
Hackers exploited Word flaw for months while Microsoft investigated - T-A
http://www.reuters.com/article/us-microsoft-cyber-idUSKBN17S32G
======
bitexploder
This is why what McAfee did is ok. It was already being exploited. This got it
patched and let Corp IT roll out a settings change to fix it immediately.
Google's 90 day policy from its team is also sane. Letting bad bugs live on in
the dark after submitting to a vendor is clearly more dangerous for everyone.

~~~
grub5000
Not really, according to the article the sequence of events went

* Microsoft warned in March of active attacks

* Microsoft schedules patch for April 11th

* McAfee sees attacks on April 6th

* McAfee publicly explains how to use the exploit on April 7th

* April 9th attack-kits are publicly for sale

* April 11th Microsoft releases public patch as scheduled

McAfee fucked up here.

~~~
rando444
Microsoft was formally notified of the vulnerability in October 2016. Why
leave this out of the timeline?

The researcher that found the vulnerability first noticed it in July 2016.
Between July and October he had gathered even more information about the
vulnerability, presumably in his interest to demonstrate how serious the
matter is, as well as a likely attempt to procure as large a bug bounty as
possible.

If Microsoft was presented with such a serious vulnerability and didn't
address it properly for over half a year, I would say that they are the owners
of the lion's share of the responsibility here.

------
gwu78
[https://mobile.twitter.com/hashbreaker/status/85322416941220...](https://mobile.twitter.com/hashbreaker/status/853224169412206593?p=p)

The strange "counterargument" I commonly see on HN to any suggestion that
Microsoft closed source software could potentially be unsafe for use on an
internet-connected computer is that the company has "improved" since some
earlier 1990's/2000's time period.

Are these commenters suggesting that other, open source operating system
choices have not also improved since that time period? Should one consider how
much did each respective system _need_ to improve?

(By "other, open source operating system choices", I mean the ones that were
able to connect to the internet for years before Gates decided the www was
something his company should be interested in and to copy the TCP/IP stack
from an open source kernel into the Windows kernel).

Are there convincing arguments why Microsoft deserves special treatment
compared to the open source alternatives, i.e., why their users should not be
permitted to freely evaluate the Windows kernel or Office source code via the
public web? Are there compelling reasons why MS users should not be allowed
i.e. given the _option_ to edit/remove source code they are uncomfortable with
and recompile? Consider the effects of limiting the number of people who can
find and fix defects in a product.

Does closed source status of Windows make Microsoft's software superior to the
longstanding open source operating system alternatives?

~~~
jmcdiesel
Their users don't need to be allowed to freely evaluate the source, period.
When you write software, you control its distribution.

What the users are free to do, however, is use an operating system/stack that
they CAN evaluate the source of.

If linux or any other open source alternative was a better actual product, it
would find its way to the top of the market. In fact, it already has, on the
server... by far. But linux wasn't made to be easy to use, to be quick and
easy to install, to install other software onto, etc... and that has kept it
back, and it kept it back long enough for microsoft to establish a de-facto
standard on the home desktop market...

The closed or open source status of a product has no bearing over its
superiority at all. Again, in the world of geeks, it may, but in the world at
large, it doesn't, and really, it shouldn't.

~~~
interfixus
"But linux wasn't made to be easy to use, to be quick and easy to install, to
install other software onto, etc"

For what it's worth (which may be not a great deal): I have installed _a lot_
of Windows and Linux over the years, but my Windows experience has been lacking
further and further behind these last few years. A short while ago, I had a
rare chance of setting up two identical machines side by side, one with
Windows 10, one with Manjaro, an Arch Linux derivative. The Linux install
finished sooner and with less need of interference than the Windows one. It
also didn't require preparatory messing round with weird licensing codes and
what have you, and of course it didn't require one tenth the amount of
postprocessing to reach the desired level of functionality - compare the
twenty second operation of setting up a LaTeX which worked to the
corresponding twenty Windows minutes of setting up one which didn't.

Your anecdotal mileage may obviously vary.

~~~
dahauns
You needed twenty minutes for

    choco install latexdistofchoice

?

(Yeah, I know, I'm being a bit facetious. I omitted three additional lines of
PS to first install chocolatey...)

~~~
interfixus
I need a lot more than twenty minutes to learn about and ascertain the
validity of some third party installation robot, which your choco-thing
appears to be.

I then need some minutes to get it started.

And yes, the installation process itself took something on the scale of ten to
twenty minutes.

Pacman -Syu (or Pamac if you're in a clicky mood) took care of everything in
less time than the BibTeX took to download.

~~~
dahauns
> I need a lot more than twenty minutes to learn about and ascertain the
> validity of some third party installation robot, which your choco-thing
> appears to be.

> Pacman -Syu

So it's basically "I know one system much better than the other". And your
ignorance is somehow the fault of the OS now?

~~~
interfixus
If you fail to understand the difference between an integrated package
management system overseeing all or most software installation, and a third
party bolt-on component like your chocolate robot, we may not really have the
basis of a meaningful conversation here.

Anyway, I am not putting anything or anyone at fault. As clearly stated, I was
relaying some anecdotal evidence of probably very little use to the world at
large.

~~~
dahauns
I agree about the lack of a basis. Educate yourself.

[https://msdn.microsoft.com/en-us/powershell/reference/5.0/packagemanagement/packagemanagement](https://msdn.microsoft.com/en-us/powershell/reference/5.0/packagemanagement/packagemanagement)

[https://msdn.microsoft.com/en-us/powershell/reference/5.0/packagemanagement/get-packageprovider](https://msdn.microsoft.com/en-us/powershell/reference/5.0/packagemanagement/get-packageprovider)

------
yitchelle
"A quick change in the settings on Word by customers would do the trick, but
if Microsoft notified customers about the bug and the recommended changes, it
would also be telling hackers about how to break in."

In their monthly update, couldn't Microsoft have released a patch to have this
setting to the correct configuration? Of course this would only be the short
term solution, rather than waiting for 9 months for the permanent solution.

~~~
teh_klev
I guess the reason is that by studying the patch, even a short term workaround
such as this, you can deduce what the vulnerability is and quickly knock out a
working exploit. I'm not suggesting that security-through-obscurity was the
correct choice by MS, or the time taken to build a comprehensive fix was
acceptable, but from the article it seems that this has been a bit of a gnarly
issue to solve properly and even a cursory fix might reveal deeper seated
issues.

I'm not defending MS here, but I imagine that Word's codebase is a helluva
pile of cards to work on. Especially given that it can still open document
formats such as WordPerfect 5 which date back to 1988. Add in all the legacy
OLE automation stuff, a VBA environment and all those shims and backwards
compatibility things that MS are known for (see Old New Thing blog) that
translates as "One Does Not Simply Patch Word".

------
doggydogs94
Vendors, even ones as large as Microsoft, do not have infinite resources
available to evaluate vulnerabilities. There are only so many of the issues
you can work on at once. They have to evaluate each issue and prioritize the
fix. In this case, they merely did not recognize the potential scope of the
problem at hand.

~~~
DanielBMarkham
That's true, but it doesn't matter. It's still broken.

That's why we have automatic release after a set time. Because it's a problem
for the public even if the vendor has zero resources. The ability of the
vendor to fix the problem is not related at all to the potential damage the
problem can cause.

Worst-case scenario? The software is shut down and/or withdrawn from the market
because the vendor can't fix it. Not that the vulnerability isn't announced.

What we need is a public and open way to do this that doesn't involve walled
gardens.

~~~
adrianN
I don't want anyone to be able to shut down and/or withdraw software that I'm
using for any reason. That cure is worse than the disease.

~~~
DanielBMarkham
Personally I don't want you to have to. As far as I'm concerned, if you're
notified in big, red letters (perhaps every time the software starts)? Works
for me. As long as you know -- and are reminded. (That's because different
people use the same software. If the notice only appeared once, a new person
might start using the software/machine and not be aware of what's going on)

But if you had a piece of software with a terrible vulnerability that was
currently being exploited to do some sort of terrible harm? Beats me. Does my
right to use the internet without being DDOSed override your right to use
unsafe software if you want?

~~~
stupidhn
Not sure why you're down voted. I had the same thought as parent, but this
seems like the answer.

A standard splash screen on load that pops up for 10 seconds and says "this
program has known active vulnerabilities that are unpatched". If people choose
to ignore it, that's on them. Cheap and easy, no?

~~~
adrianN
That still requires that a third party is allowed to flash things on my screen
without my explicit consent.

~~~
DanielBMarkham
Does it?

We already have a solution to this, which I hate: walled gardens. I'm
exploring options that preserve the peace while not letting companies
effectively own their users.

Maybe there is no answer that makes everybody happy. That's why it's worth
asking questions.

Just so I understand this, you're saying that if you have a piece of hardware
that's say, taking down the local ISP because you're running compromised
software on it, you don't want to even be notified before your box is
compromised or that there might be a problem.

Well, dang. Something's going to happen. That much is sure. What's the first
notification you'd like that you're destroying the internet experience for
others and perhaps ruining a local business? SWAT team at the door?

I hear your complaint. I'm just not able to figure out how it makes sense.

~~~
adrianN
I don't want other people to be able to change things on my computer. If my
setup is causing problems on their end, they have my contact information and
can tell me over traditional routes. An ISP can cut off my internet connection
if they detect suspicious traffic.

------
jokoon
Even though there is a lot of work in computer security, those stories really
scare me and I wonder if I would dare working in this field. I wonder if
hackers already lost their life due to their work in computer security, and I
would not like to fall in the crosshair of russia right now.

------
averagewall
What's more interesting than vulnerabilities being found is vulnerabilities
being created. I used to think they were progressively eliminated so older
software is safer. But is that true? Is MS accidentally creating new ones
faster than they're patching old ones? Same goes for any software.

~~~
mtgx
The answer is yes:

> _Despite being Microsoft’s newest and ‘most secure’ operating system,
> Windows 10 was found to have the highest proportion of vulnerabilities of
> any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each)._

[https://www.avecto.com/news-and-events/news/94-of-critical-microsoft-vulnerabilities-mitigated-by-removing-admin-rights](https://www.avecto.com/news-and-events/news/94-of-critical-microsoft-vulnerabilities-mitigated-by-removing-admin-rights)

And if you've used Windows 10, you'd already know that. Windows 10 has added a
ton of new features/crap. The Q&A has suffered, too, and Windows 10 has been
quite buggy so far, ruining some people's computers, etc.

And since we were talking about Word, here's another tidbit from the same
source:

> _Microsoft Office products were the subject of 79 vulnerabilities, up from
> 62 last year. This represents a 295% increase in Office vulnerabilities
> since 2014._

The amount of bugs likely increases in general, too, because more code = more
complexity = more bugs and bigger attack surface, especially if we're talking
about "improving" or adding on top of an old codebase, as is the case with
Windows and Office, as opposed to writing something from scratch (which may
benefit from safer languages sometimes, newer safer architectures, etc).

------
HappyTypist
We need civil penalties for failing to patch any serious vulnerability (that
can be defined as RCE, priv. escalation, etc) within 30 days of disclosure.

If you can't patch it, you must issue a patch that announces the vuln and
disables the minimal set of functionality that enables it. Even if that's the
whole program.

~~~
throwanem
So, turn a nontrivial set of vulns into successful DoS attacks?

~~~
aurelianito
Yes. That, in turn, will give the economic incentive to not have the
vulnerabilities in the first place.

~~~
kobeya
Or for software not to get written in the first place.

~~~
goodplay
>Or for [buggy] software not to get written in the first place.

FTFY

We place too much trust and rely too much on computer systems these days to
have the luxury to write software like we used to.

~~~
kobeya
No don't twist my words. I meant I'm sure as hell not inventing something new
if it sets me up for civil liabilities. It would kill innovation.

~~~
goodplay
> meant I'm sure as hell not inventing something new if it sets me up for
> civil liabilities.

And I'm arguing that not doing so might be a good thing. I shudder to think
how we'd be off if other infrastructure disciplines took the same approach we
take to develop software.

If you build something that people use in important infrastructure, prepare to
be on the hook if it fails.

~~~
kobeya
So if you write some toy PID controller for your kid's LEGO project and post it
to Stack Overflow, should you be held liable for all the places it is used?

~~~
goodplay
I don't think a person should be held liable in this case because the solution
was clearly labeled as a toy, and not as a serious solution.

If this person presented it as a real solution, however, then yes I believe he
should be held liable, as much as a lawyer would be for recklessly giving out
legal advice.

In either case, the developer who built upon the solution without validating
it or verifying its correctness should bear most of the blame, regardless of
how the answer was given.

------
scarybeast
And _this_, ladies and gentlemen, is why we have disclosure deadlines for
security vulnerabilities. For example, Project Zero expects vendors to fix
security vulnerabilities within 90 days of notification.

Looking at this story, it's possible that 90 days is almost too long and
should be shortened. As time goes on, it's becoming more and more common for
multiple parties to become aware of the same vulnerabilities. Not all of those
parties have good intentions, as we see here. Shortening the window of
exposure is key.

~~~
nikanj
Next up on HN: extreme outrage after a botched security update breaks hundreds
of millions of machines. Not all bugs can be fixed with a simple one-line fix,
and the faster patches need to be cranked out, the lower quality they'll be.

~~~
bitexploder
There was a simple settings change for a temp fix on this one too. When there
is even a remote chance a bug is being exploited in the wild it needs to be
disclosed. Corp IT can work around it almost always. Individuals can as well.
This argument that "it's complex to patch" is a non-starter at best. We the
users deserve the option to decide how to deal with it. Silent exploitation is
how we all lose, even the vendor.

------
HenryBemis
I thought that it is the norm for M$ to hand out the zero-days to the
3-letter-agencies for "a while" and patches them ONLY when someone else gets
hold and starts using the same vuln.. so it makes PERFECT sense that they
would do something like that.

Also, who in their right mind allows Word/Excel/PowerPoint to access the
internet? (Oh yes, it's called "365" and it makes software that is completely
unfit for the task access the internet.)

~~~
HappyTypist
Not sure why you're being downvoted. This is literally the company that built
"_NSAKEY" into the kernel, which is still present (just called "_KEY2" now).

~~~
repples
If "_key2" is a public key embedded within Windows, then presumably there
exists one or more holders of the private key somewhere - what exactly are
they able to do with this key?

I've seen a lot of concern about "_key2" and "_NSAKEY" being expressed over
the years, but scant technical detail.

