Experts published unpatched Windows zero-day BlueHammer - Security Affairs

A researcher leaked the unpatched Windows zero-day “BlueHammer,” letting attackers gain SYSTEM rights; no patch exists yet. A disgruntled researcher released the BlueHammer Windows zero-day, a privilege escalation flaw that allows attackers to gain SYSTEM or admin rights, Bleeping Computer reports. The researcher privately reported the vulnerability to Microsoft but criticized the way Microsoft’s Security […]

@Sempf @wdormann Thanks for the write-up and for somehow being a support for the community (watching you respond to someone was fun -- no slight intended to anyone). I enjoyed your description of computer file and process juggling (how I imagine stylish TOCTOU). I don't think I follow your critique of flowchart followers. Creating a meaningful process flow is a form of architecture necessary to keep consistency and sanity for those involved. I think it's a bit dubious to assume that the researcher has higher ethical concerns that should override the pedantic norms of review (likely informed by specialists).

@0f4d0335 @Sempf
I've been reporting vulnerabilities to Microsoft for about 22 years now.

So, when I report a simple vulnerability to Microsoft (e.g. one that can be described in one sentence), and I'm told that they cannot proceed until I provide a video recording of the exploit (presumably because their flowchart suggests that reports need videos), then OK. I reserve the right to be annoyed. And to question your process.

@wdormann @Sempf OK. Many published CVEs follow this norm. I don't really see the harm in making this a requirement. I understand that creating a workflow for fixing hundreds of bugs requires brevity (this doesn't seem to be the case for the researcher), but all the solutions I must report take about 3-4 different forms of documentation. Yeah, it takes a lot of time, but I guess on the clock I don't particularly feel annoyed. And it's easier to showcase later to senior management why they should continue funding the (growing and expensive) department.