
Windows 10 0day exploit goes wild, and so do Microsoft marketers - aao
https://arstechnica.com/security/2017/02/op-ed-when-marketers-drive-microsofts-0day-exploit-communications-we-all-lose/
======
ohitsdom
The researcher disclosed the bug one week before Microsoft is scheduled to
patch it. I'm sure MS isn't thrilled, but they did drag their feet:

"I decided to release this bug one week before the patch is released, because
it is not the first time Microsoft sits on my bugs. I'm doing free work here
with them (I'm not paid in anyways for that) with the goal of helping their
users. When they sit on a bug like this one, they're not helping their users
but doing marketing damage control, and opportunistic patch release."

~~~
cujo
The researcher sounds really petty. They're patching it, but not on this
person's schedule, so he's causing Microsoft and USERS problems they didn't
have before.

If they weren't patching, I'd understand, but this isn't the right way to get
attention in my book.

~~~
pdimitar
There are very competent people on this planet who make a very good buck out
of zero-days (not to mention remotely control users' machines, and steal
data). IMO the researcher didn't want that particular vulnerability to dwell
on somebody's todo list for several years.

It definitely puts pressure on MS but I don't think that's bad. Corporations
have demonstrated time and again that the only way to get them to move is a PR
hype.

If they want researchers to stop doing preliminary public disclosures, they
should prioritize security higher than PR damage control.

~~~
eli
Just because there are other people who act totally unethically doesn't mean
you get bonus points for doing kinda the right thing.

~~~
mlmlmasd
MS is acting 'totally unethically' by not patching this bug immediately and
rewarding the researcher.

~~~
WayneBro
Meh. The bug requires you to connect Windows to a malicious SMB server.

Now that everybody knows that, if anybody is really concerned, they can stop
SMB connections from LAN to WAN by blocking TCP 139, 445 and UDP 137, 138.

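The LAN-to-WAN blocking described in the comment above, worked through as an added example that is not from the thread or the article: a small Python script that scans constructed firewall log lines for SMB/NetBIOS traffic leaving RFC 1918 address space on TCP 139/445 and UDP 137/138, and emits the matching nftables drop rules. The log line format and the existence of an `inet filter` table with a `forward` chain are assumptions.

```python
import ipaddress
import re

# Ports named in the thread: NetBIOS name/datagram service and SMB.
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# RFC 1918 ranges used to decide what counts as "LAN" (assumed LAN definition).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in an assumed "ts action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2017-02-03T10:01:12Z ALLOW tcp 192.168.1.23:52210 -> 203.0.113.9:445
2017-02-03T10:01:15Z ALLOW tcp 192.168.1.23:52211 -> 192.168.1.5:445
2017-02-03T10:02:00Z ALLOW udp 10.0.0.7:137 -> 198.51.100.4:137
2017-02-03T10:02:30Z ALLOW tcp 10.0.0.7:40001 -> 93.184.216.34:443
2017-02-03T10:03:01Z ALLOW tcp 172.16.4.4:61000 -> 203.0.113.9:139
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def is_lan(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def find_smb_egress(log_text: str) -> list:
    """Return log entries where a LAN host talks SMB/NetBIOS to a non-LAN address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, _action, proto, src, _sport, dst, dport = m.groups()
        if int(dport) not in SMB_PORTS[proto]:
            continue
        if is_lan(src) and not is_lan(dst):
            hits.append({"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": int(dport)})
    return hits


def nft_block_rules() -> list:
    """nftables rules dropping SMB/NetBIOS forwarded from LAN to non-LAN addresses."""
    lan = ", ".join(str(n) for n in LAN_NETS)
    rules = []
    for proto, ports in SMB_PORTS.items():
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"add rule inet filter forward ip saddr {{ {lan} }} "
                     f"ip daddr != {{ {lan} }} {proto} dport {{ {plist} }} drop")
    return rules


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print("SMB egress:", hit)
    print("\n".join(nft_block_rules()))
```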
~~~
mlmlmasd
> Now that everybody knows that

Wait, when did everyone become aware of that? I'm willing to bet the vast
majority of windows users have no idea. _Some_ people only know _because_ he
released the bug.

~~~
cmdrfred
I'm now aware, and I was able to block connections in my organization's
firewall that protects a few thousand users. Not every single user needs to be
aware for it to be effective.

~~~
mlmlmasd
Yes, but the point is you wouldn't be aware unless he released the info. He
gave individual users an option to protect themselves in the absence of a
patch from MS.

------
nxc18
He asked a PR person, probably one with little security background (how many
security people do you know who went into PR?), who gave the stock answer,
which does happen to actually be good security advice: run the latest
supported version with patches.

The reporter was just butthurt about not getting a scoop and decided to write
an article complaining about PR practices in place of an actual story.

Really like the click bait title though, it's a nice touch. /s

~~~
aao
It's a rant about PR bullshit, specifically this:

>Windows is the only platform with a customer commitment to investigate
reported security issues and proactively update impacted devices as soon as
possible,

EDIT: and this

>The time has come for Microsoft vulnerability disclosure communications to
mute the marketers and let the security engineers do the talking instead.

I found it funny, to be honest.

~~~
golfer
Microsoft always seems to prefer going on offense rather than playing defense.
They are one of the least self-aware companies I can think of. For example,
this absolutely insane "funeral march" for iPhone and Blackberry they held in
2010 to celebrate the launch of Windows Phone 7 [1]. What other company would
even consider this?

[1] https://www.engadget.com/2010/09/10/microsoft-celebrates-windows-phone-7-rtm-with-funeral-parade-for/

~~~
PhantomGremlin
_They are one of the least self-aware companies I can think of._

That was Uncle Fester's Microsoft. That behavior was an extension of Ballmer's
pugilistic personality.

Today's Microsoft is just as tone-deaf, but in a different respect. For the
life of me I can't understand why Nadella thinks that their recent behavior
wrt. Win 10 is a good idea. E.g. rebooting users' machines during
presentations, having spyware that it's not possible to disable, advertising
in the OS, etc.

------
pomfpomfpomf3
tl;dr: a null deref in windows kernel when you connect to a malicious SMB
share

~~~
SlashmanX
That's not what this article is about though really

~~~
tokenizerrr
Sure, but the main question I had when reading the headline was if I should go
into "Oh shit!" mode.

------
simion314
Does anybody know how many days it would take from when a critical security
bug is discovered in Windows, assuming that the fix is just a few lines of
code and not a component rewrite and marketing is not in the way? I am
wondering how many steps there are from when a fix is created until it is
released. (I imagine there may be some QA and some managers that need to
approve it, but I have no idea.)

~~~
becarefulyo
Disclosure: I work at MS but not on the kernel or anything related to this
security bug. Opinions are my own.

I've seen one-line bug fixes introduce many other bugs.

Adding a null check is always suspicious. Is the system in an invalid state?
Should it fail fast instead of swallowing the error?

Maybe the code wasn't touched in several years. Maybe the person that wrote it
no longer works there. Maybe the code in question doesn't have good test
coverage or documentation. There are so many variables to consider when
assessing risk of code changes.

~~~
tremon
_Maybe the person that wrote it no longer works there. Maybe the code in
question doesn't have good test coverage or documentation_

These are not valid excuses for a company the size of Microsoft.

~~~
Sunset
These are the kind of considerations only companies the size of Microsoft are
likely to have.

~~~
Relys
Touché!

------
user5994461
> What is the threshold where you decide to release a bug description?

Absolute minimum: 1 month after patch.

Also: Leave 1 month, as an absolute minimum, to publish a patch.

Why that? Because it takes time to track a bug and fix it and test the fix and
ship it to 1 billion consumers in 150 countries and languages.

Welcome to the world of real users where things take time to happen.

Of course, one may think that he's an idealistic enthusiast pressuring the
evil big companies when giving them less time. But nope, the only thing one
may truly accomplish is being an unrealistic asshole putting millions of
computers and people at risk. Think twice before you disclose. There will also
be your mom's computer on the other end of that 0-day ;)

