
Microsoft fixed critical vulnerabilities in uncredited update released in March - fujipadam
https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
======
TwoBit
Why are my taxes being used to fund the NSA exploiting our software instead
of improving it?

~~~
eksemplar
Probably because "your" enemies use "your" software as well. If it makes you
feel any better it looks like the NSA shared the vulnerabilities with
Microsoft a month before they were leaked.

~~~
cies
I think the NSA is spying/surveilling harder on "us" than on "them" (the
enemies).

~~~
bigbugbag
I don't know who the "us" and "them" are here, but fact is the NSA is into
global spying and mostly does industrial spying and "business intelligence" so
the USA gets and maintains an edge over the rest of the world.

But it also spies on US citizens to be sure to control dissent and shut people
down.

~~~
cies
> it also spies on US citizens to be sure to control dissent and shut people
> down.

Yups. Shut dissent down, in an undemocratic way, to keep an undemocratic
gov't from receiving public scrutiny. In the meantime keep up the appearance
you're fighting (inter)national terrorism. Yay for "National Security".

------
sqldba
What I feel is awful is the lack of information stored against each update.

It's all just "security" or "reliability" and possibly a link to a KB which
says the same.

Some large organisations still have stalwart IT managers who insist on not
applying updates unless they know it affects a specific issue that they have. And
now that this information is unpublished they apply nothing. It's lost on me
how they keep their jobs.

Oh well.

~~~
symlinkk
Why is that necessary? I've run Windows on the desktop for probably 10 years
and I have never had an update break anything. Seems like people just trying
to make themselves useful if you ask me.

~~~
rbanffy
It never broke anything you noticed.

What if you are a bank, an airline or a hospital, with thousands of networked
Windows machines, and one update breaks a specific networking feature
(remember [1]) and that crashes your most vital piece of software?

1- [https://support.microsoft.com/en-us/help/968920/windows-vist...](https://support.microsoft.com/en-us/help/968920/windows-vista-and-windows-server-2008-dns-clients-do-not-honor-dns-round-robin-by-default)

------
I_am_neo
Microsoft is a broken shell company with awful PR

------
cies
MS has a long history of baking in zero-days. Could not find an article with
sources quoted, but a lot of cases have come to light:

[https://www.quora.com/Is-there-any-evidence-for-backdoors-in...](https://www.quora.com/Is-there-any-evidence-for-backdoors-in-Windows-or-other-client-software-for-the-NSA-CIA)

~~~
repples
That Quora post is pretty bad. Actual evidence is requested, but the top
answer is a list of wild conjecture.

The responder prefaces most of their comment with "it is widely believed that"
and "it is likely that", states without any explanation that the Malicious
Software Removal Tool is somehow a backdoor, and that "everyone who knows
about [the backdoors] is under NDA", with no evidence to support that
statement either.

~~~
bitexploder
Undisclosed "1-day" is real and has gone on forever. A popular set of tools is
binary diff tools such as the now defunct Zynamics acquired by Google. There
is evidence. The amount of tooling around examining MS patches should convince
most.

[http://www.blackhat.com/presentations/bh-usa-09/OH/BHUSA09-O...](http://www.blackhat.com/presentations/bh-usa-09/OH/BHUSA09-Oh-DiffingBinaries-SLIDES.pdf)

[http://www.phreedom.org/presentations/reverse-engineering-an...](http://www.phreedom.org/presentations/reverse-engineering-and-security/reverse-engineering-and-security.pdf)

People built businesses around this.

With so many eyeballs on release diffs, undisclosed vulnerabilities were often
discovered (and still are). With the number of experts on file observing this
it should not be controversial at all.

~~~
repples
Totally agree with you on this.

I was responding to the Quora link (where the question was "is there any
evidence for backdoors in Windows or other client software for the NSA/CIA?")

~~~
bitexploder
Got it. Quora post is suspicious. That said, Windows is a lot of machine code.
It is more than plausible. NSA is known to have an active relationship with
Microsoft.

If 9/11 == inside job is, say, 2/10 plausible, this Quora speculation is like
7/10 plausible IMO.

