Are MS Security Advisoris a good idea?

[Saracen999]

A potential security weakness has just come to light, and been reacted to. An MS Security Advisory says ...

"elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple s An ystem files, including the Security Accounts Manager (SAM) database," said the advisory.

The implication of this is to reverse-hash and derive passwords.

To fix it is pretty simple provided you:-

- have access to an admin account, and
- are comfortable running commands in a DOS box, and
- are happy to delete then create new system restore points.

None of that is at all difficult, and there's a guide (on Tom's) taking it step by step. Even a pretty technically clueless user should be able to cope. But I'm not confident all will.

But here's the thing.

Is it a good idea for MS to put out a security advisory describing the weakness?

I don't know.

I've been playing with computers for 50 years (-ish). And I got my first PC in the mid-80s, and it wasn't my first computer. So this stuff is pretty easy.

But when I think of some of my friends .... well, suffice it to say they aren't likely to be reading here, or at Tom's, and certainly not MS Security Advisories. And yet, more and more of our lives are being put on our computer. So while those advisories are great for professionals and the moderately clued up, so I guess are essential, I wonder if they also don't just alert hackers to another vulnerability, and paint a target on non-techy users' computers?

MS Advisory

[kalniel]

It's a tricky one. On one hand state actors will likely already know about a vulnerability, so letting people know about it means they have a chance to fix/mitigate it. On the other hand, non-state actors will now know and, like the MS exchange vulnerability, will start to pile in.

As for the end users? Well we're screwed anyway and our main hope it simply to be lost in the noise. The usual 'don't run programs you don't trust' 'don't click on email links' etc. apply and largely prevent this attack.

[DanceswithUnix]

They are a good idea.

The cat is out of the bag. The bad guys know about the flaw. Usually a patch is issued to secure against the problem, and once the patch is available for download the problem is admitted to in an advisory.

This one sounds like an oddity. Usually time is given for an OS vendor to get patches rolled out, but it looks like there was public discussion of a flaw in Windows 11 preview (so who cares) and then, oops, Windows 10 does the same. So yeah, in this specific instance, if the bad guys didn't know about the flaw then they do now, but not because of the advisory. The advisory just lets us lot catch up with what is happening. I'm sure a patch will be out pretty sharpish.

There is a new Linux advisory also out which is a real oddity. To exploit the Linux one you have to create a million nested directories to create a 1GB path length, and then delete it, so not surprising that one slid under the radar. Apparently that takes about 3 minutes. As a programmer it is good to have visibility of these things as it decreases the chances of me falling into similar privilege or overflow traps in my own code, but most people can just make sure they are up to date on patches.

People complain about automatic patching, but it makes all of this pretty irrelevant to the average user.

[jim]

It is fairly safe to assume that all "non-techy users" as you put it, do not have secure machines. They might take the odd precaution, use some security software etc, but they're not securing their computers in the way that enterprise should (emphasis on should, not does).

That's where the advisories are useful.

If you're running an enterprise network with lots of machines and lots of legally and / or regulatory protected data, you need a few things.

Firstly, you need a solution that's approved by the manufacturer. That gives you some confidence that you aren't creating a new security or usability problem. You can't realistically roll out a fix to 20,000 machines just because a few people on a tech forum think that this fix will work. And to note, I'm not talking here about inadequate testing pre-production (obviously that always matters), I'm talking about actually rolling out the correct fix, that genuinely does work and scales.

Secondly, you need a solution that your regulators, national cyber teams and your third parties / clients are going to be happy with. The chaos that would be caused if everyone was reporting back what they'd tried to do to fix things would be crazy. There would be no way of validating that the measures were correct, and it takes a long time to build consensus on security measures - that can't be achieved within the hours / days necessary for issues like this one. It does happen for certain types of exploit / weaknesses - of course it does. But if there's a clear flaw with a clear fix, everyone having their own stab at finding that fix is really unhelpful.

Thirdly, there is a certain middle ground of smaller enterprises who really need to plug security holes, but don't necessarily have the technical expertise to figure out how to do it (or to validate that JeffHacker182 on the TechForum is correct in his proposed solution). For them, a manufacturer advisory is the only realistic option.

So yes, you're right, it does leave a bunch of users exposed. But I don't think they're the priority, and in general it's better to ensure that the most important networks and systems are protected, even if it's at the expense of a slightly elevated risk for non-techy users (i.e. because now more people are aware of the exploit).

[Saracen999]

....

People complain about automatic patching, but it makes all of this pretty irrelevant to the average user.

My main criticism, in case that meant me, is more about updates than patches, especially security patches, and even then, is more about not being able to override the default option (do it to me).

Delaying patching a security hole is a much harder sell than delaying MS's latest wheeze of a good UI update or feature but still ought to be, for users, a case of "not right now".

And yes, I know we can delay now, specify non-active times etc now. And certainly for security patches, that's good enough. For features that MS wants but I don't? Not so much. My computer, my choice .... and my risk if delaying goes wrong. But also, just pointing out, mandatory patches are just as capable of introducing new threats as fixing old ones. Just sayin'.

[kompukare]

But surely the argument for them not being a good idea is essentially "Security through obscurity"?

Which has always been problematic.

Like the concept of open-source, having everything above board encourages trust, at least with me.

[Saracen999]

But surely the argument for them not being a good idea is essentially "Security through obscurity"?

Which has always been problematic.

Like the concept of open-source, having everything above board encourages trust, at least with me.

Not entirely. Part of the logic is that, while professionals are a different issue, a LOT of home users, and probably quite a few business users, know absolutely nothing about either existing risks or new ones, and aren't likely to learn by releasing details. Hackers, on the other hand, are pretty much by definiton interested in security, and of course, the weaknsses. Yes, clearly, really good hackers (especially state ones) will have better sources of info than Security Advisories. but my point was about the balance of benefit versus risk by giving out such details. Those non-clued up users are going to be facing all of the extra risk and getting none of the extra benefit. So for them, advisories are useless, because they don't know they exist,
and probably wouldn't bother reading them if they did.

Yeah, I get the parallels with locks and lockpicking. I've spent some fun time watching the lock-picling lawyer on YT too (loved the one on picking the gun locks in US police cruisers .... in about 10 seconds flat). That was hilarious.

[kompukare]

I've spent some fun time watching the lock-picling lawyer on YT too (loved the one on picking the gun locks in US police cruisers .... in about 10 seconds flat). That was hilarious.

Came across him when looking at bicycle locks.
What I find funny is him picking something in a few seconds and still giving a big thumbs up as the hardest mainstream lock he's ever picked.
I guess he's right that most bike thieves ether use bolt cutters for which a 16mm+ lock is safe, or a battery operated angle grinder against nothing holds up. (Thinking of the later, a material which purposefully sparked or made a lot of noise - more than an angle grinder! - would be a deterrent).

[kalniel]

(Thinking of the later, a material which purposefully sparked or made a lot of noise - more than an angle grinder! - would be a deterrent).

Titanium locks, here we come!