It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.
Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho, a.k.a. Butterfly, a.k.a. Wild Neutron, broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in Java to compromise employees’ Apple Macintosh computers and then used them as pivots into the companies’ internal networks.
Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”
There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in which case they can feel free to comment.
[via Reuters]
“This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.”
Just think of all the damage an accessible open-source bug-tracking database would cause?
Hence what M$ should have been doing from the beginning if they truly valued their customers.
I don’t think you’ll find critical and unfixed bugs and/or vulnerabilities in open source bug databases either, that would be reckless.
What is worrying is that they have sat on the bugs and on the fact that they were stolen for so long. Why do that???
Why? Money.
Just think how much it’ll cost to fix all those known bugs at once, instead of their usual response of releasing fixes as and when needed.
Admitting it now, they can just say “Oh, those bugs only affect older, now unsupported versions, so please don’t hold your breath waiting for a fix” and their execs can give themselves a pat on the back for saving money.
So very typical of a company like micro$haft. Either deny deny deny, or tie the other party up in red tape and lawyers until they go broke. I don’t regret ditching them a long LONG time ago one little bit.
There could have been a secret FISA court order gagging any public response to allow the NSA/CIA to keep on using the bugs.
I don’t think that would hold up in court (so far).
Nor that they would try that, it’s a bit too extreme+tricky, even for Obama’s crowd.
In a FISA court ?
Maybe we should club together and buy Hackaday a dictionary / grammar checker.
I think the biggest news is that Microsoft actually HAS a bug tracker.
–It had to be said.–
Didn’t even know they had, a link or experience anyone?
And “fell free”, should probably be “feel free”.
“…to penetrate employees’ Apple Macintosh computers…”
Awesome, someone hacked an Apple to gain access to Microsoft’s database. That irony is priceless.
On many levels.