    Microsoft Hid Known Vulnerability According to Senator

    IT Discussion
    microsoft security azure solarwinds
    • C
      Carnival Boy last edited by

      What do you mean they "hid" the known vulnerability?

      • scottalanmiller
        scottalanmiller @Carnival Boy last edited by

        @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

        What do you mean they "hid" the known vulnerability?

        It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

        • Dashrender
          Dashrender @scottalanmiller last edited by

          @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

          @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

          What do you mean they "hid" the known vulnerability?

          It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

          the article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
          And here is an article dated 2017 talking about the article's golden saml
          https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

          • scottalanmiller
            scottalanmiller @Dashrender last edited by

            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

            @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

            @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

            What do you mean they "hid" the known vulnerability?

            It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

            the article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
            And here is an article dated 2017 talking about the article's golden saml
            https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

            Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

            https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

            • scottalanmiller
              scottalanmiller last edited by

              Microsoft claimed that their services were not at fault. But the claim is that MS's 2FA was disabled by the attack. Had 2FA been in place (not claimed, but actually in place) Golden SAML would not be enough. But many vendors make the 2FA not required under certain conditions and that's the claim that Golden SAML worked in this case because the 2FA turned off.

              https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection

              • Dashrender
                Dashrender @scottalanmiller last edited by

                @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

                What do you mean they "hid" the known vulnerability?

                It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

                the article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
                And here is an article dated 2017 talking about the article's golden saml
                https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

                Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

                https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

                Exactly - so it's hidden how?

                • scottalanmiller
                  scottalanmiller @Dashrender last edited by

                  @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                  @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                  @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                  @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                  @Carnival-Boy said in Microsoft Hid Known Vulnerability According to Senator:

                  What do you mean they "hid" the known vulnerability?

                  It's not ME that said it, it was the senator. But by using closed source and not disclosing a known vulnerability. That's hiding. Had the source or the vulnerability been made public, it would not have been hidden. They use licensing, contracts, and company policy to keep the information from reaching their vulnerable customers.

                  the article I just read said it was disclosed, in 2017... just not highly prioritized on fixing/monitoring....
                  And here is an article dated 2017 talking about the article's golden saml
                  https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

                  Microsoft hid it by saying it wasn't flagged by civilian agencies. But here's one in 2017 flagging it and mentioning them:

                  https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

                  Exactly - so it's hidden how?

                  Did MS tell YOU that your 2FA would not be 2FA? I doubt it. People expected these security mechanisms to remain in place. Claiming that it wasn't flagged, when it was. These are attempts to hide the info.

                  • Dashrender
                    Dashrender last edited by

                    Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                    I posted a link where it was publicly known, a link that you reposted, now that said, I didn't read the link, only saw that it talked about the golden saml.

                    • scottalanmiller
                      scottalanmiller @Dashrender last edited by

                      @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                      Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                      Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                      • Dashrender
                        Dashrender @scottalanmiller last edited by

                        @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                        @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                        Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                        Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                        So the lobbyist was wrong, at least on the last one.

                        • scottalanmiller
                          scottalanmiller @Dashrender last edited by

                          @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                          @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                          @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                          Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                          Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                          So the lobbyist was wrong, at least on the last one.

                          Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                          • Dashrender
                            Dashrender @scottalanmiller last edited by

                            @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                            @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                            @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                            Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                            Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                            So the lobbyist was wrong, at least on the last one.

                            Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                            Whatever - that wasn't my point.. thanks for assuming it was.

                            Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                            • scottalanmiller
                              scottalanmiller @Dashrender last edited by

                              @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                              @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                              @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                              @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                              @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                              Now I'm lost - MS claimed it wasn't flagged? or the senator claimed that?

                              Microsoft's lobbyist said it to Congress: "In a response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it flagged by civilian agencies.”"

                              So the lobbyist was wrong, at least on the last one.

                              Saying "the lobbyist" to make it not sound like Microsoft saying it is a marketing ploy. Microsoft's paid spokesperson representing them in the most significant way during an investigation, made this statement.

                              Whatever - that wasn't my point.. thanks for assuming it was.

                              Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                              Okay, if that's not your point, what IS your point?

                              • DustinB3403
                                DustinB3403 @Dashrender last edited by

                                @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                                Fine - So MS was wrong - you're saying that they can't ever be wrong in their releases?

                                In my opinion for a company as large as Microsoft, their recent releases have caused more issues than anything that I can recall going back a long ways and that for the kind of money that is spent on their product offerings that issues like this shouldn't be so common.

                                • scottalanmiller
                                  scottalanmiller @Dashrender last edited by

                                  @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                                  you're saying that they can't ever be wrong in their releases?

                                  No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                                  • DustinB3403
                                    DustinB3403 @scottalanmiller last edited by

                                    @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                                    @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                                    you're saying that they can't ever be wrong in their releases?

                                    No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                                    Like teen pregnancy....

                                    • scottalanmiller
                                      scottalanmiller @DustinB3403 last edited by

                                      @DustinB3403 said in Microsoft Hid Known Vulnerability According to Senator:

                                      @scottalanmiller said in Microsoft Hid Known Vulnerability According to Senator:

                                      @Dashrender said in Microsoft Hid Known Vulnerability According to Senator:

                                      you're saying that they can't ever be wrong in their releases?

                                      No, I'm saying that whether right or wrong is irrelevant. That it happened is what matters. Deciding if it happened accidentally or on purpose is a different discussion. Things that happen on accident doesn't make them not have happened.

                                      Like teen pregnancy....

                                      LOL, exactly.
