Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Microsoft Slams Windows Exploit Code Disclosure
Newest First  |  Oldest First  |  Threaded View
YMOM100
50%
50%
YMOM100,
User Rank: Apprentice
3/21/2012 | 10:24:31 PM
re: Microsoft Slams Windows Exploit Code Disclosure
This is what I consider the cost of doing business with Microsoft. Get exploited systems, reboot critical systems at least once a month, get 'enterprise' apps that crash and leak memory like there is no tomorrow - and pay dearly for it while Microsoft gives crap about it all. Dear IT managers, CIOs, and CTOs, why the heck to you keep buying Microsoft?
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/20/2012 | 2:00:09 AM
re: Microsoft Slams Windows Exploit Code Disclosure
Is anyone else here distressed about the timeline of these events?

Bug discovered in May 2011 (10 months ago)
Bug verified and notification delivered to Microsoft in August 2011 (7 months ago)
Microsoft develops an exploit of this bug to test with in Novermber 2011 (4 months ago)
Microsoft releases patch in March 2012.

So, for 10 months (or longer), it's possible that this bug could have been exploited without any form of remediation? Given the list of operating systems that are affected by this bug (anything you could find on a Wintel system since roughly 2002, and possibly before that since there's no mention of Windows 2000), and the criticality of this sort of bug if it were exploited, that's worrysome for me as an IT professional.

I think the big thing that a lot of CIOs out there that lean heavily on Microsoft's products in their organization are asking is "What needs to happen at Microsoft to accelerate the remediation process when a problem of this size gets put on their radar?"

Andrew Hornback
InformationWeek Contributor


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
CVE-2020-15277
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
CVE-2020-7373
PUBLISHED: 2020-10-30
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is ...