It's September 2018, and Windows VMs can pwn their host servers by launching an evil app Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September. This month's Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion. Rude guests and ugly images menace Microsoft In total, Microsoft …
CVE-2018-8475 description from Microsoft, "To exploit the vulnerability, an attacker would have to convince a user to download an image file."
I assume (the vulnerability description doesn't say other than "when Windows does not properly handle specially crafted image files") that simply downloading the file to the file system is not sufficient to cause a problem either. The phrase, "convince the user to view a web page containing a specially crafted image", carries more threat.
seems that the details for this are being hidden or something...
best I can figure, it's a problem in the kernel.
Ok, Microsoft, *WHY* are image files loaded up (and apparently parsed) within the kernel again?
I was hoping it was an IE/Edge-only flaw so I could snark all over it.
There are a lot of 'bang your head against a brick wall' moments when dealing with Microsoft and how they made their Operating Systems work.
Over the years, they cut corner after corner, applied bodge after bodge etc just to get a small performance improvement and now a lot of those decisions are going to come back and bite them, hard.
Sadly a lot of the people who made those decisions are still in place inside MS.
The world moves on but apparently MS does not or in the case of Windows 10, IMHO, goes backwards a long, long way.
{shugs shoulders}
No sense in complaining too loudly about it though as dealing their 'stuff' is keeping me in work until the time comes to retire in 2020.
Posting AC as my PHB reads this site and has no idea that I'm out the door in 15 months time.
> *WHY* are image files loaded up (and apparently parsed) within the kernel again?
To speed up rendering else there's too much of a performance hit switching from kernel mode to user mode, hence any defect in the code can crash the entire system or lead to a security violation
KB4093111: Windows 10 April 2018 Security Update
I count thirteen memory violation errors, that's where the majority of security violations reside, in the Memory Management Unit?
For the most part you can trust that the site itself didn't get hacked, because that gets noticed very quickly.
Pretty much all of the drive-by attacks come from adverts, because most workplaces already block "dodgy" sites based on a blacklist provided "by others".
Presumably it wouldn't be too difficult to add all the adslingers to said blacklist.
Skype was serving up dodgy adverts for a while just last week.
"A bitmap image should just be data, and not contain anything executable."
That's not how the real world works though. You may well not supposed to have anything executable inside of a pure data file, but it's not like you can _prevent_ malicious actors from putting some in there; and the thing is, any piece of data needs to be processed by executable code in order to make use of it - and if that code contains just the right kind of bugs, a properly crafted bit of data it was only supposed to process as data can trip it into glitching execution over to that malicious piece of "data". Should we be past this sort of thing in 2018? Definitely. Is it still a thing nonetheless? Hell yes, unfortunately...
"Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,
Can't see to find much info on this. I am assuming that this is only going to be a problem if your web browser is IE or Edge that using Windows's internal image handling rather than using a third party browser than handles image rendering internally? As I would assume that Outlook and the Windows Mail client would use the internal windows image handling as well which means you could get owned from an email with an attached image?
Still this flaw is present in all Windows versions from 7 upwards, probably in XP and Vista too but since those are out of support they won't release details for those versions anyway.
with respect to 'safe surfing' practices, how many times have _I_ been DOWN voted for saying things like this?
With respect to CVE-2018-8475 at least:
a) do NOT surf the web logged in with admin or root credentials
b) do NOT use a Micro-shaft browser
c) if possible, do NOT surf the web with a MICROSOFT OS
e) do NOT view mail "as HTML", and especially do NOT preview images 'inline'.
(see? see? see????)
e) run 'noscript' or other script blocker BY DEFAULT
f) never "just open" the attachment to an e-mail [even if you know the sender]
and so on.
I ALSO expect that ad servers, image-related blog sites, spam mail with images embedded in them, and even web pages on places like 'deviantart' and 'imgur' and so forth can become VECTORS for the exploit.
And it's very difficult to get *DETAILS* on this one, meaning it's probably VERY bad, enough that search engines are maybe DELIBERATELY keeping us from [easily] finding those places where it's properly explained... [my 'google fu' is usually pretty good, but not with THIS, not THIS time]
yeah a little paranoia, and a *BIG* *FAT* "see I told you so" on the SAFE SURFING!!! because, even if they SAY it is patched, what OTHER similar vulnerabilities are STILL THERE waiting to be found???
[sloppy coding is as sloppy coding does]
@bombastic bob
You neglected to mention routinely web browse with images turned off (handy for performance as well as security, also v. good to use at work in case a web page pushes an image that could be in violation of work policies on what constitutes offensive image (plenty of sites scrape legit innocuous content and game search engines to be in top few results - a click on what seems legit content for a work related query could expose you to adult or other content that could be a workplace disciplinary issue ) )
Only enable images on web sites where you really, really need to see images.
One of the more noteworthy of those bugs is CVE-2018-8475, a remote code flaw that can be triggered simply by viewing an image file in Windows.
FFS, it is 2018 and windows can be owned by viewing an image file ....
As Krebs warns:
According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. (emphasis mine)
And guess what ? This CVE-2018-8475 beauty is one of them ....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
