
    Microsoft Hid Known Vulnerability According to Senator

    IT Discussion
    microsoft security azure solarwinds
    • scottalanmiller @Dashrender

      @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

      @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

      @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

      What do you mean they "hid" the known vulnerability?

      It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

      The article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
      And here is an article dated 2017 talking about the article's Golden SAML
      https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

      Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

      https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

      • scottalanmiller

        Microsoft claimed that their services were not at fault. But the claim is that MS's 2FA was disabled by the attack. Had 2FA been in place (not claimed, but actually in place) Golden SAML would not be enough. But many vendors make the 2FA not required under certain conditions, and that's the claim: that Golden SAML worked in this case because the 2FA was turned off.

        https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection

        • Dashrender @scottalanmiller

          @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

          @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

          @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

          @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

          What do you mean they "hid" the known vulnerability?

          It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

          The article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
          And here is an article dated 2017 talking about the article's Golden SAML
          https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

          Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

          https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

          Exactly - so it's hidden how?

          • scottalanmiller @Dashrender

            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

            @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

            @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

            @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

            What do you mean they "hid" the known vulnerability?

            It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

            The article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
            And here is an article dated 2017 talking about the article's Golden SAML
            https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

            Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

            https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

            Exactly - so it's hidden how?

            Did MS tell YOU that your 2FA would not be 2FA? I doubt it. People expected these security mechanisms to remain in place. Claiming that it wasn't flagged, when it was. These are attempts to hide the info.

            • Dashrender

              Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

              I posted a link where it was publicly known, a link that you reposted. Now, that said, I didn't read the link, only saw that it talked about the Golden SAML.

              • scottalanmiller @Dashrender

                @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                • Dashrender @scottalanmiller

                  @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                  @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                  Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                  Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                  So the lobbyist was wrong, at least on the last one.

                  • scottalanmiller @Dashrender

                    @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                    @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                    @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                    Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                    Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                    So the lobbyist was wrong, at least on the last one.

                    Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                    • Dashrender @scottalanmiller

                      @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                      @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                      @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                      @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                      Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                      Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                      So the lobbyist was wrong, at least on the last one.

                      Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                      Whatever - that wasn't my point.. thanks for assuming it was.

                      Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                      • scottalanmiller @Dashrender

                        @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                        @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                        @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                        @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                        @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                        Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                        Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                        So the lobbyist was wrong, at least on the last one.

                        Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                        Whatever - that wasn't my point.. thanks for assuming it was.

                        Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                        Okay, if that's not your point, what IS your point?

                        • DustinB3403 @Dashrender

                          @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                          Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                          In my opinion, for a company as large as Microsoft, their recent releases have caused more issues than anything that I can recall going back a long ways, and for the kind of money that is spent on their product offerings, issues like this shouldn't be so common.

                          • scottalanmiller @Dashrender

                            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                            you're saying that they can't ever be wrong in their releases?

                            No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                            • DustinB3403 @scottalanmiller

                              @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                              @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                              you're saying that they can't ever be wrong in their releases?

                              No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                              Like teen pregnancy....

                              • scottalanmiller @DustinB3403

                                @DustinB3403 said in Microsoft Hid Known Vulnerability According to Senator:

                                @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                                @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                                you're saying that they can't ever be wrong in their releases?

                                No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                                Like teen pregnancy....

                                LOL, exactly.
