Microsoft patches critical remote-code-exec hole in Exchange Server and others

Microsoft has addressed 71 security flaws, including three critical remote code execution vulnerabilities, in its monthly Patch Tuesday update. The IT giant is confident none of the bugs have been actively exploited.  One of those critical RCEs is in Microsoft Exchange Server, and labeled CVE-2022-23277. It can be exploited by …

  1. ShadowSystems Silver badge

    That's it. Enough already.

    We should stop all this faffing about with obviously insecure code & switch to the known perfection of good old Commodore Basic. Nothing ever went wrong when coding in Basic.

    *Inserts a giant, neon, glowing, 99point type, underlined, italicized, bold, blinking, scrolling marquee SARCASM tag*

    =-)p

    1. b0llchit Silver badge
      Coat

      Re: That's it. Enough already.

      You mean, using Commodore Basic would magically make all programmers program FizzBuzz in under 3 minutes and do it correctly at the same time? I kinda like those odds.

      Agreed, kill all newfangled systems and we go back to Commodore Basic. The future awaits us with new security.

      My blinking sarcasm tag may be smaller, but it surely is programmed correctly.

      10 SIN

      20 GOTO HELL

      1. AMBxx Silver badge

        Re: That's it. Enough already.

        Are we going to return to the arguments about the merits of 'Repeat Until' vs 'While Wend'? Makes a change from Apple vs Android.

        1. b0llchit Silver badge
          Joke

          Re: That's it. Enough already.

          You misunderstand. The argument is not "'Repeat Until' vs 'While Wend'".

          The argument is Repeat While Until Wend. After some time all programmers are so looped that GOTO no longer is considered harmful.

      2. Danny 14

        Re: That's it. Enough already.

        ahh good old dixons

        10 print "dixons smells"

        20 goto 10

        The youth of yesterday.

    2. Sandtitz Silver badge
      Happy

      Re: That's it. Enough already.

      We should stop all this faffing about with obviously insecure code & switch to the known perfection of good old Commodore Basic.

      You do know that Microsoft was behind Commodore Basic?

  2. John Brown (no body) Silver badge
    Facepalm

    HEVC "data" files contain executable code?

    Surely this is yet again a case of lessons NOT being learned. Malicious JPEG image files anyone?

    Why does *any* data file need to contain *any* executable code? I mean files which any normal person would expect to be data, not complex script operated spreadsheets etc. That's a separate can of worms.

    Does an HEVC encoder or decoder include some sort of scripting interpreter or VM and has access to the underlying OS? After all, the same HEVC file is expected to play on Windows, Linux, Apple, Android etc.

    1. diodesign (Written by Reg staff) Silver badge

      Re: HEVC "data" files contain executable code?

      No, they're not supposed to contain arbitrary code.

      What happens, with these kinds of bugs, is that there is a payload of instructions carefully placed within the multimedia file that is otherwise just data. When the file is parsed, the vulnerability in the parser is exploited to allow the payload to eventually execute.

      There are steps in between to get around the OS's security defenses.

      C.

      1. John Brown (no body) Silver badge
        Thumb Up

        Re: HEVC "data" files contain executable code?

        Ah, I see. Not a direct attack then, just part of a multi-step. A variation on the buffer overflow. Get code into RAM and trick the system into executing it.
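The parser-bug class described in the HEVC thread above, shown from the defender's side. This is an added example, not code from the article, the commenters or any Microsoft component; the chunk layout, function names and sample bytes are constructed for illustration and are not the real HEVC format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy chunk layout (NOT the real HEVC/HEIF format):
 *   bytes 0-3  payload length, big-endian, taken from the file
 *   bytes 4-7  tag
 *   bytes 8..  payload                                          */
#define HDR_LEN 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Buggy pattern: the length comes straight from the file and is never
 * compared with the input size or the destination size, so an oversized
 * value makes memcpy write past `out` (memory corruption). */
long copy_chunk_unchecked(const uint8_t *file, uint8_t *out) {
    uint32_t len = be32(file);
    memcpy(out, file + HDR_LEN, len);
    return (long)len;
}

/* Hardened pattern: every size is validated before any byte is copied.
 * Returns the payload length, or -1 if the chunk is malformed. */
long copy_chunk_checked(const uint8_t *file, size_t file_len,
                        uint8_t *out, size_t out_cap) {
    if (file == NULL || out == NULL || file_len < HDR_LEN)
        return -1;                        /* truncated header */
    uint32_t len = be32(file);
    if (len > file_len - HDR_LEN)         /* claims more data than exists */
        return -1;
    if (len > out_cap)                    /* would overflow destination */
        return -1;
    memcpy(out, file + HDR_LEN, len);
    return (long)len;
}

/* Constructed samples: a well-formed chunk and one whose length lies. */
static const uint8_t GOOD_CHUNK[] = {0,0,0,4, 'd','a','t','a', 1,2,3,4};
static const uint8_t EVIL_CHUNK[] = {0xff,0xff,0xff,0xff, 'd','a','t','a', 1,2,3,4};

int main(void) {
    uint8_t out[16];
    long ok  = copy_chunk_checked(GOOD_CHUNK, sizeof GOOD_CHUNK, out, sizeof out);
    long bad = copy_chunk_checked(EVIL_CHUNK, sizeof EVIL_CHUNK, out, sizeof out);
    return (ok == 4 && bad == -1) ? 0 : 1;
}
```

The file never needs to "contain executable code" by design; the data only becomes dangerous when a parser like the unchecked one lets it overwrite memory it should not reach.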
