It's 2015, and someone can pwn Windows PCs by inserting a USB stick
Microsoft has released 14 sets of software patches to address critical security vulnerabilities in Windows, Office, Internet Explorer, and Edge. Yes, even Edge: Microsoft's supposedly whizzbang super-secure web browser. Users and sysadmins should apply August's Patch Tuesday fixes as soon as possible: the bugs can be exploited …
COMMENTS
Wednesday 12th August 2015 14:17 GMT Anonymous Coward
I like the way they separated the Edge bugs from the IE bugs. Same CVEs though. Whatever could that mean?
It means you will soon see yet another Redmond marketing troll claiming that Windows has only got xx problems, but Linux/OSX/FreeBSD (etc etc) have more, because that's how they sell this abomination to their golf buddies.
Wednesday 12th August 2015 22:49 GMT Jordan Davenport
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240
Despite the fact that it identifies as pretty much everything else as well for compatibility, Edge identifies as version "12.10240", which I see as an internal admission of its being IE12, even if "About this app" identifies it as Microsoft Edge 20.10240.16384.0.
Tuesday 11th August 2015 21:44 GMT AndrueC
Re: Can I please go back to PC-DOS?
Or CPM?
Maybe not browser bugs but I did once write a virus for CP/M when I was at polytechnic in the mid 80s. Purely as an intellectual exercise of course. Plus I wrote it on an Amstrad CPC 6128 which used 3" floppy discs so it didn't really have much opportunity to infect the wider world :)
Tuesday 11th August 2015 22:09 GMT Anonymous Coward
OpenSSH remote execution bug?
One of the fixed security bugs (mentioned in the release notes) was:
* sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit.
Sounds like a remotely exploitable bug that may not need a local account. Anyone know the details?
Tuesday 11th August 2015 22:13 GMT Anonymous Coward
No wonder patch Tuesday had to go..
.. they clearly need more days in the week than just one to keep up.
I wonder what sort of effort MS management undergoes to remove their ability to be embarrassed about the quality of what they sell. Is it reprogramming à la Scientology, or maybe surgery? Whatever it is, it must be pretty major.
Wednesday 12th August 2015 13:43 GMT Anonymous Coward
Re: No wonder patch Tuesday had to go..
I don't know, the cynic in me says that list of remote execution bugs sounds like a carefully crafted set of NSA bugs inserted by someone on the inside. However, the realist in me says "shit coding".
I no longer have any inclination as to which of those two possibilities is the more likely!.. Meanwhile the pragmatist in me is shouting "WHY CAN'T THEY BE A COMBINATION OF THE TWO? IT'S PROBABLY BOTH, IT'S PROBABLY BOTH"
Calmly considering all the factors, I think the pragmatist is probably correct. ;)
Wednesday 12th August 2015 14:20 GMT Anonymous Coward
Re: No wonder patch Tuesday had to go..
"I no longer have any inclination as to which of those two possibilities is the more likely!.. Meanwhile the pragmatist in me is shouting "WHY CAN'T THEY BE A COMBINATION OF THE TWO? IT'S PROBABLY BOTH, IT'S PROBABLY BOTH""
Well done, you have just found an argument why the code has to be at least of *some* quality - can't afford a crash when it's sending off your data to the NSA now, can it?
Wednesday 12th August 2015 12:25 GMT Anonymous Coward
Re: Holdouts
"Now how many of these vulnerabilities exist in the win2k and win2k3 code bases and therefore remain unpatchable by the laggards?"
Patches were released for some of these on Win2K3 if you have an extended support agreement. The agreement prevents publicly providing any further details...
Wednesday 12th August 2015 14:03 GMT Anonymous Coward
Re: All versions on windows.... again
"Using OSX"
Errm - but that's on well over 2,000 known vulnerabilities now - way more insecure than even Windows XP.
Oh hello Redmond marketing department, really? You really want to try and spin that one here, and really right now? You did read what the main article was about, no? And you do realise that most people reading *this* forum are fairly adept at detecting manipulated statistics and selective quoting from facts, no?
I know you're paid to peddle this myth but you really ought to come up with something new, like actual facts. Ah, no, sorry, that's exactly the problem, isn't it? If you remained with the facts it would all get even more embarrassing, wouldn't it? Don't you think that your time and the company's would be better spent on coding an OS that is actually suitable for a 21st century IT environment instead of still being so deficient that only someone suffering from insanity (or a serious degree of masochism) would hook up a raw box to the Internet, whereas NO other modern OS has any problems with that out of the box?
You see, it is exactly the fact that you cannot acknowledge that this is a frankly piss-poor performance of a supposedly modern OS that stops you from fixing it. Stop pretending that it is even NEAR beta quality and produce something that is decent for a change. I know it would be a total shock to the system, but especially now you're seeking to entrap people into a subscription model it would be good to demonstrate that people actually get something for their money, because on raw ROI Windows has been performing badly for quite some time, and this latest debacle is not exactly helping if I start adding up all the resources and FTEs I'd need to keep this anywhere near safe to use.
Wednesday 12th August 2015 17:42 GMT Anonymous Coward
Re: All versions on windows.... again
"I know you're paid to peddle this myth but you really ought to come up with something new, like actual facts"
I see we have another deluded Apple user. The facts are from Secunia and NIST among others and the links to the vulnerability lists have been posted here plenty of times before.
See for instance https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapple&cpe_product=cpe%3a%2f%3aapple%3amac_os_x&cve_id=
Everything you say applies even more to OS-X.
Monday 17th August 2015 05:35 GMT Kiwi
Re: All versions on windows.... again @ MS shill AC
...more insecure than even Windows XP.
Seriously.
You want to use that argument.
In a comments thread on an article that talks about USB STICKS INFECTING WINDOWS IN 2015!!!
How fucked in the head do you have to be to still defend them after all this crap? Doesn't the shame and self-disgust make you want to end your life in some fittingly painful manner? Surely even MS could not pay someone enough to lower themselves to such a point as to actually defend them after something as bad as this?
I guess the reason you haven't ended your own life is evident though - you obviously are seriously mentally deficient, which begs the question how did you escape from hospital?
Wednesday 12th August 2015 01:09 GMT steamnut
Bugs in Edge? Really?
It defies belief that a "brand new" browser, aka Edge, has so many flaws less than a month from the release of Windows 10. It makes you wonder just how much of Edge was really a re-write / build from scratch. I'm thinking it shares a lot of IE's codebase hence the vulnerabilities.
And to think that Vista was supposed to be the best tested OS ever.....
Wednesday 12th August 2015 13:57 GMT TheOtherHobbes
Re: Bugs in Edge? Really?
>It defies belief that a "brand new" browser, aka Edge, has so many flaws
No. It really doesn't.
Meanwhile at Hobbes Towers we've just discovered that Wurd 2013 on Win 8/10 uses the same rendering engine as IE11, which means text looks like jagged crap.
MS took out a feature that worked in Win 7 and replaced it with crap code that everyone who uses Wurd has to look at every day.
That's how awesome MS is.
Wednesday 12th August 2015 14:53 GMT Ken Hagan
Re: Bugs in Edge? Really?
" It makes you wonder just how much of Edge was really a re-write / build from scratch."
Where did you get that idea? I thought Edge was fairly clearly presented as "Starting from the IE codebase, we took out all the backwards compatibility hacks.". The idea is that it will then be easier to maintain the less-hacked-about codebase. I'm not aware of anyone claiming that it was a completely new engine. (As you hint, given previous and completely discredited claims of a "total re-write" regarding Windows itself, any such claim for Edge would have been laughable.)
Wednesday 12th August 2015 03:17 GMT Anonymous Coward
Every one of these has one thing in common .....
Shitty devs!! Go ahead and start your thumb-downs, whatever! When are these asshats gonna be let go...... or the hiring managers?
These bottom feeders continue to put everyone at risk .... they get their check then check out. Not an ounce of pride of ownership. Case in point .... I was told we still use Flash because "HTML5 is too hard." Yeah, too hard .... as they use Slack to access Jira so they don't have to VPN. FIRED - 2 PEOPLE ..... the person that chose to pay for Slack, and the fuck that chose to spend the time to integrate Slack + Jira instead of fixing the critical vulns that have been pointed out .... that they don't understand. But no!!! "We appreciate their creativeness." What the fuck ever!
Wednesday 12th August 2015 04:07 GMT Anonymous Coward
I suggest
That "goat" devices be deployed which appear to contain vulnerabilities and interesting-but-useless information such as credit *s with limited funds and dummy datasheets, spreadsheets etc.
Should be possible to emulate a typical out of date patched Windows b0xen on an Arduino and this could log number of attacks on a small display for training purposes etc.
Wednesday 12th August 2015 06:18 GMT Anonymous Coward
Re: I suggest
They are called honeypots, anon.
However, these too need maintenance. I suppose even more than the real stuff.
The sad real-life situation is that even the real stuff does not get the maintenance it needs ("You need to maintain this server? But Microsoft is issuing patches regularly, what do you need to do? Don't be a weasel!")
Wednesday 12th August 2015 09:03 GMT Anonymous Coward
Re: I suggest
They are called honeypots, anon.
That's a later development. It sort of started with Fred Cohen's Deception Toolkit (DTK), created just before we got distracted by Y2K. The DTK does more or less what the OP described.
I find it useful to go back to origin of ideas, because you find that later developments tend to cherry pick aspects of it and discard others that may have value in their own right.
An example of that is referring to the novel "1984" where what you really ought to do is go back to the whole Jeremy Bentham "panopticon" theory, because you then also pick up that this is about advanced, long term mental manipulation and, more importantly, that that idea was meant for prisoners...