Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 03-Mar-2024 01:30:07 JST Kevin Beaumont

   Another clanger from Microsoft -

   - zero day vulnerability being exploited in Windows OS for six months in the wild by North Korea

   - They didn’t tell anybody, took six months to make a patch

   - released the patch without saying what happened

   - didn’t mark it as a zero day in Microsoft Vulnerability Management

   You’d think having the largest market cap in the world and having $2bn a year in revenue from security alone would allow.. uh.. investment.

   https://www.bleepingcomputer.com/news/security/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august/

   • Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Jim - webcomic (stupidjim@mastodon.social)'s status on Sunday, 03-Mar-2024 03:55:48 JST Jim - webcomic

     in reply to

     @GossiTheDog It's a corporation, what did you expect.

     Stop. using. corporate. services.

   • Embed this notice
     Jim - webcomic (stupidjim@mastodon.social)'s status on Sunday, 03-Mar-2024 04:42:10 JST Jim - webcomic

     @GossiTheDog Your choice, but you loose the right to complain when they frik up things again.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 05-Mar-2024 08:36:59 JST Kevin Beaumont

     in reply to

     https://arstechnica.com/security/2024/03/hackers-exploited-windows-0-day-for-6-months-after-microsoft-knew-of-it/

     Ars has a good look at this one.

     My take - it may well have been a bunch of technical work to fix the vulnerability, absolutely. But Microsoft can afford to resource this stuff - it’s one of the most profitable companies on earth, and they end to end own and create 100% of the code.

     To again repeat one plea for vulnerability researches - publish public timelines on blogs about disclosures. It would create visibility of how long fixes take, and encourage accountability.