[cookiengineer]

From a security standpoint that's debatable.

Multiple RCEs and critical CVEs cannot be fixed because Microsoft "lost" the source code. So they disclosed those RCEs but without any solution or fix.

(Not kidding, sadly, look it up, there also have been occasional binary patches because of the same reason)

[1] https://msrc.microsoft.com/update-guide

[echoangle]

Do you have a link for the „lost sourcecode so we won’t patch“ claim? The link you gave just gives me a long list of patches.

[cookiengineer]

CVE-2017-11882 and the NTLM relay attack come to mind, for example. Down the line they weren't actually fixed, and are continuously being used by a lot of ransomware / malware campaigns.

I remember some Windows Fax Service related CVEs and some Wi-Fi drivers that couldn't be fixed directly, too, but don't remember the CVE or whether that was related to the Broadcom driver/module sideloading fuckup.

> The link you gave just gives me a long list of patches.

The link I gave you is the only disclosure/advisory page that Microsoft offers, don't blame me for them not offering a better UI. Ask them to do better.

- https://nvd.nist.gov/vuln/detail/CVE-2017-11882

- https://blog.0patch.com/2017/11/did-microsoft-just-manually-...

- https://cert.europa.eu/publications/security-advisories/2022...

[will4274]

> CVE-2017-11882 and the NTLM relay attack come to mind, for example. Down the line they weren't actually fixed, and are continuously being used by a lot of ransomware / malware campaigns.

Your own sources indicate CVE-2017-11882 was fixed in November of 2017. The title of the blob.0patch.com article is

> Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)

clearly indicating that Microsoft fixed the issue, contrary to your statement that they 'weren't actually fixed". The body content is consistent.

> NTLM relay attack

NTLM is bad, no question. It's based on a bad threat model - it assumes network admins can secure their corporate networks. Microsoft also fixed most of the issues in NTLM with NTLMv2 back in the Windows Vista and Windows 7 era. And Microsoft announced they will disable all NTLM versions by default within the Win11 lifetime. The biggest problem (unsurprisingly) is non-Microsoft software which has hardcoded the use of NTLM. It's fair to criticize Microsoft here for making available a technology that required so much from corporate network admins and leaving it available (and with use in Microsoft products) for so many years. At the same time, it's misleading to characterize these problems as "weren't actually fixed" - concrete issues with NTLM within its security model _were_ fixed and new technologies were created with better security models.

- https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

> The link I gave you is the only disclosure/advisory page that Microsoft offers, don't blame me for them not offering a better UI. Ask them to do better.

You're mistaken. Microsoft has deep links for each CVE.

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

[cookiengineer]

Your definition of "fixed" seems to be different than mine. Can't fix a broken architecture if Microsoft is not willing to replace it while also deprecating the old ways. If you want to move the goal post to "my computer is connected to the internet, so it's my fault" then sure, whatever. I still think that Microsoft didn't fix the issues at hand, and kerberoast problems and NTLM problems alone are beyond human knowability. That's why they are so feasible as an attack surface, especially on Azure with its cross-tenant problems, which kind of implies that Microsoft themselves cannot manage NTLM correctly.

I'll just leave this here, a month old (Oct 2024) because you seem to critize my old examples [1]. You can also google for "malware NTLM relay attack" and you'll find plenty of other examples.

PS: I also want to add that I won't collect 100s of CVEs for some random person online. I got better things to do than to convince people to ditch Windows. If you want a dossier and analysis, pay us and we'll make a contract for it.

If you want a better vulnerability database, we'll have that available as a product :)

[1] https://www.bleepingcomputer.com/news/security/exploit-relea...

[meiraleal]

> From a security standpoint that's debatable.

still not incompetence if what they gain from it is bigger than what their customers lose, unfortunately.