April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly font

Microsoft has delivered another epic Patch Tuesday, dropping fixes for more than 100 security bugs, and Adobe and Intel have added their dose of misery and security too. April showers from Redmond The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being …

  1. Shadow Systems

    a broken Chakra Scripting Engine?

    That's not very Zen of them now is it? =-)p

    *Runs away before someone uses their Karma to run over my Dogma*

    1. robidy

      Re: a broken Chakra Scripting Engine?

Mmmmm, two 0-days targeting Windows 7 not patched... how many companies have had to delay retiring the last of them... plus the odd 2008 or 2008 R2 Server.

Let me guess, Microsoft's ESU services (very expensive licence to get updates for EoL products) are about to get a bumper boost of sales :)

    2. Doctor Syntax Silver badge

      Re: a broken Chakra Scripting Engine?

      Is that the strange case of the dogma that didn't bark in the night?

  2. MatthewSt

    "The massive patch load is no accident, say experts" - I'm no writer, but this sentence doesn't seem to fit with anything around it. Have they been saving the patches up? Are a large quantity of patches usually accidents? Granted the bugs are (in theory) accidents, but it sounds like this is only half of what the "experts" said.

    1. J. Cook Silver badge

      No, it means that people are devoting more effort to finding and exploiting bugs.

      1. LDS Silver badge

        And there are more and more automated ways to find "interesting" code.

      2. Timmy B

        "No, it means that people are devoting more effort to finding and exploiting bugs."

        Well people have stuff all to do at the moment... Oh hang on I'm guessing they wouldn't be the kind to spend that much time outdoors...

  3. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

ActiveX will probably be painfully around as long as you, BB, but once was useful, and patches can be attempted for it.

      Much love

      1. Throatwarbler Mangrove Silver badge
        Alien

        Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

        I once asserted that bob's programming would be more convincing someday. Unfortunately, that day appears to be somewhere in the future with quantum computing and fusion energy.

      2. robidy

        Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

BB provides entertainment; not sure what ActiveX provides but ongoing pain to administrators. A bit like Flash, Silverlight, and Adobe AIR, they all need taking out the back.

        1. baud

          Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

          Right now, for us ActiveX gives us an easy way to communicate between the browser (if you can call IE a browser...) and an application installed on the client machine. We're currently doing this for Chrome (because telling potential clients "IE only" got old a few years ago) and it's a load of work.

          1. Anonymous Coward
            Anonymous Coward

            Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

            "...if you can call IE a browser.."

            That's certainly not what I call it. As I don't want to be banned, I shan't record what I do call it.

            1. Anonymous Coward
              Anonymous Coward

              Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

              You wouldn't be banned for that. The Register is very liberal in its naughty word policies, and a product, especially one that is essentially dead, cannot sue for libel. If you named and shamed the developers, that could be different.

          2. EnviableOne Silver badge

            if you can call IE a browser...

Unfortunately for most orgs reliant on legacy software, MS now considers that IE is no longer a browser, and classifies it as a "compatibility solution."

Although getting the likes of custom ERP systems built by certain companies associated with the colours Blue and Red to work on anything resembling a browser is easier said than done.

      3. Anonymous Coward
        Anonymous Coward

        Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

"ActiveX will probably be painfully around as long as you, BB, but once was useful..."

        Anyone who is bored and wants some idle amusement could while away the time by making a list of products whose names could be substituted for "ActiveX" without reducing the truth of the sentence.

        Indeed, it could be the standard epitaph for all old software... which, unfortunately, is not dead even after it has been buried.

    2. Gene Cash Silver badge

      Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

      You're preaching yelling to the choir.

    3. RyokuMas Silver badge
      FAIL

      Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

      For the same reason your "beloved" Win32 is still out there, Bob - because some organisations are either too scared to upgrade, or do not see any profit in replacing something that "works for them", even if it is a security concern.

      You know, it's basically prioritising money above safety - kind of like your attitude towards COVID-19.

      1. Mike 137 Silver badge

        Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

        "something that "works for them", even if it is a security concern"

        How valid is the assumption that newer is more secure, given the burgeoning torrent of "security updates" affecting newer systems as well? The bugs you should be most afraid of are the ones not yet discovered.

There are many perfectly valid reasons for staying with something that "works for them" - not least the almost universal (and I'm sure intentional) forcing of obsolescence. Many engineering workshops have massive investment in CNC that can only be driven by an "obsolete" OS; many hospitals have critical diagnostic equipment likewise. This would cost possibly millions to replace in order to run a "current" version of Windows, so economic realism is a key factor. Furthermore, if properly segregated, a system can survive intact despite vulnerabilities.

        Good risk decision making is essentially based on cost/benefit assessment, so "basically prioritising money above safety" is not a fair generalisation, even if some businesses do get it wrong (and they do indeed).

        1. heyrick Silver badge

          Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

          "This would cost possibly millions to replace"

          Indeed. We have a machine at work that runs on top of DOS. It's a highly complex mission critical device. The manufacturers no longer exist (haven't for ages) and the hardware is a set of custom ISA boards stuffed full of programmable logic chips.

          I'm not sure we could even find somebody willing to take that on. Probably would be cheaper to have a new machine designed and built. And that's a large seven digit number.

          Usefully, the IT guys did think to copy the software to floppies, and one of them is, in his spare time, trying to work out because they're coming on top a quarter century old. Though, connected via UPS, the machine has never failed or shut down once in all the time that I've seen it. That's probably more than can be said for most modern systems which would be vastly more complex for absolutely no discernible benefit.

          1. John H Woods Silver badge

            Re: mission critical machine

            <teaching_grandma_to_suck_eggs>

            I'd have commissioned a replacement already, whilst you still have the mission critical machine as both back up device and regression testing benchmark

            </...>

            1. Boris the Cockroach Silver badge

              Re: mission critical machine

              Quote

              <teaching_grandma_to_suck_eggs>

              I'd have commissioned a replacement already, whilst you still have the mission critical machine as both back up device and regression testing benchmark

              </...>

Yeah.. but when the machine is the north side of 10 million quid and you're up against the beancounters (and the bank*), things ain't that easy, especially if you're not a dedicated IT shop, and the machine's manufacturer has long since gone bankrupt or is playing the tune "Buy this new one for 20 million quid"

Air gap, remove DVD drive, and glue up the USB slots works wonders.

*Bank.. here's a sample of what it's like to deal with the bank

              Us: Can we borrow £250 000 for new machines for our new product line, we've always made a profit and always paid off our loans on time

              Bank: get lost

Us (sometime later): we have new and disruptive agile tech born out of our blue sky thinking and revolutionary out of the box development that will catalyse the market for our stuff.

              Bank: How much do you need? 10 million cover it?

          2. cdrcat

            Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

            ISA bus factor = 1: when the wrong board fails on your “highly complex mission critical device”, your mission stops and everyone finds a new job.

        2. Anonymous Coward
          Anonymous Coward

          Re: An attacker could also embed an ActiveX control marked 'safe for initialization'

          The fundamental problem is the doomed attempt to combine an industry that uses software for productive purposes with another industry that makes and sells software for profit.

          The first industry would benefit from stability, while the second profits hugely from constant innovation and never allowing stability to settle in.

          Ironically, as the second industry is more (obviously) profitable, it always wins in any clash of wills.

  4. This post has been deleted by its author

  5. skeptical i
    Devil

    the revenge of Comic Sans

    What makes you think the font code was targeted and not issuing invitations?

    Call me the worst font ever, eh? I'll show you ....

    1. Doctor Syntax Silver badge

      Re: the revenge of Comic Sans

      I've been going over the originals of some books which are now out of print and are going to be redistributed as PDFs. Where the authors wanted to pick out names in bold for some reason they used Comic Sans. That has to go.

  6. redpawn Silver badge

    Ready Fire Ai...

    No, it's just Fire and more Fire. There is no Aim.

  7. Dan 55 Silver badge
    WTF?

    Windows 10

    So much for the sandbox...

    For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    ... it seems you can create new users and install programs in it.

    1. J27

      Re: Windows 10

      It's not like there are any apps that support the sandbox in Windows anyway. Everyone's still shipping Win32/64 API apps.

  8. herman Silver badge

    It is just amazing what incredibly craptastic code MS and Adobe wrote (and continue to write). It shows that they employ junior programmers with zero experience, no oversight and no code reviews get done either. It also shows that their bug fixes are equally craptastic. If it was me, I would start by auditing the libraries and provide macro wrappers to avoid common mistakes, then recompile the whole can of worms.

  9. TeeCee Gold badge
    Mushroom

    ...an ActiveX control marked 'safe for initialization'

    You do know that if you write "Dud" in marker pen on the side of a nuclear warhead, it'll still work? Right?

    1. Zippy´s Sausage Factory

      Given my experience of ActiveX controls, looking at it the wrong way is enough to stop it working.

      (Cue eye twitch while remembering "business critical" support requests...)

  10. RichardBarrell

    Fonts aren't innocuous

    Fonts are about as non-innocuous as file formats can get. They have code embedded in them for hinting which font rendering engines often have to run. There is a long history of RCE vulnerabilities in font parsing and rendering software (on all platforms as far as I can remember). NoScript bans custom web fonts in its default configuration because NoScript's authors think they're a plausible vector for drive-by malware.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fonts aren't innocuous

      "Fonts are about as non-innocuous as file formats can get"

That's ridiculous. Obviously there are more non-innocuous file formats - like every single executable binary file for a start. The vulnerability is in the renderer, not the font file. A text file can become harmful if the renderer has a bug that can insert executable code into a certain memory space.

NoScript bans web fonts mainly because they are third-party hosted and therefore provide a viable way to track users around the web. If every website uses 'cool font' from 'cool company' as their header font then 'cool company' knows every site you have visited. Worries about malware are not the reason, although anything launched from a third party site is deemed possible to compromise; however, third party hosted javascript has way, way more potential to be menacing without even having a vulnerability in its renderer.

      1. I am the liquor

        Re: Fonts aren't innocuous

        Anything that runs any sort of program instructions is a risk, whether it's ActiveX, JavaScript, Office macros or TrueType hinting functions. Believe it or not TrueType fonts do contain executable programs so they're not in the same class as renderers for purely static data like text or images.

        In some ways they're more of a risk than JavaScript, because the interpreter they run in is likely not as well hardened as JS runtimes are nowadays. Depending on OS design, your font rendering engine might be running at a higher privilege level than a browser as well.

        It would be nice if there were some option to completely disable TrueType hinting instructions. I wonder how much benefit they really give on the latest high-DPI displays.

    2. LDS Silver badge

      "They have code embedded in them for hinting"

And that code needs to be fast because you don't want weird rendering effects users will notice. Once it was mostly code run by RIPs when printing; now it has to be done in real time while displaying the text on high-DPI devices.

      Maybe, time to develop a SecureType font engine and format....
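An added example, not code from the page or from any of the commenters, illustrating the point made above that TrueType fonts carry executable hinting programs: it walks the sfnt table directory of a font file with bounds checks and reports whether the font-wide instruction tables 'fpgm' and 'prep' are present and how large they are, which is the inventory a defender would want before deciding where hinting can be turned off. The sample font bytes are constructed inside the block (a minimal container, not a renderable font); per-glyph instructions inside 'glyf' are out of scope here.

```python
import struct

# sfnt tables that hold font-wide TrueType instructions (bytecode the
# rasterizer's interpreter executes): 'fpgm' holds function definitions,
# 'prep' is the control value program run whenever the size changes.
INSTRUCTION_TABLES = ("fpgm", "prep")


def parse_table_directory(data):
    """Parse the sfnt header and table directory into {tag: (offset, length)},
    bounds-checking every record against the buffer before trusting it."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    if sfnt_version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt: 0x%08x" % sfnt_version)
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if offset + length > len(data):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def hinting_programs(data):
    """Return {table: size_in_bytes} for the instruction tables present."""
    tables = parse_table_directory(data)
    return {t: tables[t][1] for t in INSTRUCTION_TABLES if t in tables}


def build_sample_font(include_fpgm):
    """Constructed minimal sfnt container for the demo (not a usable font)."""
    # Constructed payloads; checksums and search fields are left at zero.
    entries = [("head", b"\x00" * 54), ("maxp", b"\x00\x01\x00\x00" + b"\x00" * 28)]
    if include_fpgm:
        # PUSHB[0] 0, FDEF, ENDF: a valid program defining an empty function 0.
        entries.append(("fpgm", bytes([0xB0, 0x00, 0x2C, 0x2D])))
    header = struct.pack(">IHHHH", 0x00010000, len(entries), 0, 0, 0)
    first_table = len(header) + 16 * len(entries)
    directory, body = b"", b""
    for tag, payload in entries:
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0,
                                 first_table + len(body), len(payload))
        body += payload + b"\x00" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + body


if __name__ == "__main__":
    for flag in (True, False):
        print("with fpgm:" if flag else "without fpgm:", hinting_programs(build_sample_font(flag)))
```

To run it over real files, pass `open(path, "rb").read()` to `hinting_programs`; a `ValueError` means the directory itself is malformed.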

  11. Long John Silver
    Pirate

    Better to be an outlier?

MS Windows dwarfs other operating systems in terms of usage in government, enterprise, education, and household contexts. Therefore a degree of passive immunity to general, not specifically targeted, attack arises from deploying a less commonly used operating system; this by virtue of criminals and mischief makers anticipating greater return on their efforts by concentrating on attacking the most prevalent operating system.

    1. Mike 16 Silver badge

      Re: Better to be an outlier?

      OTOH, some mischief makers concentrate on computers and software made by a company known to be favored by folks with more money than the average bear. A company that lately seems hell-bent on achieving parity with MSFT in the "how much damage can we do with an update" contest.

    2. cdrcat

      Re: Better to be an outlier?

      iOS and Android dwarf Windows usage in a household context. And they are critical for security in a business context (they are often literally the keys to the bank and infrastructure in small to medium businesses).

  12. Anonymous Coward
    Anonymous Coward

    PoS

    What a veritable PoS

    ...no, I’m not referring to point of sale...

  13. Anonymous Coward
    Anonymous Coward

    Using windows is gross negligence.

    There will eventually be a high stakes court case.

  14. Anonymous Coward
    Anonymous Coward

    MS used to be pretty poor, now they're garbage

    Windows XP 741 CVE in 19 years

    Windows 7 1283 CVE in 11 years

    Windows 10 1111 CVE in 5 years

  15. Anonymous Coward
    Anonymous Coward

    I call Windows $h1td0ze.

    On a scale of 1 - 10, how funny am I?

    1. WolfFan Silver badge

      -100. Possibly less.

      1. Anonymous Coward
        Anonymous Coward

        That's a positive step change from last year.


Biting the hand that feeds IT © 1998–2022