If only there was some kind of database where we could reference the most common vulnerability and exposure incidents, such as this one, and then ranked them based on their criticality, for everyone to be well informed.
Idk who went for the down vote here - such a mythical system sounds lovely (and someone clearly hasn’t read the news)
We should name it something like Common Vulnerabilities Index or something like that.
Shoot, it takes longer for me to wait for the user access window to run a command as an admin.
How would one do this?..
300ms refers to the window of time that the vulnerable DLL has elevated privileges and therefore the window that an attacker has to exploit it.
It doesn’t mean that the whole compromise from the start of an exploit chain takes 300ms. Badly written (clickbait) headline.
Sounds like a quicker way to login to me. What’s the downside?
Before you answer “security”, need I remind you that Windows has to my knowledge not ever been secure, unless you count when it’s still on the installation media and not yet inserted into the machine … yes, I too have used packs of Windows floppy disks in the past. I might still have a few hundred in a drawer somewhere.
9x was not secure. User credentials were only used to load a user profile, but there was no functionality to deny access to anything, and you did not need to log on with credentials.
NT and 2000 forward have been secure®, with actual permissions (file/folder, registry, services, etc) applied to user accounts.
Much of the crying about windows not being secure stems from people using admin-level accounts to do day-to-day things, and then getting tricked into clicking things they shouldn’t. Microsoft kind of mitigated this with UAC prompts, but the everyday user is “annoyed” by those, so people figure out how to turn UAC off, or just blindly click through the warnings. Hell, remember when the first UAC prompts out of Vista were “so annoying” that Microsoft had to scale back their frequency, because people didn’t like it?
This particular security situation is not any of the above. It stems from an actual code exploit. Which, by my reading, has been fixed?
Anyway - a vast majority of the “Windows is not secure” is a direct result of users running as root. Which you can do on any operating system.
To me it just sounds llike someone’s never hardened an enterprise and locked down windows machines effectively through cis alignment and some normal suite of tools, xdr, etc.
It’s easy to pick on windows because of Microsoft decisions over the years, but it’s also not impossible to lock it down effectively.
