I exclude WinXP since it would not have been privilege to have some of these techniques at the time. However, it appears an unpatched Windows 10 would still have been vulnerable, indicating the OS has still not been improved.
He's been warning people for a LONG time to get their systems updated and sort out the SMB1 problems. Hardly MS's fault for consumers not patching / keeping their systems secure.
In fact, good-guy-Microsoft for patching the XP flaw while they were at it, as far as I'm concerned.
I hold WinXP users at fault for any problems they are having. It's clearly an unsupported and insecure operating system.
The issue I'm addressing is not one of individual patches. I applaud Microsoft for keeping their system patched in a timely manner.
What I'm taking issue with is the these types of exploits are allowed to happen at all. The OS could be designed to prevent this type of exploit from either happening, or at least significantly mitigating the damage. Until this underlying flaw is addressed we'll continue to see these attacks.
So, I see this argument being equivalent to saying websites shouldn't allow 3rd party ads because those ads can be used to drop malware. Websites shouldn't allow for iframes because a XSS could drop an iframe that drops ransomware via drive-by attack. In this regard, Microsoft should also be held responsible for allowing VB scripts to be linked in a Word document because those are also common methods of malware dissemination.
In a way yes. We must be designing software assuming that these vectors will be used to attack a system. As you correctly show, this isn't a problem limited to just Microsoft. It's a design issue that all projects face. We continue to use designs that do not adequately product our systems from attacks.
Websites allowing 3rd party ads is one particular thing that is a security/privacy issue. I mentioned this in another article of mine: mortoray.com/2017/05/02/fix-your-c...
The underlying flaw(s) in this case have been mitigated. The current SMB protocol is versions ahead of what was exploited here - the problem is that MS has to keep backwards compatibility for products / clients running older software. The onus is on the consumer to stay up-to-date.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I exclude WinXP since it would not have been privilege to have some of these techniques at the time. However, it appears an unpatched Windows 10 would still have been vulnerable, indicating the OS has still not been improved.
A patch for vulnerabilities in SMBv1 was released by Microsoft in March.
twitter.com/NerdPyle would probably disagree with you on that one.
He's been warning people for a LONG time to get their systems updated and sort out the SMB1 problems. Hardly MS's fault for consumers not patching / keeping their systems secure.
In fact, good-guy-Microsoft for patching the XP flaw while they were at it, as far as I'm concerned.
I hold WinXP users at fault for any problems they are having. It's clearly an unsupported and insecure operating system.
The issue I'm addressing is not one of individual patches. I applaud Microsoft for keeping their system patched in a timely manner.
What I'm taking issue with is the these types of exploits are allowed to happen at all. The OS could be designed to prevent this type of exploit from either happening, or at least significantly mitigating the damage. Until this underlying flaw is addressed we'll continue to see these attacks.
So, I see this argument being equivalent to saying websites shouldn't allow 3rd party ads because those ads can be used to drop malware. Websites shouldn't allow for iframes because a XSS could drop an iframe that drops ransomware via drive-by attack. In this regard, Microsoft should also be held responsible for allowing VB scripts to be linked in a Word document because those are also common methods of malware dissemination.
Is that your line of thinking?
In a way yes. We must be designing software assuming that these vectors will be used to attack a system. As you correctly show, this isn't a problem limited to just Microsoft. It's a design issue that all projects face. We continue to use designs that do not adequately product our systems from attacks.
Websites allowing 3rd party ads is one particular thing that is a security/privacy issue. I mentioned this in another article of mine: mortoray.com/2017/05/02/fix-your-c...
The underlying flaw(s) in this case have been mitigated. The current SMB protocol is versions ahead of what was exploited here - the problem is that MS has to keep backwards compatibility for products / clients running older software. The onus is on the consumer to stay up-to-date.