
Microsoft Says Russian Hackers Exploited Flaw in Windows - collinmanderson
http://www.wsj.com/articles/microsoft-says-russian-hackers-exploited-flaw-in-windows-1478039377
======
Jedd
> Microsoft Says Russian Hackers Exploited Flaw In Windows (And Blames Google)

Jedd Says Microsoft Should Have Fixed The Exploit

Yes, it sounds like a short notice period (5 days or so?).

But ... from the chronology it's sounding like this particular exploit was
performed long before Google revealed the vulnerability, and indeed a goodly
time before Google reported that vulnerability on the hush to Microsoft, so I
can't see how it's Google's fault.

EDIT: And, as per sentiment expressed by world+dog in previous threads about
this particular event, Google's observation that exploits were already in the
wild is the most important aspect of this story. If a vulnerability exists for
some software I'm using, and I don't know about it _but the bad guys do_ ... I
want to be told. I may not be able to patch, but I can _mitigate_.

~~~
cm2187
So you think you are safer now that every single bad guy knows about it
instead of one bad guy?

~~~
kbart
At least now you know what to defend against. Also, how do you know that only
_one_ bad guy knows about it? If it's in the wild, all the bad guys will know
about it sooner rather than later anyway.

~~~
forgottenpass
How do I turn the specific knowledge of the exploit into a more meaningful
defense than if I had vague knowledge there is a Windows zero-day actively in
the wild?

I'm not asking snidely. I legit want to know how this is leveraged in defense
and what/how I can do.

Is it common practice in the pre-patch period to enable some sort of system
call tracing that monitors for (and/or kills) processes that use the
vulnerable call in a way described by the Google blog post? Or is there a
sandboxing solution where I can blacklist filter certain uses of system calls?

~~~
EdHominem
> How do I turn the specific knowledge of the exploit into a more meaningful
> defense than if [...]

By being able to raise an alarm and allocate actual time to fixing/mitigating
it, unlike if it was only a vague warning. We know that there's never been a
day where Windows didn't have a critical remote-code-execution security
flaw. Obviously if you're still using it management isn't doing anything
proactive to improve security so you need these motivators.

------
tomp
So this is how rumour becomes truth - the US government accuses Russia of
hacking the DNC, either because they have some kind of proof (unlikely) or
because it serves their global interests (likely), media publishes articles of
this myth, and then _completely unrelated_ articles embed this "truth" in the
title, even though the content doesn't really require it. Abhorrent!

~~~
empath75
It's funny how conspiracy theories take more evidence that they are wrong as
evidence that the conspiracy is bigger than they thought. So now, it's a bunch
of US intelligence agencies, the Wall Street Journal, the Democratic Party,
several unrelated IT security companies, Microsoft and Google that are all
trying to frame the Russians?

~~~
13years
Just like there was no conspiracy to frame Iraq as having WMDs or being
responsible for 9/11? I mean, all of NATO was on board, they couldn't have
possibly been wrong.

~~~
dvtv75
So, because that conspiracy theory adopted some very well known (at the time)
correct elements, then this one is also correct?

Then how about these: because Iraq was framed as having WMDs, then the Titanic
was actually the Olympic rebadged and sunk as insurance fraud. The Moon? Man
didn't walk on it, that's just an American lie because no WMDs. It's also a
hologram, because Iraq didn't have WMDs!

~~~
13years
Nothing else you mention has a documented history of government
non-transparency.

Foreign policy on the other hand continues to reveal events that occur not as
they were originally described.

------
dovdov
How naive does one government agency have to be to think backdoors are for
them only?

How pissed was the FBI when they learned that now the Russians also have access
to the voting machines?

They're using next-decade technology with a 60-year-old mindset.

------
anc84
"New Shadow Brokers dump contains list of servers compromised by the NSA to
use as exploit staging servers." ->
[https://twitter.com/musalbas/status/793001139310559232](https://twitter.com/musalbas/status/793001139310559232)

Lots of .ru domains in that list. Attribution is hard if you care about being
correct.

------
jszymborski
OK, I'm only going off the extremely limited information in this article, but
this attack phishes users, gets them on a malicious webpage and then uses
Flash as a vector to exploit an MS Windows vuln, right?

If that's the case, haven't Chrome and Firefox been blocking Flash for over a
year now[0]? Considering that MS Edge is apparently not vulnerable (according
to the article), that doesn't leave much market share left. If all of the
above is correct, I'd say the surface area of this attack is pretty low.

[0] [https://archive.fo/oxlmT](https://archive.fo/oxlmT)

------
my123
On Microsoft Edge and Google Chrome, it can't be exploited because of win32k
lockdown.

------
kutkloon7
Why would you submit an article that requires an account to read it?

------
mikebay
Russia has been so so bad again. Bla bla.

------
aluhut
First link that came up at Google WITHOUT A PAYWALL:

[http://betanews.com/2016/11/02/russian-hackers-exploit-windo...](http://betanews.com/2016/11/02/russian-hackers-exploit-windows-security-flaw/)

And the Microsoft blog post:

[https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-comm...](https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/)

~~~
aembleton
Alternatively, get this addon: [https://addons.mozilla.org/en-GB/firefox/addon/refcontrol/](https://addons.mozilla.org/en-GB/firefox/addon/refcontrol/) or an equivalent for Chrome.

Then add the www.ft.com and www.wsj.com sites with the Action of
[https://www.google.com](https://www.google.com)

~~~
blahi
Hey, come work for me. I have an addon on Outlook that blocks emails where
employees demand their salary.

~~~
dvtv75
...I think my boss uses that.

------
acqq
Google's behavior seems strange:

[http://www.theverge.com/2016/10/31/13481502/windows-vulnerab...](http://www.theverge.com/2016/10/31/13481502/windows-vulnerability-sandbox-google-microsoft-disclosure)

"Google went public just 10 days after reporting the bug to Microsoft, before
a patch could be coded and deployed. The result is that, while Google has
already deployed a fix to protect Chrome users, Windows itself is still
vulnerable — and now, everybody knows it."

~~~
kbenson
IIRC from when this was originally reported, this was already being exploited
in the wild prior to release. The only reason to not go public is to give the
vendor a chance to patch it prior to general exploits being available. If
exploits are already happening, waiting only endangers more people as they
can't take actions to mitigate a danger themselves if they don't know about
it.

~~~
acqq
There's no need to know the actual details of the exploit to provide workarounds,
if they exist. If they don't, everybody has to wait for Microsoft anyway, but
the malware authors get one now famous 0-day. Instead of being used
exclusively, it gets to be available to everybody before Microsoft publishes
the fix. And that is only in the interest of Google, not the customers. When
today's Google writes something "gives clear benefits" you can almost imagine
them as the film villain saying to the camera with a wink afterwards "for
us, muahhaha." In this case I actually agree with Microsoft and with what they
write:

"We believe responsible technology industry participation puts the customer
first, and requires coordinated vulnerability disclosure. Google’s decision to
disclose these vulnerabilities before patches are broadly available and tested
is disappointing, and puts customers at increased risk."

Edit: The distinction is important: the "malware authors" that have access
to the 0-day before Google publishes it are _a minority of all malware
authors_: 0-days are carefully guarded and have a high price. The moment Google
publishes the details, _the whole malware community has access to something
that is provably a working 0-day exploit._ The difference is huge, orders
of magnitude, up to every script kiddie.

~~~
sangnoir
> There's no need to know the actual details of exploit to provide workarounds

Your premise is wrong - there is a need. The details can be used to create
signatures for anti-malware software and IDSes by 3rd parties who are nimbler
than Microsoft.

Additionally, there is more to be worried about than just workarounds: some
organisations do full-take packet capture archiving and might be interested to
know if they were hacked via this flaw (retrospectively) before (more) data is
exfiltrated; the sooner they are made aware of an actively-exploited bug, the
better.

> ... If they don't, everybody has to wait for Microsoft anyway, but the
> malware authors get one now famous 0-day

Wrong again: there is no need to wait for Microsoft for the reasons I
mentioned above. Before this, only the bad guys knew about the exploit, now
the good guys also know about it and may work to mitigate it. We have no idea
how well-known this exploit was in underground forums, so it is hard to
quantify how many more bad guys know it for certain.

~~~
acqq
> The details can be used to create signatures for anti-malware software and
> IDSes by 3rd parties who are nimbler than Microsoft.

No, you don't need to publish the details of the vulnerability to the public
in order to cooperate among the anti-virus vendors.

> some organisations do full-take packet capture archiving and might be
> interested to know if they were hacked via this flaw

Observing full packets has nothing to do with giving to the public the details
of which system API flaw was used for the attack.

