a broken Chakra Scripting Engine?
That's not very Zen of them now is it? =-)p
*Runs away before someone uses their Karma to run over my Dogma*
Microsoft has delivered another epic Patch Tuesday, dropping fixes for more than 100 security bugs, and Adobe and Intel have added their dose of misery and security too.

April showers from Redmond

The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being …
Mmmmm, two 0-days targeting Windows 7 not patched... how many companies have had to delay retiring the last of them... plus the odd 2008 or 2008 R2 server.
Let me guess: Microsoft's ESU service (a very expensive licence to get updates for EoL products) is about to get a bumper boost in sales :)
"The massive patch load is no accident, say experts" - I'm no writer, but this sentence doesn't seem to fit with anything around it. Have they been saving the patches up? Are a large quantity of patches usually accidents? Granted the bugs are (in theory) accidents, but it sounds like this is only half of what the "experts" said.
Right now, for us ActiveX gives us an easy way to communicate between the browser (if you can call IE a browser...) and an application installed on the client machine. We're currently doing this for Chrome (because telling potential clients "IE only" got old a few years ago) and it's a load of work.
You wouldn't be banned for that. The Register is very liberal in its naughty word policies, and a product, especially one that is essentially dead, cannot sue for libel. If you named and shamed the developers, that could be different.
Unfortunately for most orgs reliant on legacy software, MS now considers that IE is no longer a browser, and classifies it as a "compatibility solution."
Although getting the likes of Custom ERP systems built by certain companies associated with the colours Blue and Red to work on anything resembling a browser is easier said than done
"ActiveX will probably be painfully around as long as you, BB, but once was useful..."
Anyone who is bored and wants some idle amusement could while away the time by making a list of products whose names could be substituted for "ActiveX" without reducing the truth of the sentence.
Indeed, it could be the standard epitaph for all old software... which, unfortunately, is not dead even after it has been buried.
For the same reason your "beloved" Win32 is still out there, Bob - because some organisations are either too scared to upgrade, or do not see any profit in replacing something that "works for them", even if it is a security concern.
You know, it's basically prioritising money above safety - kind of like your attitude towards COVID-19.
"something that "works for them", even if it is a security concern"
How valid is the assumption that newer is more secure, given the burgeoning torrent of "security updates" affecting newer systems as well? The bugs you should be most afraid of are the ones not yet discovered.
There are many perfectly valid reasons for staying with something that "works for them" - not least the almost universal (and I'm sure intentional) forcing of obsolescence. Many engineering workshops have massive investment in CNC that can only be driven by an "obsolete" OS; many hospitals have critical diagnostic equipment likewise. This would cost possibly millions to replace in order to run a "current" version of windows, so economic realism is a key factor. Furthermore, if properly segregated, a system can survive intact despite vulnerabilities.
Good risk decision making is essentially based on cost/benefit assessment, so "basically prioritising money above safety" is not a fair generalisation, even if some businesses do get it wrong (and they do indeed).
"This would cost possibly millions to replace"
Indeed. We have a machine at work that runs on top of DOS. It's a highly complex mission critical device. The manufacturers no longer exist (haven't for ages) and the hardware is a set of custom ISA boards stuffed full of programmable logic chips.
I'm not sure we could even find somebody willing to take that on. Probably would be cheaper to have a new machine designed and built. And that's a large seven digit number.
Usefully, the IT guys did think to copy the software to floppies, and one of them is, in his spare time, trying to work out because they're coming on top a quarter century old. Though, connected via UPS, the machine has never failed or shut down once in all the time that I've seen it. That's probably more than can be said for most modern systems which would be vastly more complex for absolutely no discernible benefit.
I'd have commissioned a replacement already, whilst you still have the mission critical machine as both back up device and regression testing benchmark
Yeah... but when the machine is the north side of 10 million quid and you're up against the beancounters (and the bank*), things ain't that easy, especially if you're not a dedicated IT shop, and the machine's manufacturer has long since gone bankrupt or is playing the tune "Buy this new one for 20 million quid".
Air gap, remove the DVD drive and glue up the USB slots; works wonders.
*Bank... here's a sample of what it's like to deal with the bank:
Us: Can we borrow £250,000 for new machines for our new product line? We've always made a profit and always paid off our loans on time.
Bank: Get lost.
Us (some time later): We have new and disruptive agile tech born out of our blue-sky thinking and revolutionary out-of-the-box development that will catalyse the market for our stuff.
Bank: How much do you need? 10 million cover it?
The fundamental problem is the doomed attempt to combine an industry that uses software for productive purposes with another industry that makes and sells software for profit.
The first industry would benefit from stability, while the second profits hugely from constant innovation and never allowing stability to settle in.
Ironically, as the second industry is more (obviously) profitable, it always wins in any clash of wills.
So much for the sandbox...
For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
... it seems you can create new users and install programs in it.
It is just amazing what incredibly craptastic code MS and Adobe wrote (and continue to write). It shows that they employ junior programmers with zero experience and no oversight, and that no code reviews get done either. It also shows that their bug fixes are equally craptastic. If it was me, I would start by auditing the libraries and provide macro wrappers to avoid common mistakes, then recompile the whole can of worms.
Fonts are about as non-innocuous as file formats can get. They have code embedded in them for hinting which font rendering engines often have to run. There is a long history of RCE vulnerabilities in font parsing and rendering software (on all platforms as far as I can remember). NoScript bans custom web fonts in its default configuration because NoScript's authors think they're a plausible vector for drive-by malware.
"Fonts are about as non-innocuous as file formats can get"
That's ridiculous. Obviously there are more non-innocuous file formats - like every single executable binary file, for a start. The vulnerability is in the renderer, not the font file. A text file can become harmful if the renderer has a bug that can insert executable code into a certain memory space.
It would be nice if there were some option to completely disable TrueType hinting instructions. I wonder how much benefit they really give on the latest high-DPI displays.
And that code needs to be fast because you don't want weird rendering effects users will notice. Once it was mostly code run by RIPs when printing; now it has to be done in real time while displaying the text on high-DPI devices.
Maybe, time to develop a SecureType font engine and format....
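The two points raised above, that fonts carry hinting programs the renderer has to run, and that it would be nice to be able to switch those instructions off, can be made concrete with a small parser. The following is an added example, not code from any commenter or from any font engine: it walks a TrueType sfnt table directory with explicit bounds checks (the place where native font parsers have historically been exploitable), reports which font-wide hinting tables (fpgm, prep, cvt) are present, and rewrites the font without them. The table tags are the real ones from the OpenType specification; the sample font below is constructed in-line with placeholder table contents and is not a usable font.

```python
import struct

# Tables that exist only to feed the TrueType instruction interpreter
# (font program, control value program, control value table).
HINT_TABLES = {b"fpgm", b"prep", b"cvt "}


class FontParseError(ValueError):
    """Raised for any table record that would read outside the file."""


def parse_table_directory(data):
    """Return {tag: table bytes} from an sfnt header, bounds-checking every
    record. Trusting 'offset'/'length' here is exactly where native font
    parsers have historically gone wrong."""
    if len(data) < 12:
        raise FontParseError("truncated sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x74727565):      # 1.0 or 'true'
        raise FontParseError("not a TrueType sfnt: %#x" % version)
    directory_end = 12 + 16 * num_tables
    if directory_end > len(data):
        raise FontParseError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        # Written as a subtraction so the check cannot wrap, which is the
        # mistake a 32-bit 'offset + length > size' test makes in C.
        if offset < directory_end or offset > len(data) or length > len(data) - offset:
            raise FontParseError("table %r points outside the file (offset=%d, length=%d)"
                                 % (tag, offset, length))
        if tag in tables:
            raise FontParseError("duplicate table %r" % tag)
        tables[tag] = data[offset:offset + length]
    return tables


def hinting_report(data):
    """Names of the font-wide hinting programs present, e.g. ['cvt', 'fpgm', 'prep']."""
    return sorted(tag.decode("ascii").strip() for tag in parse_table_directory(data)
                  if tag in HINT_TABLES)


def _pad4(body):
    return body + b"\0" * ((4 - len(body) % 4) % 4)


def table_checksum(body):
    """Sum of big-endian uint32 words over the 4-byte-padded table (OpenType spec)."""
    padded = _pad4(body)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Serialise {tag: bytes} into a minimal TrueType container (tags sorted,
    tables 4-byte aligned, per-table checksums filled in)."""
    tags = sorted(tables)
    num = len(tags)
    entry_selector = max(num.bit_length() - 1, 0)
    search_range = (1 << entry_selector) * 16
    range_shift = num * 16 - search_range
    header = struct.pack(">IHHHH", 0x00010000, num, search_range, entry_selector, range_shift)
    offset = 12 + 16 * num
    records, bodies = [], []
    for tag in tags:
        body = tables[tag]
        records.append(struct.pack(">4sIII", tag, table_checksum(body), offset, len(body)))
        bodies.append(_pad4(body))
        offset += len(bodies[-1])
    return header + b"".join(records) + b"".join(bodies)


def strip_hinting(data):
    """Drop fpgm/prep/cvt. Per-glyph instruction streams inside 'glyf' are
    NOT touched; a full sanitiser would also zero each glyph's instructionLength."""
    kept = {tag: body for tag, body in parse_table_directory(data).items()
            if tag not in HINT_TABLES}
    return build_sfnt(kept)


def rejects(data):
    """True if the parser refuses the blob; used to exercise the bounds checks."""
    try:
        parse_table_directory(data)
    except FontParseError:
        return True
    return False


# Constructed sample: table contents are placeholders, not a real usable font.
SAMPLE_FONT = build_sfnt({
    b"head": bytes(54),
    b"maxp": bytes(32),
    b"glyf": b"\x00" * 10,
    b"fpgm": b"\xb0\x00\x2c\x2d",      # stand-in bytes for a font program
    b"prep": b"\xb0\x01\x2d",
    b"cvt ": b"\x00\x10\x00\x20",
})

# Same font with the first table record's offset pointed far past EOF:
# the shape of a malformed file that a parser without bounds checks would follow.
_m = bytearray(SAMPLE_FONT)
_m[20:24] = struct.pack(">I", 0xFFFFFFF0)
MALFORMED_FONT = bytes(_m)

if __name__ == "__main__":
    print("hinting tables:", hinting_report(SAMPLE_FONT))
    print("after stripping:", hinting_report(strip_hinting(SAMPLE_FONT)))
    print("malformed rejected:", rejects(MALFORMED_FONT))
```

Removing fpgm/prep/cvt only disables the font-wide programs; glyph-level instructions live inside the glyf table and would need the loca/head tables parsed to zero them out, which is why a real "no hinting" switch belongs in the rasteriser rather than in a file rewrite.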
MS Windows dwarfs other operating systems in terms of usage in government, enterprise, education and household contexts. Therefore a degree of passive immunity to general, not specifically targeted, attack arises from deploying a less commonly used operating system, by virtue of criminals and mischief makers anticipating a greater return on their efforts by concentrating on attacking the most prevalent operating system.
OTOH, some mischief makers concentrate on computers and software made by a company known to be favored by folks with more money than the average bear. A company that lately seems hell-bent on achieving parity with MSFT in the "how much damage can we do with an update" contest.