A security vulnerability report arrived that went roughly like this:
An attacker can bypass security policies by modifying the following registry keys to disable ⟦security feature 1⟧ and ⟦security feature 2⟧.
The statement is true, but what they don’t mention is that administrator privileges are required to modify those keys. This is like saying that a door lock is insecure because you can open the door from the inside. If you are inside, then you have already gotten past the door!
Indeed, the purpose of those keys is to define the security policy in the first place! So it boils down to “It’s a security vulnerability that an administrator can change a security policy.”
What the security researcher found was that if your system has been compromised, the first guy who gets into your inner sanctum can make your system even more vulnerable.¹ If you assume that the attacker has full control, then it’s not surprising that they control everything.
¹ Isn’t this the plot to half of the sci-fi movies ever made? The plucky hero sneaks behind enemy lines in order to disable the bad guys’ shields long enough to let the rest of the team in. This isn’t a security flaw in the shields. It’s a security flaw in whatever was supposed to protect the switch that turns off the shields.
The sci-fi movie analogy would be “If we can get to the switch that turns off the shields, then we can turn them off!”
Well, yeah. The hard part is getting into the room that has the switch.
It rather involved being on the other side of this airtight hatchway.
Bonus chatter: This is a repeat of It rather involved being on the other side of the airtight hatchway: Disabling a security feature as an administrator, but this type of bogus vulnerability report happens so much, I wrote it up again before I realized that it was a duplicate.
google AI search results for the phrase, only briefly note that it’s a line from Hitchiker’s Guide — the bulk of the summary text describes how the metaphor applies to cybersecurity
Heh, I wonder if that’s been influenced by how long Raymond has used the phrase on this blog, explicitly to refer to cybersecurity stuff.
Is this type of “vulnerability” reported by real security researchers, or self-proclaimed “security researchers”?
Probably the second, but from Microsoft’s PoV, it doesn’t matter.
The same amount of resources has to be dedicated to triaging it regardless of the credentials of the reporter.
@Chris Iverson I wonder if they get a lot more AI generated “reports” these days that equally make 0 sense. And have to triage it with the same number of trained people.