Interesting, with all of the money that Microsoft has, why can't they fix these backdoors and exploits? For many years now, MS Windows has been the "most" exploited OS in our history.
Maybe they're under an NDA with our, USA government thus allowing all these issues to exist.
I know they can fix these issues. They have the manpower and money to do so.
The community should start pressuring them to fix their OS and plug those back door holes and exploits.
Or maybe QA'ing a 0day patch just takes time. I can't begin to imagine the amount of third party software and application configurations (multiplied by the number of windows editions and localizations) they need to run through to make sure a somewhat of an architectural change doesn't break assumptions and thus 3rd party compatibility too much.
That list inconsistently splits some things by version (windows), and groups others (Debian, android, etc).
What it says is that a single version of Windows had more than half as many CVEs as the entire Linux kernel has ever had. That doesn't exactly support what you are trying to convey. If you add up all windows versions, it would top the list.
It's almost like saying "vulnerabilities in our code exist for decades before they are noticed by anyone (with a whitehat)".
Sure, that happens in open source projects too (openssl anyone?), but it seems like an exception rather than a rule. If there are so many of these multiple-version vulnerabilities in Windows that the author of the list had to specifically break Windows into individual versions, then that speaks for itself.
That's some seriously funny counting. You added together everything by "vendor" even though the CVE count can't be summed that way since they are reported for every affected version; so you would have double, triple, quadruple counting for a single vulnerability.
Then on the opposite side of the coin for Linux you left everything off except the kernel which is very misleading since it's really distros that most users need to be concerned with.
Manpower and money will not magically fix the problem, you can have an infinite amount of both, it will not help the matter that bugs will always exist in even the most perfect code there is. I'd recommend reading the Mythical Man-Month book if you haven't: https://en.wikipedia.org/wiki/The_Mythical_Man-Month
There is no such thing as a bug-free software. Even if you have a perfect software, the said software can be exploited through the hardware. For an example, DMA attacks, memory attacks, CPU bugs, etc.
Intel has one of the most tested validation technologies in the world for their CPUs and they still have bugs in every CPU generation and now with Spectre/Meltdown bugs.
Microsoft has in fact been improving their security when they switched to the Security Development Lifecycle, Windows 10 is still more secure than Windows 7 or Vista was but you are talking about 30+ year old OS with a lot of legacy software that they need to harden up. They also cannot change things without breaking the backward compatibility.
I personally believe MS is trapped with the backward compatibility promise, it is holding them back but Microsoft has been trying to start over with a new OS via WinRT but it failed, developers are not willing to port software that has less users and users don't want it because it has less apps. It's a chicken and egg issue that Microsoft is still trying to fix with the Desktop Bridge app, supporting Win32/PWA apps in the Microsoft Store.
Today's Microsoft is less incompetent and more a victim of their success: In the end they are in the game to make money. Their users aren't, besides lip service, very interested in security. They are Windows users, after all.
Windows users (both corporate & consumer) routinely push back against changes brought on by Microsoft's security measures, and Microsoft has a hard time getting their customers to adopt new versions of Windows partly for this reason. Vast oceans of "enterprise" customers are on the 9 year old Windows 7 (and until recently, Windows XP).
MS has been peer with Apple & Linux for security vulnerabilities for several years (since releasing Defender). But that's OK, make up your own facts because MS bashing is fun and all the cool kids are doing it!
>Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.
That's not a zero-day.
It literally stops being a zero-day after the initial day.
I don't know what communities you hang around, but there has never been some strict definition of 0day in infosec. 0day colloquially applies to anything circulating that didn't follow reasonable vendor disclosure, as was the case here
What? First time I hear of it. Not infosec, and yet I was under impression for years now that in colloquial usage, "0day" means "exploited before the problem was known publicly". It stops being a 0day after any info about it hits the press/social media.
It makes sense if you think of the identifier "zero day" as a sort of birth-identity.
As far as I'm aware 0day refers to having zero days of notice to fix the bug. That doesn't change the day after it comes out, it's still zero days of notice.
A cursory search ( https://www.google.co.uk/search?q=%22patched+zero-day%22 ) reveals many industry sources misusing it following that definition. How can a 0day ever possibly be considered "patched" if the vendor had no knowledge of what the patch is for? etc.
The problem with that definition is that sometimes there is mitigation you can do before the vendor can get a patch out and that effectively counters the problem.
It also isn't reasonable when the vendor simply won't or can't patch it (because they've gone out of business). To have it be labeled a zero day forever because the vendor doesn't exist is silly.
I have followed "public knowledge" as the key factor because IT systems in production are complex and some companies actually do defense-in-depth and sometimes vendors are shit.
Using zero day excessively leads to alert fatigue IMO.
34 comments
[ 4.7 ms ] story [ 81.9 ms ] threadMaybe they're under an NDA with our, USA government thus allowing all these issues to exist.
I know they can fix these issues. They have the manpower and money to do so.
The community should start pressuring them to fix their OS and plug those back door holes and exploits.
Peace
Doesn't look that way
Top 50 Products By Total Number Of "Distinct" Vulnerabilities https://www.cvedetails.com/top-50-products.php
1. 2124 Linux Kernel Linux OS2. 2084 Mac Os X Apple OS
3. 1924 Android Google OS
4. 1741 Firefox Mozilla App
5. 1664 Debian Linux Debian OS
6. 1546 Chrome Google App
7. 1495 Iphone Os Apple OS
8. 1123 Ubuntu Linux Canonical OS
9. 1103 Windows Server 2008 Microsoft OS
10. 1057 Flash Player Adobe App
11. 984 Safari Apple App
12. 961 Windows 7 Microsoft OS
13. 951 Internet Explorer Microsoft App
14. 951 Acrobat Adobe App
15. 856 Thunderbird Mozilla App
16. 818 Windows Vista Microsoft OS
17. 784 Opensuse Novell OS
18. 731 Windows Server 2012 Microsoft OS
19. 731 Windows Xp Microsoft OS
20. 698 Seamonkey Mozilla App
21. 685 Acrobat Reader Adobe App
22. 665 Windows 8.1 Microsoft OS
23. 641 Mac Os X Server Apple OS
24. 636 Windows 10 Microsoft OS
What it says is that a single version of Windows had more than half as many CVEs as the entire Linux kernel has ever had. That doesn't exactly support what you are trying to convey. If you add up all windows versions, it would top the list.
It's a terrible list one way or the other.
Sure, that happens in open source projects too (openssl anyone?), but it seems like an exception rather than a rule. If there are so many of these multiple-version vulnerabilities in Windows that the author of the list had to specifically break Windows into individual versions, then that speaks for itself.
Then on the opposite side of the coin for Linux you left everything off except the kernel which is very misleading since it's really distros that most users need to be concerned with.
I did not, I just reported the numbers given at the bottom of benaadams' linked page.
There is no such thing as a bug-free software. Even if you have a perfect software, the said software can be exploited through the hardware. For an example, DMA attacks, memory attacks, CPU bugs, etc.
Intel has one of the most tested validation technologies in the world for their CPUs and they still have bugs in every CPU generation and now with Spectre/Meltdown bugs.
Microsoft has in fact been improving their security when they switched to the Security Development Lifecycle, Windows 10 is still more secure than Windows 7 or Vista was but you are talking about 30+ year old OS with a lot of legacy software that they need to harden up. They also cannot change things without breaking the backward compatibility.
I personally believe MS is trapped with the backward compatibility promise, it is holding them back but Microsoft has been trying to start over with a new OS via WinRT but it failed, developers are not willing to port software that has less users and users don't want it because it has less apps. It's a chicken and egg issue that Microsoft is still trying to fix with the Desktop Bridge app, supporting Win32/PWA apps in the Microsoft Store.
Windows users (both corporate & consumer) routinely push back against changes brought on by Microsoft's security measures, and Microsoft has a hard time getting their customers to adopt new versions of Windows partly for this reason. Vast oceans of "enterprise" customers are on the 9 year old Windows 7 (and until recently, Windows XP).
That's not a zero-day.
It literally stops being a zero-day after the initial day.
As far as I'm aware 0day refers to having zero days of notice to fix the bug. That doesn't change the day after it comes out, it's still zero days of notice.
It also isn't reasonable when the vendor simply won't or can't patch it (because they've gone out of business). To have it be labeled a zero day forever because the vendor doesn't exist is silly.
I have followed "public knowledge" as the key factor because IT systems in production are complex and some companies actually do defense-in-depth and sometimes vendors are shit.
Using zero day excessively leads to alert fatigue IMO.