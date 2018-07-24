Microsoft Security Shambles
In the opaque world of government hacking, private firms grapple with allegiances
According to the employee, these disclosures sometimes happened before anyone informed the victim. In many cases, the activity was never publicly detailed. Microsoft is a well-known partner of U.S. law enforcement.
[...]
When CyberScoop asked Microsoft to elaborate on the tech accord, the company refused to respond. Instead, the company sent a series of unrelated links to Microsoft’s software vulnerability disclosure policy. The disclosure policy does not answer whether Microsoft has informed or currently informs the U.S. government about cyber-espionage operations that it doesn’t publicly document.
DHS: Russian hackers [sic] got into control rooms of US utilities [iophk: "Microsoft Windows TCO + Windows mentality"]
Department of Homeland Security (DHS) officials told the Journal that hackers [sic] working for a state-sponsored group known as Dragonfly or Energetic Bear were able to get inside the networks of U.S. utilities to the point that they could have disrupted power service and caused blackouts.
Microsoft Pulls July .NET Framework Patches Following App Failures
Microsoft acknowledged that some organizations were adversely affected by the .NET Framework monthly updates that were released almost two weeks ago on "update Tuesday" (July 10).
If at first you, er, make things worse, you're probably Microsoft: Bug patch needed patching
A remote code execution vulnerability in the Windows VBScript engine was left open for exploitation for two months after it was supposedly patched.
In fact, the fix made things even worse by introducing another remotely exploitable bug in VBScript.
This is all according to researchers at Qihoo 360, who today claimed a security hole in the scripting engine was only partially resolved in Redmond's May Patch Tuesday, and was only permanently patched in this month's batch of fixes.
Designated CVE-2018-8174, the flaw was a use-after-free() vulnerability in the scripting engine that could be exploited by a booby-trapped web page, when opened with Internet Explorer, or a malicious document, when opened by Office, to execute arbitrary devilish code with the current user's rights.
