Feeds

back to article Microsoft breaks bug-bounty virginity in $100,000 contest

Microsoft is breaking its long-standing tradition of not paying for security vulnerabilities by offering a $100,000 cash prize for the first penetration tester to crack Windows 8.1 and a $50,000 bonus to explain how they did it. At this year's Black Hat USA conference – held at the end of July in the sweaty hell that is Las …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Bronze badge

Re: MS Security Fails - Eadon the BlueHat bonus winner

GRATING ADOLESCENT CLUELESS GOBSHITE SPAMMING PRAT FAIL!!!!!!!!!!!!!!

(kindy STFU until the stress of puberty is past)

15
9
FAIL

Re: MS Security Fails - Eadon the BlueHat bonus winner

Most of that is clearly utter shit, but just so you're aware of one point the UI of Windows ISN'T part of the Kernel. It's part of the program that provides your post-file-manager 'Windows Explorer' views. And can, very easily, be changed.

Documents aren't started automatically, and haven't been for ages (assuming you're meaning Macros and VBA code), unless the user specifically asks for it. In fact any version of Office since word 6 was on the go (so just before you were born) has this security built in and turned on.

USB sticks were a fuckup but this was sorted a few years ago. They even rolled out a fix to customers running still-supported MS OSes.

Users still click 'YES' or enter their root password under Linux. It's the /mentality/ that's wrong rather than the software.

I have no idea what the fuck you're on about with 'don't execute arbitrary code'.

What's wrong with making executables EXE files? If anything this makes it EASIER to spot potential malware for your average user- if something ends in ".doc.exe" it's a virus and you delete it immediately. That also means that email can easily be removed as a way of blocking executables except where the user has renamed it to a non-executable extension (so there is a definite user action to change it back and then run it, so it's likely one they know the source and content of).

The layers thing is bullshit of the lowest order. Alternatively I've missed something, so please enlighten me.

'Don't bundle IE' Fair point, but isn't it more or less as secure as Chrome or Firefox now with most vulns coming from plugins?

Hiding file extensions is indeed a retarded idea as it gets rid of the security benefits of being able to see what the file will do. I can't believe I'm agreeing with Eadon on that one. Saying that, you've negated your argument about the executables thing so it's still a MASSIVVEE EEADON FAILL LOLLORZ

Separate Data from System... in what way? They already do keep your documents separate from your program files separate from your OS files.

Don't support Win32?! That would remove support for 30 years of applications and relegate it to a Linux-level of program availability. Which, while perfectly useable, doesn't have 'the real thing' in a lot of cases. Shout all you like about LibreOffice but it's still trying to get to where MS Office was 10 years ago.

You know what, I can't be arsed answering any more of these points. Please get off the side of Linux, Eadon- you're stopping people from changing over.

9
4
Anonymous Coward

They could wait

Give it two days after general release and someone will already have discovered the flaws.

However, why not just contact the NSA, they have access to a backdoor and will be well versed on the flaws as they were in on the development of the product.

3
1
Paris Hilton

Re: MS Security Fails - Eadon the BlueHat bonus winner

@Eadon

My word you need a girlfriend. All that frustration built up inside you.

3
0

This post has been deleted by a moderator

Anonymous Coward

Re: @Eadon

Wow that's some serious anger vented - do you need nurse to come and visit you with some meds?

All electronic systems have vulnerabilities, sure some have more than others. maybe you could stop using Windows and then you wouldn't need to care.

3
2
FAIL

Re: MS Security Fails - Eadon the BlueHat bonus winner

Eadon, the rubbish you come up with is not only wrong but also shows a complete lack of understanding of Windows. When was the last time you even used Windows?

I'm just going to pick my favourite "don't support Win 32". Win32, otherwise known as "The 32-bit version of the Windows API" isn't some old legacy code kicking around to support Windows 95 programs - Win32 is the core API through which all 32-bit applications interact with Windows (there is a Win64 API, however its just a 64-bit port of the standard Windows API).

To put it another way - every single application running on Windows depends on the Windows API. The .Net framework - implemented using the Windows API, Java - also implemented using the Windows API. Yes, even your precious LibreOffice would not run without the Windows API!

4
3
Anonymous Coward

Re: MS Security Fails - Eadon the BlueHat bonus winner

Don't let you lack of Windows knowledge prevent you from claiming things about it, eh? We've gone through a fair few of these points before and you still trot out arguments that you've been told are incorrect time and time again.

So here we go:

The fix is for a problem with a "specially crafted document" allowing a remote code vulnerability when opened, it is not executing code within the document.

UAC can be configured in many ways, from asking for password each time to asking for a password for major changes, but a yes/no clicked button for some, yes/no for most, yes/no for everything and off. This is because of the amount of complaints when Vista was introduced about it being too obtrusive. How you set it up is hardly MS' fault.

Executables aren't arbitrary executed, there are ACLs which control their execution or not. If you're running as an administrator level ID, that's your lookout and nothing to do with the underlying software. Furthermore files downloaded form the internet can't be directly run by users until they are marked as trusted.

I don't have a problem with IE being distributed with Windows, all OSes need a browser from day one, if only to allow you to download another browser.

I agree about hiding file extensions.

You assersion that data and system are mixed up is the sort of situation that someone who is indisciplined and operates as an administrator level ID suffers from, this would be the same with Linux. Also, they may have changed the name of "Documents and Settings" but try to write to the old name and it still works, it uses links, a fairly common technique in UNIX/Linux. You also seem to misunderstand how the registry works.

Win32 support will die with time, as Win16 did, but the investment in software for Win32 needs to be maintained. Besides, there's nothing inherently wrong with Win32.

I don't think that Windows does suffer from a lot of remote exploits, it certainly used to, but this situation has changed.

You could also stop abusing people, you know, calling people clueless just gets their back up. Telling people that they are laymen while demonstrating your own ignorance doesn't really help your cause.

4
3
h3
Bronze badge

Re: MS Security Fails - Eadon the BlueHat bonus winner

Win32 is also immensely flexible. Look at UWIN it is less braindead when it comes to POSIX than Linux.

Dunno about the old POSIX api. (The NT4 one think that is long gone but don't remember whether it sat at the same level as win32 or used it).

Look at colinux

(People use cygwin but colinux or uwin is loads better. There again people use Linux when Freebsd or Solaris are much better to use).

0
0
Anonymous Coward

Ah I see you have a virus installed

Security vulnerability detected: MS Operating System

Recommend fix: Format C: then install Linux

G ;-)

4
7
Silver badge

Re: Ah I see you have a virus installed

I like Linux.

I also dislike Microsoft as much as anybody except perhaps Eadon.

However kindly explain how I'm going to run the Adobe or Autodesk creative suites, or Microsoft Office, in a nice straightforward manner, in Linux?

No, "use LibreOffice, The GIMP and Blender" is not an answer. Neither is the "will it, won't it" WINE.

11
3

This post has been deleted by a moderator

This post has been deleted by a moderator

Silver badge

Re: Ah I see you have a virus installed

you're a locked in MS customer.

Well, I'm not personally, but many are and that's what you have to deal with.

Steam for Linux

That would be jumping straight out of the frying pan and into the fire, there.

1
0
Anonymous Coward

Re: Ah I see you have a virus installed

We used LibreOffice at work for a week once.

Then bought MS Office 2003, legitimate copies of it, for a few quid off eBay. MS Office 2003 isn't worth the up-front premium but it is SOOOO much better than LibreOffice. Everything works, documents read correctly, Macros and VBA can be run, etc.

3
1

This post has been deleted by a moderator

Anonymous Coward

Re: Ah I see you have a virus installed

> As Linux is faster than Windows, gamers might prefer it for gaming.

Linux is faster, but a significant amount of graphics rendering etc is run by the GPU which is a problem for linux. The graphics card manufacturers do not disclose the full feature set of the cards so open source drivers can not take advantage of it. They do include the full feature set in the windows drivers so games on windows can take full advantage of the graphics card.

2
2
Alien

Re: Ah I see you have a virus installed

"However kindly explain how I'm going to run the Adobe or Autodesk creative suites, or Microsoft Office, in a nice straightforward manner, in Linux?"

In a browser just as you do in other web apps!?

Adobe Creative Cloud

Autodesk 360

Office 365

1
0
Silver badge

Re: Ah I see you have a virus installed

But both AMD and nVidia develop proprietary drivers for Linux as well. The Linux community may bitch and moan about the lack of OS on it, but to them the code's part of the secret sauce: they won't slip trade secrets for fear the other will exploit them. Once you slot in the manufacturer drivers, though, the system cranks. And with less OS overhead, things DO tend to run smoother. I'm planning a migration myself but need to tie up some Windows-only loose ends first.

0
0
h3
Bronze badge

Re: Ah I see you have a virus installed

Linux (And members of Redhat) are trying the same thing on BSD / real UNIX.

They are in the extinguish phase now.

0
0
Linux

Modify the UEFI security to allow installation of concurrent OS's

I am sorry but Microsoft are trying to divert the attention from a major FU, the UEFI debate.

I have been a consultant for many years and although I can see the direction in which MS have been trying to take in improving security with Windows 8.x however at the request of the CEO have been instructed to lock out the potential of other OS's being installed. Typical underhanded methodologies merely to gain a monopoly on the market.

I personally do not like the UI of Window's 8.x, it is clunky & it does not adhere to typical processes of the user. As with all revisions of the Window's lineage, there are always flaws & security holes present. This is by design of Redmond to allow for future exploits by MS to monitor and potentially gain access to the systems remotely.

I fervently do not own a license of Window's 8.x because I am a true believer in the GPL modelling, admittedly I do on-sell licensed copies of Windows 7 because that is what the client requests for HOWEVER I do also suggest & promote the point of dual-boot systems to those people I recognize would benefit from also operating with any one of the POSIX based operating systems (Linux/BSD/Open Solaris) due to far superior security these environments provide.

5
7
Gold badge
Facepalm

Re: Modify the UEFI security to allow installation of concurrent OS's

This is by design of Redmond to allow for future exploits by MS to monitor and potentially gain access to the systems remotely.

Er, citation needed? I doubt there is one, that looks like purest kneejerk tinfoil hattery to me. First thing it fails on is; "What would be in it for them?". The reputational damage, were that proven to be true, would far outweigh any possible benefit they might have gained from doing it and whatever faults they may have, I doubt that every single last one of their people being monumentally fucking stupid is one of them.

3
2
Anonymous Coward

Re: Modify the UEFI security to allow installation of concurrent OS's

MS has a history of installing patches without the users permission. Their update system decided to ignore the "download but don't install" setting and install patches without the users permission (and then reboot). This effectively means the MS has the capability to monitor and gain access to your system any time it wants to.

http://www.emailbattles.com/2006/02/08/vuln_aacfhddccc_de/

2
2
Anonymous Coward

Re: Modify the UEFI security to allow installation of concurrent OS's

"A history of" is not equal to "one example from six years ago".

0
1
Anonymous Coward

Re: Modify the UEFI security to allow installation of concurrent OS's

So how many examples are needed for it to be "A history of"? Would you include such things as labelling patches as critical security updates in order to trick users into installing monitoring software? They originally did that with "Windows Genuine Advantage" which sent details of your system, on a daily basis, back to Microsoft. They have also previously labelled new versions of IE as security updates as well as patches to DRM.

Overall, MS has a habit of playing fast and loose with what it calls critical security patches.

1
1
Bronze badge

Re: Modify the UEFI security to allow installation of concurrent OS's

I think your muddling UEFI with secure boot.... UEFI brings more preboot control to the BIOS apple has been using it for years...

and im not against secure boot... Commodity PCs are cheap enough to live and die with the shipped OS and not having to find a windows key from a smudged, faded sticker is a bonus... just poke a win 8 disk in and it self licences from the bios... Want to run an alternate OS? just do it the same as before... need to use legacy pxe boot? just disable UEFI...

0
0
Anonymous Coward

and Relax

Breathe in, hold for 10, breathe out and relax...repeat as is necessary

4
0
Anonymous Coward

Microsoft cannot even get this right. It should have been $50,000 for the vulnerability and $100,000 to show how it was done.

Now the real question; is that $100,000 vulnerability and can they be added together to increase the payout? Also, at the conference will they have a buzzer they hit to record who hacked it first?

3
0

"the" hacker ? .. they might need to hand out numbered tickets !

I predict there will be at least 47 hackers waiting for the convention to open .. to claim that $150,000

might be worse than Walmart on black friday

2
0
Anonymous Coward

Re: "the" hacker ? .. they might need to hand out numbered tickets !

Not sure $150k is enough to get them firing up windows 8 in the first place.

Virtual machine maybe, short bursts....

3
1
Gold badge
Paris Hilton

$100,000 ... plus a laptop ?

$100,000 probably covers all my "laptop" needs, thanks. No need to post a crappy Surface machine as well.

0
0
This topic is closed for new posts.