[HN Gopher] Zero-click, wormable, cross-platform remote code exe... ___________________________________________________________________ Zero-click, wormable, cross-platform remote code execution in Microsoft Teams Author : Tomte Score : 912 points Date : 2020-12-07 12:13 UTC (10 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | post_break wrote: | So glad Microsoft installed teams on our server with an update | even though we never asked for it. | jonathanlydall wrote: | How sure are you that it wasn't some sort of Active Directory | group policy which did the install? | post_break wrote: | Because they forced the install with an office 365 update. | mwcampbell wrote: | I'm confused about the scope of the RCE. Can it escape the | Chromium renderer sandbox? Or is that sandbox disabled? Based on | the following: | | > MS Teams ElectronJS security: remote-require is disabled & | filtered, nodeIntegration is false, webview creation is filtered | and normally removes insecure params/options. You cannot simply | import child_process and execute arbitrary code or create a | webview with a custom preload option. | | it looks like they did everything right. | | I would like this thread to go beyond outrage at how Microsoft | handled this, or another excuse to bash Electron. What lessons | can developers using Electron take from this? (No, "don't use | Electron" doesn't count.) | CyanLite2 wrote: | They could ummm.... build a cross-platform UI framework that | rivals Electron without the security and memory bloat issues? I | think that's the plan with MAUI. | coldtea wrote: | > _No, "don't use Electron" doesn't count_ | | Why would it count? The situation would have more easily | occured and be even worse with a C/C++ native app. | gitweb wrote: | Rust advocates remind me of Apple and Firefox fanbois. They | are like the snake oil salesmen. | coldtea wrote: | Or, you know, reasomable people, with their own arguments, | you knee-jerkly dismiss... | | (Not that Rust's safety over C/C++ is an "opinion" or | subject to argumentation). | jcelerier wrote: | would it though - in a C++ app there'd be way less places | where people could send you arbitrary code to run over the | network ; and if you use any kind of high-level network | library you'd be well pressed to have any kind of buffer | overflow, as all the buffer handling is done in already- | vetted libs, such as Qt, Boost, cpp-rest-sdk, etc | freeone3000 wrote: | It's in the IPC invocation, so for this app in particular, | it'd be in the exact same place. | jcelerier wrote: | I have a hard time seeing how. It seems to work by having | some JS code to create a webview getting executed. In a | pure C++ app there would be no place that would even be | able to interpret that js, or any other "script language" | in that pipeline. | oskarsv wrote: | there are different levels of security for ElectronJS, some, | like in this case are not enough. | | I think it will take a long time before we can call ElectronJS | secure. there are regular sandbox escapes and that is from what | we know publicly | untog wrote: | The OP is asking for more detail than "not enough", though: | | "Can it escape the Chromium renderer sandbox? Or is that | sandbox disabled?" | oskarsv wrote: | to simplify - no it's not enabled | | the real answer is more complicated as it is not | necessarily a global setting and depends on what you call a | "sandbox" | mwcampbell wrote: | Thanks. I'd pay (moderately) for the more complicated | answer. An ebook on Electron security might be a good | idea. | oskarsv wrote: | I'm not an expert on Electron security! | | But if not addressed to me, there is no need to pay, you | can start here: - | https://www.electronjs.org/docs/tutorial/security - | https://github.com/electron/electron/security/advisories | | As you can see there are plenty of considerations and | pitfalls to take into account. Best option is to enable | contextIsolation for everything. | | Further, Electron security is closely tied to Chrome | security so that is one deep rabbit hole | pjmlp wrote: | Best Electron security is not using it in first place. | coldtea wrote: | Yeah, let's stick with raw C/C++, that would be much | safer... | | Or maybe let's use some research language made by Wirth, | and get access to all 10 of packages and 5 devs worldwide | using it :-) | pjmlp wrote: | For starters, leave it on the browser. | | I didn't mention any programming language. | gitweb wrote: | Telegram Desktop is a cross-platform C++ app. What | similar remote code execution exploit has existed in the | wild for it? | untog wrote: | C'mon. Just because there is one C++ app without remote | exploits doesn't mean all C++ apps are immune. | valand wrote: | FYI it's not just PL that factors into security. The | engineers, for example. | coldtea wrote: | The exact same kind of RCE? | | https://securelist.com/zero-day-vulnerability-in- | telegram/83... | | and others... | | https://www.notebookcheck.net/Researchers-at-Symantec- | discov... | gitweb wrote: | One of them requires the user to click run on a file, | much like running an EXE. The other, simply saves | potentially malicious data to external storage which | would then have to be run by a separate malicious third- | party app. This are far from RCE exploits that execute | immediately without poor user decision making, and Rust | is not impervious to security exploits similar to these. | MaxBarraclough wrote: | Rather just keep it in the browser? ;-P | kevingadd wrote: | This is safer to a significant degree. | [deleted] | dbjorge wrote: | The article explains the technical details of the render | process escape. Contrary to all the current replies to this | comment, it does not look to me that this is using a | generalized Electron escape; rather, it is using specific | main/render IPC calls which Teams has implemented unsafely as | the escape mechanism. Perhaps folks are confusing this with an | electron sandbox issue because Teams happens to have called the | variable containing their IPC APIs "electronSafeIpc". | stagger87 wrote: | What lessons can we learn from banging our heads on the wall? | (No, "don't bang your head on the wall" doesn't count.) | rakoo wrote: | Bang our heads on the wall at the appropriate angle. It's | only our fault if we get hurt, we must learn to properly use | the tools we have | darepublic wrote: | I bang my head against a wall everyday for a living. | coldtea wrote: | Yeah, because remote code exploits are particularly an issue | with Electron, as opposed an order of magnitude less likely | to happen with it compared to native code. | | Basically you got it completely backwards. The typical native | app (which is not Rust or Java but C/C++/Obj-C, etc) only | keeps the unsafe part of Electron, and even drops the sandbox | (whose holes can always be patched, but total absense | cannot). | jyriand wrote: | Don't use Teams app, but connect through browser instead... | that is if there is no other way to avoid Teams, because | you're company has already migrated from Slack. | jacquesm wrote: | Avoid Microsoft for stuff that is important, and don't | install their software on your machines if you can help it. | ROARosen wrote: | Especially if said machines are actually built by | Microsoft. | boogies wrote: | In which case they may be nice enough to block some of | their software for you | https://www.techrepublic.com/article/microsoft-blocks- | major-... | coldtea wrote: | Yeah, because other companies or FOSS have a better track | record. | | E.g. we can drop Exchange for email for a safe alternative | like Sendmail. | boogies wrote: | Maybe I'm in a filter bubble, but I've never heard of | anyone else assigning such low priority to exploits like | this. | jacquesm wrote: | Yes, Google has a better track record. You brought open | source and - totally unrelated - sendmail into it. | coldtea wrote: | > _Yes, Google has a better track record._ | | Do they? This is just from last month: | https://www.zdnet.com/article/google-patches-second- | chrome-z... | | > _You brought open source and - totally unrelated - | sendmail into it._ | | No, you brought the totally unrelated "Avoid Microsoft | for stuff that is important, and don't install their | software on your machines if you can help it." as if | Microsoft is the only place to ever had a RCE... | jacquesm wrote: | That's Chrome, not meet. | | As for bringing in unrelated stuff, no that was still | within the context of Microsoft's meeting software. It | was someone else that brought in the OS. | roel_v wrote: | Or wuftpd. I once accidentally dropped my keyboard, and | it turned out that the keypresses that generated were a | remote root exploit for wuftpd. | jacquesm wrote: | What are the chances of that happening, that's pretty | neat! | 35fbe7d3d5b9 wrote: | With wuftpd? P(x)=1 | roel_v wrote: | Eh, at first I thought so too, but then it turned out my | neighbours nan once accidentally hacked the US Navy that | way, so after that I didn't feel all that special any | more :( | jacquesm wrote: | Hehe, that's hilarious. | dylan604 wrote: | Reminds me of the old joke: VirusScanner: We found a virus | on your machine called Windows. You you like to remove it? | pjmlp wrote: | Starting by anything running on top of Electron. | samblogs wrote: | I am very unfamiliar with electron and security in general. But | generally I understand electron as a browser-like sandbox for | desktop applications. | | Can someone please explain how the "electronSafeIpc" might be | implemented? Naively this functionality seems to be the very | dangerous part of this exploit, and seems to be a workaround of | electron's intent to sandbox your application? | gorbypark wrote: | Electron uses an IPC to communicate between processes. Each | process is like a thread, but really it's more like a chrome | tab. Most apps have at least two processes, main and renderer. | The IPC passes JSON events between them. "ElectronSafeIpc" | appears to be a Microsoft implemented function that is wrapping | up the native IPC functions and is assumingly providing some | sort of safety checks. I gather the safety checks weren't good | enough, so once one process is taken over, the researcher has | managed to use the IPC to access the main process. That's still | sandboxed usually but... | jstsch wrote: | Unbelievably lax response. However, I've encountered a similar | response with Microsoft 365 login phishing sites being hosted | with a nice windows.net SSL certificate. Sites remained up for | more than a week after reporting through official channels | (CERT). Never received a response. | thesimon wrote: | Just for comparison: I reported a Facebook phishing site to | Netlify, it was taken down within 9 minutes. | x86_64Ubuntu wrote: | It seems like 365 has so many problems whether they are | security or uptime related. I'm glad my company hasn't moved | over to it yet. | segfaultbuserr wrote: | It's zero-click, not "xero-click". @dang, please fix the title. | vanderZwan wrote: | I honestly wondered if this was some printer-driver based | attack for a second | skocznymroczny wrote: | I thought it's one of those named bugs like Heartbleed, | Shellshock etc. | stevesimmons wrote: | The accounting platform Xero would like this fixed! | _JamesA_ wrote: | I was wondering why Xero had a wormable RCE involving | Microsoft Teams and exactly what the "click" product was. | geococcyxc wrote: | Maybe add that it's a "zero-click, wormable, cross-platform | remote code execution in Microsoft Teams" :) | based2 wrote: | https://www.wired.co.uk/article/microsoft-teams-meeting-data... | timvisee wrote: | This essentially allows you to infect all (online) machines | running Teams in some timespan, because of the wormability, if I | understand this correctly. There are 115 million daily active | users. | | The absurdly low rating by Microsoft is horrendous. | bogwog wrote: | I wonder if the team giving these ratings is the same team | responsible for introducing the bug in the first place? I could | see why someone in that situation would be incentivized to | downplay the severity of a bug report like this. | kerng wrote: | There is only one rating higher at Microsoft I think. So | important is actually pretty bad, but agreed it should get | their critical rating according to their own scale. | Havoc wrote: | hmm...seems a bit counterproductive trying to build good will by | offering a bounty program and promptly nuking said good will with | questionable ratings decisions. | | Immediate money saved, long term rep damage incurred. | varispeed wrote: | Isn't that from one of the CIA books? | darksaints wrote: | Too bad this vulnerability couldn't infect every teams | installation and cause them to uninstall and then make it's way | all the way back to the original source code and make it self | destruct. Teams is a fucking nightmare of a piece of software. | When your shitbarf architecture makes Slack look like a | reasonably good performer, you should just fire everybody and | start over from scratch. | ArtDev wrote: | Well, I already use the web version of Teams because the native | Linux version is a RAM hog. | prussian wrote: | These are some of the reasons why I refuse to use the desktop | application and on Linux at least, it isn't hard to define a | shortcut that works like one; path | ~/.local/share/applications/ms-teams.desktop | [Desktop Entry] Version=1.0 Name=Microsoft Teams | Comment=Teams without Electron GenericName=Teams | Exec=/usr/bin/chromium-browser --user-data- | dir=/home/prussian/.config/ms-teams | --app=https://teams.microsoft.com/_#/conversations/General | Terminal=false X-MultipleArgs=false Type=Application | Icon=ms-teams Categories=Network;InstantMessaging; | Keywords=teams;messaging;internet; X-Desktop-File-Install- | Version=0.23 | arendtio wrote: | I do similar things, but a few weeks ago I had to learn, that | many of the issues I had with the online Spotify Player (slow | loading times, incomplete pages, not playing music) were caused | by the included ServiceWorker. Gladly I could disable it in my | Firefox Profile and now everything works just fine. | | Maybe the local version wouldn't have had that problem. | tambourine_man wrote: | I want to see IT people of bigCorp justifying that you must use | Teams because of security. | emerongi wrote: | Can someone explain why the nullbyte disables the expression | filtering? | ds wrote: | Whats the reason to even participate in most bug bounties for | serious shit like this knowing you could get 10-100x more | submitting to Zerodium? Is it the hope of getting on some 'hall | of fame' which might land a job offer? | | Like, If I found a exploit for something random like | skype/slack/etc.. that let you run code on any targets machine | with zero interaction, there is zero chance my first stop would | be the bug bounty program. For serious exploits, I believe you | can get up to 2 million bucks with zerodium. Just seems like a no | brainer. | | Now that said, I would definitely use the bug bounty program for | boring/low impact stuff like XSS and whatnot that has limited | value/impact as nobody else would likely ever buy it for that | much higher of a price. | eightysixfour wrote: | Maybe some people are ethically against selling to an | organization that then resells the zero day to governments | instead of, you know, fixing the problem. | hundchenkatze wrote: | Then those researchers need to stop complaining when they get | screwed over by Big Corp. I'm definitely not saying that the | researchers shouldn't be rewarded appropriately, but we've | seen countless times that, even with official bounty | programs, these companies don't care about the researcher at | all. | | If someone still wants to put in all the work, that's great, | submit the vuln and reap the good karma but they shouldn't | expect more, even if the org they're reporting it to promises | otherwise. | mdbug wrote: | One should never stop complaining about bad things. It is | important that everyone knows it and is reminded of it | regularly. Especially now that it seems to be common | knowledge that Microsoft got rid of their bad past with | Ballmer and is now one of the good ones with their great | new "Microsoft <3 Open Source" approach. | smarx007 wrote: | Wow, https://zerodium.com/program.html literally places | router RCE at the bottom. I mean I never trusted my home | router router vendors but this is like an ice cold shower. | varispeed wrote: | So Zerodium claims their customers are mainly government | organisations. I find it amusing and sad. Wouldn't be more | efficient to just force vendors to implement backdoors? Why | maintain a lie, that citizens enjoy privacy and vendors are | required to keep their data safe? Why the charade? | hezag wrote: | The hope of not letting thousands of people being easily | attacked by some shady organization, maybe? | bouke wrote: | > Microsoft accepted this chain of bugs as "Important" | (severity), "Spoofing" (impact) in O365 cloud bug bounty program. | That is one of the lowest in-scope ratings possible. | | This is beyond believe: a RCE classified as "Spoofing". | johnwalkr wrote: | Well, somehow I'm happy if they keep this lower priority than | fixing broken notifications. | lucideer wrote: | The RCE isn't classed as "Spoofing". The RCE is in a product | for which Microsoft don't have any bug bounty product at all | (they only run a bug bounty for a very limited number of | products, and Microsoft Teams Desktop is not one of them). | Hence the RCE falls outside of the classification. | | The technicality is still absurd and beyond belief, but I'd say | the responsibility for that absurdity falls with company | policy, not with the MS security staffer's classification. | lhoff wrote: | The reason is probably to safe money. The bug bounty for a | critical RCE would be between 10k$ and 20k$ depending on the | quality of the report. Important Spoofing is rated for 3k$ and | 500$. | | So that is basically a giant middle finger to the security | researchers. | | Source: https://www.microsoft.com/en-us/msrc/bounty-microsoft- | cloud | dane-pgp wrote: | Companies offering bug bounties should allow appeals of the | amounts/severities they determine by an independent body that | is qualified to make these assessments. (Perhaps a respected | team of security researchers would be happy to take on this | responsibility). | | To prevent the appeals process being abused, the appellant | should have to pay for the time spent by the independent | researchers verifying their complaint. For a successful | appeal, the company offering the bounty should have to pay | that extra cost, encouraging them not to be stingy with the | awards they give out in the first place. | Enginerrrd wrote: | Won't the market just correct them here? If others are | willing to pay more for the RCE 0-day, and are more | reliable, they'll stop getting the reports and end up | scrambling a few times trying to catch up to the curve | until they get the message. | netsec_burn wrote: | I'm in a good position to answer your question. I've been | involved with making both bug bounty and zeroday | companies, and I have experience selling zerodays to | bounties and independent buyers alike. | | The truth is that the exploit acquisition market has many | legal issues. Zerodium, who is often thought to be the | leading buyer, publishes misleading guides and has had | unusual timing in between the initial disclosure and | hacking attempts on the researcher themselves. Other | buyers have non-negotiable sale (not license!) contracts | that may result in your zeroday being misused, and you | may find yourself in a conspiracy. And those are the | reputable and responsible buyers, there are others | outside the US that are fronts for Israel/UAE/China. The | market has plenty of room for correction, but there's a | shortage of ethical buyers. | | If you could easily sell an exploit outside of a bug | bounty program for more money, you'd see more people | doing it regardless of the ethics (see: the NSA doing a | bulk of the hiring in infosec, noone I spoke with that | applied cared about the illegal surveillance disclosures | and said they chose it because they offered 100k+). So | the researchers currently have no choice, and the bounty | programs take advantage of that. When the pendulum swings | the other direction, you'll see bounty programs becoming | more fair/lucrative. | AsyncAwait wrote: | > The market has plenty of room for correction, but | there's a shortage of ethical buyers. | | I wonder whom you'd consider an ethical buyer apart from | the software maker for a closed source software since no | one else can realistically patch it? | p410n3 wrote: | The only company you can get bug bounty money from is the | company that makes the software. If you sell your | findings elsewhere you're selling an exploit. Which is | probably more lucrative in most cases but also far less | ethical. | | So there isn't much choice here | [deleted] | ocdtrekkie wrote: | The market still kind of works: Who is going to bother | looking for vulnerabilities in your software if the pay | is so much better elsewhere? There may be only one place | you can sell a bug, but the security researchers have | better places to spend their time. | gruez wrote: | I think most bug bounty programs are so pitiful in terms | of time/effort vs reward that almost nobody is dedicating | research on the basis of it. a $10k bounty works out to | less than a week's of work for a cybersecurity consultant | (at consulting rates), and it's not even guaranteed (both | in terms of not finding a bug, and the company offering | the bounty marking it as invalid/duplicate). Not to | mention, that the black market will pay far more for a | 0day than the companies offering the bounties. | netsec_burn wrote: | I've successfully completed bounty programs for Google, | MasterCard, Dropbox, Pinterest, and some others I can't | quite remember. I did the math each time for dollars | earned over time spent, and the resulting figure is | always _under minimum wage_. This is for critical | vulnerabilities only (P1). | Xenoamorphous wrote: | My first thought is that this has nothing to do with money | and the truth is probably that some team wants nice metrics | to show their bosses (see? zero critical vulnerabilities!). | throwaway201103 wrote: | Save money? $20K to Microsoft is like $0.02 (if even that) to | you and me. Even $200K would be a drop in the bucket compared | to the damage from a widely exploited Teams vulnerability. | deathanatos wrote: | I was curious how accurate that was... | | MSFT has a market cap of $1.62T. A quick Google says "The | median net worth of the average U.S. household is $97,300." | That works out to 0.1C/. | pradn wrote: | These payouts don't come from the grand central corporate | treasury, but from the budget of a director or a VP. They | might have a small amount of discretionary funds after | their headcount and other expenses are accounted for. | varispeed wrote: | It's probably why they have so much money. It only goes one | way. They are greedy and unethical just as any other big | co, what's worse about them however is that they are trying | to wear that deceptive image of them being changed now and | embracing open source blah blah, but it is the same greedy | Micro$oft it has always been. | [deleted] | randomfool wrote: | $20k to reward the amount of security analysis that went into | finding this bug is an absolute deal for Microsoft. | Seriously- a single FTE security researcher is going to be | costing MS >$400k a year (salary, bonus, health care, office | space, etc). | | I work at a BigCo as a recipient of some of these XSSs and | I'm awed by the amount of work that goes into them. I always | try to overstate the impact to boost the reward- it's not | just the bug that they found, but how much of the system they | had to look at before they found this. The security folks at | BigCo that I interact with are badasses, but it's just so | hard to get this level of attention. | netsec_burn wrote: | It wouldn't be the first time Microsoft has screwed over | independent security researchers. There's a Twitter thread of | a researcher who was accepted into the Azure bounty program, | found a lot of important zeroday vulnerabilities, and was | paid nothing. In fact he expected to be paid for his | findings, and then had trouble with his basic living | expenses. Anyone who has worked with bug bounties should know | to stay far away from them since you can't get assurance | you'll be paid (and companies are not incentivized to pay | security researchers). | toyg wrote: | One thing I don't understand is why security folks still | bother with public bounty programs, when I hear that the | market for software reviews is massive and very profitable. | Is there a gap in the market for something that can | matchmake skilled people with companies at reasonable | rates...? | jalbertoni wrote: | This is a bit of a guess since this kind of security | research is but a hobby to me, but if with reviews you | cannot publicly post your results after they're fixed, | the best way to build a portfolio would be public bounty | programs. And without a good portfolio, you don't get | hired for reviews. | netsec_burn wrote: | Most of us _don 't_ bother with bounties anymore. There | are a lot of types of software review so I'm not quite | sure which one you're referring to. If you're talking | about matchmaking for pentests then you're essentially | describing a bounty program, the only difference is that | bounty programs don't pay researchers for their time. If | you're referring to blog/publications on security then | this is the first time I've heard of that market. | toyg wrote: | I'm thinking of security-oriented code-reviews of various | enterprise software. One of my old clients commissioned | some last year over a piece of work I made, and | apparently they had to go "to hell and back" to source a | reputable (and very expensive) reviewer somewhere in | California, while I'm sure there must be plenty of UK | talent available. They then had someone else pentest it | as a blackbox, which is definitely easier to source | locally, although the quality can be very variable. I | understand it is a very sensitive area, maybe it needs | some sort of professional body to provide accreditation | and self-regulate and promote reputable members, I don't | know. | | I think bounties are an unbalanced system; as you say, | pentesters don't get paid for their time and often don't | get paid at all, like in this case. There must be a | better way, where an independent third-party can judge | actual severity of the hole and sanction payments. | tester34 wrote: | It would be ridiculous, I don't think that's the case here | lhoff wrote: | Whats your interpretation. The even acknowledged that the | bug is an critical RCE on the desktop app. Coincidentally | the desktop app is not part of the bug bounty programm. | | To be fair the impact on the desktop app is higher since it | also has access to the OS and the attacker is not stuck | inside the browser sandbox. But from my understanding it | still is possible to steal the SSO token. When i think | about O365 setups with OneDrive for Business and Sharepoint | that means the attacker would have access to all files | stored there. That usually means all company related files | that person has. Additionally the attacker would have | access to all emails and messages of the user. | | How is that not critical? | | And according to the Bug Bounty side, Spoofing bugs "do not | qualify for this severity category". | jtbayly wrote: | "from my understanding it still is possible to steal the | SSO token" | | Isn't that precisely what spoofing is? | lhoff wrote: | I wasn't arguing the spoofing part but the important vs. | critical part. The same bug for ankther platform is | ranked as critical. | | The thing is that according to Microsoft critical | spoofing is not possible. | oskarsv wrote: | Yeah, although technically it's "out of scope", I think there | are times when you should stop debating the technicalities and | consider the business impact. | | I mean, do you look at that demo and think "yeah, that's | technically just 'important' let's fix it in 2 months"? | aitchnyu wrote: | Tangential, but how is the RCE situation for past few years for | Windows, Mac and Linux, especially for unsafe languages? | arnaudsm wrote: | It's because of behavior like this that future Microsoft RCEs may | be sold on the black market instead. | robocat wrote: | An ethical way of dealing with it in this case would be to | publish that you found a security flaw (without actually | disclosing the exact details) and maybe have some trusted third | party verify it e.g. another white hat organisation like Google | zero? | | Then the clients of Microsoft will put pressure to get it paid | for and fixed - because they are the ones that bear the true | cost of security violations (Microsoft only has indirect | costs). | ciarannolan wrote: | Microsoft only grossed $100,000,000,000 last year. What makes | you think they can afford more than $500 for a bug bounty? | tartrate wrote: | Everyone, literally everyone working on exploits right now will | see this and potentially be influenced by how Microsoft chose | to handle it. | otterley wrote: | Flagging because headline incorrectly implies the vulnerability | still exists. | | Mods, can you please update the title? | SigmundA wrote: | Is Teams still using an older version of Electron? Also looks | like they are still using Angular, thought Teams was being moved | to React, although not sure if that would help here in any way. | coldtea wrote: | > _!! That 's it. There is no further interaction from the | victim. Now your company's internal network, personal documents, | O365 documents/mail/notes, secret chats are fully compromised. | Think about it. One message, one channel, no interaction. | Everyone gets exploited._ | | Yeah, so? He makes it sound like some novel nightmare, but that | has been the case with 0-day, RCE bugs for half a century, and we | have had tons of those... | scinerio wrote: | I mean, the impact varies per organization but can be pretty | severe in certain contexts. I'm considering the fact that many | organizations have the majority of their proprietary data | living on things like Sharepoint, OneDrive, and so on (as | opposed to sparse data stored locally). | | I would consider this a bit more unique. | PieUser wrote: | Microsoft this is terrible! | baq wrote: | > Sooo, after around 3 months it ended as-is: "Important, | Spoofing" and that the desktop client - remote code execution - | is "out of scope". | | literally unbelievable. wow. | [deleted] | lhoff wrote: | Its out of scope because the scope microsofts bug bounty | programm is limited to web applications and endpoints. | staticassertion wrote: | Honestly, for a severe finding like this in their product I | think they should have: | | a) Paid out a bonus anyways for the finding (bug bounties do | this often, certainly we did at Dropbox) | | b) Made this scoping issue more explicit somewhere | Closi wrote: | This certainly isn't something that is listed on their bug | bounty page, and would also be a ridiculous limitation in | reality considering the scope of Microsoft's services. | lhoff wrote: | Are we looking at the same page? | | Here https://www.microsoft.com/en-us/msrc/bounty-microsoft- | cloud is a header "IN-SCOPE DOMAINS AND ENDPOINTS" with | alist of domains and that is described with the following: | "Only the following domains and endpoints are eligible for | bug bounty awards." | | I couldn't find something that would match the Teams app on | general bug bounty website either | (https://www.microsoft.com/de-de/msrc/bounty) | thrower123 wrote: | This is incredibly believable for Teams development and bug | fixing timelines. | haolez wrote: | Microsoft Teams is clearly a product worrying about user base | growth and nothing else. There are bugs, quirks and performance | issues everywhere, and then - out of nowhere - you get an update | about its new "AI Real-time Speech Translation for Your Calls!". | | They are just pushing new features in and hoping that everything | will hold together until they dominate the market. I'm not saying | that this is wrong, just that this is a fact for anyone that uses | Teams on a daily basis. | tester34 wrote: | I hope somebody can clarify this | imdsm wrote: | Title says Xero, repo says zero, misleadingly made me think it | was associated with Xero. | billpg wrote: | Exactly how terrified should I be right now? | Wowfunhappy wrote: | The vulnerability was patched, so not too terrified. You | should, however, be concerned about MS's overall nonchalant | attitude towards a very serious vulnerability. | frederikvs wrote: | A clear timeline would be useful to have. When was this | originally reported to Microsoft, when did they reply, how much | back-and-forth was involved, was a proof-of-concept of the attack | sent to Microsoft, when was the fix released, and what version | has the fix? | gchokov wrote: | Teams is the biggest crap I've seen in the recent years. | Unbelievable. | oskarsv wrote: | I wrote this. This is one of five similar reports for MS Teams. | | Even outside RCE, just consider the impact of access to SSO | tokens and wormability :) | tclancy wrote: | Is there any tell-tale sign this happened to you? I had a | really weird experience on Mac last week: I opened up my | machine and when I focused on teams I got a security alert | saying something called Endgame from Elastico was demanding | permissions. Never downloaded it but there it was in | Applications. | oskarsv wrote: | no, as you can see in the first demo it could be completely | silent. | | not saying you are safe - I don't know :) | gnfargbl wrote: | Is this a work Mac? If so then it is likely managed through | some kind of MDM system (JAMF etc), and it wouldn't be | unreasonable for the owner of the hardware to be pushing down | an endpoint agent like Elastic Endgame. Check in with your | security team and ask them. | hundchenkatze wrote: | If you're using an employer provided computer then they've | likely installed Endgame[0] which is an endpoint (it runs on | each device) security tool. Endgame was acquired by | Elastic[1] last year | | [0] https://en.wikipedia.org/wiki/Endgame,_Inc. | | [1] https://en.wikipedia.org/wiki/Elastic_NV | sigotirandolas wrote: | Fixed link: https://en.wikipedia.org/wiki/Endgame,_Inc%2E | eqvinox wrote: | It is technically never possible to guarantee tell-tale signs | of an RCE. At the point where you're running compromised | code, that code could in most cases be constructed as to | erase its own tracks. There might be some visible sign at the | moment of exploitation, but after that it's kinda over. | | (Yes this assumes the RCE escalates to a reasonably high | privilege, but that's just a matter of chaining. You can try | to go for things like sealed logs, but ultimately arbitrary | code can put your machine in an arbitrary state.) | | Particularly insidious for this would be the case of data | theft. The RCE might load some code to upload your company | secrets and keep itself strictly in RAM, and then erase | itself when done. With enough blackhat craftiness you'd never | be able to pinpoint the exact location of the leak. | ROARosen wrote: | There is, however, _some_ consolation in the fact that only an | individual who is already connected to you in Teams can run | this. | | That's not to say - of course - it's not abuse-able, it just | gives some context to the fact threat MS calls this "Spoofing", | since presumably, your Teams contact is someone you trust. So | the bad actor is "spoofing" as someone trustable within your | org (or outside it). But is does prob need some social- | engineering for a bad actor to truly exploit this. | | But the threat is still sever since the above logic only holds | up to the point-of-entry, once the worm has infected someone | the people forwarding it around are truly trusted. | aardvarkr wrote: | That's pretty scary tbh. All you need is a single employee to | fall for a phishing attack or other social hacking attempt | and that's game over. Everyone from the CEO down is | compromised. Zero click wormability with remote code | execution on a platform the entire company uses gives the | exploit unlimited reach within a company. This makes this one | of the most effective hacking/corporate espionage tools I've | heard of. | oskarsv wrote: | sure, add guest accounts to that and we are almost on the | same page. | | I can't call this "spoofing" as there are many many things | you can do wih it | varispeed wrote: | Imagine a bad actor starting work at large corp having all | confidential information up for grabs from colleagues on | Teams. It is especially scary during these times where a lot | of companies moved completely to working from home. Some | health organisations also use Teams for group support | meetings. Imagine someone being able to rummage through your | documents during an appointment. | csnover wrote: | One of my health care providers use Microsoft Teams as their | telehealth solution. My city government uses Microsoft Teams | for some public meetings. The idea that folks are only using | Teams to connect with other trusted parties is comforting, | but false. | noir_lord wrote: | > Microsoft Teams as their telehealth solution | | That sounds..interesting. | | I suspect with the on-going pandemic lots of tools are | getting used in interesting ways they where never really | designed for just to keep things _going_. | csnover wrote: | It's bad, but it's mostly bad because Teams is bad. It's | still better than Amwell, which somehow manages to have | multi-second latencies and requires me to manually mute | my video preview to stop it looping back my own audio. | | The old P2P Skype had better video quality and latency, | even when talking to people 4000 miles away, than every | video product I've used in the last year. Probably not | coincidentally, every video product I've used in the last | year has been web-based. WebRTC is an enormous | disappointment. | kritiko wrote: | Microsoft advertises Teams for telehealth: | | https://www.microsoft.com/en-us/microsoft-365/microsoft- | team... | Isthatablackgsd wrote: | Teams as their telehealth solution? What is wrong with | Doxy.me? It is HIPAA compliant and privacy-orientated for | telehealth than Teams. | elpakal wrote: | believe Teams is also used for the NBA virtual fan thing, | so there are... a lot of people connecting there... | edwintorok wrote: | Could you clarify the "one of five" statement please? Are the | other 4 vulnerabilities still unfixed, or they are fixed but a | write-up is still pending? If there are still 4 unfixed RCE | bugs in Teams I'd rather people uninstall Teams than wait for | the fix... | artjomb wrote: | Could you provide a disclosure timeline and the version or | indication of the version which has fixed this issue? | oskarsv wrote: | you can find both disclosure dates and versions in the | report. | | As for when it was fixed - I have no idea, as they never told | me, one day it just was. | GekkePrutser wrote: | Thank you for reporting it and not selling it on the black | market! | | I agree the categorisation is very bad. | | I hope raising this here will help you getting rewarded | properly. | driverdan wrote: | > Thank you for reporting it and not selling it on the | black market! | | I disagree. If MS is going to treat major issues like | this then researchers should be selling them to the | highest bidder. Maybe that way they'll actually treat | disclosures properly. | SkyPuncher wrote: | "Locks can be picked so everyone should break into homes | to proved a point" | | Lol, no. | the8472 wrote: | That most locks are pickable is _common knowledge_ and | that is why high-risk targets invest in additional | security beyond locks. | | That crufty electron apps are a security risk is not. So | yes, you do need someone to run out into the streets and | yell that the emperor has no clothes. Otherwise common | knowledge will not be established. | mwcampbell wrote: | > researchers should be selling them to the highest | bidder | | But what about all of the innocent people who would be | harmed by such a callous approach? I'm glad some | researchers have a conscience. | iforgotpassword wrote: | > But what about all of the innocent people who would be | harmed by such a callous approach? | | They should then think again about their choice of using | teams. Why should Microsoft rake in money from a shabby | product while volunteers have to fix their shit? | | Assigning a ridiculously low score to significantly lower | the bounty as a billion dollar company is disgusting. | namdnay wrote: | There are lots of vulnerabilities in most door locks, | does that mean we should go around stealing things | because Chubb have made money selling insecure locks? | untog wrote: | > They should then think again about their choice of | using teams. | | What percentage of Teams users do you think have a choice | in their use of Teams? | the8472 wrote: | If it's on their work machines then it primarily | endangers their employer's data, much less their own. | airstrike wrote: | And then when the company loses business from the | disruption, do you think employees walk away scot-free? | the8472 wrote: | I consider that inherent risk. Not getting a raise | because the company made business decisions that turned | out suboptimal (such as gaining short-term profits by not | investing IT security) is a risk that any employee faces. | If you want a more stable environment you go for a more | risk-averse employer, perhaps even public sector jobs. | airstrike wrote: | That's a silly proposition. If my field of expertise is | inherently private, I don't have that choice. Also I | can't solve for _every_ variable when searching for jobs. | I choose among the ones I get an offer for, and obviously | their IT decisions aren 't top of my list (nor do I know | what those are prior to hitting the desk) | the8472 wrote: | You may not see yourself as having a choice but that | wasn't really my point. What I was getting at is that | being an employee in general comes with a diffuse risk of | many factors that can result in not getting a raise or | the company even going bankrupt. Many of them are outside | your direct responsibility or influence and yet you take | up the whole risk package when joining that company. The | company getting ransomwared is just one more factor. It's | not special. Well, one issue with it is that it requires | criminal activity so it's dragging us down to a worse | equilibrium where more resources have to be spent on | countermeasures. But arguably that cat is out of the bag, | so the next best thing that we can do is to make security | best practices easy. And microsoft wasn't doing its part | here. | mwcampbell wrote: | > They should then think again about their choice of | using teams. | | Try saying that to a student who is using Teams on a | school-issued laptop, by no choice of their own. | | I'm not in any way defending how Microsoft handled this. | Frankly, I'm ashamed of my former employer (though I | worked in a completely different division). But your | outrage toward the company should not extend to its | unwitting users. | ethanwillis wrote: | There wouldn't be very many unwitting users if their | software had a serious reputation for being a serious | security risk. | kjs3 wrote: | Microsoft has had a serious reputation for being a | serious security risk for the 30 or so years I've been in | IT. It's one of the oldest jokes in the industry. People | and the world in general clearly do not work the way you | apparently think they do. | edoceo wrote: | Bullshit. Currently there are millions of children who | are obligated to use Teams for their publicly funded | education. | | And thinking these huge metrics get changed by selling | black hat exploits to what? Teach Microsoft a lesson? | While harming an already vulnerable population (not just | children are obligated to use Teams). As if the long term | goal of educating "unwitting" users is advanced at all by | blackhat behaviour. | torgard wrote: | Windows XP is still seen in the wild. | SkyBelow wrote: | To what extent should the blame for any harm fall on | Microsoft? They are the ones relying on effectively free | labor to protect the innocent. In such a case blaming the | free labor instead of blaming the ones relying on free | labor seems to create some very bad incentives. | | Personally I would prefer just having all new | vulnerabilities immediately disclosed once found. No | selling, but letting people decide for themselves if they | want to continue to use a product after someone has found | a vulnerability. I also think the incentives this creates | would mean that Microsoft and similar shops would put | more effort into testing their own software because they | would no longer have the safety net of a grace period | when someone finds a problem. | MrDresden wrote: | While I get your sentiment, I must disagree. | | Profiting from the very likely unethical use of the | exploit would be unethical. | | Instead this mishandling by M$ should rather cause | researchers to publicly announce the vulnerabilities | which would hopefully cause M$ to change their ways in | future dealings. | | It is ofcourse easy for me to say this, not being a | researcher who lives off of the discoveries made. | Zenbit_UX wrote: | Pretty bold to advocate for blackhat behavior on one of | the most schoolboy vanilla places on the internet, but I | can't say I necessarily disagree with your sentiment, big | tech needs a lesson but is this really the vulnerability | we want? 115 million DAU on teams... | | The amount of damage the NSA or some other state | sponsored actor could do with this... It would be very | bad to say the least. How bad depends on which state | acquires it. | | If a script kiddy got it they would likely do a mass | randomware infection, hospitals would get hit, people | would die. Millions in crypto would be lost to | unencrypted wallets found on the vulnerable machines (yes | people do that..), this could cause some to lose their | life savings... People have commit suicide for less. | | My point is its important to look past FAANG being cheap | and look at 2nd and 3rd order effects from something this | powerful and widespread. | woodruffw wrote: | Governments around the world _already_ regularly trade in | exploits that are as or more severe than this one. | | That isn't to advocate for brokering to a government, | just to say that the market already exists and contains | comparable exploits. It's only a matter of time until we | see the next EternalBlue to WannaCry lifecycle. | mistrial9 wrote: | > look at 2nd and 3rd order effects .. which FOSS | engineers have spent their lives on, while FAANG | acumulates patent and SSL money across international | borders? forcing TEAMS kool-aid with surveillance built- | in, down your desktop with the help of C-Suite and their | attorneys? | coldtea wrote: | Yeah, that will show 'em... | | Then people will move to some understuffed FOSS | alternative with 5 people working part-time on it, with | as severe bugs that nobody notices (remember Heartbleed | and countless others?)... | rndgermandude wrote: | Thing is, we don't know if this was found before by | malicious actors and sold and/or abused. | | This thing sounds like it is mostly pretty straight | forward to find once you start looking - "you" being | somebody experienced in this field of research, that is. | At least you don't have to construct fancy weird machines | (with type confusion, heap spraying and all those | shenanigans). It comes down to finding something that can | perform code execution in their internal API (here: | "electronSafeIpc") and then finding a way to get there | (here: angular escape bypass/not-properly-sanitized user | provided data) and you can do both in javascript and | don't have to read tons of machine code. | | Given that Teams is a great target because of it's large | and often corporate user base, I'd be surprised if none | of the usual industrial espionage suspects (e.g. China, | NSA, etc) had a look at Teams before. And I'd think the | chance of them having found the same bug, or a related | bug, once they looked is pretty good too. | | From what I am hearing even the (US) military uses Teams | sometimes... If that isn't incentive to look at this | thing for "interested parties", then I don't know. | oskarsv wrote: | please check out how much code MS Teams actually has, | before statements like this :) | | (it's more than 30MB of compressed JS) | trasz wrote: | 30MB of hand-written JS? For what's basically a glorified | chat client? | | With that much code I'd expect an AI to talk to people so | I don't have to. | rndgermandude wrote: | I didn't want to belittle your work, if you think that | was the case. It's still outstanding to find things like | that on your own, and a lot of work goes into it. Sorry | if I gave the wrong impression. | | I have analyzed foreign code bases of similar dimensions | in the past myself and found critical bugs. The size | doesn't say much, it comes down to identifying the | "interesting" bits (like the electronSafeRpc in this | case), which can be hard and tedious, but greatly reduces | the code you have to look at in detail. My assertion is | that if your name is e.g. China then you will not be | turned off by that. | oskarsv wrote: | that electronSafeIpc API is actually not that interesting | and a completely standard way to do things for ElectronJS | apps. | | No, I do agree - from my perspective C/C++ class bugs are | more difficult. Maybe they see this as magic as well. | | Still, it was painstaking work and in either case | CountryX will easily surpass those difficulties. | robocat wrote: | > This thing sounds like it is mostly pretty straight | forward to find once you start looking | | Most security bugs with 20/20 hindsight are "obvious" | when explained well. Personally, I think that is an | insulting and immature thing to say IMHO. | Wowfunhappy wrote: | Aside from the harm this could inflict on innocent users, | I'm not actually convinced it would cause vendors to | change their behavior. | | From a business perspective, the reason exploits are bad | for companies is because they generate bad press, right? | Well, it's not obvious to me that an exploit which was | being used in the wild gets significantly worse press | than one which was not. There's also the possibility the | buyer will reserve an exploit for super-targeted attacks, | and the public won't find out at all until year later. | csnover wrote: | Sorry if I am just obtuse but I don't see a timeline in the | linked report on GitHub. All I can see is that you tested | against a version of Teams from 2020-08-31. Being able to | see the complete timeline of communication with MS from | discovery to public disclosure is not necessary but would | give a more complete picture of how this went down, and I'd | like to see it too if it's not such a hassle. | oskarsv wrote: | There is no timeline besides when I reported it and now | minus 2wks. They never told me when the fix was deployed. | | There is little value in going through the email chains | to note each date:(. Final decision was made 2020-11-19 | politelemon wrote: | Could you put that in the README, is what we're asking, | as vague as it may be. | | At the moment the 'has been fixed' is the only clue to | this in terms of resolution, and it's tucked away; | without it it looks like most of the README is attempting | to capitalize on the shock/outrage factor. | | Edit: Thanks, author has added some dates. | | https://github.com/oskarsve/ms-teams- | rce/commit/35eac619fdef... | jacquesm wrote: | Thank you for making the internet slightly better. | thawab wrote: | Have you been tempted to build a worm and click send? not to | brake anything, just a text popup with an optimistic optimistic | quote. | [deleted] | oskarsv wrote: | only as a thought exercise. the ability to 'switch off the | internet' (115 million daily active big corp users) is | tempting, but no, not really :) | throwaway201103 wrote: | Google Robert Morris to find out how that goes. | thawab wrote: | From his wikipedia: | | _He is a longtime friend and collaborator of Paul Graham. | Graham dedicated his book ANSI Common Lisp to Morris. | Graham lists Morris as one of his personal heroes, saying | "he's never wrong."_ | | to be friends with Paul Graham, i should make a worm. Got | it. | xyzzy123 wrote: | Ehh in 1988 that worm was like an alien artifact from the | cyberpunk future. | | First "real" worm code, multi-platform, multiple | payloads, "staging", first practical buffer overflow | exploit and it does credential brute-forcing. | | Heck it was not until nearly a decade later that people | were really doing buffer overflows, and there were a LOT | of easy overflows to be found. | | I'd make the case rtm didn't just "make a worm" he | foreshadowed the next few decades of computer | exploitation. | | Took a whole bunch of research and ideas, synthesised | them, built an actual working "product" a decade or two | ahead of its time and released it in a transgressive way. | | If you are the kind of person who can do that I'm sure | _lots_ of people would like to be friends with you. | web007 wrote: | In case people don't know already, he's one of the YC | founders: https://www.ycombinator.com/people/ | centimeter wrote: | If a company responds poorly to bug reports, you should sell the | bugs instead of reporting them. | foobarbecue wrote: | xero? | shallowthought wrote: | Is spelling "zero" as "xero" a pun I don't get? | Denvercoder9 wrote: | More likely a typo, considering that "z" and "x" are next to | each other on the keyboard. | shallowthought wrote: | DVORAK users might have something to say about that, you | insensitive clod! | Denvercoder9 wrote: | Really, the assumption that QWERTY is the most used | keyboard layout is the hill you decide to die on? | Sharlin wrote: | And QWERTZ and AZERTY users, which I'm pretty sure far | outnumber Dvorak users. | therealx wrote: | I came here hoping for an answer on this and got none. | A4ET8a8uTh0 wrote: | Fun. What is interesting to me is that my work computer just got | unannounced update that included MS Teams pop up. I get that my | IT team dropped the ball by just allowing this to show willy | nilly, but I don't think we can take MS off the hook for | installing, promoting their own solution in user's face ( along | with telling me snip tool is moving away, resetting all file | associations, and making pdf default to IE.. ). | | Whatever happened to user agency? | ipostonthisacc wrote: | read the report fully - RCE is "out of scope", however the impact | from stored XSS itself is crazy! | rakoo wrote: | Out of scope for the bounty, but it's still very valid | jacquesm wrote: | I refuse to install this junk, it's Google Meet or bust for us | and so far that has served us well. Zoom, MS and lots of others | besides have all had their share of vulnerabilities to the point | that I'm not happy discussing anything under NDA on one of those | channels. For now Google seems to have their act together on | this. | cogman10 wrote: | Which is pretty despicable for a chat application. | | I blame the constant bloat of unwanted features. Each comes | with it's own inherent risk of vulnerability, yet it seems like | these companies can help themselves but to add "integrations" | that nobody wants or asks for from a chat application. | blntechie wrote: | I just today switched to Google Chat from Teams and find it | severely lacking. I don't see a way to call or screenshare with | another person/group unless I generate a Meet url and paste it | in the chat? Is it meant to be that way or our admin has not | enabled something? | magicalhippo wrote: | If you can chat with them, you should be able to initiate a | call from the chat window (handset symbol top right). Screen | sharing is to the left of it. | | At least that's what I can do, and I'm in multiple orgs. | jacquesm wrote: | Meet links are all over the place in what until-recently-was- | called-Gsuite, for instance, in the calendar and in the chat | (the little camera icon). Usability could be better, that's a | fact, but it worked flawless for me over the last 8 months or | so and if people are used to MS/whereby/zoom/whatever then we | typically get comments halfway into an interview day that the | video hasn't crashed yet, that the audio still doesn't lag by | 5 minutes and that nobody has been booted out for no | particular reason yet. That's how used people are to these | glitches. | | I'm not a big fan of Google, but the video meeting software | (and the little pc that you can buy with a dedicated setup | including super good echo cancellation) is at the moment best | of the litter. | Yizahi wrote: | It's not a vulnerability when the private info goes to the | Google itself :) | jacquesm wrote: | That too is a problem, but at least one that I can factor in. | eitland wrote: | Reported information leaking from password fields back in Windows | 8 days. | | I was even busier back then than now and found no application | besides getting information about an already filled in password, | but I was still massively underwhelmed by the response which | basically boiled down to "that's funny, thanks, bye". | | Last year I found a really ugly glitch were you can easily get | files unencrypted past an older (but still available) version of | Azure Information Protection tooling. | | This time I haven't bothered to report it yet. | jwiley wrote: | This reminds me of finding and trying to report a bug in Internet | Explorer 5.5 20+ years ago (not a difficult task). To report a | bug, I had to pay. Yes that's right, I had to put in a credit | card, and pay $100. | | If it turned out it was deemed to be a real bug, I would be | refunded my $100 money. If it wasn't, well that should teach me | for wasting their time. | | Guess the folks running the bug program got promoted. | gregjw wrote: | Thats ridiculous | spoonjim wrote: | Haha. I couldn't even invent something that stupid. I guess | they had a lot of cranks reporting bugs? The $100 would make | sense if there was a large reward on the other end. Like, if it | was deemed to be a real bug, you'd get $10K or $100K. | mjcl wrote: | It sounds like the normal Microsoft support (aka PSS) when | you don't have a support agreement. If the problem you are | reporting is solved by a hotfix or update, then MS refunds | the support fee. | oconnor663 wrote: | I'm assuming that policy was designed for general bug reports, | rather than specifically for security bugs? Especially if this | was 20 years ago. | MaxBarraclough wrote: | I presume you declined to pay? | jwiley wrote: | The company I worked for at the time decided to pay since it | was affecting users and we had to do an annoying work around. | If I remember correctly we got the $100 back a month or so | later, with a one liner reply saying something to the effect | of "this will be fixed in a service pack at some point, | godspeed." | kasajian wrote: | I had the same reaction to this when I was told by Microsoft, | however this description seems intentionally misleading. | Microsoft Support accepts calls for support and bug reports. | There's a fee for the support. If it turns out that the issue | is a defect, then you won't pay for the support call. | | Unfortunately, this was the only way to report a bug at the | time. | jwiley wrote: | Yeah thats definitely possible, I may be misremembering the | specifics. I think for us the end result was the same: it | made us a lot less likely to help them improve their product. | Spooky23 wrote: | We did the opposite. With premier support, you used to buy | a bucket of hours. We had a few folks that learned the | lingo and basically was able to attach a product defect to | almost any call we made, billable to the product group. | | We'd end up with a surplus of hours, and leverage the | threat of slashing those hours to get the execs on the | support side to push for concessions from the other parts | of the business. Premier was basically a revenue generator | for us :) | hutzlibu wrote: | But sadly not enough to break their desktop monopoly. | jiveturkey wrote: | 20 years ago you needed that kind of filter. | 1vuio0pswjnm7 wrote: | Microsoft vulnerabilties are now being disclosed on a Microsoft | subsidiary website, Github, Inc. | qz2 wrote: | Oh that's nothing. | | When they introduced IE7, they broke ClickOnce launchers all | around the globe due to the new download prompting. I raised a | defect with my MS Partner support dude and normal MS support. | All they managed was a registry fix shipped out to turn an old | flag on that was removed from the UI but was still in the code | inside IE. I did the diagnostic work to get that far. | | After arguing for months with various support people at | Microsoft I managed to get hold of people on both the IE and | CLR teams and they both pointed at each other and refused to | fix anything blaming the other team. | | They called me every 6 months to ask me to close the ticket and | I denied it because it wasn't fucking fixed. Eventually they | stopped calling when Microsoft Connect was shut down. I wonder | how many millions of issues they solved at that time! | | Oh no wait, the issue still exists in IE11. They fixed it in | old Edge. | | This was a manual registry fix we had to deploy to 20,000 users | at over 500 companies for 10 years. | | Eventually we rewrote the software so it didn't use ClickOnce, | instead passing context to the application via a shell protocol | handler (much like Slack does). | | Incidentally we're no longer an MS Gold partner and have no | certified staff any more. This is not a coincidence. They did a | shitty job and like hell we were paying any further. Amazon got | our business in the end. | | The issue? | | You can't set window.location.href=""; to a clickonce | activation link because of a race condition in the download bar | in IE. | arthurcolle wrote: | > You can't set window.location.href=""; to a clickonce | activation link because of a race condition in the download | bar in IE. | | I don't even... _shakes head in dismay_ | qz2 wrote: | It's even worse when you realise I spent ten years | convincing tens of large angry enterprises why they needed | to deploy a registry fix to make our web based software | work. | | I put the cost of this bug for us just in the $100k range. | arthurcolle wrote: | Were these deployed on prem on Windows servers? | qz2 wrote: | No - web deployed click once applications. Straight to | desktop from browser. Signed and whitelisted. | antman wrote: | Last month they broke integration with PowerBI service with | directquery, marked it "info" without estimated resolution | time, posted a windows server specific solution, and ten days | later silently fixed it for the rest of the platforms including | Azure SQL. | tw3d6624e6dd83 wrote: | IMO the best situation _for customers_ would be for researchers | to sell their discoveries in an open market, one in which MS is | free to pay "market price" (they certainly have the funds). | | In the short-term, MS buying these discoveries would allow them | to close vulnerabilities, ensure researchers are compensated | appropriately, and establish a clear financial cost to poor | security. The long-term effects would be increased security | research, shorter windows of vulnerability, and more secure | software. | whoopdedo wrote: | And on the same day Microsoft announces they're enabling guest | access by default. | tonyedgecombe wrote: | In case anybody else was wondering about this: | https://tomtalks.blog/2020/12/important-microsoft-teams-chan... ___________________________________________________________________ (page generated 2020-12-07 23:00 UTC)