
Of course you patch it, but you don’t assume that every system affected by this 0-day got exploited. You try to check if some were and it’s obvious that people at Microsoft are doing exactly that.

Not saying that MS’s response was great, but I agree with GP that the whole thing is hyperbolic.



> Of course you patch it, but you don’t assume that every system affected by this 0-day got exploited.

Uhh, what? Of course you do. Why give the benefit of the doubt to hackers who hacked you with malicious intentions? That's the type of security nonsense that I'd expect from... Well, Microsoft lol


So every time a 0day is released you buy a net new device? Cause there are 0days like... every day.


If you find yourself owned by, and not only from, a 0-day, then yes, you wipe everything clean and re-build with mitigations in place from the start so as not to get reinfected in the process.

That's pretty much the only option if you safeguard valuable data for your customers. Yes, it's expensive to get breached, so take precautions to make it a rare event and contain it as much as possible when it happens.

I don't think the article is unreasonable. This is cloud infrastructure sold to companies with defense industry contracts where breaches are taken seriously.


I mean, yes, obviously, you have malware on a box, you rotate that box. They had keys and they rotated the keys. But the implication here is that the attacker could have done anything and therefore they have to destroy everything, which is unreasonable.


Rotating keys is far from enough. If your keys are compromised, you need to revoke everything. Then you need to assess what the impact is and wipe anything the compromised keys had access to during the period.

This is not theoretical. When the OpenSSL fiasco hit, I worked in a place under financial regulation. Not even the defense sector, which is under much stricter rules. We had to go through all logs to ascertain customer data was intact, and since leaking private keys did not leave a trace in the logs, we then wiped clean all systems these keys secured.

This was a massive undertaking to coordinate and minimize downtime for customers, but it was deemed necessary to comply with security regulations. To hear that a big juggernaut such as Microsoft doesn't even do this without facing many consequences is mind boggling. I cannot understand how that would ever pass an audit.


Revoke everything? Everything?

I have literally done incident response; I am well aware of what the investigation process is like.


Everything a potentially compromised key has signed, yes. What are we discussing here? This is standard procedure in every compliance process I have ever had the misfortune to work with, but for quite good reasons. Hope alone won't pass an audit.


OK but "everything" and "everything the key may have signed" are obviously so insanely different.


> I mean, yes, obviously, you have malware on a box you rotate that box.

"The box" in this case is their entire org.


Every time a 0day that granted privilege escalation was found in installed bins/libs, we ran a script that looked at setuids on anything and everything and did a report on what was found. We managed to find a crypto miner once.

Obviously I won't run it on my personal computer, but I'm not renting my PC to anyone.
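As an added example (not the commenter's script), the kind of setuid audit described above in portable shell: it snapshots every setuid/setgid binary into a baseline, reports anything that has appeared since, and looks up whether the binaries an advisory names are setuid on the host. The baseline path and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's script: a setuid/setgid audit.
# Assumed usage: run once to save a baseline, then after a privesc 0-day
# rerun to see what appeared (report_new) and whether the binaries an
# advisory names are setuid here (flag_names).

# list_setuid ROOT: print every setuid or setgid regular file under ROOT,
# staying on one filesystem (-xdev) and sorted so it can be diffed with comm.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sort
}

# report_new BASELINE ROOT: print setuid/setgid files present now but absent
# from BASELINE (a file written earlier by list_setuid). A setuid binary that
# was not there before a privesc bug is a classic persistence sign, like the
# crypto miner mentioned above.
report_new() {
    list_setuid "$2" | comm -13 "$1" -
}

# flag_names LIST NAME...: print the paths in LIST whose basename is one of
# NAME. Exact suffix match on "/NAME", so regex metacharacters in NAME are
# harmless.
flag_names() {
    list=$1
    shift
    for n in "$@"; do
        awk -v n="$n" 'substr($0, length($0) - length(n)) == "/" n' "$list"
    done
}

# Stand-alone run (assumed variable names): first run writes the baseline,
# later runs report what is new. Nothing runs unless SETUID_AUDIT_ROOT is set.
if [ -n "${SETUID_AUDIT_ROOT:-}" ]; then
    baseline=${SETUID_AUDIT_BASELINE:-/var/lib/setuid-baseline.txt}
    if [ -f "$baseline" ]; then
        echo "== new setuid/setgid files since baseline =="
        report_new "$baseline" "$SETUID_AUDIT_ROOT"
    else
        list_setuid "$SETUID_AUDIT_ROOT" > "$baseline"
        echo "baseline written to $baseline"
    fi
fi
```

Keep the baseline somewhere the audited host cannot rewrite it (a read-only share or a separate machine), since an attacker who can add a setuid binary can also edit a baseline stored next to it.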


Literally no one is suggesting that they don't perform a thorough investigation.


It's one thing if it's your laptop, but another if it's a system with billions of users.


A released 0day is an oxymoron.


I have a 0 day. I release it. I released the 0 day.


Hehe pedant but after that action, it's no longer a 0day...


It's named so because you have "0 days" to patch it; it's not referring to the age of the vuln.


Yes it is.

