It's September 2017, and .NET lets PDFs hijack your Windows PC

While much of the tech world is still fixating on Apple's $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month's Patch Tuesday load. Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet …

  1. FF22

    It's September 2017...

    ... and Shaun Nichols still doesn't get it, that it's virtually impossible to create flawless software, and that because of that there will be always new vulnerabilities discovered in them, especially if they're as widespread, as large and their development is as fast-paced, as is Windows'.

    1. Anonymous Coward
      Mushroom

      Re: It's September 2017...

      > development is as fast-paced, as is Windows

      Surely you meant development is as crappy and untested as is Windows?

      FTFY.

      I can think of a few operating systems currently in use - not Windows obviously - that don't allow the whole system to be pwned by a PDF.

      On the plus side, the Windows pwnage headlines are fun to read.

      1. Dan 55 Silver badge

        Re: It's September 2017...

        It's September 2017 and you didn't know you're supposed to offload input validation to a process with restricted rights.

    2. Anonymous Coward

      Re: It's September 2017...

      So Google managed to have as many flaws in one limited OS as Microsoft did in every single supported product!

      1. Anonymous Coward

        Re: It's September 2017...

        "So Google managed to have as many flaws in one limited OS as Microsoft did in every single supported product!"

        To be fair, a quarter of 'Google's' vulns were actually third party drivers according to TFA. And 39 out of 81 vulns supporting remote execution is pretty bad for MS. Not sure on the severity of Google's ones though as that wasn't detailed. Shame on them too if they have such a high proportion of RCX bugs.

    3. Anonymous Coward

      Re: It's September 2017...

      It's September 2017...

      ... and Shaun Nichols still doesn't get it, that it's virtually impossible to create flawless software

      Strangely enough, if you avoid code made by Microsoft and Adobe, your exposure to idiotic bugs drops dramatically. Ergo it IS possible, only MS and Adobe cannot be bothered. That's what you get when profit comes before quality but it appears that Microsoft Vista's episode of launching code that wasn't even good enough for an alpha release was apparently not enough of a heads up.

      Oh well.

      1. Anonymous Coward

        Re: It's September 2017...

        "Strangely enough, if you avoid code made by Microsoft and Adobe, your exposure to idiotic bugs drops dramatically"

        Or maybe not:

        https://nvd.nist.gov/vuln/search/statistics?adv_search=true&form_type=advanced&results_type=statistics&cpe_vendor=cpe%3a%2f%3aapple

        https://nvd.nist.gov/vuln/search/statistics?adv_search=true&form_type=advanced&results_type=statistics&cpe_vendor=cpe%3a%2f%3aredhat

        https://nvd.nist.gov/vuln/search/statistics?adv_search=true&form_type=advanced&results_type=statistics&cpe_vendor=cpe%3a%2f%3agoogle

  2. This post has been deleted by its author

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: Never mind PDF

      "Name is Oleg"

      Or maybe they hacked his PC....

    3. veti Silver badge

      Re: Never mind PDF

      Newsflash: "whois" data is not always 100% infallibly accurate. People can and do write all kinds of bullshit in domain registrations, daily. If you want to "fight Russian hackers", you're going to need - and probably going to get, fairly shortly now - a crash course in validating your data.

      And why exactly is this relevant to - well, anything - anyway?

      1. TheElder

        Re: Never mind PDF

        Too many other things I checked match perfectly. CSIS will be getting back to me. We shall see but it looks like it is locked tight. It helps a lot that I am totally invisible on line. So is my main work partner. Even if you check my IP address it has a radius of about seven kilometres. That includes about 80,000 people. I also live behind a virtual wall. Even my address with the online accounts does not lead directly to me. What I have resembles a post office box.

        1. Pascal Monett Silver badge

          Re: "I am totally invisible on line"

          Glad you're so sure of that.

          By the way, have you made any purchases online lately? Because if you have, you're less invisible than you think.

          Do you use a Javascript blocker? Because if you don't, you're totally not invisible, even if you do use a VPN.

        2. Nolveys

          Re: Never mind PDF

          @TheElder

          I like to trade my Thorazine for bath salts too.

  3. joed

    MS follows in Equifax footsteps

    To read the details of CVE (the pdf related link) one has to accept MS' ToS. Really. I only have so much time to burn on their sites but I have no intent to just blindly accept whatever they've come up with. What's next? Sign in with MS account? Not even while I'm not using their own browser (under no condition I'm risking converting my local user account). I bet they'd like to enforce Chinese government real name policy?

  4. rmullen0

    Just say no to software developed using unsafe languages like C/C++

    I wonder when people are going to wake the f--- up and stop developing software in languages that don't have array bounds checking and as a result, have lots of buffer overflows in them. Something needs to change. This isn't working. Buffer overflows aren't the only exploit, but, they do account for a large percentage of them. Maybe if these companies were held liable for the bugs, then we would see real change. As it stands now, it is just the same old same old. Completely insecure untrustworthy code. Furthermore, Microsoft should open source Windows. Until they do so, I don't see how anyone can trust their software. And also, as always Microsoft is more interested in creating cheesy new features than creating a secure operating system. Evidence of this is how the firewall works with Windows Store apps. It constantly opens up access to the apps on all ports. This is even for apps that aren't even listening on ports. This behavior is ridiculous and unacceptable. Again, how does Microsoft expect anyone to trust their software? And why do they bundle Flash with Windows? The fact that Microsoft also worked with the NSA when designing Windows Vista is also telling. Does anyone think that the NSA was helping Microsoft fix security holes? No, they were building their own treasure trove of bugs that they could use to exploit and spy on people.

    1. Dan 55 Silver badge

      Re: Just say no to software developed using unsafe languages like C/C++

      Very nice rant, but .Net uses the CLR so C/C++ is not the scapegoat you're looking for.

    2. bazza Silver badge

      Re: Just say no to software developed using unsafe languages like C/C++

      ...and what does he think Java, .Net, Linux, WindowsNT kernel, web servers, etc are all written in?!

    3. bombastic bob Silver badge
      Headmaster

      Re: Just say no to software developed using unsafe languages like C-pound and ".Not"

      fixed it for ya

    4. david 12 Silver badge

      Re: Just say no to software developed using unsafe languages like C/C++

      >I wonder when people are going to wake<

      Not anytime soon judging by the voting pattern here...

  5. Anonymous Coward

    Yawn

    Just that.

  6. colinb

    Wrong, it's not PDF, it's an RTF parsing bug

    If you check FireEye they detail the bug as a SOAP WSDL parser code injection vulnerability when parsing an RTF file (extension might be .doc also).

    PDF, RTF both end in F so close I guess but I suspect Shaun would be a buggy developer with such a lack of precision.

  7. Mystic Megabyte
    FAIL

    Still nope

    Two days ago I was asked to help someone with a pdf that had been emailed to them from their publisher. They just needed to do some minor edits. They had a brand-new Lenovo laptop running Windows 10. The pdf displayed perfectly in their browser but Microsoft Word could not detect what encoding it had. What looked like a Win 3.1 dialogue box opened, asking whether it was DOS, Albanian or Chinese etc. (none of the options worked, WTF!) Libre Office would open it but the formatting was off and it was almost frozen. (A cunning plan by Microsoft no doubt!)

    On my Ubuntu box the pdf opened perfectly in Evince, but still no joy in Libre Office. I used pdffonts to get some info, downloaded and installed the correct font. Now it displayed slightly better in Libre Office so I installed the same font into Win 10. No change, Win 10 is a POS!

    1. CliveS
      FAIL

      Re: Still nope

      "No change, Win 10 is a POS!"

      PDF displayed perfectly in browser, so not a browser or OS issue there. Word couldn't detect encoding, so possible Word issue. Libre Office opened but messed formatting, so possible Libre Office issue. Evince on Ubuntu opened perfectly so not an issue with Evince or Ubuntu there. Libre Office on Ubuntu had issues, improved, but not resolved by downloading font, so possible Libre Office or font management issue. Installed font on Windows 10, didn't bother to say which app you tried to open it with, but no change.

      And after all that - where it displayed perfectly in a browser on Windows 10 and in Evince on Ubuntu and your conclusion is that Win 10 is a POS? Amazing, given that the common factors for failure appear to lie with trying to edit the document in either Word or Libre Office on both Ubuntu and Win 10.

      Plenty of reasons to diss Win 10, but this isn't one of them. Good display of confirmation bias though.

    2. TheVogon

      Re: Still nope

      " but Microsoft Word could not detect what encoding it had."

      "Libre Office would open it but the formatting was off and it was almost frozen."

      Sounds like a non standard encoding PDF to me as both had issues. Is the source by any chance a non western country?

      "so I installed the same font into Win 10. No change, Win 10 is a POS!"

      If the issue was Windows 10 encoding support, then you would likely have needed to install the relevant language support - for instance Russian, Chinese, Arabic, etc, not a font. However I suspect this is simply that Word doesn't recognise the encoding. See https://support.office.com/en-us/article/Choose-text-encoding-when-you-open-and-save-files-60D59C21-88B5-4006-831C-D536D42FD861

  8. Tom 7

    Every time someone re-invents the wheel

    we go through the whole gamut of rotation based fuckups again.

  9. Anonymous Coward

    Give code editors a performance score card

    Like CISOs, I think maybe we should demand a performance score card approach to hold code editors accountable for the code they write; that way, people are held accountable for their performance. If the coder is put under pressure to deliver something fast with lack of quality they can decide if they want to continue to work for an unethical company as it would affect the performance score card.

    I think CISOs should have the same performance indicators assigned to them under their watch. I see this approach as being similar to an NFL or soccer football manager.

  10. Anonymous Coward

    Windows, Windows, Windows...

    They should call the next edition "Open Windows" lol. It's not just PDFs that tear you a new one, it's the entire OS. It's designed to scoop up as much of your data as possible and to send it to MS servers for "processing" (to make Cortana smarter, of course!).

    I'm feeling old, like I do not belong in this world, because I still value my privacy. All my friends love publishing every single aspect of their lives, believing everyone else is interested (I for one, have no interest at all in what others are doing, and I find it too time consuming trying to read through everyone's social media posts).

    I've had enough. I'm installing Linux, will harden it as much as possible, install that thing called TOR browser, and will delete ALL of my social media accounts. As convenient as some of these proprietary OSes may be, I'm no longer going to be subjugated by likes of Microsoft, especially when time and time again they put their users at risk.

    End of rant.
