Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


November 4, 2016

Does Anyone Really Care? (Speaking of Cyber Security, Microsoft & Trust)

Folks,

This is important so if you care about cyber security, you'll want to take a few moments to earnestly read this in its entirety.


Microsoft (and Google, the U.S. Elections, the Russians) and an Unpatched Critical Zero-Day Vulnerability

On Oct 21, 2016, Google's Threat Analysis Group reported 2 critical zero-day (i.e. previously unknown) vulnerabilities, one to Adobe and one to Microsoft. Adobe acted swiftly and patched the vulnerability in its Flash software on Oct 26, i.e. within 5 days.


On Oct 28, 2016, 7 days after having reported it to the appropriate vendors, and per its published policy for actively exploited critical vulnerabilities, Google publicly disclosed the Windows vulnerability. As of Oct 28, Microsoft had not yet patched it.

Publicly disclosing a critical unpatched vulnerability in Windows (versions 7, 8, 8.1 and 10*), especially one that is being actively exploited, could potentially impact security globally, and just 10 days before the world's most important election, i.e. the U.S. election, also possibly impact the future of mankind. (But wait, don't arrive at any conclusions yet; please read this entire post.)

* Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.
If there's one thing the world has learnt this year, it is that in today's world, hacking and its impact can undoubtedly influence an election. The second thing the world has learnt this year is the ease with which purportedly Russian hackers have been able to engage in political hacking to compromise the cyber security of various U.S. entities including the DNC and Mr. John Podesta.

With just days left before the election, publicly disclosing a critical unpatched vulnerability in Windows could potentially empower many more malicious entities, including those widely believed to have already done so, to engage in further hacking in their attempt to further influence the election. If by any chance U.S. voting booth machines happen to be running an impacted version of Windows, and hackers are able to compromise them by exploiting this unpatched vulnerability, __ <you can fill in the blanks.>

By the same token, so could Microsoft's not doing everything it can to immediately patch this critical vulnerability. In other words, in light of the possibilities shared above, ideally Microsoft should have patched this without any delay, just as Adobe did.

It appears Google felt that it should be patched immediately. It appears the $500B Microsoft did not. You can be the judge.

(Instead of patching this immediately, what does Microsoft do and say?! It's astonishing, so please keep reading...)




Microsoft, are you Serious?

Since Google probably took Microsoft by surprise by, per its published policy for actively exploited critical vulnerabilities, publicly disclosing this vulnerability 7 days after reporting it to Microsoft, Microsoft was likely left with no choice but to publicly defend itself and issue a statement, and instead of patching it immediately, it did a most astonishing thing (see the "But it was..." part below).


On Nov 01, in a short blog post paradoxically titled "Our commitment to our customers’ security", written by an Executive Vice President in the Windows and Devices group, Microsoft in effect said that an activity group called STRONTIUM conducted a low-volume spear phishing campaign to target a specific set of customers by leveraging this unpatched vulnerability, and that Microsoft is coordinating with Google and Adobe to investigate the campaign and create a patch, which they plan to release on Nov 08.

Excuse me Microsoft, but by then the election would have been over, and by not releasing a patch immediately, you left a 7-day window (no pun intended) of opportunity that who knows how many malicious entities, including those widely believed to have already done so, could use to engage in further hacking in their attempts to possibly further influence this historic U.S. election.

But it was the very next sentence in the blog post that was unbelievably astonishing and I quote - "To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack."

Microsoft, are you kidding us?

This could potentially further impact the most important election in mankind's history, and instead of the $500 Billion Microsoft Corp immediately fixing the critical zero-day vulnerability, which they themselves are saying may have been used by purported Russian hackers in enacting the recent political hacks (and which they should ideally have found before the STRONTIUMs of the world did so in the first place), they're using (even) this to pitch the latest version of Windows! That's just unbelievable!

Oh, and by the way, in that same blog entry, Microsoft goes on to say, and I quote, "Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016." Er, here's a simple question for Microsoft: "How come STRONTIUM is able to find so many 0-day exploits, and if so, how come you, a $500 Billion company, are not able to find and patch them before STRONTIUM, or for that matter anyone else, can?" Perhaps Microsoft could take a petty billion dollars from its Cloud marketing budget and use it to assemble a team dedicated to finding and fixing such vulnerabilities in their foundational Windows software.




Speaking of Trust (Actions Speak Louder Than Words)

Microsoft, if you are truly committed to your customers' security and to Trustworthy Computing, and I believe you are, please back your words with appropriate and responsible actions, because to your customers your actions speak louder than words.


I believe that not immediately releasing a patch for a serious unpatched vulnerability in Windows that is currently being exploited to inflict great harm, especially days before the world's most important election that has already been influenced by the impact of such hacks, was not responsible. Further, ill-using this situation to pitch your latest version of Windows to customers was not responsible. Neither was not educating customers for 16 years about something so vital to their security (context in the next paragraph).

Just last week, I had to publicly take Microsoft to Active Directory Security School, because over the last 16 years, across the entirety of the security guidance (whitepapers, blogs, videos etc.) they have released on Active Directory Security, they have not once mentioned the most important and cardinal aspect of Active Directory security: Active Directory Effective Permissions.

In my professional opinion, in not having done so, even if unknowingly, they may have left over 85% of the world to deal with a massive cyber security challenge, a prime example of which is the sheer lethal power of Mimikatz DCSync made possible by a certain talented Mr. Benjamin Delpy, and for which Microsoft has no solution to offer to the world today. (None whatsoever.)

In fairness to them, they might say that they don't have to have a solution to every problem, because they have a huge partner ecosystem that helps address many such problems. They may be right, but they don't even seem to know that this problem is so difficult to solve that, out of thousands of partners in their ecosystem, not one of them has a solution to this Trillion $ problem (except one, and that's only because behind it is one of their own, i.e. a passionate former Microsoft cyber security expert).


Microsoft is spending billions of dollars to become a dominant player in the Cloud, and to persuade IT executives at the world's biggest public and private organizations to move to their Cloud. However, they need to understand that if they want the world to move large parts of their IT infrastructures and IT assets into their cloud, especially the Keys to these Kingdoms (i.e. Domain Controllers), they're going to have to demonstrate trustworthiness and EARN trust, and that's done by actions, not mere words.

By the way, the "mere talk is cheap" saying applies to everyone, including us; behind my talking is a decade of industrious action.

That is, this is coming from someone who loves Microsoft, cares deeply about cyber security, who has persevered for a decade to solve arguably the world's most difficult cyber security problem for Microsoft and the world, and whose work today uniquely helps secure and defend the foundational cyber security of so many prominent organizations across six continents worldwide, including the United States Government.

Along with great power, comes great responsibility.

Best wishes,
Sanjay

PS: Satya, in August I said someday I'll tell you what the most valuable thing in life is. It's Trust, followed by love, faith & time.