by kevin_morrill 2002 days ago
Why would this actually be true? If it's easier to find in source, Microsoft probably would have found it. Every single feature there goes through multiple security reviews and there is tons of code linting. All the penetration testers I have met don't even bother looking at source. They just start trying things they think will flummox the software.
2 comments

> They just start trying things they think will flummox the software.

This works...until you go against a target that's heard of fuzzing before and has the time and money to do it to their own code.

The really interesting Windows exploits require a combination of "throwing stuff that will flummox the software" and a deep-level understanding of structures hidden to the average developer. Look at Yardin Shafir's really wonderful blog post about developing a kernel bug to a PoC - there's a lot of moving parts and security checks in modern Windows, and having the source is a HUGE help.

Yardin Shafir's excellent blog post started with a bug found purely through fuzzing by an MS employee security researcher.
I tried Googling to find this blog post. Did you mean to write Yarden Shafir? If yes, maybe it was this blog post? https://windows-internals.com/printdemon-cve-2020-1048/

I also found another hint about their findings in this PDF written by Yarden's co-researcher Alex Ionescu: https://www.usenix.org/system/files/woot20_slides_ionescu.pd.... One of the slides specifically mentions the use of fuzzing tools to find these issues.

If there are other, better links I don't know about, please kindly share. :)

Forgot to check for replies. In particular, I was thinking of this blog post: https://windows-internals.com/exploiting-a-simple-vulnerabil... Thanks for the correction, sorry I typoed her name.

Here's a tweet from the original finder: https://twitter.com/gabe_k/status/1330966182543777792?s=20

Yarden's and Ionescu's work is both really top notch. Also anything by Google Project Zero if you want to do a deep dive on the subject.

> If it’s easier to find in source, Microsoft probably would have found it.

Umm sir, have you somehow missed seeing the quality of Microsoft products in the last few decades?