
Microsoft has released 14 sets of software patches to address critical security vulnerabilities in Windows, Office, Internet Explorer, and Edge. Yes, even Edge: Microsoft's supposedly whizzbang super-secure web browser. Users and sysadmins should apply August's Patch Tuesday fixes as soon as possible: the bugs can be exploited …
I like the way they separated the Edge bugs from the IE bugs. Same CVEs though. Whatever could that mean?
It means you will soon see yet another Redmond marketing troll claiming that Windows has only got xx problems, but Linux/OSX/FreeBSD (etc etc) have more, because that's how they sell this abomination to their golf buddies.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240
Despite the fact that it identifies as pretty much everything else as well for compatibility, Edge identifies as version "12.10240", which I see as an internal admission of its being IE12, even if "About this app" identifies it as Microsoft Edge 20.10240.16384.0.
Or CPM?
Maybe not browser bugs but I did once write a virus for CP/M when I was at polytechnic in the mid 80s. Purely as an intellectual exercise of course. Plus I wrote it on an Amstrad CPC 6128 which used 3" floppy discs so it didn't really have much opportunity to infect the wider world :)
One of the fixed security bugs (mentioned in the release notes) was:
* sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit.
Sounds like a remotely exploitable bug that may not need a local account. Anyone know the details?
.. they clearly need more days in the week than just one to keep up.
I wonder what sort of effort MS management undergoes to remove their ability to be embarrassed about the quality of what they sell. Is it reprogramming à la Scientology, or maybe surgery? Whatever it is, it must be pretty major.
I don't know, the cynic in me says that list of remote execution bugs sounds like a carefully crafted set of NSA bugs inserted by someone on the inside. However, the realist in me says "shit coding".
I no longer have any inclination as to which of those two possibilities is the more likely!.. Meanwhile the pragmatist in me is shouting "WHY CAN'T THEY BE A COMBINATION OF THE TWO? IT'S PROBABLY BOTH, IT'S PROBABLY BOTH"
Calmly considering all the factors, I think the pragmatist is probably correct. ;)
"no longer have any inclination as to which of those two possibilities is the more likely!.. Meanwhile the pragmatist in me is shouting "WHY CAN'T THEY BE A COMBINATION OF THE TWO? IT'S PROBABLY BOTH, IT'S PROBABLY BOTH""
Well done, you have just found an argument why the code has to be at least of *some* quality - can't afford a crash when it's sending off your data to the NSA now, can it?
"Now how many of these vulnerabilities exist in the win2k and win2k3 code bases and therefore remain unpatchable by the laggards?"
Patches were released for some of these on Win2K3 if you have an extended support agreement. The agreement prevents publicly providing any further details...
"Using OSX"
Errm - but that's on well over 2,000 known vulnerabilities now - way more insecure than even Windows XP.
Oh hello Redmond marketing department, really? You really want to try and spin that one here, and really right now? You did read what the main article was about, no? And you do realise that most people reading *this* forum are fairly adept at detecting manipulated statistics and selective quoting from facts, no?
I know you're paid to peddle this myth but you really ought to come up with something new, like actual facts. Ah, no, sorry, that's exactly the problem, isn't it? If you remained with the facts it would all get even more embarrassing, wouldn't it? Don't you think that your time and the company's would be better spent on coding an OS that is actually suitable for a 21st century IT environment instead of still being so deficient that only someone suffering from insanity (or a serious degree of masochism) would hook up a raw box to the Internet, whereas NO other modern OS has any problems with that out of the box?
You see, it is exactly the fact that you cannot acknowledge that this is a frankly piss-poor performance of a supposedly modern OS that stops you from fixing it. Stop pretending that it is even NEAR beta quality and produce something that is decent for a change. I know it would be a total shock to the system, but especially now you're seeking to entrap people into a subscription model it would be good to demonstrate that people actually get something for their money, because on raw ROI Windows has been performing badly for quite some time, and this latest debacle is not exactly helping if I start adding up all the resources and FTEs I'd need to keep this anywhere near safe to use.
"I know you're paid to peddle this myth but you really ought to come up with something new, like actual facts"
I see we have another deluded Apple user. The facts are from Secunia and NIST among others and the links to the vulnerability lists have been posted here plenty of times before.
See for instance https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapple&cpe_product=cpe%3a%2f%3aapple%3amac_os_x&cve_id=
Everything you say applies even more to OS-X.
...more insecure than even Windows XP.
Seriously.
You want to use that argument.
In a comments thread on an article that talks about USB STICKS INFECTING WINDOWS IN 2015!!!
How fucked in the head do you have to be to still defend them after all this crap? Doesn't the shame and self-disgust make you want to end your life in some fittingly painful manner? Surely even MS could not pay someone enough to lower themselves to such a point as to actually defend them after something as bad as this?
I guess the reason you haven't ended your own life is evident though - you obviously are seriously mentally deficient, which begs the question how did you escape from hospital?
It defies belief that a "brand new" browser, aka Edge, has so many flaws less than a month from the release of Windows 10. It makes you wonder just how much of Edge was really a re-write / build from scratch. I'm thinking it shares a lot of IE's codebase hence the vulnerabilities.
And to think that Vista was supposed to be the best tested OS ever.....
>It defies belief that a "brand new" browser, aka Edge, has so many flaws
No. It really doesn't.
Meanwhile at Hobbes Towers we've just discovered that Wurd 2013 on Win 8/10 uses the same rendering engine as IE11, which means text looks like jagged crap.
MS took out a feature that worked in Win 7 and replaced it with crap code that everyone who uses Wurd has to look at every day.
That's how awesome MS is.
" It makes you wonder just how much of Edge was really a re-write / build from scratch."
Where did you get that idea? I thought Edge was fairly clearly presented as "Starting from the IE codebase, we took out all the backwards compatibility hacks.". The idea is that it will then be easier to maintain the less-hacked-about codebase. I'm not aware of anyone claiming that it was a completely new engine. (As you hint, given previous and completely discredited claims of a "total re-write" regarding Windows itself, any such claim for Edge would have been laughable.)
Shitty devs!! Go ahead and start your thumb-downs, whatever! When are these asshats gonna be let go...... or the hiring managers?
These bottom feeders continue to put everyone at risk .... they get their check then check out. Not an ounce of pride of ownership. Case in point .... I was told we still use Flash because "HTML5 is too hard." Yeah, too hard .... as they use Slack to access Jira so they don't have to VPN. FIRED - 2 PEOPLE ..... the person that chose to pay for Slack, and the fuck that chose to spend the time to integrate Slack + Jira instead of fixing the critical vulns that have been pointed out .... that they don't understand. But no!!! "We appreciate their creativeness." What the fuck ever!
That "goat" devices be deployed which appear to contain vulnerabilities and interesting-but-useless information such as credit *s with limited funds and dummy datasheets, spreadsheets etc.
Should be possible to emulate a typical out of date patched Windows b0xen on an Arduino and this could log number of attacks on a small display for training purposes etc.
They are called honeypots, anon.
However, these too need maintenance. I suppose even more than the real stuff.
The sad real-life situation is that even the real stuff does not get the maintenance it needs ("You need to maintain this server? But Microsoft is issuing patches regularly, what do you need to do? Don't be a weasel!")
"They are called honeypots, anon."
That's a later development. It sort of started with Fred Cohen's Deception Toolkit (DTK), created just before we got distracted by Y2K. The DTK does more or less what the OP described.
I find it useful to go back to origin of ideas, because you find that later developments tend to cherry pick aspects of it and discard others that may have value in their own right.
An example of that is referring to the novel "1984" where what you really ought to do is go back to the whole Jeremy Bentham "panopticon" theory, because you then also pick up that this is about advanced, long term mental manipulation and, more importantly, that that idea was meant for prisoners...
I thought that the mind numbing sloth was just a Vista update thing, Windows 10 was slow in the early morning but not glacial but I see a Win 7 machine waiting, waiting, waiting but not getting anywhere at the moment. I slightly suspect that they are queuing machines as the download itself is not too terribly slow once you get the list of updates. Interestingly, on a windows 7 machine the only update ticked was the one for Windows 10. I had to make a manual 'tick all' and remove the windows 10 tick to preserve user sanity and domestic peace.
The Windows 10 update fails anyway unless run from media not the download.
"After 15 minutes spinning its wheels in "checking for updates" mode ...."
Which is one thing I really like about the Synaptic Package Manager. You can get it to show the progress of both the download, and the application of the packages (should you choose to do so) in an attempt to be assured that your b0x isn't frozen.
Can't say that about WindblowZE.
"Adobe has posted an update to fix 34 CVE-listed vulnerabilities in Flash Player."
Nope. 35 CVEs. I counted twice, just to be sure. Only two of them currently have descriptions up on Mitre.org. But Adobe provides a list of general problems and associated CVEs in their new Flash/AIR security bulletin:
https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
I'm gloating because I made the correct and educated choice which has saved me from a large percentage of such headaches over the last decade or so.
You are imagining headaches and people running around like crazy.
In real life, these type of events are frequent enough that there are well established processes for dealing with them and they are taken comfortably in stride. It's virtually a non event.
If people can't handle these things easily then they are incompetent and just having OpenBSD isn't going to help much.
I really misread that. I thought you were complaining that your OpenBSD boxes didn't flush.
Maybe he meant that their performance was crap?
Note the icon - I know I started out to run BSD for my first server but somehow ended up with Debian, can't remember why. I've never actually run BSD but I do expect that it would be an experience that would have me (again) scratching my head and saying "why do people still run that MS shiteware?"
Would simpler CPUs be less powerful? Would simpler OSs make life difficult for the user?
I thought the Z80 with 55 thousand transistors was a complicated enough design. I wonder if it would be possible to build a 64-bit CPU that used only 250,000 transistors and had simple floating point or Unum. http://insidehpc.com/2015/03/slidecast-john-gustafson-explains-energy-efficient-unum-computing/
I always want to do things the simple way but everyone else is up for flowery elaboration. I can't win!
Well bloody f#@King hell!
First, I second RRs sentiment in spades. We cannot fight what we cannot see; situational awareness is a first essential step.
The broader issue is that the background update process goes on continuously, from multiple vendors. At least some of these, according to the information the third party vendors provide, may include bug fixes and updates unrelated to the security vulnerability fix. The code is considered proprietary.
The bottom line is that the users, including large entities who operate ISP/Hosting services, government data bases and now the everlovin' f--ing cloud, have no visibility into what the actual system configuration looks like and what the code actually does.
Security demands situational awareness. And we have none.
Problems often present in that worst of forms. . . intermittent.
I live in a third world county in Virginia, USA, and am limited to satellite internet. The closest nodes in the internet are in the Richmond--DC--Baltimore corridor. And, I'm using W8.1 What could possibly go wrong.
I spent the better part of a day earlier this week trying to track down why nine out of ten of my e-mails were timing out on the outgoing server. The answer from my ISP was, we know there's a problem, we just haven't been able to track it down. I know of a similar situation with a DoD site. It refuses to deliver pages to certain users. The service desk has been able to confirm that these users have authorized access that the system is recognizing and accepting. The answer--we know this happens for some number of users, we don't know why. In this case, reality rises to bite us in the butt. The guv needs a contractor to fix the problem. There is no contract.
In the meantime, users get to piss away countless hours and money trying to troubleshoot problems that may, or may not, be on their system.
As a user, with a lot of history but waning chops in this technology, I find this insane.
For the Register, we of British heritage are a proud lot. Please speak (or write) the language. Just because some fumble fingered jackass makes a typing error, doesn't mean that it needs to be adapted as the Queen's English. All the jargon and geek (or in this case leetspeak) does is force us crotchety old men to look the damned term up. The technical jargon that is over my head, I don't mind. Smarter folks than I are communicating important things to one another. But pwn? Please!
NB. pwn may, in fact, not be due to fumble fingers. The writer may be stuck with the version of the MS ergonomic keyboard I'm using--which for my convenience has changed the size and repositioned keys relative to the MS ergonomic keyboard it replaced.
It is to weep.
"We cannot fight what we cannot see, Situational awareness is a first essential step."
Not if you're Microsoft. If it was too visible just how much patching is happening it is possible you could be motivated to search for alternatives, and executives would look stupid for making that choice. Especially the latter admitting they made a mistake is what keeps Windows firmly entrenched, so don't expect any help soon to make it easier to identify the costs and threat to your company.
Sorry, but I cannot agree.
What keeps Windows so firmly entrenched is the fact that 95% of the market have been using it since it started, and are so used to it that they cannot change. That is why TIFKAM was such a disaster - it went against user habits.
It is for that reason that Microsoft keeps so strongly away from "rebuilding from scratch". The only thing that keeps Microsoft on the market is the fact that their OS remains compatible with legacy applications.
The day that compatibility dies is the day Microsoft folds, because companies, especially the Fortune 1000, are very ready to change for a free OS if they have no choice. So Microsoft stays compatible with legacy so as to give them no choice.
"Nobody has brought up the fact that if someone nefarious has physical access to your computer you are pwned. "
Not if the PC runs Windows with Secure Boot and Bitlocker with Microsoft recommended settings for a domain member, and is powered down when not in use. No known way round that so far.
"Not if the PC runs Windows with Secure Boot and Bitlocker with Microsoft recommended settings for a domain member, and is powered down when not in use. No known way round that so far."
Hmm.. Secure boot.. You mean that thing that Lenovo has recently shown is broken beyond belief, because windows will bend over and take any code loaded in the right place in the BIOS without so much as a cursory AV check before execution?
Haven't tried Bitlocker yet (and never will), but given MS's past approaches to security I am quite certain that someone soon will find that a) there is a hard-coded backdoor and b) the key to that backdoor is "passw0rd". Probably a secondary backdoor in case the first one fails - "12345".
As to the "domain" bullshit.. How many home users are set for that?
Want security? Don't run Windows.
I know I know.. Don't feed the trolls.. That reminds me, I'm fresh out of rat poison..
MS15-085: One CVE-listed flaw in Windows Vista through Windows 10 allows an attacker to gain administrator-level access if they plug in an evil USB device. "The vulnerability could allow elevation-of-privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it," according to Microsoft.
So when a member of staff plugs their mobile into a secure PC on a secure network where IT are still testing if these patches are safe to install, one does wonder if the phone could have been converted into an evil USB device by the playing of some free game.
Most PCs allow booting directly from a USB thumb drive. So: as long as there's physical access to the machine, one could then boot Ubuntu (or whatever operating system) completely independent from the installed operating system, then copy over whatever files might be of interest. That's provided Bitlocker or other encryption has not been enabled.
Bitlocker is enabled by default in Windows 10. Not with the most secure possible settings mind you, but it's still on which makes accessing a disk via booting from USB somewhat more challenging...
That's a bit of a stupid move from a data recovery POV. Is it clearly explained to users before being done that unless they have regular backups (which experience tells me less than 1% of computer users do) then they're all-but guaranteed to lose their data?
I understand the reasoning behind full disk encryption[1], but forcing it on people could be a problem because users simply do not grasp the need for backups. They see machines run for year after year with few if any problems, they have no concept how quickly disks can fail when something does go wrong.
I hope MS makes a decent effort to educate people about backups, and get a nice simple system back like that which was in XP, not sure on 7 but the one on 8 was nasty from a computer illiterate home user POV.
[1]The servers that handle customer databases and other customer data/files are completely encrypted and as secure as we can make them. Outside of these and a few other things that handle people's data, I do not myself use any encryption. For most people it's simply another level of unnecessary complexity.
"Most PC's allow booting directly from a USB thumb drive."
Most PCs? Most domestic ones?
I suppose if the admins had left the BIOS settings unprotected by password, and not disabled boot from devices other than C: then such an oversight would leave you open to more attacks than just this one.
But I've not used a corporate PC that has that left open, or indeed not fully encrypted for years; it's near the top of the sysadmin to do list.
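A defender's check for the baseline the last few comments argue about: Secure Boot on and BitLocker actively protecting the OS volume, so that booting a USB stick finds only ciphertext. This is an added example, not code from the thread or from Microsoft; it assumes the built-in Windows cmdlets Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume (Windows 8 / Server 2012 or later, run from an elevated prompt).

```powershell
# Added example: report whether this host meets the "Secure Boot + BitLocker"
# posture discussed above. Assumes the built-in SecureBoot, TrustedPlatformModule
# and BitLocker modules are present and the shell is elevated.
function Get-PhysicalAccessPosture {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as
    # "not enabled", because a BIOS boot-order password is then the only guard.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Without a ready TPM, BitLocker falls back to a startup password or USB key.
    $tpmReady = $false
    try { $tpmReady = [bool]((Get-Tpm).TpmReady) } catch { $tpmReady = $false }

    # Per-volume state. ProtectionStatus is 'Off' while encryption is suspended
    # (e.g. around firmware updates) even though VolumeStatus says encrypted,
    # and in that state the volume is readable from a USB boot.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            KeyProtectors    = (@($_.KeyProtector.KeyProtectorType) -join ',')
        }
    }

    $osVolume    = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
    $osProtected = [bool]($osVolume -and $osVolume.ProtectionStatus -eq 'On')
    $osKeys      = 'n/a'
    if ($osVolume) { $osKeys = $osVolume.KeyProtectors }

    [PSCustomObject]@{
        SecureBootEnabled = $secureBoot
        TpmReady          = $tpmReady
        OsVolumeProtected = $osProtected
        OsKeyProtectors   = $osKeys
        Volumes           = $volumes
    }
}

$posture = Get-PhysicalAccessPosture
$posture | Format-List SecureBootEnabled, TpmReady, OsVolumeProtected, OsKeyProtectors
$posture.Volumes | Format-Table -AutoSize

# The comment's claim only holds when both are true; flag anything else.
if (-not ($posture.SecureBootEnabled -and $posture.OsVolumeProtected)) {
    Write-Warning "Host is readable from a USB boot: enable Secure Boot and turn BitLocker protection on for $env:SystemDrive"
}
```

A "TpmAndPin" entry in OsKeyProtectors is the setting the comment above calls "Microsoft recommended for a domain member"; a bare "Tpm" protector still unlocks the volume automatically at boot.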