in the industry so you don't get scammed.
Unlike Apple or Microsoft, buying and selling exploits is their only source of income, so they have no motivation not to pay. Reputation is much more important. Also, the legal system does work in Israel.
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
Well said.
Feeling consequences are how they are kept in line. Maybe next time they will think twice before (allegedly) treating a person like they did here, as well as the creative reasoning I recall them using in the past to reduce payouts.
It's a wonder anyone even reports things to Microsoft anymore because of this. They have a long habit of declaring things as intentional, then silently patching it after.
That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized or, as per usual, the law will enforce a large corp's will against him.
Yes. Definitely a Friday night after a hard week take.
DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system, running on their own machine there's no unauthorized access there.
They could drag Eclipse through civil lawsuits though.
But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.
The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.
We have way too much fuck around these days and not nearly enough find out.
Microsoft could have prevented this. They were warned. It's their own fault.
The exploit exists whether or not the researcher reports it. They didn't make the exploit.
This is important to remember, in this situation and all other 0-day disclosures. There's also no guarantee that the uses of said 0-day after disclosure are the only time it's been actively exploited. The exploit already existed, and there are plenty of three-letter agencies and Israeli companies that could very well have already been aware of it.
The only place blame belongs here is on Microsoft, nowhere else.
In my experience, corps sometimes behave this way not because it's the 'corporate intent' but simply due to internal politics and ass-covering by individual middle managers. MSFT's response is puzzling because it doesn't clear up anything nor does it try to de-escalate. It's also not the sort of completely neutral statement made when you need to respond but have nothing to say yet. This statement implies the researcher is a bad actor while also being vaguely threatening. I can't imagine any way this benefits MSFT.
It appears more like a junior exec trying to manage the optics so it looks like their department isn't in the wrong. This ass-covering accomplishes nothing for MSFT. Even if the researcher was demanding payment for a vuln and wasn't producing sufficient justification for their demand or wasn't following the process, this isn't a productive response. It sounds more like a manager is worried what their boss thinks. The manager acting this way is bad but the root cause is often the manager's upline creating a context where managers feel they need to ass-cover and stage manage optics.
The denial of Microsoft is just as harmful as the exploits of these flaws.
Amazon stock goes up when AWS bugs take down the entire internet, because everyone realizes that more of the internet depends on Amazon than they thought.
But nobody can buy PUTs at 2am on a saturday morning? You should buy PUTs on a friday before close then dump the exploits no?
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporter's permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
If that's the case at Microsoft, something is absurdly wrong.
I am not saying humans or AI can create "perfect" software, but NASA has shown there is a HUGE gap between what can be achieved and what commercial software has generally done. We have given software a pass on liability for the damage it can cause when it is defective for too long; that's the only way to change this, it must hit the bottom line.
It sounded like it really could have been a backdoor, that was complicated enough to not be an easy replacement to roll out without being detected, so Microslop tried to shut down the discovery as soon as possible, annoyed the wrong researcher and now they're at risk of really having to remove their back door to an administration that is not exactly understanding.
so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs to "manage" your computer.
only recently has a OOB mitigation been offered
https://www.techspot.com/news/112410-security-researcher-mic...
It does look like an intentional backdoor. The way ms is responding to it is even more suspicious.
Pretty funny since this defeats security on most corporate laptops, so impact is huge. You'd expect them to treat the reporter better and fix the issue fast...
I'm curious why they put it in, I'm not sure I understand the 'to "manage" your computer' note.
Microsoft should have no reason to put something like this in. So either they were forced or they had some engineers that did this on their own without any oversight.
The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.
Sending the right signals to unlock Bitlocker in TPM-only mode is a necessity for recovery operations. Managing to replace the executable launched post verification is a plausible attack vector.
The weird thing is why it's possible to put the corrupting transactions on a different disk than the one being updated.
In theory I think it would be possible that it's a combination of "all recovery partitions share the same FS identifier and are verified before transaction playback" (it is a pre-packaged WIM file after all) and "the transaction log stores the FS identifier of the partition the changes are meant for", but in my opinion the latter part is a very weird architecture to choose.
If this is a backdoor, I appreciate how clever they were hiding it. If this is a bug, the person who discovered it probably has a whole lot more ready to publish.
Obfuscated enough to pass internal reviews, sloppy enough to make it look like a bug.
Other reply makes it even more suspicious... change is new in a subsystem that hasn't been updated in a long time and it's only present in recovery mode files.
Microsoft handle of this also screams it's not a regular bug and they're likely investigating or someone is trying to cover their ass.
What's even more troubling is that the fix would be a very simple/quick rollback of the change that introduced this... and that they haven't done that is interesting.
i don't know how much fiddling around you may have done to make a win11 install local and secure, but if you don't get it right the first time, most often the next update will involve re-installation of bloatkrapp.
the in house usage is apparently to allow bypass of bitlocker by the winRE recovery environment.
this has been exploited for some time already, allowing malicious uses of trustedinstaller ACL.
i've had to deal with persistent installs using exactly this route, and a really nasty one will brick your machine if you don't knock out its components in proper sequence: pwning the trusted installer account, and disabling the viral recovery mechanism.
source:
Over the course of my career I've had to deal with multiple hacks, DDOSes, and even situations working with the FBI. It's a mess, and extremely frustrating and unfair to those of us who are just trying to do a good job and make a living. Those of you who are throwing stones at Microsoft's coding, how confident are you that your code is safe from this new AI age?
Obviously MS handled this poorly, even after reading this article it's not clear how MS handles bug bounties. But that doesn’t mean this “researcher” deserves a pass.
Releasing 0-days, especially working exploit code for unpatched vulnerabilities, is extremely unethical. It has real potential to cause a lot of harm to regular engineers, and users who had nothing to do with the dispute.
You are assuming it is not already being actively exploited and there will be a timely response to fix it, which is why we have these ticking clocks.
That Microsoft releases vulnerable software isn't the issue (that's a known quality at this point), it's their lack of transparency and refusal to hold themselves accountable.
did they start to do that at some point, or is this a pressure (blackmail?) campaign to get them to do that? I have no love for, but rather hate for, Microsoft, so I'm not suggesting blackmail in the sense of defending them, but it's something they could claim.
this is on Microsoft's website, they don't promise much for CVD
https://www.microsoft.com/en-us/msrc/cvd
Instead they have a reputation for telling researchers that their disclosure isn’t actually a vulnerability and doesn’t qualify for a bounty or recognition, then quietly patching said non-vulnerability with a suspicious degree of urgency.
Rejected, then quietly fixed a couple of months later.
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
Not much has changed at Microsoft
Still trying to blame others for its own incompetence
They spent billions trying to build this open source and developer friendly image to just burn it all over $200,000 of unpaid security bounties.
Microsoft is a dumpster fire.
https://pulsesecurity.co.nz/articles/TPM-sniffing
The best way would be to arguably keep the key completely off the TPM and use remote attestation. There's some preboot products out there like WinMagic SecureDoc* that use a little Linux partition, spin up just enough to get a network connection up to a remote server, provide authentication services, and then send the Bitlocker key down, unlock the partition, and chainload onwards to Windows.
* I acquired an enterprise device on eBay and was VERY surprised to find this product on it as the preboot protector. Zero way to crack in from my end, so I applaud it. There's even some MFA solutions they offer around this! https://winmagic.com/en/solutions/mfa-windows-login/
You can create a key or similar attribute which has an unlock policy based on those PCR values. If you play back the log of PCR write events from first principles (the log can be captured for debug purposes), you'll put the TPM into the same state and should be able to use anything protected by the respective policy.
For attestation, I presume you're thinking about sending an attested PCR quote - in that case, the TPM uses a non-extractable key to sign the current PCR states. As you can put the PCRs into the "correct" state, you'd be able to get a signed attestation the system is in that state.
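The log replay this comment describes is also what an attestation verifier does on the receiving side: replay the measured-boot event log from all-zero PCRs and check that the result explains the PCR values in the quote. As an added example (not code from the thread or from any TPM vendor), the Python below does that for the SHA-256 bank using a constructed TCG-style event log; the event labels, the `expected_quote` helper and the two tamper helpers are constructed for illustration, not taken from a real machine.

```python
"""Replay a TPM PCR event log and compare it with quoted PCR values.

Added example, not from the thread. Assumes the SHA-256 PCR bank, where
TPM2_PCR_Extend computes new = SHA-256(old || digest) and every PCR starts
as 32 zero bytes at power-on. The event log below is constructed, not captured.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

PCR_SIZE = 32          # digest size of the SHA-256 bank
Event = Tuple[int, bytes]  # (PCR index, event digest), in measurement order


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One TPM2_PCR_Extend step in the SHA-256 bank."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR value and event digest must both be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events: Iterable[Event]) -> Dict[int, bytes]:
    """Replay the log from the power-on state (all PCRs zero), in order."""
    pcrs: Dict[int, bytes] = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def verify_quote(events: Iterable[Event], quoted: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose replayed value disagrees with the quote.

    An empty list means the log explains every quoted PCR. It shows the TPM
    extended exactly these digests in this order; it does not show where the
    digests came from, which is the caveat the comment above raises.
    """
    replayed = replay_log(events)
    return sorted(i for i, value in quoted.items()
                  if replayed.get(i, bytes(PCR_SIZE)) != value)


def _d(label: bytes) -> bytes:
    """Stand-in event digest: hash of a constructed label."""
    return hashlib.sha256(label).digest()


def constructed_boot_log() -> List[Event]:
    """Constructed stand-in for a TCG event log (event types are real, data is not)."""
    return [
        (0, _d(b"EV_S_CRTM_VERSION: constructed firmware version string")),
        (0, _d(b"EV_EFI_PLATFORM_FIRMWARE_BLOB: constructed firmware volume")),
        (7, _d(b"EV_EFI_VARIABLE_DRIVER_CONFIG: SecureBoot=1")),
        (7, _d(b"EV_EFI_VARIABLE_AUTHORITY: constructed db certificate")),
        (4, _d(b"EV_EFI_BOOT_SERVICES_APPLICATION: constructed bootmgfw.efi hash")),
    ]


def expected_quote() -> Dict[int, bytes]:
    """PCR values an honest quote over PCRs 0, 4 and 7 would report for the log above."""
    return {i: v for i, v in replay_log(constructed_boot_log()).items() if i in (0, 4, 7)}


def with_replaced_digest(events: List[Event], position: int, new_label: bytes) -> List[Event]:
    """Copy of the log with one record's digest replaced (a log edited after the fact)."""
    edited = list(events)
    index, _ = edited[position]
    edited[position] = (index, _d(new_label))
    return edited


def with_swapped_events(events: List[Event], a: int, b: int) -> List[Event]:
    """Copy of the log with two records swapped (replay order changes the PCR value)."""
    edited = list(events)
    edited[a], edited[b] = edited[b], edited[a]
    return edited


if __name__ == "__main__":
    log = constructed_boot_log()
    quote = expected_quote()
    print("honest log   :", verify_quote(log, quote))
    print("edited record:", verify_quote(with_replaced_digest(log, 4, b"constructed other loader"), quote))
    print("reordered log:", verify_quote(with_swapped_events(log, 0, 1), quote))
```

The check catches a log that was edited or reordered after the PCRs were extended, because the PCRs themselves cannot be rewound. What it cannot catch is the case the comment makes: anything that extends the same digests in the same order reproduces the same PCR state, so a quote vouches for the PCR contents and not for how they got there. A real verifier also checks the quote's signature against a known attestation key and a fresh nonce, which this example leaves out.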
An encrypted external drive though works like a safe. Put things in there you want to keep safe but don’t need every day. Air gapped while not in use makes it even more safe.
Some modern CPUs have moved the TPM inside the CPU itself. But traditionally, TPMs were attached via the LPC (low pin-count) bus, and you could absolutely sniff them or de-solder them and arbitrarily MiTM.
the concept is to shield the TPM, its bus, and any keys with the CPU chip.
no sniffing would be possible after Pluton chips, even if you could decrypt.
but as i said, for now you can still sniff.
GitHub bans security researcher who posted zero-day Windows exploits
https://news.ycombinator.com/item?id=48315968
I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.
It’s widely known how much Microsoft cooperates with three letter agencies. I think they are in a bind on how to act in these situations. They don’t want to acknowledge or fix the 0-day vulnerabilities because they don’t know if those are in use via state sponsored operations. Either they deal with customer fallout or they deal with the grief from their agency liaisons that they interrupted a multi-year operation by fixing the 0-day.
Vulnerability researchers really should avoid reporting to Microsoft and just sell them instead.
Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
Part of me thinks they are welcoming this drama because if the other 0-days are genuine bugs then it muddies the water and shifts the focus away from a the fact that they shipped an intentionally backdoored security product.