Windows 0-day pops up out of nowhere Twitter

Re: Gone

Nice to pack it in a format that could trigger vulnerabilities like CVE-2018-10115

Who is SandboxEscaper?

I'm pretty certain SandboxEscaper is not Satoshi Nakamoto.

> For me, that is the bigger story, who is this guy? What is his beef with reporting through channels? Why did he just throw it out on Twitter and not report responsibly?

Sounds like previous bad experience.

"What is his beef with reporting through channels?"

I don't know about him in particular, but bepending on the company, reporting through channels can be a very frustrating and risky experience. He isn't the only one to give up on it entirely.

Why did he just throw it out on Twitter and not report responsibly?

While responsible disclosure is certainly more common than it was, say, a decade ago (and much more common than when Rain Forest Puppy published the original RFPolicy back in, oh, 2000?), it's hardly unknown for people to just throw vulnerabilities out on Twitter or other media. This one just attracted some extra attention because it came with a PoC and is fairly serious.

But subscribe to VULN-DEV, for example, and you'll see plenty of potential 0-days flowing by as people discuss whether there's something exploitable in a failure they've run across.

Responsible disclosure has costs, even if they're mostly cognitive load and opportunity costs; that's one reason why many companies have bug bounties. And working with PSIRTs and other disclosure-handlers can be irritating. I'm on a PSIRT myself, and we put a lot of effort into being polite and receptive. But not everyone does. I've dealt with some PSIRT types who are abrasive and dismissive.

I would bet he used unofficial channels to make a bigger buck, and was crossed.. auf!

So you have given up on multiuser systems?

In the majority of use cases, especially on Windows, "keeping honest people honest" is generally enough.

An administrator would usually have some level of trust before granting access, and their would be some level of accountability.

"But it doesn't look like Microsoft is able to get any developer buy-in on that idea"

I don't want that as an end-user, either. Optional sandboxing? Fine. Automatic sandboxing? Not fine, unless I can disable it.

"a little better if applications were all automatically sandboxed"

It does work on phones because the applications are still quite limited and mostly used in isolation by a single user. On a server or desktop PC where multiple different applications need to access, share and exchange data, it would become quite an issue.

Windows 8 attempted it - UWP apps are sandboxed, but are also more limited.

And still, bugs that allow to escape sandboxes do exist - in some ways "elevation of privileges" one are alike - user mode processes should be "sandboxed" by their limited privileges.

Re: "unaware of a practical solution to this problem"

There's only one program we can prove MS re-wrote from the ground up...it is the one they "lost" the source code to when they had a little "anti trust" issue.

"and their dog being able to use the Administrator account"

Tell developers who stubbornly kept on - and some still do today - writing in system directories and local machine registry keys... and those aren't the worst behaviour some application can show.

Re: first windows LPE that I remember

I hate to break this to you, but anyone can use root. It wouldn't be a very useful account if it couldn;'t be used, would it?

Now, if you're talking about bad operational practices in GIVING users admin accounts... that's hardly Microsoft's fault, is it now?

Re: More cloud anyone?

I believe they intended to write a "μ" (lowercase Greek Mu character - the metric notation for "micro" meaning 10^-6) instead of the English letter "U." The dollar sign "$" substitutes for an English "S" because some people still think that's clever in 2018.

With that in mind, it is pretty obvious that they are talking about Google.

Re: More cloud anyone?

"U$oft "

Another of those convoluted ad hominem attempts at an insult. I presume they meant to use the greek letter "μ" (mu), which is used in measurement systems to indicate the prefix 'micro'. The dollar sign because that has been standard parlance.

I'd give it a 8/10 for creativity, but a 1/10 for readability.

Besides, to whose benefit is this? The vast majority of people commenting here are already quite familiar with Microsoft being greedy assholes and aren't going to argue with you about it. And its not like you have to obfuscate their name, Microsoft has much better things to do than to cruise a forum like this trolling for people that aren't fans...