by Karellen 1158 days ago
> I don't even know who else to blame for this.

The people who told them that deleting system binaries would fix their problems?

> I have been pointed to responses on the Microsoft site answers.microsoft.com done by “helpful volunteers” that specifically recommend removing the curl.exe executable as a fix.

Don't trust strangers on the internet with advice you don't understand the implications of. Even if they are sincere and mean well, they can still be wrong.


The problem here is that if they understood the implications, they probably would not be on answers.microsoft.com in the first place.

But that's the problem: the people doing this do not understand what curl is/does, so they want it gone because it's got a CVE and some outlet somewhere has said it's worse than it is.

If that's the case we should just delete the entire OS, as there are vulns all over it.

> The people who told them that deleting system binaries would fix their problems?

If you are responsible for the security posture and compliance in your organization, reading and acting on security assessments, and yet you do random changes based on random comments on forums, you deserve the blame.

I don't think we're not talking about individual end-users here. Those do not scan their systems for CVEs and do not have a requirement to get to 0 alerts.

> If you are responsible for the security posture and compliance in your organization, reading and acting on security assessments, and yet you do random changes based on random comments on forums, you deserve the blame.

It's not as easy. Of course experienced sysadmins know it's bullshit. The problem is that cybersecurity insurance policies require "immediate action" on alerts, and no one, even assuming a competent CTO, wants to be stuck with the bill should a security incident arise and the insurance say "audit says none of your machines had mitigated issue xyz, claim denied". Deleting a flagged binary is evidence of mitigation.

The amount of utter bullshit, not to mention the literal spyware that is insurance-compliant antivirus solutions, that insurances force clients to comply with is insane.

The core problem is that insurances don't have the time to actually do deep dives to check if their clients have decent or no IT security. Hell, I'd wager everyone here knows of "that one server that never got updates, was in no inventory or whatever, and once the last disk failed suddenly everything else came crashing down". And so, insurances go with a 12 pound hammer to which everything is a nail, as it is the best way for them to be able to underwrite policies with the insane amount of coverage that GDPR and friends expose the clients to.

Agreed! And when people like that go to random forums asking for solutions to fix that CVE now, and are told to just override it with the latest curl, that is the optimal solution given their (bullshit) constraints and I wouldn't blame the random forums.

> I don't think we're not talking about individual end-users here.

Are you sure about that? From TFA:

> Lots of Windows users everywhere run security scanners on their systems at regular intervals in order to verify that their systems are fine. At some point after December 21, 2022, some of these scanners started to detect installations of curl that included the above mentioned CVE. Nessus apparently started this on February 23.

> This is not helpful.

> Lots of Windows users everywhere then started to panic when these security applications warned them about their vulnerable curl.exe.

That sounded like it included individual end-users to me.

Anecdotally, I know a few Windows users who don't trust Microsoft to do security well, but can't bring themselves to move off Windows for whatever reason, so they run 3rd party AV and security tools to help protect themselves.

The compliance madness I can understand, but for an individual with no legal or management-mandated constraints...

Either you're security-conscious or you do random changes based on anonymous forum posts, I just don't really see an overlap.

In any case, I don't think it's fair to blame the forums for giving you the solution given your whacky requirements.

> Either you're security-conscious or you do random changes based on anonymous forum posts, I just don't really see an overlap.

I think there's going to be a not-totally-insignificant minority of people out there who are both worried about security, but just don't have great technical knowledge. (They sometimes show up on r/privacy if you need convincing they even exist.) Even if it's a really small percentage of users, given how large the Windows install base is, that's still going to be a fair amount of people looking for any kind of fix for the "problem" that their security scanner has warned them about.