34 comments

[ 4.7 ms ] story [ 81.9 ms ] thread
Interesting, with all of the money that Microsoft has, why can't they fix these backdoors and exploits? For many years now, MS Windows has been the "most" exploited OS in our history.

Maybe they're under an NDA with our, USA government thus allowing all these issues to exist.

I know they can fix these issues. They have the manpower and money to do so.

The community should start pressuring them to fix their OS and plug those back door holes and exploits.

Peace

It's also the most complicated, popular and most legacy kept OS out there.
Or maybe QA'ing a 0day patch just takes time. I can't begin to imagine the amount of third party software and application configurations (multiplied by the number of windows editions and localizations) they need to run through to make sure a somewhat of an architectural change doesn't break assumptions and thus 3rd party compatibility too much.
> MS Windows has been the "most" exploited OS in our history.

Doesn't look that way

Top 50 Products By Total Number Of "Distinct" Vulnerabilities https://www.cvedetails.com/top-50-products.php

  Vulns  Product
  
1. 2124 Linux Kernel Linux OS

2. 2084 Mac Os X Apple OS

3. 1924 Android Google OS

4. 1741 Firefox Mozilla App

5. 1664 Debian Linux Debian OS

6. 1546 Chrome Google App

7. 1495 Iphone Os Apple OS

8. 1123 Ubuntu Linux Canonical OS

9. 1103 Windows Server 2008 Microsoft OS

10. 1057 Flash Player Adobe App

11. 984 Safari Apple App

12. 961 Windows 7 Microsoft OS

13. 951 Internet Explorer Microsoft App

14. 951 Acrobat Adobe App

15. 856 Thunderbird Mozilla App

16. 818 Windows Vista Microsoft OS

17. 784 Opensuse Novell OS

18. 731 Windows Server 2012 Microsoft OS

19. 731 Windows Xp Microsoft OS

20. 698 Seamonkey Mozilla App

21. 685 Acrobat Reader Adobe App

22. 665 Windows 8.1 Microsoft OS

23. 641 Mac Os X Server Apple OS

24. 636 Windows 10 Microsoft OS

That list inconsistently splits some things by version (windows), and groups others (Debian, android, etc).

What it says is that a single version of Windows had more than half as many CVEs as the entire Linux kernel has ever had. That doesn't exactly support what you are trying to convey. If you add up all windows versions, it would top the list.

Since Windows versions share most of their code; I wonder how many vulnerabilities on that list are counted multiple times -- once for each version.

It's a terrible list one way or the other.

That's because the vulns are repeated across the Windows versions, adding the versions together counts the same vuln multiple times
(comment deleted)
I’m not sure if it’s worse to have the same vulnerability across two versions, or to have two distinct vulnerabilities.
It's almost like saying "vulnerabilities in our code exist for decades before they are noticed by anyone (with a whitehat)".

Sure, that happens in open source projects too (openssl anyone?), but it seems like an exception rather than a rule. If there are so many of these multiple-version vulnerabilities in Windows that the author of the list had to specifically break Windows into individual versions, then that speaks for itself.

is this a list of reported and as of yet still vulnerable, or is this a list of all reported vuln including ones that have been fixed?
Following the links it includes fixed vulns
By Vendor:

  Microsoft : 9673
  Apple     : 6157
  Adobe     : 3939
  Mozilla   : 3888
  Linux     : 2124
That's some seriously funny counting. You added together everything by "vendor" even though the CVE count can't be summed that way since they are reported for every affected version; so you would have double, triple, quadruple counting for a single vulnerability.

Then on the opposite side of the coin for Linux you left everything off except the kernel which is very misleading since it's really distros that most users need to be concerned with.

> You added [...]

I did not, I just reported the numbers given at the bottom of benaadams' linked page.

Number of fixed vulnerabilities does not equal number of times exploited. A vulnerability may be exploited many times by many different people.
Manpower and money will not magically fix the problem, you can have an infinite amount of both, it will not help the matter that bugs will always exist in even the most perfect code there is. I'd recommend reading the Mythical Man-Month book if you haven't: https://en.wikipedia.org/wiki/The_Mythical_Man-Month

There is no such thing as a bug-free software. Even if you have a perfect software, the said software can be exploited through the hardware. For an example, DMA attacks, memory attacks, CPU bugs, etc.

Intel has one of the most tested validation technologies in the world for their CPUs and they still have bugs in every CPU generation and now with Spectre/Meltdown bugs.

Microsoft has in fact been improving their security when they switched to the Security Development Lifecycle, Windows 10 is still more secure than Windows 7 or Vista was but you are talking about 30+ year old OS with a lot of legacy software that they need to harden up. They also cannot change things without breaking the backward compatibility.

I personally believe MS is trapped with the backward compatibility promise, it is holding them back but Microsoft has been trying to start over with a new OS via WinRT but it failed, developers are not willing to port software that has less users and users don't want it because it has less apps. It's a chicken and egg issue that Microsoft is still trying to fix with the Desktop Bridge app, supporting Win32/PWA apps in the Microsoft Store.

Today's Microsoft is less incompetent and more a victim of their success: In the end they are in the game to make money. Their users aren't, besides lip service, very interested in security. They are Windows users, after all.

Windows users (both corporate & consumer) routinely push back against changes brought on by Microsoft's security measures, and Microsoft has a hard time getting their customers to adopt new versions of Windows partly for this reason. Vast oceans of "enterprise" customers are on the 9 year old Windows 7 (and until recently, Windows XP).

MS has been peer with Apple & Linux for security vulnerabilities for several years (since releasing Defender). But that's OK, make up your own facts because MS bashing is fun and all the cool kids are doing it!
Are you sure you replied to the right comment? I was giving them credit and made no comparative claims.
wow wat a provacativ sujestion are u a philsofer u shud run mikrosoff
>Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

That's not a zero-day.

It literally stops being a zero-day after the initial day.

(comment deleted)
I don't know what communities you hang around, but there has never been some strict definition of 0day in infosec. 0day colloquially applies to anything circulating that didn't follow reasonable vendor disclosure, as was the case here
What? First time I hear of it. Not infosec, and yet I was under impression for years now that in colloquial usage, "0day" means "exploited before the problem was known publicly". It stops being a 0day after any info about it hits the press/social media.
Once a zero-day, always a zero-day IMO.
What is it called the day after you are aware of it. Zero day still? That makes no sense.
It makes sense if you think of the identifier "zero day" as a sort of birth-identity.

As far as I'm aware 0day refers to having zero days of notice to fix the bug. That doesn't change the day after it comes out, it's still zero days of notice.

The problem with that definition is that sometimes there is mitigation you can do before the vendor can get a patch out and that effectively counters the problem.

It also isn't reasonable when the vendor simply won't or can't patch it (because they've gone out of business). To have it be labeled a zero day forever because the vendor doesn't exist is silly.

I have followed "public knowledge" as the key factor because IT systems in production are complex and some companies actually do defense-in-depth and sometimes vendors are shit.

Using zero day excessively leads to alert fatigue IMO.