I only know about CVE-2013-3900 (WinVerifyTrust), which allows modified files to pass the signature check unless you tweak the registry to enable the patch.

I think there must be other instances like this where Microsoft won't fix a vulnerability or chooses insecure defaults. Is there a list?
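
The "registry tweak" mentioned above, as an added example that is not part of the original post: Microsoft's advisory for CVE-2013-3900 documents that the stricter WinVerifyTrust behaviour stays off until the REG_SZ value `EnableCertPaddingCheck` is set to `"1"` under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config` (and, on 64-bit Windows, under the `Wow6432Node` path as well for 32-bit callers). The key paths and value are the documented ones; the function names, the `Enforced` field and the file-check helper are this example's own. It needs an elevated prompt to write the values.

```powershell
# Added example (not from the original post): audit and optionally enable the
# CVE-2013-3900 certificate-padding check that WinVerifyTrust leaves off by default.
# Key paths and the REG_SZ "1" value follow Microsoft's advisory for CVE-2013-3900;
# function names and the Enforced/report shape are assumptions of this example.

$PaddingCheckKeys = @(
    'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config'
)
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit processes on 64-bit Windows read the WoW64-redirected key.
    $PaddingCheckKeys += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Get-CertPaddingCheckState {
    # One row per key: Value is whatever is stored (or $null), Enforced is true only
    # for the documented "1"; a missing value or "0" means the lenient default applies.
    foreach ($key in $PaddingCheckKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
                -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        }
        [pscustomobject]@{
            Key      = $key
            Value    = $value
            Enforced = ($value -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    # Requires administrator rights. The advisory specifies a string "1", not a DWORD,
    # so -PropertyType String is deliberate.
    foreach ($key in $PaddingCheckKeys) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
            -PropertyType String -Value '1' -Force | Out-Null
    }
    Get-CertPaddingCheckState
}

function Test-AuthenticodeFile {
    # Re-check a signed file after the setting is enabled; a file with bytes smuggled
    # into its certificate table should no longer come back as Valid.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage (audit first, then enable from an elevated shell):
Get-CertPaddingCheckState | Format-Table -AutoSize
# Enable-CertPaddingCheck | Format-Table -AutoSize
# Test-AuthenticodeFile -Path 'C:\Windows\System32\notepad.exe'
```

Microsoft notes the stricter check may reject some legitimately signed files that carry non-standard padding, so audit what the machine runs before enabling it fleet-wide, and expect to need a reboot for every process to pick up the new behaviour.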

  • privsecfoss · 1 year ago

    Don't know precisely, but I hear from time to time that Microsoft is notorious for not patching in time in many cases, leaving vulnerabilities for months and sometimes years. I am pretty sure that MS just kinda gave up on the vulnerabilities Mimikatz exploits, so if the bad guys are on your network and you use MS infra, it's pretty much a question of time before they get admin credentials.