Experts published unpatched Windows zero-day BlueHammer - Security Affairs

A researcher leaked the unpatched Windows zero-day “BlueHammer,” letting attackers gain SYSTEM rights; no patch exists yet. A disgruntled researcher released the BlueHammer Windows zero-day, a privilege escalation flaw that allows attackers to gain SYSTEM or admin rights, Bleeping Computer reports. The researcher privately reported the vulnerability to Microsoft but criticized the way Microsoft’s Security […]

Security Affairs
@Sempf @wdormann Wait that was Will?! 

@cR0w @Sempf
I didn't discover the vulnerability or make the exploit. I merely looked at it after it was published. Now that I'm allowed to talk infosec publicly again.

I also shared my thoughts about what it's like to work with MSRC these days. 😂

@wdormann @Sempf Ah, got it. Still cool. It's open in a tab to read tomorrow when I have a functioning brain cell again.
@cR0w @Sempf
It's kind of neat. And slightly complex.
But essentially the consequences of pissing off security researchers wanting to do the right thing.
@wdormann @Sempf We need more of that.

@cR0w @wdormann @Sempf no more free security work

[edit]: no more free security work for giant megacorps that could trivially afford to pay you very very well but literally don't out of spite and greed. Help tiny companies, the little guy, FOSS projects..

if the org makes over a billion a year, no more free infosec

@Viss @cR0w @Sempf
That's completely fair. There are some big for-profit companies that don't even do the bug bounty thing. So in that case, it's as free as it gets.

And for those that do bounties, what's sort of hand-waved over is that those bounties merely pay for your silence. Not for your work.

@wdormann @cR0w @Sempf or they do what keeps happening to me
- they find a way to claim it's out of scope
- add language to the bounty to retcon that into existence
- fix the bug
- I get fucked

I don't do bounties anymore.
It's like 5 in a row now.

@Sempf @wdormann Thanks for the write-up and somehow being support for the community (watching you respond to someone was fun -- no intended slight to anyone). I enjoyed your description of computer file and process juggling (how I imagine stylish TOCTOU). I don't think I follow your critique on flowchart followers. Creating a meaningful process-flow is a form of architecture necessary to keep consistency and sanity of those involved. I think it's a bit dubious to assume that the researcher has higher ethical concerns that should override the pedantic norms of review (likely informed by specialists).

@0f4d0335 @Sempf
I've been reporting vulnerabilities to Microsoft for about 22 years now.

So, when I report a simple vulnerability to Microsoft (e.g. one that can be described in one sentence), and I'm told that they cannot proceed until I provide a video recording of the exploit (presumably because their flowchart suggests that reports need videos), then OK. I reserve the right to be annoyed. And question your process.

@wdormann @Sempf Ok. Many published CVEs follow this norm. I don't really see the harm in making this a requirement? I understand creating a workflow of fixing hundreds of bugs requires brevity (this doesn't seem to be the case for the researcher), but all the solutions I must report take about 3 - 4 different forms of documentation. Yeah, it takes a lot of time, but I guess on the clock I don't particularly feel annoyed. And it's easier to showcase later to senior management why they should continue funding the (growing and expensive) department.