Microsoft 0-day feud escalates as researcher threatens another exploit dump

Microsoft 0-day feud escalates as researcher threatens another exploit dump(theregister.com)

130 points by Cider9986 3 hours ago | 34 comments

gslepak 14 minutes ago |

It's poor form to publish exploits like this but Microsoft not paying their bounty is also poor form, and so is attempting to exploit the legal system to defend Microsoft's "right" to write buggy code.

8cvor6j844qw_d6 2 hours ago |

> “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”

> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”

Well said.

zamalek 1 hour ago | |

I would argue that this form of disclosure is ethical in the face of Microsoft misbehaving. It's like mutually assured destruction - and in this case (it sounds like) Microsoft tried to cheat and thought they would get away with it.

Feeling consequences are how they are kept in line. Maybe next time they will think twice before (allegedly) treating a person like they did here, as well as the creative reasoning I recall them using in the past to reduce payouts.

rustyhancock 1 hour ago |

I know this is a crazy take. But I go feel so down trodden by many many tech corps these days I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.

That said, I feel bad for the inevitable victims of exploitation and also I am certain he will end up criminalized or as per usual the law will enforce a large corps will against him.

Yes. Definitely a Friday night after a hard week take.

chasil 1 hour ago |

The best interests of the customers of Microsoft is an immediate apology, a payment of at least $100,000, and a signed agreement pledging that no (further) legal action will be taken.

The denial of Microsoft is just as harmful as the exploits of these flaws.

cyanydeez 1 hour ago | |

or everyone just dump all their exploits on Saturday morning 2AM, then buy puts.

TacticalCoder 47 minutes ago | | |

> or everyone just dump all their exploits on Saturday morning 2AM, then buy puts.

But nobody can buy PUTs at 2am on a saturday morning? You should buy PUTs on a friday before close then dump the exploits no?

aidenn0 57 minutes ago |

I wonder: what's the approximate market value on the bugs so far released?

rolph 3 hours ago |

there are active forks, and active mitigations for redsun undefend and bluehammer.

so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.

only recently has a OOB mitigation been offered

https://www.techspot.com/news/112410-security-researcher-mic...

mittensc 2 hours ago | |

> so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.

It does look like an intentional backdoor. The way ms is responding to it is even more suspicious.

Pretty funny since this defeats security on most corporate laptops, so impact is huge. You'd expect them to treat the reporter better and fix the issue fast...

I'm curious why they put it in, I'm not sure I understand the 'to "manage" your computer' note.

Microsoft should have no reason to put something like this in. So either they were forced or they had some engineers that did this on their own without any oversight.

jeroenhd 1 hour ago | | |

The backdoor could be a bug, but I don't really understand how it happened.

The attack works by having an NTFS log get replayed against another partition than the one the log is stored on.

Sending the right signals to unlock Bitlocker in TPM-only mode is a necessity for recovery operations. Managing to replace the executable launched post verification is a plausible attack vector.

The weird thing is why it's possible to put the corrupting transactions on a different disk than the one being updated.

In theory I think it would be possible that it's a combination of "all recovery partitions share the same FS identifier and are verified before transaction playback" (it is a pre-packaged WIM file after all) and "the transaction log stores the FS identifier of the partition the changes are meant for", but in my opinion the latter part is a very weird architecture to choose.

If this is a backdoor, I appreciate how clever they were hiding it. If this is a bug, the person who discovered it probably has a whole lot more ready to publish.

rolph 1 hour ago | | |

manage- meaning remove or disable your stuff and reinstate slopware.

i dont know how much fiddling around you may have done to make a win11 install local and secure, but but if you dont get it right the first time, most often the next update will involve re-installation of bloatkrapp.

the in house usage is apparently to allow bypass of bitlocker by the winRE recovery environment.

this has been exploited for some time already, allowing malicious uses of trustedinstaller ACL.

ive had to deal with persistent installs using exactly this route, and a really nasty one will brick your machine if you dont knock out its components in proper sequence pwning the trusted installer account, and disabling the viral recovery mechanism.

ranger_danger 2 hours ago | |

> backdoor that ms needs

source:

codedokode 1 hour ago |

I read a little about BitLocker. It seems to store the encryption key in TPM and acquire it automatically after boot. I wonder, can encryption key be extracted by inserting a rogue PCIe card and reading it from memory, or by inserting a rogue DDR memory card with a backdoor to read the key from it, or by sniffing CPU - TPM bus?

rolph 49 minutes ago | |

yes sniffing is possible, for now im waiting for some pluton variant to start making its way into the chip and die stream.

the concept is to shield the TPM its bus, and any keys whith the CPU chip.

kotaKat 1 hour ago | |

Sniffing the TPM's been available for quite some time, actually - and quite cheap!

https://pulsesecurity.co.nz/articles/TPM-sniffing

The best way would be to arguably keep the key completely off the TPM and use remote attestation. There's some preboot products out there like WinMagic SecureDoc* that use a little Linux partition, spin up just enough to get a network connection up to a remote server, provide authentication services, and then send the Bitlocker key down, unlock the partition, and chainload onwards to Windows.

* I acquired an enterprise device on eBay and was VERY surprised to find this product on it as the preboot protector. Zero way to crack in from my end, so I applaud it. There's even some MFA solutions they offer around this! https://winmagic.com/en/solutions/mfa-windows-login/

Retr0id 52 minutes ago | | |

Something I've never understood about TPM attestation, is what happens if you plug the TPM into a microcontroller and give it all the same measurements that it would normally receive during a normal boot? Would that let you spoof attestations?

throwaway763210 1 hour ago |

Responsible disclosure isn't a law, it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non disclosure are a valid choice as well.

Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.

hungryhobbit 1 hour ago | |

Or maybe they shouldn't revoke the very accounts researchers are required to use to communicate exploits to MS?

zingababba 36 minutes ago |

Watching Microsoft squirm is always peak

Hikikomori 15 minutes ago |

Hey MSRC. Maybe don't ban security researchers and then complain about vulnerabilities not being disclosed to you? Have you tried not fucking yoursef?

themafia 1 hour ago |

> “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,”

Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.

ChrisArchitect 2 hours ago |

GitHub bans security researcher who posted zero-day Windows exploits

https://news.ycombinator.com/item?id=48315968

cryo32 1 hour ago |

I've been working with Microsoft products since about 1989. It has been mostly miserable, like living with a schizophrenic gorilla. You wake up in the morning and don't know how fucked your day is going to be. Dealing with them has been absolutely impossible even when you were one of their "gold" tier partners back in the day.

I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.

rekabis 3 hours ago |

I may not have seen the full story - and I am cognizant of this - but what I have seen so far puts me solidly on the side of Nightmare Eclipse.

Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.

zadkey 3 hours ago | |

Everything I've ready points to the same.

this_user 2 hours ago |

At the end of the day, Microsoft won't care how bad any of this will make them look. Their reputation has been abysmal for decades, but none of it actually seems to have any kind of negative effect on their bottom line.

lukan 26 minutes ago | |

Because they mainly care about their reputation in C suites not internet forums.

midtake 2 hours ago |

Sorry not sorry

45ahgd 2 hours ago |

This is poor damage control by Microslop. Why would the researcher publish valuable exploits without trying to get a bounty?

Usually, when an individual is that upset, the group or corporation is wrong and tries to shape public perception by lying.

Since when is publishing zero days a crime anyway? Shame on Microslop for these intimidation tactics. The real crime is vibe coding operating systems.