"Microsoft Bug Bounty Program's (MSRC) response was poor: Initially, they misjudged and dismissed the issue entirely."
I recently ran into a similar issue with MSRC. I reported two exactly similar (near perfect) heap overflows exploitable from a local perspective with some time in between. The first report was awarded the maximum payout, and patched as 'Important'.
Meanwhile, MSRC changed its rules related to local exploitation. Now, to obtain that, one needs to show the exploit working in the most hardened sandbox processes on the system. From my perspective this is quite unfair, both bugs are reported with the same severity to Microsoft's own customers. Both breach about 3 defined security boundaries (process, session and user). So, my communication stayed the same (all technical details), Microsoft's communication with _their_ customers stayed the same (important severity issue, 7.8 CVSS), the only thing changed was my reward... (reason: ohh, it's not a sandboxed process, so we don't care.).
The only way to obtain the maximum payout is this even more stringent, and new, requirement of 'sandboxed process' -> 'other user' boundary. As if there are not a hundred thousand organizations sharing machines between users using Citrix and terminal and other similar technologies...
In any case, given that it takes close to a year, with hundreds of hours invested to uncover such a bug... I'm going to take my submissions elsewhere...
https://zerodium.com/, the going rate for a full exploit there (and I assume, one that works quickly & leaves little trace, i.e. a high quality exploit, never dealt with them before) is 80k.
Under the old rules that's already 4x as much as MS, but the warm fuzzies made up for that I suppose. Under the new rules, 40x as much, and no warm fuzzies are worth that imo.
Selling to Zerodium is not equivalent to getting a bounty from MSFT. Selling exploit code hurts people. Microsoft will patch the vuln to protect its customers. Selling exploits to Zerodium is very bad. Be a force for good in this world.
The logic of business would imply that a vendor of exploit code is going to make significantly more money reselling the exploit than the author of the exploit code. 100k for an exploit to the author? The exploit vendor will sell it for millions. Who has deep pockets enough that they are willing to buy exploit code for millions? A software vendor can pay engineers for many years for this cost.
Yeah, I don't like Windows either, but it's not the point. Billions rely on the security of Windows today, our entire global economy is dependent on the reliability of our information systems.
One either helps maintain the security of our systems globally, or they seek to disrupt it for a pay day. I get quite upset when people enter with the mindset of 'the actual vendor won't pay me enough, I'll sell it to a shady exploit market'. It is not a simple pay day.
This way of thinking really reflects poorly on security professionals. They should care out of a sense of professional ethics or personal morals. Selling a bug to be fixed by a vendor or to be weaponized by one of Zerodium’s customers are not equivalent morally or ethically. They also aren’t the only two options: he could just sit on the bug. Someone else will likely discover it but he at least wouldn’t be complicit in the erosion of the security of the software ecosystem.
Let’s not pretend selling to private buyers is anything other than financially motivated. I don’t think security researchers who sell their vulnerabilities to private buyers are not acting to “motivate” Microsoft in a roundabout way. Even if we assume that is their motivation, such an arrangement is obviously unethical because vulnerabilities sold in this way are weaponized to do harm against others.
> Unless you work for free, you don't get to criticize others for getting paid for their work.
This is completely ridiculous. By this reasoning we shouldn’t criticize corrupt politicians or anyone whose chosen profession means they get paid to make the world a worse place to live. I don’t think we’ll see eye to eye on any of this, I simply can’t understand any of the arguments you’ve presented to justify getting paid to make the world a more dangerous place.
We're not going to see eye-to-eye because you think that other folks should work for free to make Microsoft products more secure.
I think that when security problems in Microsoft products are Microsoft's responsibility and no one else's. By insisting that other people work for free to improve that security, you're arguing that other people are responsible for said security problems.
That's a curious position. You think that someone who isn't paid is responsible, but not Microsoft, who is paid.
I understand why Microsoft would like that arrangement, but why do you think that anything else is wrong?
"Microsoft Bug Bounty Program's (MSRC) response was poor: Initially, they misjudged and dismissed the issue entirely. After our appeal, the issue was classified as "Critical, RCE", but only 10% of the bounty advertised for its classification was awarded ($5k vs $50k). The patch they came up with after 5 months failed to properly address the underlying argument injection (which is currently also still present on Windows 11)"
So they wrote a protocol-handler bound on every Win10 machine which arbitrarily runs a command if you can convince the user to click one message box.
> One of the largest IT Company on this planet, with software running on billions of devices, even in critical infrastructure, would like you to sell exploits to their programs to the open market instead of their bug bounty program.
> We discovered a drive-by code execution vulnerability on Windows 10 via IE11/Edge Legacy and MS Teams, triggered by an argument injection in the Windows 10/11 default handler for ms-officecmd: URI
> Exploitation through other browsers requires the victim to accept an inconspicuous confirmation dialog.
No confirmation needed with Windows 10 and IE11 or Edge Legacy
Microsoft is teaching bounty seekers to look elsewhere and honestly that is a very stupid decision for such a deep pocketed company. It is only making their software less safe.
Don't all protocol handlers invoke some execution? Like http goes to my browser (only Edge) and that other windows internal one which also goes to Edge (and resets my registered http handler)
> Don't all protocol handlers invoke some execution?
Sure, but you don't expect arbitrary code execution. The important distinction is whether the attacker can control what is executed. So if you click on a HTTPS link, you should be safe to assume that it opens a new browser tab, and not open a command prompt like in that example.
Nobody said URL handlers should offer any security guarantees. There is no clear amount of things that a clicked URL should be able to do. In some circumstances, the full permissions of the logged in user would be appropriate.
The security onus really ought to be on the application which sourced the URL - it knows where it came from.
The problem is twofold - the sourcing application should tell you which protocol handler is being invoked (this is where IE/Edge fails) - but the protocol handler itself should also not do anything unexpected. When you open a https://.... link, you know it's not going to run a local application. Similarly, ms-officecmd:... should open some sort of Office application, and nothing else. I think that's the minimum of a security guarantee you can expect from any program.
This is one of those bugs that really should never happen, and one wonders how Microsoft could have missed it and failed to take it seriously.
This isn't a particularly sophisticated or novel attack vector, difficult as it was to find; it's the sort of injection attack caused by string interpolation that should have been caught long before anything was shipped.
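To make the "injection caused by string interpolation" point concrete, here is an added example that is not part of the original thread and is not the code of LocalBridge.exe: a toy dispatcher for a URI scheme that launches an application with a file argument, first built by interpolating the attacker-controlled field into one command-line string, then built the way a handler should do it. The JSON payload shape, the field names, the app allowlist and the sample URIs are assumptions for illustration only.

```javascript
'use strict';
// Added example, not code from the original thread or from LocalBridge.exe: a toy
// URI-handler dispatcher that shows how interpolating an attacker-controlled field
// into one command-line string lets the attacker smuggle in extra switches, next to
// a version that builds argv as an array and validates the value. The JSON payload
// shape, the field names and the app allowlist are assumptions for illustration.

// Hypothetical allowlist of applications this scheme may launch.
const APPS = { word: 'WINWORD.EXE', excel: 'EXCEL.EXE' };
const SCHEME = 'ms-officecmd:';

// Shared parsing step: strip the scheme, URL-decode, parse JSON.
function parsePayload(uri) {
  if (!uri.startsWith(SCHEME)) throw new Error('wrong scheme');
  let payload;
  try {
    payload = JSON.parse(decodeURIComponent(uri.slice(SCHEME.length)));
  } catch (e) {
    throw new Error('malformed payload');
  }
  if (!payload || typeof payload !== 'object') throw new Error('payload must be an object');
  return payload;
}

// VULNERABLE: the file name is interpolated into a single string. Whatever re-parses
// that string later (a shell, or the target's CRT tokenising its command line) cannot
// tell the quotes the handler added from quotes the attacker put inside the value.
function buildCommandLineUnsafe(uri) {
  const payload = parsePayload(uri);
  return `${APPS[payload.app]} /n "${payload.file}"`;
}

// Simplified Windows-style tokeniser, only to show how the string is re-split:
// whitespace separates arguments unless inside double quotes; quotes are dropped.
function tokenize(cmdline) {
  const argv = [];
  let cur = '';
  let inQuote = false;
  let sawQuote = false;
  for (const ch of cmdline) {
    if (ch === '"') { inQuote = !inQuote; sawQuote = true; continue; }
    if (!inQuote && /\s/.test(ch)) {
      if (cur.length || sawQuote) argv.push(cur);
      cur = ''; sawQuote = false;
      continue;
    }
    cur += ch;
  }
  if (cur.length || sawQuote) argv.push(cur);
  return argv;
}

// HARDENED: allowlist the target, validate the value, and keep the arguments as an
// array so that child_process.spawn(file, args, { shell: false }) quotes each element.
function buildCommandSafe(uri) {
  const payload = parsePayload(uri);
  if (!Object.prototype.hasOwnProperty.call(APPS, payload.app)) {
    throw new Error('app not in allowlist');
  }
  const file = payload.file;
  if (typeof file !== 'string' || file.length === 0 || file.length > 1024) {
    throw new Error('file must be a non-empty string');
  }
  // Reject anything that could be read as a switch, that breaks quoting, or that is
  // not an absolute drive-letter path (so "/foo" or "--foo" never reach the target).
  const isDrivePath = /^[A-Za-z]:\\/.test(file);
  if (/^[-\/]/.test(file) || /["\r\n\0]/.test(file) || !isDrivePath) {
    throw new Error('file must be an absolute path without switch or quote characters');
  }
  return { file: APPS[payload.app], args: ['/n', file] };
}

// Constructed sample URIs (not taken from the research write-up).
const BENIGN_URI = SCHEME + encodeURIComponent(
  JSON.stringify({ app: 'word', file: 'C:\\Users\\me\\report.docx' }));
const EVIL_URI = SCHEME + encodeURIComponent(
  JSON.stringify({ app: 'word', file: 'x" --gpu-launcher=calc.exe "' }));

// Stand-alone demonstration: the unsafe build yields an extra switch, the safe one refuses.
console.log('unsafe  :', tokenize(buildCommandLineUnsafe(EVIL_URI)));
try { buildCommandSafe(EVIL_URI); } catch (e) { console.log('hardened: rejected:', e.message); }
console.log('hardened:', buildCommandSafe(BENIGN_URI));
```

The unsafe build of the constructed evil URI tokenises to `WINWORD.EXE`, `/n`, `x`, `--gpu-launcher=calc.exe` and an empty argument, so the target program sees a switch the handler never intended to pass. The hardened version fails closed on the quote character, and would also fail on a leading `-` or `/`, a relative path, or an app name outside the allowlist; the only remaining attacker influence is the contents of one argv element that the target is told is a file path.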
I've used Windows since 3.1, but I think this new direction is the beginning of the end for Windows. Combining an OS that relies heavily on remote services, with engineers that don't understand security, is a recipe for disaster. At the drop of a hat your OS can break because some remote service breaks[1], or worse, your system gets compromised because the attack surface has grown to size of a small country. I don't want to be one of the inevitable victims. I'm switching to Linux for my next build.
It's really wild that Windows is essentially becoming a big web app. I guess they just realized that ChromeOS, not MacOS or Linux, is their main competitor. Whoever wants macos/linux will get it, but schools and offices are systematically turning to ChromeOS for simplicity and that just won't do.
Scheme handlers are like cruise-control for CVEs on every OS, you should avoid using them at all costs, and if you have to, be *extremely* strict on what you allow them to do. Minimizing attack surface is your #1 goal.
Likewise, every Electron app needs to scan its own command-line arguments and refuse to start if...basically anything... is set. It is unfortunate that Electron in its default configuration allows so many plainly unsafe parameters (--proxy-server is also an insanely dangerous one).
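As an added example of the argv check the comment above asks for (not code from the original thread or from any Electron app it mentions), here is a startup guard for an Electron-style main process: it treats every switch outside a small allowlist as a reason to refuse to start, names a few Chromium/Node switches so the refusal can say why, and accepts positional arguments only if they are URIs for the scheme the app registered. The allowlist, the `myapp:` scheme and the packaged-app argv layout (argv[0] is the executable) are assumptions for illustration.

```javascript
'use strict';
// Added example, not code from the original thread or from any Electron app it
// mentions: a startup guard for an Electron-style main process that refuses to run
// when launched with switches it does not recognise. The allowlist, the registered
// scheme "myapp:" and the packaged-app argv layout (argv[0] is the executable) are
// assumptions for illustration.

// Switches this hypothetical app legitimately receives from its own installer/launcher.
const ALLOWED_SWITCHES = new Set(['squirrel-firstrun', 'hidden']);

// Some Chromium/Node switches that are especially harmful when attacker-controlled.
// They are listed only so the rejection can say why; the guard rejects EVERY switch
// outside ALLOWED_SWITCHES, so an unlisted dangerous switch is still refused.
const KNOWN_DANGEROUS = {
  'gpu-launcher': 'runs an arbitrary program to launch the GPU process',
  'renderer-cmd-prefix': 'runs an arbitrary program to launch renderer processes',
  'utility-cmd-prefix': 'runs an arbitrary program to launch utility processes',
  'proxy-server': 'sends all app traffic through an attacker-chosen proxy',
  'host-rules': 'remaps hostnames, enabling interception',
  'js-flags': 'changes V8 flags',
  'remote-debugging-port': 'exposes the DevTools protocol on a TCP port',
  'inspect': 'exposes the Node debugger',
  'load-extension': 'loads an attacker-supplied extension',
};

// Chromium's command-line parser accepts "--" and "-" as switch prefixes, and on
// Windows also "/", so all three are treated as switches here.
const SWITCH_PREFIX = /^(--|-|\/)/;

// "--gpu-launcher=calc.exe" -> "gpu-launcher"; null when the argument is not a switch.
function switchName(arg) {
  const m = SWITCH_PREFIX.exec(arg);
  if (!m) return null;
  return arg.slice(m[0].length).split('=', 1)[0].toLowerCase();
}

// Returns a list of {arg, reason}; an empty list means the argv is acceptable.
function auditArgv(argv) {
  const problems = [];
  const positional = [];
  let afterDoubleDash = false;
  for (const arg of argv.slice(1)) {           // argv[0] is the executable (assumption)
    if (afterDoubleDash) { positional.push(arg); continue; }
    if (arg === '--') { afterDoubleDash = true; continue; }
    const name = switchName(arg);
    if (name === null) { positional.push(arg); continue; }
    if (ALLOWED_SWITCHES.has(name)) continue;
    problems.push({ arg, reason: KNOWN_DANGEROUS[name] || 'switch not in allowlist' });
  }
  // A protocol-handler launch delivers the URI as a positional argument; accept only
  // URIs for the scheme this app registered and nothing else (no stray file paths).
  for (const arg of positional) {
    if (!/^myapp:/i.test(arg)) problems.push({ arg, reason: 'unexpected positional argument' });
  }
  return problems;
}

function shouldStart(argv) {
  return auditArgv(argv).length === 0;
}

// In the real main process this would run before app.whenReady(), e.g.
//   const problems = auditArgv(process.argv);
//   if (problems.length) { /* log them */ app.exit(1); }
// Here it runs over constructed argv arrays so the file also works outside Electron.
const SAMPLES = [
  ['MyApp.exe'],
  ['MyApp.exe', 'myapp:open?id=42'],
  ['MyApp.exe', '--gpu-launcher=calc.exe', 'myapp:open?id=42'],
  ['MyApp.exe', '-proxy-server=127.0.0.1:8080'],
  ['MyApp.exe', 'C:\\Users\\me\\notes.txt'],
];
for (const argv of SAMPLES) {
  console.log(shouldStart(argv) ? 'start ' : 'refuse', argv.join(' '), auditArgv(argv));
}
```

One caveat: Chromium parses its own switches before the app's main script runs, so for switches it acts on early this guard can only cut the session short rather than prevent the effect. The first line of defence is still a protocol handler (and a launcher) that never forwards attacker-controlled arguments; the guard is a second layer that at least makes an unexpected launch fail loudly.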
Is it just me or is $50k USD a terrible offer for an exploit like this one.
Usually, if you successfully exploit a smart contract or DAO, you make multiple 100k sometimes even millions for disclosing.
To see how it works on your machine, simply paste
ms-officecmd:
into your browser and then see what happens.
In MS Edge you _might_ see a popup window
This site is trying to open LocalBridge.
A website wants to open this application. <open><cancel>
Other forms of URI in Windows 10 taken from
https://www.tenforums.com/tutorials/78214-settings-pages-lis...
So paste the below into your browser
ms-settings:nightlight
In MS Edge you will see a popup saying
This site is trying to open Settings.
A Website wants to open this application. <Open><Cancel>
Not knocking the research effort, but was this found using some automated fuzzing? And are many people still using IE11/Edge Legacy?
A lot of people have purposefully mangled windows to stop Windows Update which stopped the automatic upgrade from EdgeHTML edge to Chrome-based, and a lot of people do just use whatever browser comes with Windows.
You would need Teams installed AND an application that opens the malicious link. IE11 and Edge Legacy do that without prompting the user, other browsers display a confirmation dialog.
There is a patch addressing the specific exploit path via MS Teams.
The underlying argument injection in LocalBridge.exe (which is the binary processing the JSON payload) is still present, which can be exploited to open other office apps with injected command line arguments.
Someone might find another way to run arbitrary code using command line switches other than --gpu-launcher
>having teams installed (which is default in windows)
Teams is not default in Windows (at least my install) - I don't have it and when I have to do meetings in Teams and I am on my Windows machine I just open the meeting in Chrome.
Teams was installed without my approval on my private unmanaged laptop running Windows 10 Professional.
If you don't have Teams yet, you are either in another rollout, you have done something to prevent it or your PC is managed by someone who has prevented it somehow. I think that covers all.
As for why I only use Windows now and then and since I have had a habit of supporting others I keep my personal Windows PCs as plain as possible so I can see what others suffer (obviously I remove nagware like McAfee and make sure spyware like Chrome isn't set as default browser but I have gone as far as to voluntarily run my PC with Norwegian language).
Sorry for the misunderstanding I created. The link between those two are how far I have gone to be able to help end users.
It is a bit tongue in cheek (since I am Norwegian) but only a bit since it is an extra hassle to try to mentally translate what translators read in English when they created the unsearchable phrases that show up in a localized Windows version.
It needs Edge or IE11 and Teams. It doesn't appear to be a zero click without the use of Edge or IE11, so just avoid both of those and you should be okay.
For a moment, I thought it was yet another piece of research from the people at Positive Technologies (ptsecurity.com), the company that had sanctions from the USG. I'm not sure if it's intentional, but you must have gotten that a few times over the last year? I'm not sure it's the best idea to compete on brand, in the same domain, with a ~1000 people, 20 years old company.
It's me, I have technical knowledge and prefer to use Windows. I've shipped production apps that are used by millions of people every day (including probably you) on every desktop operating system. Ask Me Anything about my Brain
At home, I want to game and I want to use photoshop.
Both kinda leave me stuck with windows. I could go windows at work and mac at home. But that would require me learning mac, trying to game on mac, replacing a self-build PC with either an M1 chip in a mac-mini / imac. Or with an actual laptop when I only really need a desktop.
All whilst I really like linux. I am stuck using either Windows or Windows and Mac.
I don't know about Photoshop, but the gaming scene has gotten really good. My last odd experience was with using Lutris to run a Blizzard launcher (didn't work for me, but it worked for a buddy with a similar setup). The experience is not 100%, but is not bad.
edit: I was super lazy and didn't want to troubleshoot that day so I just ran Windows in a VM instead.
Gaming on Linux would be fine. It's Photoshop that blocks Linux for me at home. And whilst alternatives to Photoshop might exist, I am simply too used to its interface to switch. Besides that, Lightroom for photo organization is even harder to replace.
If anything, gaming blocks a mac more than it blocks linux for me.
Except for when you want to play certain games or use Microsoft Office to view proprietary .DOCX documents. I would say don't connect Windows to the Internet, but some games need Internet access to run, so you would be at a loss there. Messing with Office documents can be done offline however :)
With very few exceptions nowadays, if a game doesn't run on Linux it's multiplayer based and due to developer choice, as both EAC and BattlEye support Linux.