It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V

Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on. Redmond emitted 68 patches alone, 21 rated critical and at least two being actively exploited in the wild. There are browser and …

  1. Anonymous Coward
    Anonymous Coward

    Reading through, the problem reported by Avanan is worse than described (Watch the demo video on their site). Basically, hackers take known attacks and make them into zero-day. Microsoft admits it bypasses ALL their security layers, including the premium services - Advanced Threat Protection, Safelinks, etc...

    When we moved our company's email to O365, I remember my surprise when the Microsoft salesperson claimed they have the best security. I guess we really wanted to believe it. After 2y of non-stop phishing attacks and compromised accounts, I'm back to where I started - I don't trust Microsoft with Security.

    1. Anonymous Coward
      Anonymous Coward

      Curious about Office 365

      What did it offer you that Exchange + good old offline Office couldn't, and compelled you to switch?

      1. td97402

        Re: Curious about Office 365

        Small Business Server shops didn’t get a choice. Microsoft took away the Exchange feature after the 2011 release.

      2. Anonymous Coward
        Anonymous Coward

        Re: Curious about Office 365

        "What did it offer you that Exchange + good old offline Office couldn't, and compelled you to switch?"

        The same version of offline Office, but updated more regularly with more features and not having to own the tin or run it. And a predictable rental model with costs that scale up and down by user. And it actually costs us less than buying Office + Exchange + Server licences + support.

        1. Anonymous Coward
          Anonymous Coward

          Re: Curious about Office 365

          Umm there are other collaboration systems that cost a fraction. Marketing hey. Don't get suckered!

          1. Anonymous Coward
            Anonymous Coward

            Re: Curious about Office 365

            "Umm there are other collaboration systems that cost a fraction. "

            Like what that you could realistically use to replace MS Office in an enterprise? The option from Google is more expensive per user, has far fewer features, has no local install option and in comparison is limited in many ways.

        2. CrazyOldCatMan Silver badge

          Re: Curious about Office 365

          And it actually costs us less than buying Office + Exchange + Server licences + support.

          But at the cost of having all your end-user data living on someone else's computer and under someone else's control. In effect, you have outsourced your security to someone else - someone who only cares about you continuing to pay them.

          You might feel comfortable with that but I'm not.

    2. sz

      I don't trust Microsoft with Security.

      I'll let you in on the BEST mitigation for phishing attacks... wait for it... user education.

      You can have all the fancy security appliances in the world, but at the end of the day if a link gets through, the end user's thought process on if it's safe to click is the deciding factor around if they get popped or not.

      1. tfewster
        Facepalm

        Re: I don't trust Microsoft with Security.

        My company has been sending staff fake phishing emails as part of the training. They're very convincing, and hard to spot - much better than the usual ones you see. Even though I work in InfoSec and was aware that a training email was due, I've been close to clicking.

        1. Sgt_Oddball

          Re: I don't trust Microsoft with Security.

          We got that too... the worst of it was spotting a spoof but then hearing that those who succumbed got an interesting internal site that piqued my curiosity. Still resisted, mind, and got a nice, if condescending, email explaining I wasn't an idiot for clicking.

    3. Anonymous Coward
      Anonymous Coward

      "After 2y of non-stop phishing attacks and compromised accounts, I'm back to where I started - I don't trust Microsoft with Security."

      There will always be zero day exploits. If you are getting hit by phishing attacks then you need to enable Advanced Threat Protection in O365 which pretty much eliminates those. Sounds like you don't have it turned on.

      1. J. Cook Silver badge
        FAIL

        The APT is apparently a hidden feature or a 'premium' feature with an additional charge or something. We've gotten quite a few phish/malware-laden emails here at [RedactedCo] from compromised O365 accounts, and it's a pisser every time having to explain to the infosec people "if I block the servers that are sending these, we'll lose revenue from *many* partners and other companies."

        fail icon because Microsoft.

        1. Anonymous Coward
          Anonymous Coward

          " The APT is apparently a hidden feature or a 'premium' feature with an additional charge or something"

          It's certainly not hidden - they promote it everywhere. However it is most definitely a premium feature. It's included with E5 or it's £2 per user per month on lower plans. Good luck getting anything similar for less.

          "We've gotten quite a few phish/malware-laden emails here at "

          Then you need APT, Mimecast, Messagelabs, etc. That users get their accounts hacked isn't particularly Microsoft's fault.

    4. anonymous boring coward Silver badge

      "I remember my surprise when the Microsoft salesperson claimed they have the best security"

      You were surprised by a salesperson making some claim, most likely taken out of the air?

    5. N2

      I don't trust Microsoft with Security

      Never have & never will.

      Thankfully, I retired from this nonsense a few years ago & I must say, it's great to be a spectator.

  2. Anonymous Coward
    Anonymous Coward

    Holy Fuck!

    I thought being a policeman / compliance officer was a thankless job. Who wants to work in IT administration and have to be forever patching this kind of shit! Plus so much for VM's caging Malware. Wow talk about nightmares!

    1. Anonymous Coward
      Anonymous Coward

      Re: Holy Fuck!

      It is a turd sandwich every month... no, several times a month now. Office 2016 gets more updates each month, GBs each time to every client. What a fucknut.

    2. Anonymous Coward
      Anonymous Coward

      Re: Holy Fuck!

      " Who wants to work in IT administration and have to be forever patching this kind of shit!"

      It just took me a few seconds to select this month's patches, and a couple of clicks to send them to all our UAT and test systems. Hardly any effort at all.

      We use SolarWinds MSP for that although there are plenty of other solutions that also make it simple. WSUS is pretty easy to use for instance.

      1. Anonymous Coward
        Anonymous Coward

        Re: It just took me a few seconds

        Do you mind? We're in full on outrage mode here! There is no need for relevant, thoughtful posts from people who actually USE ms products....

  3. Mikel

    So glad I don't have to work with this any more.

    1. Anonymous Coward
      Anonymous Coward

      Don't worry, all fixed by August-ish

      At this rate of bug finding and fixing, all the bugs will be fixed by August. Then there will be nothing for IT staff to do; we can just twiddle our fingers.

  4. Mark 85

    I wish they would unbundle the updates.

    I think what is really a pisser is that all the patches are bundled, so it's all or nothing. With MS's history of patch problems lately, this makes the decision on what to install (all or nothing) really problematical. So I guess tomorrow it will be walk into the lab, fire up a sacrificial PC, install the bundled patch and find a hardcore user out on the floor to test it for us. Lately, we've started deploying to one user after we spend a few days looking for the obvious. Then 2 or 3 more the following day, and continue for a week before passing it to the whole company. It beats the hell out of suddenly having to re-image our PCs when a faulty patch bricks the machine. It's only happened once, so we learned our lesson.

    Before they bundled this stuff, we could deploy small groups of patches (each bundle being different) and see what was breaking us. Not any more.

    1. Someone Else Silver badge

      Re: I wish they would unbundle the updates.

      NOOOOooooo! They couldn't do that! How else would they be able to de-install all the meticulously crafted defenses against their non-stop data slurp? After all, we wouldn't want your machine to work the way you want it to, now would we?

  5. macjules

    .. lest a malicious Flash file hijack your system

    We call that the "Adobe Flashplayer Installer".

  6. David Roberts
    Coat

    Flatulence?

    For some reason this sprang immediately to mind when I read the phrase "Microsoft’s back end cloud".

  7. mark l 2 Silver badge

    Given that Adobe aren't actively developing Flash any more and are planning to EOL it in 2020, how are there still so many security holes in this turd?

    There are still lots of websites that you can't use without installing it either; the catch-up services from Channel 4, Channel 5 and UKTV still need Flash installed to stream videos. These sites also don't work with the Linux version of Flash, even though Linux now gets the same version as Windows; the sites will only work under Windows. So the sooner we can ditch Flash the better.

    1. Laughing Gravy

      Channel 4, Channel 5 and UKTV? Oh well no great loss then

    2. Florida1920

      Given that Adobe aren't actively developing Flash any more and are planning to EOL it in 2020, how are there still so many security holes in this turd?

      When it goes EOL, they will stop patching it. That's when the fun will begin! Their final act should be to override users' settings and send out a "patch" that kills the thing once and for all.

  8. Hans 1
    Linux

    However, Windows 10 is affected by CVE-2018-8170, a privilege escalation in Windows' image processing system – if an application throws a dodgy snap at the kernel, it can gain admin access over the machine.

    I am not sure if you refer to image as in photo/picture (snap), or binary program, as MS likes to use the term. My parser got stuck in an endless loop trying to understand the above ... WTF does a kernel do with a pic?

    Reading https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8170

    To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

    The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory.

    So image => program -> much less of a problem

    1. Michael Wojcik Silver badge

      CVE-2018-8170

      The actual text of the CVE says "Windows kernel image". Nothing about "image processing". Technical details are still hard to come by, but I think the image-processing idea is a misapprehension by Chris.

      So if you want a trivial remote compromise out of this batch you'll have to use CVE-2018-8174, I'm afraid.

  9. anonymous boring coward Silver badge

    "An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine.

    Hang on! ActiveX? I vaguely remember that word.. Wasn't that crap from day one, and it's still around?

  10. SVV

    Deus ex Machina

    "Applications running within guest virtual machines on Microsoft's Hyper-V hypervisor can escape to the host machine and execute malicious code on it."

    I am guessing it's this bit :

    "Virtual drivers and Hypervisor-aware Kernel - Allows the guest operating system to communicate directly with the parent partition over the VMBus when accessing devices and making I/O requests, thereby increasing performance of the guest operating system."

    So basically trading security of host OS for performance of VM OS by executing code that should be running in the VM on the host. Not such an incomprehensible nightmare really, more a case of monumentally stupid insecurity by design. I believe the marketing term for this is "fully integrated, high performance".

    I bet this sort of thing is running all over Azure too, and they must be patching like mad, as the consequences of it being exploited would be too horrendous to contemplate. But will patching each new exploit that can be launched due to this ability be sufficient for such a fundamental design cockup?

    1. Anonymous Coward
      Anonymous Coward

      Re: Deus ex Machina

      "I bet this sort of thing is running all over Azure too"

      I can't remember any previous issues like this on Azure / Hyper-V - but there have certainly been many occasions when Amazon have been desperately patching similar holes in Xen.

  11. Anonymous Coward
    Anonymous Coward

    Apparently this update breaks RDP/Remote App.

    You have to update your server farms first or create a GPO for your workstations.

    1. Anonymous Coward
      Anonymous Coward

      Apparently this update fucks your dog.

    2. Anonymous Coward
      Anonymous Coward

      "Apparently this update breaks RDP/Remote App."

      Not if you RTFM first. It increases security to fix a potential MITM attack.

    3. Anonymous Coward
      Anonymous Coward

      Breakage

      I'm seeing a number of reports from customers about this month's update breaking all sorts of unexpected things. Processes loaded from SMB shares failing in Winsock calls, for example. Looks like the Unintended Consequences are strong in this one.

  12. Pascal Monett Silver badge

    Oh my GOD Stop the Presses !

    "The VBScript Engine can be exploited [..] The Chakra Scripting Engine in Edge can also be exploited"

    Oh Dear God No ! Don't tell me that IE and Edge are vulnerable to hacks ! Please no ! Say it ain't so ! What is the world coming to ? Oh wait, same as usual ? Oh. All right then, carry on . .

  13. David Gillies

    When Flash is finally retired they need to seal the source code in an Inconel block, with suitable biohazard stickers, and get one of Elon Musk's BFRs to fire it into the Sun.

  14. Tom Paine

    This is basically a nightmare scenario for hypervisor developers and administrators.

    Point of order, Chair...

    A vulnerability that can be fixed by applying the monthly patch, which has probably been released many weeks before the earliest practical weaponised exploit is written, would barely rate a half-awake stirring and re-fluffing of the duvet among any but the least imaginative of hypervisor developers and administrators. It's just another update to apply.

    The real problem is that so few of the above mentioned classes of IT persons were working in the late 90s,

    1. Michael Wojcik Silver badge

      the monthly patch, which has probably been released [many] weeks before the earliest practical weaponised exploit is written

      It's good to know that wild optimism still exists in the world of IT.

      It's depressing to see that it's being applied to IT security.

  15. elvisimprsntr

    1. Who in their right mind is still running Flash, on any platform?

    2. Glad I excommunicated Microsoft from my home a decade ago, except for a Windows 7 VM running on a QNAP NAS. Otherwise, it's macOS, Linux, LibreOffice, etc.
