How to Report a Bug to Microsoft

[Villeroy]

http://www.schveiguy.com/blog/2017/05/h ... microsoft/

[henke54]

Yep, "money makes the world go round"

Microsoft is reported to give the NSA special security tip-offs that it could use to crack into Windows computers.

Also enjoying strong protection from liability over the cyber attack is the U.S. National Security Agency, whose stolen hacking tool is believed to be the basis for WannaCry.
.........................
Microsoft itself is unlikely to face legal trouble over the flaw in Windows being exploited by WannaCry, according to legal experts.

Microsoft patched 'NSA hack' Windows flaws before leak

'God's eye'

Whisteblower Edward Snowden had previously leaked documents in 2013 that alleged the NSA had carried surveillance of the Brussels-based Society for Worldwide Interbank Financial Telecommunication (Swift) for several years, but did not specify how.

Swift allows the world's banks to send payment orders and other messages about large financial transactions in a "secure and reliable" manner.

It is used by about 11,000 financial institutions. The allegation is that third parties - known as Swift Service Bureaus - that provide access to Swift's network were targeted by the NSA, rather than Swift itself.

"If Shadow Brokers' claims are indeed verified, it seems that the NSA sought to totally capture the backbone of [the] international financial system to have a God's eye [view] into a Swift Service Bureau - and potentially the entire Swift network," blogged security researcher Matt Suiche after the latest leak.

"If the US had a specific target in the region's financial system, NSA penetration offers [an alternative to] merely relying upon good faith compliance procedures, standard diplomatic requests, or collaborating with Swift."

Swift has not confirmed it was compromised.

"We have no evidence to suggest that there has ever been any unauthorised access to our network or messaging services," it said in a statement on Friday.

The BBC has not been able to verify the authenticity of the Shadow Brokers' claims, and the NSA has not provided comment.

Microsoft provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Washington-based Microsoft and other software or internet security companies have been aware that this type of early alert allowed the US to exploit vulnerabilities in software sold to foreign governments, according to two US officials. Microsoft didn’t ask and couldn’t be told how the government used such tip-offs, said the officials, who asked not to be identified because the matter was confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occurred in co-operation with multiple agencies and were designed to give the government “an early start” on risk assessment and mitigation.

Some US telecoms companies willingly provided intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the US, one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

[Villeroy]

What I do not understand is: https://www.samba.org/samba/security/CVE-2017-7494.html
How can a new implementation of the SMB protocoll (Samba) inherit the same bugs as the original MS implementation?

[henke54]

What I do not understand is: https://www.samba.org/samba/security/CVE-2017-7494.html
How can a new implementation of the SMB protocoll (Samba) inherit the same bugs as the original MS implementation?

Because of cross-platform tools like Samba, network security holes due to SMB and Windows file sharing services aren’t unique to the Windows platform.

In fact, it turns out that there’s been a remote code execution hole in Samba’s SMB implementation for several years, too.

In theory, this latest hole, dubbed CVE-2017-7494, could be used for what’s known as a “wormable attack” – that’s the jargon name for an intrusion that can be automated so that a compromised computer automatically looks for new victims, attacks them, breaks into them in turn, and so on.

Greatly simplified, the CVE-2017-7494 hole can be exploited by starting off something like this:

Find a writable network share on a vulnerable Samba server.
Copy a special sort of Linux/Unix program called a shared object (a .so file) into that writable share.

At this point, if you’re a crook with a maliciously crafted .so program file, you have already introduced your malware to the victim’s system.

But that is a far cry from actively infecting the target, because the malware is merely sitting there in a file, doing nothing.

Because of the CVE-2017-7494 bug, however, a crook operating remotely may be able to trick the Samba server into loading and running the just-uploaded .so file:

Guess the local filename of the uploaded file on the server you are attacking. (The remote name via the share might be \\SERVER\SHARE\dodgy.so; that file might end up in the server’s local directory tree as, say, /var/samba/share/dodgy.so.)
Send Samba a specially-malformed IPC request (interprocess communication, or computer-to-computer message) that identifies the local copy of the malware by full path name.

The malformed IPC request tricks the server into loading and running the locally-stored program file, even though that file came from an untrusted external source.

Bingo – RCE, or Remote Code Execution.

[henke54]

Microsoft itself is unlikely to face legal trouble over the flaw in Windows being exploited by WannaCry, according to legal experts.

Microsoft held back a free WannaCry patch, report says

The repair would have slowed down the ransomware, but customers running older software were charged for protection.

Microsoft could have slowed the devastating spread of ransomware WannaCry to businesses, the Financial Times reports.

Instead, it held back a free repair update on machines running older software like Windows XP.

Microsoft wanted hefty fees of up to $1,000 a year from businesses for "custom" support and protection against attacks like WannaCry, which locks your computer unless you pay the hackers in bitcoin, said the publication.

Ironically enough ? ...