
Microsoft is absolutely at fault for WannaCry - bhalp1
https://dev.to/mortoray/microsoft-is-absolutely-at-fault-for-wannacry
======
subway
Garbage article. Of course if everyone did everything correctly the first
time, we'd be in an entirely different world.

~~~
0xCMP
Exactly, MS did it right this time: Released a fix.

How many times has MS never released a fix and a researcher been forced to
publish 90 days after submitting?

Not the case here and they did good. It was everyone else's fault.

------
UnoriginalGuy
The title is clickbait, but I actually enjoyed the discussion of Windows'
design within the article.

One key thing that the author has missed: Ransomware works very well even
without SYSTEM level privileges. The goal here is to encrypt files the user
has access to, therefore if you move SMB Server into the user's context you
haven't really hampered WannaCry's overarching goal.

Back in the early 2000s there was this assumption that malware needs
root/SYSTEM to be successful. The last five years have shown that that
assumption is incorrect, with a lot of popular malware never even attempting
to escalate, and happily performing its function as the user (since that's
where all the "goods" are anyway).

There are a few exceptions to this, like stealing cached AD credentials, but
overall you can do a lot just by having the ability to install evil browser
extensions, turn on the webcam, and encrypt files.

------
iask
So, you wanna cry? Cry all you want. MS did the right thing.

Look. I get all the cry about changing OS versions. This becomes more evident
when you move up the ranks and into management. One gets to see the true cost
of doing business.

The problem here is that MS gave a lot of notices regarding moving from XP.
They even did an extended support...remember? 10 years was enough time to:

1. Move to a newer version of Windows.

2. Change dependency on Windows...seek alternative.

3. Hire the professionals.

Companies need to hire professional IT staff, not the f_ing FLY BY NIGHT
SPACE CADETS, to run their operations, or they risk getting what they paid for.
Simple as that.

This is now shared responsibility. Different times. Thinking we can go around
blaming the vendors is a waste of time.

Employees are also the weakest f_ing link. How many companies do you know of
that spend time educating their employees about malware, phishing, etc.?

------
ungzd
> Yet it seems the WannaCry malware has gained full control of the system.
> This is only possible if the SMB component is not segregated. We know from
> Samba that this protocol can run as isolated software.

Hmm, I connected to the local file sharing service on macOS and see
/usr/sbin/smbd running as root. Is there any user isolation in Samba? And
anyway there should be a central process running as root to be able to switch
to the user after authentication. After all, it's a file sharing service and it
should have access to files.

------
dxhdr
I'd like to commend Microsoft for issuing the fix months ago.

There was some interesting discussion recently about Microsoft's potential
role in creating an environment where users feel the need to disable automatic
update. Disabling it for fear of system reboots, loss of performance,
unexpected changes, or what have you.

Reworking automatic update so that it feels like an essential, useful feature
to the end user could be a productive next step for Microsoft. Software bugs
aren't going anywhere.

~~~
r00fus
Then why did WannaCry even pose a threat? Perhaps Microsoft needs to think
about the consequences of shoving Win10 down the throats of their users via
critical security patches.

~~~
KirinDave
> Then why did WannaCry even pose a threat?

In the case of entities like the NHS: Because many large organizations are
locked into abusive contracts with IT providers that prevent them from
upgrading past 2008-level software without exorbitant fees.

In the case of China, rampant pirated software that cannot be updated without
revealing the fact that it was stolen.

The idea that this is a repercussion of "shoving Win10 down the throats of
users" is just an incorrect and sour read of the situation. Win8 also got a
security patch.

The idea that Microsoft is on the hook for the results of neglected machines,
stolen machines, or machines under the rule of IT contractors that are trying
to turn due diligence into profit is a very unfair one, by any standard. But
even if you hold it, _the solution would be a subscription-with-updates-model
of software like windows 10_.

I'm not going to defend Microsoft's missteps in Win10 marketing, or the
occasional (and quickly retracted) ad shoved into the lockscreen. But I am
trying to be absolutely fair when I point out that no Win10 machine at default
configuration is vulnerable to WannaCry and Microsoft issued patches to
supported versions of Windows as fast as anyone could expect them to.

------
mrbonner
My impression reading the article is that writing an OS is easy, let alone
writing a secure one.

------
gruez
tl;dr: hindsight is 20/20

~~~
kaoD
I think the article has a point. How is the principle of least privilege
hindsight?

~~~
KirinDave
I think the article is dead wrong, you don't need system privileges to encrypt
user data. Users have write access to their own data.
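
The point made in UnoriginalGuy's comment and restated by KirinDave above (a process running purely as the user already reaches every file the user can write, so taking SYSTEM away from the SMB service changes nothing for ransomware) can be measured directly. The script below is an added example, not code from the article or from any commenter. It builds a constructed sample tree in a temp directory, runs an "encrypt whatever I can write" routine with no privilege escalation at all, and reports what it reached and what it could not; the `.locked` suffix, the SHA-256-based keystream and the sample file names are assumptions for the demo, not WannaCry's behaviour.

```python
"""Added example (not from the article or any commenter): how much of a user's
data a process can encrypt with NOTHING beyond that user's own privileges.

Everything happens inside a throwaway temp directory with constructed sample
files; the ".locked" suffix and the SHA-256-based keystream are assumptions for
the demo, not WannaCry's actual behaviour.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SUFFIX = ".locked"                       # assumed marker extension
SAMPLE_KEY = b"demo-key-do-not-reuse"    # constructed key for the demo


def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Symmetric CTR-style stream cipher: SHA-256(key || nonce || counter) blocks
    XORed over the data. Applying it twice with the same key/nonce restores the input."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_tree(root: Path) -> dict:
    """Constructed sample tree: documents the user owns, plus a 'system' directory
    whose write bits are removed to stand in for files owned by another account."""
    docs = root / "home" / "alice" / "Documents"
    docs.mkdir(parents=True)
    originals = {}
    for name, body in [("report.docx", b"quarterly numbers"),
                       ("thesis.tex", b"\\documentclass{article}"),
                       ("family.jpg", os.urandom(64))]:
        (docs / name).write_bytes(body)
        originals[(docs / name).relative_to(root).as_posix()] = body
    system = root / "system"
    system.mkdir()
    (system / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    (system / "hosts").chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    system.chmod(stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP)
    return originals


def encrypt_reachable(root: Path, key: bytes) -> dict:
    """Walk the tree as the current user and encrypt-and-rename every file we can
    write. The rename needs write on the directory too, so both are checked."""
    reached, skipped = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix == SUFFIX:
            continue
        rel = path.relative_to(root).as_posix()
        if os.access(path, os.W_OK) and os.access(path.parent, os.W_OK):
            nonce = os.urandom(16)
            path.write_bytes(nonce + keystream_xor(path.read_bytes(), key, nonce))
            path.rename(path.with_name(path.name + SUFFIX))
            reached.append(rel)
        else:
            skipped.append(rel)
    return {"encrypted": reached, "skipped": skipped}


def decrypt_file(path: Path, key: bytes) -> bytes:
    """Inverse of the write above: the nonce is the first 16 bytes of the blob."""
    blob = path.read_bytes()
    return keystream_xor(blob[16:], key, blob[:16])


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals = build_tree(root)
        result = encrypt_reachable(root, SAMPLE_KEY)
        # Every user document should be gone in the clear yet recoverable with the key.
        result["all_user_docs_hit"] = set(originals) <= set(result["encrypted"])
        result["round_trip_ok"] = all(
            decrypt_file(root / (rel + SUFFIX), SAMPLE_KEY) == body
            for rel, body in originals.items() if rel in result["encrypted"])
        # As root, os.access() says yes to everything, so the 'system' file is hit too.
        result["unprivileged"] = hasattr(os, "geteuid") and os.geteuid() != 0
        for p in root.rglob("*"):            # restore write bits so cleanup works
            p.chmod(0o755 if p.is_dir() else 0o644)
    return result


if __name__ == "__main__":
    r = demo()
    print("encrypted:", r["encrypted"])
    print("skipped:  ", r["skipped"])
    print("unprivileged run:", r["unprivileged"])
```

Run as an ordinary user, every document under the home directory ends up encrypted and only the read-only "system" file is skipped; the privilege of whatever service delivered the payload never enters the measurement. The only things that shrink the `encrypted` list are controls that act on the user's own write access (files owned by another principal in a non-writable directory, read-only or versioned storage, offline backups), which is why sandboxing the SMB server alone would not have changed this outcome.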

~~~
kaoD
Yes, but that wasn't GP's line of reasoning. Even if it doesn't apply in this
case it's valid criticism that you can't just attribute to hindsight.

------
jimrandomh
tl;dr: Microsoft has historically under-invested in security engineering,
especially with regards to software architecture.

I sort of agree. Microsoft's direct competitors in this area (Google with
Android, Apple with OS X) seem to be doing better than they are. But software
security is _hard_, and it can't be solved just by throwing money at the
problem; it requires a good development culture and practices, and in a
company as big as Microsoft, building that is also hard. Microsoft is also
saddled with considerably more legacy code and backwards-compatibility
requirements than Google and Apple are; and SMB, which contains the relevant
exploit, is absolutely legacy code.

~~~
lostmsu
Perhaps Apple, but Google with Android? Really???

