Discussion in 'other security issues & news' started by itman, May 8, 2017.
Let's hope MS fixes this before they release more info (patch Tuesday coming tomorrow).
That's just a general PR statement ("promotion") and has nothing to do with the specific flaw.
MS pushed out a fix in record time, very impressive.
I assume you might know. Do you think that even without a fix/patch Windows 10 would have been protected? Like it was here: http://news.softpedia.com/news/supe...s-zero-days-even-without-patches-511901.shtml
Good news for users of MS' antimalware software.
I don't think that the protections in Win 10 would help here (in fact the problem is in a component that is part of the OS protection). A patch is the only solution for this bug.
I can't say with 100% certainty, but I do know that several prominent Microsoft security dev team members had mentioned that, despite the severity of this bug, on the latest Windows 10 releases (assuming Anniversary Update and Creators Update) the bug would have been mitigated with Control Flow Guard (CFG). Anniversary Update had received some significant improvements to CFG over the initial implementation. Therefore no matter the vuln, Windows 10 users on the latest major platforms (AU/CU) are always going to be more secure in comparison to Windows 7/8.1 through to the Windows 10 initial release, at least from a vulnerability perspective.
But this bug was still pretty bad considering viewing a web site or an unopened email could trigger this. There were warnings within the Project Zero bug report that even simply viewing the PoC in the bug report would crash Defender and potentially the whole system. I did not end up reading too many details other than what several trusted developers from Google and MS were discussing, but this was quite low-level. It's a good thing that they were able to push out an update this quickly for the Defender engine as opposed to waiting for a regular patch day. My first guess was that they wouldn't make a patch until the June patch release at least. So they surprised many people with this quick response. Good, safe vulnerability disclosure along with a fast and efficient patch.
According to this: https://technet.microsoft.com/en-us/library/security/4022344.aspx , it only affected MS security software.
More info below. And yes, it is CVE-2017-0290.
I agree - especially since, apparently, the researchers who discovered the vulnerability recklessly (IMO), in an irresponsible selfish attempt to get attention decided to announce their findings publicly over the weekend without giving the security community or Microsoft a chance to address it first. Yet, in just 2 days, Microsoft developed the fix and was able to roll it into the normal Windows Defender/Windows Update engine. Very impressive.
Even one of Microsoft's biggest bashers was impressed with how fast Microsoft fixed this, as noted by Woody at InfoWorld.
Frankly, besides the reckless publication of this vulnerability, I think this "crazy bad" description was mostly hype to grab more attention. Yes, it is bad, but in order to exploit this vulnerability, the Malware Protection Engine would have to scan a "specially crafted file" that somehow was downloaded and already saved on the local computer. So while the Malware Protection Engine in question is installed during Windows installation, that "specially crafted file" is not. So there are a lot of "ifs" and other conditions that must come into play before this "crazy bad" vulnerability could be exploited by a bad guy.
I am not defending Microsoft because the vulnerability should not have been there in the first place. But there are 30+ million lines of code in Windows and contrary to the expectations of Microsoft bashers and many in the IT press who blindly follow and repeat each other, the developers at Microsoft are not infallible. But they sure look good today!
In regards to the vulnerability:
MS bashers, Google bashers... all the same
Except Microsoft routinely gets bashed for things not under their control. This is often over security issues going way back to XP when MS tried to put AV code in XP, but the anti-virus program makers whined and cried "monopoly" to Congress and the EU claiming that it was their job to rid the world of malware.
But who got blamed for the security mess we are in? Norton, McAfee, TrendMicro, AVG and the others for their failure to rid the world of malware? Nope! Did the users get blamed for failing to keep their computers updated? Nope! Did the bad guys get blamed? Nope!!! Microsoft got blamed - relentlessly for years and years.
So it is good to see MS get some credit this time.
Yes I agree. I give kudos to both - researchers for responsible disclosure and to MS for quick fix.
Responsible? It was irresponsible! Responsible disclosure would be to discreetly report the findings to the responsible organization so they can fix it BEFORE the bad guys learn about it. It is irresponsible to report the finding to the public first.
If your neighbor discovered you forgot to close a window before you left on vacation, would it be responsible if they posted a sign in your front yard saying, "Owners are gone, back window is unlocked"? Or would the responsible thing be for your neighbors to contact you first so you can make arrangements to have your home secured before a burglar discovers the open window?
The way I understand it is that they disclosed it to Microsoft giving them 90 days to fix it. Failing that, they would then fully disclose the vulnerability to the public.
Whether this is the correct way to disclose vulnerabilities I don't know but it seems to be the method in which 'responsible' security experts work. I think this is how Tavis Ormandy has been doing it in recent months with his findings of flaws in various products.
No, Bill it was responsible disclosure. Bug was reported to MS, which released a patch. After release, bug was released to public. (that's why I mentioned Google bashing in post #14 - don't bash their researchers, they are making great effort to secure other companies products)
Yes, that is how it should work.
If the researcher who discovered the flaw reported it discreetly to Microsoft first, and waited for Microsoft to release the patch before announcing it, then that is definitely good! But is that good enough?
But patches don't get distributed and installed across the globe in minutes or even hours. Patches are distributed in waves to prevent overloading servers and the entire Internet. And from what I saw, this update requires a reboot. Users can delay reboots until the middle of the night, or even for up to a week.
Here's something else that is interesting.
I just checked my WD scan engine ver. and it is 1.1.12805.0. Any ver. less than 1.1.13704.0 is vulnerable. I just got done with this month's Win 10 updates and no update to WD.
I use a third-party AV and as such WD is disabled. So the question is if the patch to WD will be delivered if WD is disabled? In any case, best people check to see if the patch has indeed been applied to their OS ver.
-EDIT- OK. I received the WD patch as part of the Win 10 1607 April cumulative update. Appears MS is splitting up the downloads since I did not receive this update in my first download attempt.
In any case, it appears that MS is delivering the WD patch via the Win update channel; at least for Home versions. So anyone who hasn't updated yet is vulnerable. And I am sure this vulnerability is now being actively exploited since its details have been made public.
I am on Windows 10 Version 1703 and I have looked at the Defender UI and it doesn't seem to list the engine version anymore. It only lists the threat definition version, which is currently 22.214.171.124
I am running Sophos Home as my AV and have enabled periodic scanning for Windows Defender so I can check which version it is and also try to update it.
Windows Update has installed a May 9th patch but in the release notes I do not see any mention of fixes for Windows Defender: https://support.microsoft.com/en-gb/help/4016871/windows-10-update-kb4016871
If you go to Settings / Update & Security and click on Windows Defender, it lists version info, including the engine version.
I have Eset and had issues with engine version, etc. showing up in Win 10 WD settings. I had to temporarily disable Eset's protection settings in the GUI, not the firewall. Then I ran a WD definition update which I believe updated the engine ver. to 1.1.13704.0. I also enabled WD periodic scanning like you to keep the Win 10 WD settings showing.
Also I misspoke about the April cumulative update updating WD's engine. You have to do so manually.
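As an added example (not from any post in this thread), here is a PowerShell check for the engine version the posts above are looking up by hand. It assumes 1.1.13704.0 is the first fixed Malware Protection Engine build, as stated above and in Microsoft Security Advisory 4022344, and uses the Get-MpComputerStatus and Update-MpSignature cmdlets from the Defender module that ships with Windows 10; the function and variable names are my own.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumption: 1.1.13704.0 is the first engine build that fixes CVE-2017-0290
# (per the thread and Microsoft Security Advisory 4022344).
$FixedEngineVersion = [version]'1.1.13704.0'

function Test-MpEngineFixed {
    param([version]$FixedVersion = $FixedEngineVersion)

    # Get-MpComputerStatus (Defender module) reports the engine, platform and
    # signature versions even when the Defender UI does not show the engine.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion      = $engine
        SignatureVersion   = $status.AntivirusSignatureVersion
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # [version] comparison is numeric per component, so 1.1.13704.0 > 1.1.12805.0
        Fixed              = ($engine -ge $FixedVersion)
    }
}

$before = Test-MpEngineFixed
$before | Format-List

if (-not $before.Fixed) {
    Write-Warning "Engine $($before.EngineVersion) is below $FixedEngineVersion; requesting the latest definition package (which carries the engine update)."
    # Equivalent to "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    Update-MpSignature -ErrorAction Stop

    $after = Test-MpEngineFixed
    "Engine after update: $($after.EngineVersion) (fixed: $($after.Fixed))"
}
```

Run it from an elevated PowerShell prompt. If a third-party AV has Windows Defender switched off, the status call may still report the engine build on disk, but the update may not apply until Defender is enabled (for example via periodic scanning, as described in the posts above).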
Thanks for the info.