back to article It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too

Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether. Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to …

  1. Roger Ramjet

    By the time I read this, it was waiting to be installed.

    1. Anonymous Coward
      Anonymous Coward

      And that's the last we'll see of you for a few hours.

    2. elDog

      And there'll be a bunch of new zero-days to deal with

      Just applying patches seems to trigger the vultures to unleash their latest.

      Who's really driving this train? It doesn't seem to be the engine or pilot - it seems to be some of the secret passengers who are hoping for a crash.

    3. Anonymous Coward
      Anonymous Coward

      Crap by (lack of) design.

      1. oiseau Silver badge
        Facepalm

        Future headlines

        You don't have to be a future telling savant to know that one of the prominent Microsoft related headlines appearing in The Register in the next few years will continue to be:

        "It's 20XX... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too"

        It *will* save a lot of work for the editor, mind you.

        Just has to copy/paste and then replace XX with the proper number.

        In any case, just like with this one headline, absolutely no one will be surprised and (uncanny beyond beief) quite a few members of the ElReg readership will be wondering why it takes so long to patch their (still) vulnerable MS install.

        Cheers.

        1. Scott 53

          Re: Future headlines

          2XXX

          FTFY

          1. Ken Hagan Gold badge

            Re: 2XXX

            No way will we need that third X. Microsoft have no new products that look capable of sustaining their historic position within the industry. They've given up on "devices" and they've largely lost on servers. They survive on desktops on the strength of their ability to run programs from a decade or so ago, but the result of *that* is that the current version of Windows is almost crushed under its own weight of back-compat crap.

            They aren't dead yet, but in 2025 we may look back at 2017 and say "Yeah, the signs were already there.".

            And to the naysayers who point to the cash pile I say just that it is all virtual money and another company (probably not Apple, Google or Amazon, although they are probably big enough) will eventually have a big enough pile of its own to *buy* Microsoft for its IP and promptly shut down the day-to-day operation as an act of mercy.

            1. bombastic bob Silver badge
              Unhappy

              Re: 2XXX

              "They survive on desktops on the strength of their ability to run programs from a decade or so ago"

              for now. Until they decide to abandon Win32 support and go "UWP only".

              just wait. they'll do it. they've got their foot targeted, and are ready to pull the trigger...

    4. Anonymous Coward
      Anonymous Coward

      By the time I read this, it was waiting to be installed.

      Yeah, it's always nice when I can start the day with doing paperwork because my work system is wasting power and bandwidth performing yet-another-f*cking-update. Thank God we haven't managed the paperless office yet or I'd be sitting there for a couple of hours.

      I can recall the days when someone was selling us a Windows update with the statement that it would increase our productivity. I note with interest that they're very careful to avoid that argument now.

      1. Roland6 Silver badge

        >Windows update ... increase our productivity.

        Perhaps MS have quietly gone into reverse, with all the claims that people are spending too much glued to their computers, MS, through the Windows Update service, are providing opportunities for people to take breaks and do other stuff...

    5. Anonymous Coward
      Anonymous Coward

      My IT department will roll this out in the next 3 months or so, totally oblivious that windows security is total dogshite, actually believing there is some security benefit rushing into a windows 10 rollout that end users hate.

  2. Anonymous Coward
    Anonymous Coward

    Disgorge

    Microsoft spew again in to the bucket that is Windows. No wonder it smells, 30 ( THIRTY ) years of vomit needs one big malodorous bucket.

    Running Windows is negligent, maybe the next big hack "victim" will sue MS as their crap no doubt will feature prominently in the corporate rampage.

    Feel free to down vote lemmings, but be sure to open your eyes less you press the up vote icon.

    1. wallaby

      Re: Disgorge

      "Microsoft spew again in to the bucket that is Windows. No wonder it smells..................................... etc. etc. etc.etc.etc."

      Soooooooooooooooooooooooooo Tedious

      you need to up the dosage mate

      1. Kiwi Silver badge
        Linux

        Re: Disgorge

        Soooooooooooooooooooooooooo Tedious

        Not as tedious as the MS fanbois etc defending something that should be indefensible.

        In 1995, when the net was just starting to come to life, this stuff might have been forgiveable. But by now any decent SW company knows not to write code that allows the opening of a document to take control of a computer.

        you need to up the dosage mate

        Would love to know what you're taking that lets you sleep at night while you're defending this garbage.

        (Oh, seems to set you off so : mickey$oth, windoze, losedoze, microsucks, M$ etc etc etc... Hope you have a padded cell nearby...)

  3. Sorry that handle is already taken. Silver badge
    Devil

    Exploitable flaws in TPM

    Delicious

    1. LDS Silver badge

      Re: Exploitable flaws in TPM

      Just look at all the bugs and design flaws in SSL...

      1. oldcoder

        Re: Exploitable flaws in TPM

        Over the years... the average is 0.something per year.

  4. TReko
    Flame

    Old vs New Bugs

    Every new patch from MS recently seems to break something else.

    We spend the days after patching fixing or reverting machines.

    I get the feeling that they do not test as thoroughly as they used to.

    1. Anonymous Coward
      Thumb Down

      Re: Old vs New Bugs

      I get the feeling that they do not test as thoroughly as they used to…

      That’s your job now, as a customer. Welcome to Agile.

    2. Anonymous Coward
      Anonymous Coward

      Re: Old vs New Bugs

      I get the feeling that they do not test as thoroughly as they used to.

      FIFY :)

    3. Michael Habel Silver badge

      Re: Old vs New Bugs

      Blame the lack of interest in Windows X for that... After all that's where most of the Alpha / ßeta team now sit. Saving M$ undoubtedly countless ¥€$ on internally testing their Software.

    4. oldcoder

      Re: Old vs New Bugs

      Testing?

      Microsoft laid off the quality control section about 3 years ago.

      Not that there was all that much quality to start with.

    5. bombastic bob Silver badge
      Unhappy

      Re: Old vs New Bugs

      "I get the feeling that they do not test as thoroughly as they used to."

      they don't test at all. they fired their testing staff 2 years ago, during the insider program for Win-10-nic. They're entirely relying on 'insiders' and people who get the first run of patches. that's why there are forced updates, to make SURE they get their patches tested by the unfortunate saps who risk bricking their new, shiny machines that came with Win-10-nic.

  5. Anonymous Coward
    Anonymous Coward

    "scripting engine in Internet Explorer and Edge"

    Same shitty browser, different icon.

  6. Anonymous Bullard

    It's 2017....

    And this is still news.

  7. Captain DaFt

    Nice sub-title

    -But at least there's no Flash update (not this week, anyway)-

    But a bit optimistic. It's only the middle of the week! ☺

  8. FozzyBear
    Stop

    Another week and get to go through the same ol' dance steps. Test, install, fix again, then it's the start of a new week.

    Oh look, a new set of critical patches for Windows.

    <Sigh>

  9. Carl D

    The NeverEnding Story Continues...

    I was watching George Pal’s 1960 movie of H.G. Wells’ The Time Machine the other day and I couldn’t help but wonder if we’ll still be patching Windows security issues in the year 802,701 A.D.?

    Not as far fetched as it may seem, in my opinion.

    1. MacroRodent Silver badge

      Re: The NeverEnding Story Continues...

      but wonder if we’ll still be patching Windows security issues in the year 802,701 A.D.?

      That is one job the morlocks do. But you know the price...

      1. Brian Miller
        Linux

        Re: The NeverEnding Story Continues...

        Yeah, but they're eating Windows users.

      2. Teiwaz Silver badge

        Re: The NeverEnding Story Continues...

        That is one job the morlocks do. But you know the price...

        Windows 'ate' finally popular.

    2. tempemeaty

      Re: The NeverEnding Story Continues...

      And it will still be the same Windows from today with continued updates. Microsoft isn't ever going to write a completely new OS. LOL.

      1. Kiwi Silver badge
        Coat

        Re: The NeverEnding Story Continues...

        And it will still be the same Windows from today with continued updates. Microsoft isn't ever going to write a completely new OS. LOL.

        At least they're consistent.

    3. Michael Habel Silver badge

      Re: The NeverEnding Story Continues...

      Hopefully MicroSoft would have rolled over by then.

    4. John 110
      Facepalm

      Re: The NeverEnding Story Continues...

      "I couldn’t help but wonder if we’ll still be patching Windows security issues in the year 802,701 A.D."

      Of course we will, it might not be Windows, but every operating system needs patched and will do into infinity (and beyond)

    5. bombastic bob Silver badge
      Trollface

      Re: The NeverEnding Story Continues...

      "wonder if we’ll still be patching Windows security issues in the year 802,701 A.D."

      WIn-10-nic, the Morlock version

      1. Kiwi Silver badge
        Coat

        Re: The NeverEnding Story Continues...

        "wonder if we’ll still be patching Windows security issues in the year 802,701 A.D."

        WIn-10-nic, the Morlock version

        Is that a contraction of "More Lock" as in "even more M$ lock-in"?

  10. Joe Werner Silver badge

    Fonts and Windows..

    I had the error message "a TrueType font caused a general protection fault in the module setup.exe" when installing Windows once. Must have been Win98 (SE?).

    1. wallaby

      Re: Fonts and Windows..

      "I had the error message "a TrueType font caused a general protection fault in the module setup.exe" when installing Windows once. Must have been Win98 (SE?)."

      I had similar to that that installing Win 98 last year ..... after a failed hard drive trashed the disk and the backup of it had been lost under a deluge of sea water 2 years previously..... it was the fish in the open backup safe that did it.

  11. Ken Moorhouse Silver badge

    force regeneration of previously created weak TPM keys

    So these updates come with some extra homework.

    1. Wensleydale Cheese
      Joke

      Re: force regeneration of previously created weak TPM keys

      "So these updates come with some extra homework."

      Please, Miss, Windows ate my homework.

  12. SVV Silver badge

    Who designed this then?

    "visiting a website or opening a file with a specially crafted embedded font can cause malware within the font data to run and hijack the PC."

    How the hell did you design an OS that lets programmers embed code in a FONT?

    1. Teiwaz Silver badge

      Re: Who designed this then?

      How the hell did They design an OS that lets programmers embed code in a FONT?

      also

      Why the hell did They design an OS that lets programmers embed code in a FONT?

      1. Anonymous Coward
        Anonymous Coward

        Re: Who designed this then?

        Why the hell did They design an OS that lets programmers embed code in a FONT?

        The TrueType engine contains an interpreter that executes its own instruction set to adjust how fonts are rendered at different sizes on different resolutions. It's a complex process. The 8 x 8 grid of bits is long gone!

        https://www.microsoft.com/en-us/Typography/SpecificationsOverview.aspx

        ☐☐☐☐☐☐☐☐

        ☐☐◼︎◼︎◼︎◼︎☐☐

        ☐◼︎◼︎☐☐◼︎◼︎☐

        ☐☐☐☐◼︎◼︎☐☐

        ☐☐☐◼︎◼︎☐☐☐

        ☐☐☐☐☐☐☐☐

        ☐☐☐◼︎◼︎☐☐☐

        ☐☐☐☐☐☐☐☐

    2. LDS Silver badge

      Re: Who designed this then?

      That's what needed to have nice looking fonts able to scale on any output device, unluckily. People would complain about bitmap fonts enlarged for their 4K display, I'm afraid.

      Anyway, in fonts like TrueType the culprits are both Apple and Microsoft - actually the hinting engine was an Apple patent. But other font rendering engines are not that different.

      The real issue is not that font have code inside - it's how safe the rendering engine processing that code is. And still, the rendering pipeline must be very fast, or people will complaining if font rendering is slow.

    3. oldcoder

      Re: Who designed this then?

      Not just a font.. but the processing of that font was a kernel function.

      Microsoft IS supposed to have moved it out of the kernel... finally, but it may still have privileges...

    4. Jonathan 27 Silver badge

      Re: Who designed this then?

      Blame Von Neumann's stored program concept, if computers had totally separate data and executable storage this wouldn't be a problem. But as such, all the data on you computer MIGHT be a program.

      1. Anonymous Coward
        Anonymous Coward

        "if computers had totally separate data and executable storage"

        Actually, x86 protected mode can define what memory segments are for (executable, readable, writable....) - just no mainstream OS ever used them because of the complexity. AMD even removed the feature in x64. Just, it was what it is needed now to write secure systems.

        Anyway, fonts today are a sort of program - its execution should be strictly controlled, though. Again, the Intel four ring model would allow for better separation of privileges, but again nobody used it, because most CPUs had only two rings (and anyway, ring transitions are costly).

        In a four ring model you could have the true kernel running at ring 0, for example, while I/O could work at ring 1. It could still directly access the hardware (with a proper IOPL setting), but would not be able to access and modify ring 0 data.

        One day those features will be sold as a new, great breakthrough in computer security.... just like the cloud mainframe model looks so "disruptive"...

        1. Anonymous Coward
          Anonymous Coward

          Re: "if computers had totally separate data and executable storage"

          The most complex problem the next generation of developers can get their heads around is what sort of beard oil to apply. They're screwed. We're screwed.

        2. bombastic bob Silver badge
          Happy

          Re: "if computers had totally separate data and executable storage"

          "AMD even removed the feature in x64"

          you sure about that? I'm pretty certain that x64 has executable and non-executable page flags...

          edit: found this quote on wikipedia

          "The No-Execute bit or NX bit (bit 63 of the page table entry) allows the operating system to specify which pages of virtual address space can contain executable code and which cannot. An attempt to execute code from a page tagged "no execute" will result in a memory access violation, similar to an attempt to write to a read-only page. This should make it more difficult for malicious code to take control of the system via "buffer overrun" or "unchecked buffer" attacks. A similar feature has been available on x86 processors since the 80286 as an attribute of segment descriptors; however, this works only on an entire segment at a time."

          https://en.wikipedia.org/wiki/X86-64

          thought so

          1. Anonymous Coward
            Anonymous Coward

            " I'm pretty certain that x64 has executable and non-executable page flags.."

            It was a stopgap introduced when it became clear the flat model was risky, but is much inferior to the segment protection model. All it can do is mark some memory pages as non-executable. You can still modify executable ones, and read and modify memory everywhere.

            A segment could be executable without even being readable. That means the CPU can load and execute the instruction, but a process - without high privileges to create an alias segment - can't read (or worse, write) the segment contents - i.e. to setup a ROP chain. You could have read-only segments - no way for a process to modify its contents.

            One issue is compiler have the bad habit to mix instructions and some static data (and sometimes even non-static), while using properly the segmentation model would require segments for code, segments for constants, segments for variable data. Also, because segments have a size limit - which is checked when accessing the contents, any buffer overrun or the like could be limited.

            It could be a model non suited for interpreters (especially for highly dynamic languages) and VMs, where code is delivered as data - these should be sandboxed because they are inherently less secure than compiled code.

            The price to pay was a far more complex model, and loading segments and calling among them was slow exactly because of all the security checks involved.

            Instead of removing all the protection layers to speed up the CPU, the path should have been to speed up the protection mechanism. We'll return there, because it's one of the few ways to make systems more robust.

            1. Roland6 Silver badge

              Re: " I'm pretty certain that x64 has executable and non-executable page flags.."

              One issue is compiler have the bad habit to mix instructions and some static data (and sometimes even non-static)

              Don't remember having that problem with PL/M, but then PL/M did require the programmer to have some knowledge of segmentation, thus it was the programmer's decision to mix instructions, static data and dynamic data.

              I suspect the compiler problem is down to people wanting to use high-level languages and hence their compilers to solve everything, rather than accept that there are times where assembler (and hence some understanding of machine/platform architecture) is the right choice.

              1. Anonymous Coward
                Anonymous Coward

                Re: " I'm pretty certain that x64 has executable and non-executable page flags.."

                Compilers are a need - assembly is too CPU-specific. Only, for a long time compilers have been implemented to optimize speed and size - never security.

        3. Captain Badmouth
          Unhappy

          Re: "if computers had totally separate data and executable storage"

          "In a four ring model you could have the true kernel running at ring 0, for example, while I/O could work at ring 1."

          Instead of which we have a four ring circus.

      2. Mike 16 Silver badge

        VN Blaming.

        Von Neumann gets both too much credit ("accidentally" circulating a group report with only his name) and too much blame. For two reasons:

        1) The machine described in the (in)famous paper was to an extent "tagged". That is, each word had a bit (the setting of which was left as an exercise to the reader, but was part of the program loading process) to distinguish instructions from data. Not some modern sort of "throw an exception far enough up that the code that finally catches it knows sod-all about the context", but "If you store to an instruction, only allow the address part to be modified" and "If you execute data, treat it as a 'load immediate'". Instruction modification was needed because B-Boxes had not yet been invented in the UK, nor (as index registers) patented by IBM in the US.

        2) Even doing a stronger separation of code and data (e.g. the NX bit fixing the elision of segment-based control on the way to pages) gets you only so far. Your JVM may be immutable code, but it will be interpreting "data" (byte-codes) from who knows where, manipulating other data, probably all in one bit-soup "for efficiency".

        If you want _real_ separation, look into the Fairchild Symbol Computer. Even the compiler was "hardware".

      3. bombastic bob Silver badge

        Re: Who designed this then?

        "if computers had totally separate data and executable storage this wouldn't be a problem"

        harvard architecture. common for microcontrollers.

        in the x86 world, proper memory management would prevent writing anything that's executable. there are flags for that. I guess Win-10-nic isn't using them enough.

    5. Tom Paine

      Re: Who designed this then?

      You write it in C/C++ of course. Keep up.

    6. bombastic bob Silver badge
      Unhappy

      Re: Who designed this then?

      "How the hell did you design an OS that lets programmers embed code in a FONT?"

      you stupidly make font files DLL's with an executable section that runs on load...

  13. Dan 55 Silver badge

    Putting aside the usual monthly MS clusterfuck...

    ... the stock photo is nice but I think it could be a bit edgier, like one from here.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020