Apple was recently involved in a security problem where hackers could potentially access a Mac. The company was fast to react, but caused other problems. While Cupertino worked quickly, it seems Microsoft’s Windows platform was similarly affected. Worse, Microsoft has not been as proactive in attempting to fix the problem.
In Apple’s case, a bug in MacOS High Sierra allowed the platform to ship without a root password. In theory, anybody with enough knowledge could log in to a locked Mac. Cupertino issued a rapid patch, which promptly broke file sharing features on the OS. The company returned with another patch, which was then undone by updates.
The point here is Apple failed miserably to solve the issue, but did try. In Microsoft’s case, the security vulnerability was different, and so was the way the company dealt with it. ITNews reports software developer Matthias Gilwka discovered a flaw in the wildcard transport layer security (TLS) certificate.
This included a private key when building a sandboxed test environment for Microsoft Customer Relationship Manager, Enterprise Resource Planning, and Dynamics 365. Exporting the key would give attackers the ability to decrypt traffic and impersonate the server.
“Since the attacker can use the original TLS certificate, there’s no warning or error on the client side” Gilwka notes. “Just the green padlock indicating a secure connection. The users of this user acceptance (sandbox) systems are high-value targets. They are usually in key positions at the respective organization and have access to valuable information.”
While the vulnerability is worrying, it is not the most concerning aspect of this incident. Unfortunately, breaches and flaws happen. This means users are at the mercy of companies and how they react to such problems.
Microsoft’s Slow Reaction
As mentioned, Apple acted quickly and ultimately botched it. Microsoft’s response was no better, and arguably worse. Gliwka reported the flaw to Microsoft Security Response Centre (MSRC) in August. However, Microsoft says the problems did not meet “the bar for security servicing”.
The company reasoned an attacker would need admin credentials, so the vulnerability was not a big problem. Gliwka took the incident public in October with a tweet to Microsoft. Needless to say, the company swiftly promised a fix.
Despite this promise, Microsoft continued to drag its feet, with two Patch Tuesday coming and going. Indeed, the company only fixed the issue last week. That means it took Redmond 100 days from first report to fix.