LandzDown Forum

"The best workaround available at the time of writing this is to wait Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.

Plus, practice safe computing.  Due to the upcoming Thanksgiving holiday, I have the feeling we won't see an "Out of Band" update and may have to wait until December 14th (the next "Patch Tuesday").

When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.

So in other words, the crybaby disclosed the zero-day vulnerability totally out of greed because his reward would only be $1,000 instead of the $10,000 he thought he deserved. 

What a brat.

Let's not forget how this particular vulnerability may be exploited. The bad guy must have "limited access to a compromised device". That is, the bad guy must have physical access to the machine. How likely is that to happen and go unnoticed?

And then he or she must somehow be able to log into that Standard account. How? With the username "standard" and password, "12345678"?  It is not like a hacker in N. Korea or Iran can suddenly gain admin privileges on our systems with a couple clicks of his mouse.

"Security researcher"? Yeah right! He's a hacker. And not a white hat hacker either.

I would be more worried about slack remote connection policies.

This is true. And I am not trying to minimize the severity of that vulnerability. And certainly, Microsoft needs to patch it quickly. But realistically, how worried are you that this might happen with one of your computers? Or the computers belonging to your family, friends and clients?

That is, how many users do you know even have remote access set up? That is, to allow access from outside their own network? I think I know two, and both are IT professionals. How many users do you know leave their computers out, unattended and exposed where strangers or untrustworthy users can sit down at that computer and exploit this vulnerability?

So I think that illustrates my point, but from a different angle. That "security researcher"   had his little puerile tantrum because his reward was not as big as he greedily thought it should be. Yet we have to wonder, how serious, or rather how likely is it that this vulnerability will be exploited? How many users are likely to be victimized? I have to think it would be very few.

Now I don't know about others, or that security researcher, but a $1000 "reward" is not chump-change to me. This guy is not a Microsoft employee. He didn't risk his life or his own security. He was not hired by or contracted by Microsoft to find security flaws in Windows.

He did not selflessly sacrifice anything! And yet he's so mad at Microsoft because they wouldn't give him $10,000, that he selfishly and recklessly put others at risk!