The Intel info was next to useless. A dozen notices requiring users to know every piece of hardware and software on their machines before they can even begin to determine which patch applies.
It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes
Microsoft, Adobe, Intel, and SAP have all emitted their latest Patch Tuesday batch of security fixes. Users and admins are encouraged to test and install the updates as soon as humanly possible. For those running Windows and Windows Server, you'll be interested in as many as 88 CVE-listed flaws that need addressing in …
COMMENTS
-
Wednesday 12th June 2019 18:19 GMT Mark 85
The Intel info was next to useless.
That seems to be pretty normal for them. Tracking a given processor through their maze is almost impossible. It's a pity they don't have some tool to identify the process and then call for the appropriate patch. It would save everyone a bundle of time.
In a separate issue rant, home users never, ever (for the most part) hear of these patches and then have a clue what to do.
-
Wednesday 12th June 2019 02:48 GMT Anonymous Coward
can not repro "certutil.exe" hang with "modinv.pem" from project-zero info page
Can anyone repro the "certutil.exe" process hang with the "modinv.pem" download from the Project Zero info page on the bug?
https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
Win7sp1: certutil modinv.pem does not hang
Win 2016 Server 1607: certutil modinv.pem does not hang
-
Wednesday 12th June 2019 05:21 GMT BebopWeBop
And the phone calls “Hello I’m from Intel/Microsoft/Adobe, you have probably seen the press comments about dangerous bugs, but we are putting in enormous efforts to help people fix them, just go to this web site” will ramp up. Not that I think making people aware of the need to patch is unimportant, just groaning in anticipation of the reaction from some ne’er do wells.
-
Wednesday 12th June 2019 05:37 GMT deadlockvictim
I make use of them as educational tools. I put the person from "Microsoft" on speakerphone, call my daughter over and tell her that this is a phisher. That they are people who are trying to get you to install malicious software onto your computer so that they can access it. We then go through the pre-written spiel until they hang up.
They are starting to either use or spoof numbers from the U.K. (0044) these days. I miss the Indian numbers (0091).
-
Wednesday 12th June 2019 13:22 GMT Anonymous Coward
Ditto in Belgium and the Netherlands, and sometimes they even try to spoof the local dialling codes.
That said, they haven't worked out yet that an in-country number never shows the country prefix :). If I'm in the Netherlands and a number comes up as 0031, I know it's spoofed.
The problem is that the swines are starting to interfere with our emergency numbers. Of course, someone will always answer because that's their function, but they get in the way of clients with emergencies which can have dire implications.
-
Wednesday 12th June 2019 19:37 GMT N2
I put the person from "Microsoft" on speakerphone
I used to get them here in France, and they seemed surprised when I spoke back in French. I'd keep them on the line as long as possible, but eventually they'd give up trying to explain my PC had some sort of virus, despite not owning one.
Then we got a call blocker and strangely they seem to have 'gone away'.
-
Wednesday 12th June 2019 07:10 GMT big_D
Why Google?
Why the arbitrary 90 days, without taking in feedback? If there are extenuating circumstances, surely it is better to keep a lid on the issue until it is resolved. I mean, look at Meltdown and Spectre, they kept a lid on that for a year, until everybody, including Google, was ready to release patches. Why didn't Google go public 9 months earlier?
If Microsoft hadn't responded, I could understand Google going public.
If Microsoft had responded, but was still working on it and Google discovered an active exploit, I could understand Google going public.
If Microsoft has responded, is actively working on a fix, but requires another 30 days to properly test that the fix doesn't cause other issues, I don't see why Google can't wait 30 days to release their information.
Google actually makes the situation worse in these circumstances. There is a fix in the works, but now Google has given malware developers a heads-up on where to look, whilst the systems are still vulnerable.
-
Wednesday 12th June 2019 07:52 GMT RyokuMas
Re: Why Google?
Why? This is typical Google strategy: try to paint themselves as the good guys - "we're doing this because we care about the end users' security!" - while acting in a manner that is ultimately self-serving, be it attacking a competitor or excusing their hoovering up yet more data.
The 90 days notice is merely to be able to avoid any claims of anti-competitive behaviour.
-
Wednesday 12th June 2019 14:39 GMT RyokuMas
Re: Why Google?
Wait, what???
"The idea Tavis is part of some Google conspiracy to attack Microsoft isn't even wrong." - well that's obvious enough, given that his response to Bejtlich is pretty much an ad hominem against FireEye, as opposed to an addressing of a legitimate concern or a rebuttal as to why the disclosure was reasonable.
So how exactly am I mistaken when I say that Google have a track record of selling self-serving actions under the guise of being "for the good of the users"?
-
Wednesday 12th June 2019 07:53 GMT Anonymous Coward
"they kept a lid on that for a year"
Sure, because they were at risk too.
Google is using vulnerability disclosures against (some) competitors - especially those that don't put themselves at risk. They would never do something like that against Apple, since many at Google use Apple systems.
That's irresponsible disclosure.
-
Wednesday 12th June 2019 09:03 GMT Tom Paine
Re: "they kept a lid on that for a year"
Welcome to ChoppedLiver 2.0
https://www.google.com/amp/s/gizmodo.com/googles-project-zero-team-releases-details-on-high-seve-1833052225/amp
The 90 day deadline (which has nothing to do with anti-trust laws, of course) is the same for every vendor. Release is automatic.
-
Wednesday 12th June 2019 16:48 GMT Anonymous Coward
Re: "they kept a lid on that for a year"
LOL. There have been several instances when Google delayed disclosures. Usually when its own butts were at stake. Google is weaponising vulnerability disclosures. And nobody ever put Google in a position to decide what is good or not. Really hope one day they will die by the same sword.
-
Wednesday 12th June 2019 07:17 GMT Maelstorm
WTF?
WTF Google!?!?
Google reported the vulnerability privately to Microsoft with a 90-day deadline to fix it. Redmond planned to release a fix this month, within Google's time limit, then pushed the update back to July for more testing, thus missing the deadline. And so Google went full disclosure today.
I'll bet if it was a bug in their software, they would keep their mouths shut until it was patched. Nice going there screwing the Windows users.
-
Wednesday 12th June 2019 08:47 GMT Dan 55
Re: WTF?
I think "it's in QA" is a pretty valid reason. What do MS do now, rush it out without full testing and increase the chances of hosing computers (which admittedly is par for the course from MS these days) or get accused of allowing a month for a zero-day to be exploited?
Google's an 800lb gorilla throwing its weight around when perhaps it should be concentrating on its own problems with Android.
-
Wednesday 12th June 2019 10:08 GMT iGNgnorr
Re: WTF?
"Google's an 800lb gorilla throwing its weight around when perhaps it should be concentrating on its own problems with Android."
I may be wrong here, but Microsoft, last time I looked, was also an 800lb gorilla. I think they can take care of themselves. Google/Tavis aren't picking on some tiny organisation which has very limited resources.
-
Wednesday 12th June 2019 12:40 GMT Anonymous Coward
Re: WTF?
"I think "it's in QA" is a pretty valid reason. What do MS do now, rush it out without full testing and increase the chances of hosing computers (which admittedly is par for the course from MS these days)"
Maybe if they hadn't ditched a lot of their QA team a couple of years back things like this wouldn't be an issue.
-