New old Windows bug emerges, your 'strong' password is anything but, plus plenty more

Here is a brief look at some of the other security stories floating around right now. Ruby gem strong_password tarnished Earlier this month, an alert went out to Ruby on Rails developers after it was discovered that a popular package had been hijacked and injected with malicious code. Tute Costa was going through the gems …

  1. Anonymous Coward
    Anonymous Coward

    It is all data slurping

    Wondering why "telemetry" has become synonymous with "surveillance"?

    To the average user both mean that data from their machine is being sent somewhere.

    Because Microsoft has not revealed what data is in their so called 'telemetry' messages it is easy to see why people think rightly or wrongly they are being spied on by Redmond.

    Then because you can't turn it off without going through a huge number of hoops that impression is reinforced 1000%.

    I do not use Windows 10 any more. W10 was the last straw for me. After six months of fighting with it (Windows 7 is a pussycat in comparison) the nannying approach that MS has adopted won the day and I deserted to Linux and MacOS.

    I have one Server 2008 system that is only connected to the Internet 2-3 times a year. I think it will be ok for a while longer as the applications it runs don't need to be connected or phone home every few minutes to check on their licensing status. When that hardware dies that's it for me with MS.

    Keep on mollycoddling your user base MS, I'm sure that when you introduce subscriptions it will make you Billions but at what cost eh?

    1. Mage Silver badge
      Devil

      Re: It is all data slurping

      ""telemetry" has become synonymous with "surveillance""

      Yes, it mostly is.

      Hence without independent 3rd party audit I turn crash reporting off. Have done for years. Even Mozilla can't be trusted. Amazon, Microsoft, Google and Apple can't be.

      1. Pascal Monett Silver badge

        Agreed

        And the fact that there are people who think it is perfectly normal to gather data without consent, even with the Best Of Intentions (TM) is what started the whole problem in the first place.

        I don't care that you have the means, you need to check that you have the right.

      2. NoneSuch Silver badge
        Mushroom

        Re: It is all data slurping

        "Wondering why "telemetry" has become synonymous with "surveillance"?

        These are not at all the same thing."

        Yes they effing are for the same reasons "ethnic cleansing" and "genocide" are used interchangeably. Calling an action by something more palatable does not undo the action itself.

        Surveillance is defined as "close watch kept over someone or something." I call it data rape.

  2. Sorry that handle is already taken. Silver badge
    Meh

    The vulnerable version of win32k.sys is only present in Windows 7 SP1 or earlier. This means anyone running Windows 10, Windows 8, or Windows 7 SP2 is in no danger.

    Where do I go to get SP2 for Windows 7?

    1. tfewster

      Not sure if you're joking, but from: https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e

      In 2016, Microsoft decided to package 5 years worth of updates (2011-2016) into a single update, called the "convenience update" (although you and I can just call it Service Pack 2 because that's exactly what it is).

      ...

      Note: Installing the update won't affect the version of Windows listed in system properties. It will remain listed as Service Pack 1.

      1. Sorry that handle is already taken. Silver badge
        Happy

        I wasn't joking, but thanks. As you say, fully patched Windows 7 still reports itself as being SP1.

  3. Dan 55 Silver badge
    Alert

    KB2952664

    It says in the notes it replaces KB2952664, which is the update that everyone who decides to avoid Windows 10 because of telemetry and stick with Windows 7 tries to avoid.

    So, this needs disabling too because it's the same thing.

    1. Tree

      Re: KB2952664

      If they want to move me onto Windows 10, is that so I can be tracked? I do not trust anyone who sells my info to get money. Gurgle and FaceBUTT are both evil and I don't think anybody should use them. What is Microsoft storing in its computers about me? That's a secret.

  4. Anonymous Coward
    Anonymous Coward

    "In other words, relax nerds."

    Er, nope.

    Regardless of the placating words of some random security outfit's CEO (which amount to 'What's the problem? Everyone's doing it'), it is yet again Microsoft abusing the definition of 'Security Update' to slip in telemetry that they know people have been actively avoiding.

    So no, I won't be relaxing thanks.

    1. Anonymous Coward
      Anonymous Coward

      Re: "In other words, relax nerds."

      Exactly!

      I don't know what "security" firm would think this is okay.

      One person's Bug Report is another person's Key to the Kingdom.

      1. Tom Paine
        Boffin

        Re: "In other words, relax nerds."

        Katie Moussouris' contributions to the security community are considerable, and I don't doubt her personal integrity. However it's worth noting she had a senior security role at Microsoft (founded their bug bounty programme, for instance.)

        https://en.wikipedia.org/wiki/Katie_Moussouris#Microsoft

    2. Blazde Silver badge

      Re: "In other words, relax nerds."

      She is right on one point, crash report enabling *is* a good example of data collection which privacy conscious people are wary of too.

  5. Anonymous Coward
    Anonymous Coward

    "Wondering why "telemetry" has become synonymous with "surveillance"?"

    Because:

    1) It's hidden and forced

    2) Users are not asked to opt-in, and often can't even opt-out

    3) Gathers data that can be private and sensitive and sends them to a third party (and anyway I may want no data to be gathered)

    4) Doesn't disclose what data are sent, when and why

    5) Steals user bandwidth

    An AV that fully works locally and doesn't send anything outside without my consent is not surveillance; if it does, it IS surveillance. An IDS is a form of surveillance - would you trust your unencrypted traffic going through an IDS managed by a third party who could make a profit from that data?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Wondering why "telemetry" has become synonymous with "surveillance"?"

      6) And even if it is benign or portrayed as benign at present, at some point in the future it is likely to start sending more information that changes it from "telemetry" to "surveillance"

    2. Anonymous Coward
      Anonymous Coward

      Re: "Wondering why "telemetry" has become synonymous with "surveillance"?"

      Exactly. If they want me to beta test their software, they can pay me.

      1. whitepines
        WTF?

        Re: "Wondering why "telemetry" has become synonymous with "surveillance"?"

        People also keep forgetting what is in a crash dump. Wouldn't it be a shame if part of your password file, or a cryptographic key, or your plaintext password and snippets of keyboard input around it were "accidentally" sent to Microsoft? Where does Microsoft indemnify you against misuse or leakage of this data? All it takes is a bug in the password validation routines, or somewhere in Microsoft's botched Kerberos implementation, or in Chrome's password autofill and presto, Microsoft has some fairly sensitive data in their "crash dump" reporting across millions of systems worldwide.
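        The crash-dump exposure described in the comment above, as an added example that is not part of the original thread: a constructed buffer standing in for a process dump (an assumed layout, not a real minidump format) is scanned for a connection-string password, a PEM private-key header and a known secret in both ASCII and UTF-16LE, then zeroed in place before it would ever be submitted. It goes slightly beyond the comment by showing that an ASCII-only grep would miss the UTF-16LE copy.

```python
import re

# Constructed sample of what a process crash dump might hold: binary noise, an
# ASCII connection string with a password, a UTF-16LE password (Windows keeps
# most user-facing strings in UTF-16LE), and a PEM private-key header.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00" * 4
    + b"Server=db01;User=app;Password=Tr0ub4dor&3;"
    + b"\x00" * 7
    + "hunter2".encode("utf-16-le")
    + b"\x00" * 3
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA..."
)

# Generic patterns worth catching before a dump leaves the machine.
PATTERNS = {
    "connection-string password": re.compile(rb"Password=[^;\x00]+", re.I),
    "PEM private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def find_secrets(dump, known_secrets=()):
    """Return sorted (label, offset, length) triples for sensitive data found.

    known_secrets are plaintext values that must not appear at all; each is
    searched as ASCII and as UTF-16LE, because a plain ASCII grep misses the
    latter, which is how a password typed into a Windows dialog sits in memory.
    """
    hits = []
    for label, pat in PATTERNS.items():
        hits += [(label, m.start(), m.end() - m.start()) for m in pat.finditer(dump)]
    for secret in known_secrets:
        for enc in ("ascii", "utf-16-le"):
            needle = secret.encode(enc)
            pos = dump.find(needle)
            while pos != -1:
                hits.append((f"known secret ({enc})", pos, len(needle)))
                pos = dump.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def redact(dump, known_secrets=()):
    """Overwrite every hit with zero bytes; length is preserved so that
    offsets elsewhere in the dump stay valid for whoever debugs it."""
    buf = bytearray(dump)
    for _, start, length in find_secrets(dump, known_secrets):
        buf[start:start + length] = b"\x00" * length
    return bytes(buf)
```

Run `find_secrets(SAMPLE_DUMP, ["hunter2"])` to list what would have leaked, and `redact` to produce the copy that is safe to hand over.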

  6. Anonymous Coward
    Anonymous Coward

    I don't need to worry about the telemetry. I'm still running XP. I do have a win 7 key, however I don't trust MS. They might stick the slurp in updates.

    1. Halfmad

      Bragging that you are running an out-of-date operating system is like bragging you drive without insurance. It's stupid.

      Moving to Linux would make far more sense at this point for you rather than whinging about an out-of-date OS even MS don't want to touch.

    2. Carpet Deal 'em
      Facepalm

      Unless your application needs WMA/WMV support, anything supporting XP will run fine under Wine. You lose nothing by not upgrading to Linux (Mint and POP!_OS seem to be the current newbie-friendly recommendations).

      1. fiskrond

        MX-Linux worth a look.... and I really am a Linux noob.

        Install is not as simple as others which simply ask 'Install alongside Windows'... so use something like Partition Wizard (free) to create partition first, presuming yer going for dual-boot.

        After that, it's all good.... whack Vivaldi and LibreOffice on it and yer good to go!

        If you have a spare HDD to install to, all the better while you suss it out.... use Windows to download and burn to a DVD (I've yet to make a bootable USB that doesn't end up fekd... DVDs work just fine for me!).. unplug all other HDDs and install... have a fiddle with it... then start questioning loyalty to Windows...

        I haven't yet left Windows7.. (8 & 10.. pfft!).. but the day is coming

      2. Dan 55 Silver badge

        Add Zorin OS for newbie friendly.

    3. Wayland

      It probably is time you ran Linux. If you use a decent PC you can run XP in VirtualBox as I do.

    4. Loyal Commenter Silver badge

      Did the bot-net that your PC is undoubtedly part of (if it's running XP and is connected to the internet) make that post for you?

  7. Anonymous Coward
    Anonymous Coward

    Microsoft, so much for the idea of cumulative monthly roll-up update patches...{Facepalm}

    July 9, 2019—KB4507449 (Monthly Rollup)

    "Administrators should ensure that any one or more of the Monthly rollups released between April 10, 2018 (KB4093118) and March 12, 2019 (KB4489878) have been installed prior to installing April 2019 and later updates."

    1. Mpeler
      Pint

      Re: Microsoft, so much for the idea of cumulative monthly roll-up update patches...{Facepalm}

      Great catch.

      Meet the new bug,

      Same as the old bug...

      So, Satya, how's those $4.00/hr programmers working out for you?????

  8. Daedalus

    How wonderfully anitquated!

    In these modern times, with often a squiggly line appearing to show you that, yes Virginia, there is a spelling error, it is a delight to see that mispronts and hwolers can still appear in a Reg article.

    1. Daedalus

      Re: How wonderfully anitquated!

      Even better, they occasionally get the attention they need....

  9. adam 40

    Call that aniquated?

    I note that the Windoze exploit mentioned only affects 2007 and 2008 Server.

    So if we're running XP, NT , 3.11 or Windoze 2000 it's all good....

    1. Mpeler
      Paris Hilton

      Re: Call that aniquated?

      Exactly!

      I prefer the concrete approach.

      Windows CE, ME, (and) NT.

      A great foundation for building applications and systems ;)

      Paris, because she sees men(t) wherever she goes...

  10. Pirate Dave Silver badge
    Pirate

    Telemetry

    Relax, it's fine. Really, it's nothing to worry about. Microsoft has said it's nothing to worry about, so there's nothing to worry about. Besides, everybody is doing it now, so it's fine, there's nothing to worry about. So stop worrying, because Microsoft says it's fine.

  11. Anonymous Coward
    Anonymous Coward

    advised to update to version 0.0.8 or downgrade to version 0.0.6

    So, then, 007 is the secret agent?

    1. Anonymous Coward
      Anonymous Coward

      Re: advised to update to version 0.0.8 or downgrade to version 0.0.6

      So, then, 007 is the secret agent?

      Just an unfortunate coincidence, Mr Bond... Or is it?

  12. Snake Silver badge

    Surprise!

    The world found out about KB2952664, so Microsoft goes on and makes a (hidden) substitute. Well color me surprised!

    At least it is easier to kill than '664.

  13. Kiwi
    Holmes

    "But telemetry already comes with modern OSes, AV, IDS, etc.

    Crash report enabling is an example"

    I chose to turn that on or off depending on my liking of and trust in the developer. If I think they're OK and want to help them find bugs, I'll turn that on. Or eg with Firefox 'send' a crash report when asked - if I am feeling nice towards them and the crash is happening often enough (which is rare).

    If a security update inserts telemetry without asking, then trust is breached. On discovery I'd roll back and prevent future updating, and just use the machine more carefully to protect it (probably from a VM behind a pihole - the stuff I work with is document editing and the odd picture)

    And before you speak of losing security by not updating - they've proven that their update is untrustworthy so any claim to security is gone. I deal with sensitive personal data for some people, I can't have my systems infested with "telemetry reporting" that includes open or recently opened files. Perhaps the victim won't care/mind/be capable of comprehending what has happened. Perhaps the other end won't read or store that data. Perhaps unicorns riding 8-legged monkeys will fly out my arse while watching airborne pigs mate with 767s.. Legally I am supposed to protect data, not let it out of my hands without certain restrictions. By using W10 or an updated W7 I am in breach of private data laws.

    I'm longing to see some big government organisations get taken for using Windows and breaching data laws. (Don't tell me MS will never 'accidentally' sneak telemetry into the enterprise versions!)

  14. Anonymous Coward
    Facepalm

    Wondering why "telemetry" has become synonymous with "surveillance"?

    Congratulations to the winner of the Naive IT Idiot award of 2019. Your prize is a working bug-free copy of Windows 10.
