26 September 2021

Microsoft versus Security

We had a post on Apple. Seems only fair to pick on Microsoft.

It is very convenient when your computer figures out stuff for you on the fly. It just facilitates leaking login credentials. See "Microsoft rushes to register Autodiscover domains leaking credentials".

As Steve Gibson is always saying, convenience is the enemy of security. Guess which side executives usually come down on.

When users configure their Exchange accounts on email clients, the app will attempt to authenticate to various Autodiscover URLs associated with Microsoft Exchange servers for their organization. If a successful authentication occurs, the Exchange server will send back settings that the mail client should use.

Are we shocked to discover that they did not consider all of the ways that could go wrong? I'm not.

They made such a fetish of Secure Boot, and then they built a feature that can bypass it. Because of course they did. See "Microsoft WPBT flaw lets hackers install rootkits on Windows devices".

WPBT [Windows Platform Binary Table] is a fixed firmware ACPI (Advanced Configuration and Power Interface) table introduced by Microsoft starting with Windows 8 to allow vendors to execute programs every time a device boots.

However, besides enabling OEMs to force install critical software that can't be bundled with Windows installation media, this mechanism can also allow attackers to deploy malicious tools, as Microsoft warns in its own documentation.

They knew it was a potential problem, but building in problems by way of work-arounds was easier than solving the fundamental issue. Or something.
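To see whether a machine's firmware publishes the WPBT described above, and what it hands to Windows at boot, the table can be parsed directly. This is an added example, not code from the articles quoted here or from Microsoft; the field layout after the standard 36-byte ACPI header is assumed from Microsoft's published WPBT format and should be checked against the specification, and the sample table is constructed.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")            # handoff size, address, layout, type, args length


def parse_wpbt(raw: bytes) -> dict:
    """Parse a raw WPBT table; raise ValueError if it is malformed."""
    min_len = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < min_len:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _sum, oem_id, _tbl, _orev, _cid, _crev = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not min_len <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the data")
    table = raw[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if min_len + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[min_len:min_len + args_len].decode("utf-16-le", errors="replace")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "checksum_ok": sum(table) % 256 == 0,  # all bytes of an ACPI table sum to 0 mod 256
        "handoff_size": size,        # size in bytes of the binary the firmware hands off
        "handoff_address": addr,     # physical address of that binary
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),
    }


def constructed_sample() -> bytes:
    """Constructed test table (not from a real machine): OEM 'EXAMPL', 4 KiB binary."""
    args = "-check\x00".encode("utf-16-le")
    body = WPBT_BODY.pack(0x1000, 0x7F000000, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"SAMPLE  ", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = -sum(table) % 256  # checksum byte lives at offset 9 of the header
    return bytes(table)


if __name__ == "__main__":
    try:  # Linux exposes firmware ACPI tables here; reading them needs root
        with open("/sys/firmware/acpi/tables/WPBT", "rb") as fh:
            print(parse_wpbt(fh.read()))
    except OSError as exc:
        print(f"WPBT not readable ({exc}); constructed sample:", parse_wpbt(constructed_sample()))
```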

PrintNightmare is still in the news, as the latest fix caused problems. (Hey, you never said you actually needed to be able to print!) Outlook has problems with security keys as a means of Multifactor Authentication. And More.

As I mentioned in the post about Apple, Microsoft also suffers NO financial fallout when one of their systems gets hit with a hack and you pay the price. Why? Because that is what you agreed to when you opened the shrink-wrap, or clicked on "accept terms and conditions" (even though you did not read them) when you downloaded or installed the software. And so their default position seems to be, "Meh, another zero-day; no impact to us."
