So an incompetent CA is trusted by an even more incompetent company, Microsoft?
Is anybody else surprised at this point?
replies(1):
Is anybody else surprised at this point?
Multiple RCEs and critical CVEs cannot be fixed because Microsoft "lost" the source code. So they disclosed those RCEs but without any solution or fix.
(Not kidding, sadly, look it up, there also have been occasional binary patches because of the same reason)
I remember some Windows Fax Service related CVEs and some Wi-Fi drivers that couldn't be fixed directly, too, but don't remember the CVE or whether that was related to the Broadcom driver/module sideloading fuckup.
> The link you gave just gives me a long list of patches.
The link I gave you is the only disclosure/advisory page that Microsoft offers, don't blame me for them not offering a better UI. Ask them to do better.
- https://nvd.nist.gov/vuln/detail/CVE-2017-11882
- https://blog.0patch.com/2017/11/did-microsoft-just-manually-...
- https://cert.europa.eu/publications/security-advisories/2022...
Your own sources indicate CVE-2017-11882 was fixed in November of 2017. The title of the blob.0patch.com article is
> Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)
clearly indicating that Microsoft fixed the issue, contrary to your statement that they 'weren't actually fixed". The body content is consistent.
> NTLM relay attack
NTLM is bad, no question. It's based on a bad threat model - it assumes network admins can secure their corporate networks. Microsoft also fixed most of the issues in NTLM with NTLMv2 back in the Windows Vista and Windows 7 era. And Microsoft announced they will disable all NTLM versions by default within the Win11 lifetime. The biggest problem (unsurprisingly) is non-Microsoft software which has hardcoded the use of NTLM. It's fair to criticize Microsoft here for making available a technology that required so much from corporate network admins and leaving it available (and with use in Microsoft products) for so many years. At the same time, it's misleading to characterize these problems as "weren't actually fixed" - concrete issues with NTLM within its security model _were_ fixed and new technologies were created with better security models.
- https://techcommunity.microsoft.com/blog/windows-itpro-blog/...
> The link I gave you is the only disclosure/advisory page that Microsoft offers, don't blame me for them not offering a better UI. Ask them to do better.
You're mistaken. Microsoft has deep links for each CVE.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
I'll just leave this here, a month old (Oct 2024) because you seem to critize my old examples [1]. You can also google for "malware NTLM relay attack" and you'll find plenty of other examples.
PS: I also want to add that I won't collect 100s of CVEs for some random person online. I got better things to do than to convince people to ditch Windows. If you want a dossier and analysis, pay us and we'll make a contract for it.
If you want a better vulnerability database, we'll have that available as a product :)
[1] https://www.bleepingcomputer.com/news/security/exploit-relea...