back to article It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page

Microsoft and Adobe have delivered the November edition of Patch Tuesday with another sizable bundle of security fixes to install as soon as you're able to. The trick is to test and deploy the fixes before exploits are developed to leverage the vulnerabilities. BitLocker bugs and TFTP troubles for Redmond This month, …

  1. danR2

    I'm tired of making this response as well

    I've been making it now and then or something akin for the past ~5 years over the interwebz. I've never seen any in-depth article, and preferably article series, address it front and center:

    For every flaw, vulnerability, zero-day, Beijing's army of coders, hackers, and software scientists almost certainly find two. And China doesn't participate in the international community of flaw-exposers. On the contrary: public disclosure of a weakness is regarded as an offense. And not to keep Microsoft safe. Or Android, or iOS, or OSX.

    A flaw is part of a body of assets to be exploited. John Bolton, and Dotus himself, might want to think about that.

    1. Shadow Systems

      Re: I'm tired of making this response as well

      I heard my screen reader say "John Bolton" but for some reason thought "Michael Bolton" instead & wondered WTF a shitty musician had to do with MS. Then I realized "MS sucks worse than Michael Bolton!" & it all made sense.

      I should get some sleep now, I think my dried frog pills have worn off...

      1. Peter X

        Re: I'm tired of making this response as well

        Damn it.. now I'm thinking about Office Space:

        https://youtu.be/_BaMx_n2_hM

        Why don't you just go by Mike instead of Michael?

        No way. Why should I change, he's the one who sucks!

    2. GnuTzu

      Re: I'm tired of making this response as well -- Hell

      One day there will be no more vulnerabilities -- and then Hell will freeze over. But, they've been asked just to try a little harder for way to damn long. Maybe they'd try a little harder--to get Hell to freeze over--if they were subjected to a bit of Hell fire.

    3. John Brown (no body) Silver badge

      Re: I'm tired of making this response as well

      "I've been making it now and then or something akin for the past ~5 years "

      Only 5 years? You must be a newbie :-)

    4. Michael Wojcik Silver badge

      Re: I'm tired of making this response as well

      What exactly is your point?

      All competent national governments have infosec agencies that actively seek vulnerabilities in common software. The larger governments are, of course, quite good at it; they have the resources to throw at the problem.

      Everyone in the infosec community is perfectly aware of that. It's a commonplace. There doesn't need to be an article discussing it, just as there's no need to have an article arguing that access controls are a good thing, or that cryptography can improve data confidentiality.

      If you're arguing against public disclosure, I don't see how your claim supports that thesis. If you're arguing something else, then, frankly, I don't see what your thesis is at all.

  2. bombastic bob Silver badge
    Mushroom

    if an open source project had MAJOR flaw rates like this

    oh wait. they don't. That's because the source is OPEN, and can be reviewed directly by security researchers and quality-minded people, who would THEN flame the HELL out of the developers for releasing the kind of low-quality code that would make people like Linus have a complete meltdown over.

    Micro-shaft, on the other hand, apparently had to re-re-re-write things FROM SCRATCH meaning that the perceived bugs of old, which would naturally be weeded out over time and development, have been REPLACED with NEW undiscovered bugs, which we're just now getting around to seeing.

    There _IS_ something to be said about EVOLUTIONARY code development, instead of REVOLUTIONARY "here it is" "cram it up our asses" "this is all you get" "and updates are MANDATORY" *CRAP* code that Micro-shaft has turned into a "product" that's bound to become a "service", sooner than anyone wants.

    Right?

    And BSD is certainly some of the OLDEST code out there... just sayin'.

    1. Pascal Monett Silver badge

      Re: if an open source project had MAJOR flaw rates like this

      Microsoft has never re-written anything from scratch (well, not since 95) because if it had, we wouldn't have seen the same bugs affect everything from 7 to 1 0 including effing Vista.

      Microsoft has said that all those versions were written "from the ground up", but that is simply bullshit.

      1. Charlie Clark Silver badge

        Re: if an open source project had MAJOR flaw rates like this

        Microsoft has never re-written anything from scratch (well, not since 95)

        Since when was Windows 95 a rewrite? It was mainly DOS + MFC. However, Windows NT was basically a rewrite of OS/2 with some ideas from VMS thrown in.

        1. Michael Wojcik Silver badge

          Re: if an open source project had MAJOR flaw rates like this

          Since when was Windows 95 a rewrite? It was mainly DOS + MFC.

          Not really. Win95 was mainly W4WG (Win 3.11) plus a push to use MFC (which was introduced in '92). For Windows/386 in Enhanced mode and later - so including W4WG - DOS was used only as a bootloader; Windows was in fact the OS once the system got running.

          Windows 3.1 introduced win32s, a subset of the 32-bit NT APIs. It was substantially different from Windows 3.

          So while I'll agree that Win95 was not a ground-up rewrite, it wasn't "DOS + MFC", either.

        2. Version 1.0 Silver badge
          Pint

          Re: if an open source project had MAJOR flaw rates like this

          Face it, MSDOS 1.1 was last fresh code that Microsoft saw and that was a re-write of the CP/M operating system for the 8086. Since then it's all been re-writes ... you can argue that NT was fresh but it had a long pre-history too and really just seems to be VMS cobbled into Intel land based on MSDOS.

          Linux? That was a re-write too - I remember reading Linus's original advert looking for coding help...

          OK - I'm old, it feels like it's beer o'clock ...

      2. stiine Silver badge

        Re: if an open source project had MAJOR flaw rates like this

        re: Microsoft

        Do you mean to tell me that cut-and-paste isn't the same as writing new code?

        What does this really say about the Chakra Core?

        1. Charlie Clark Silver badge

          Re: if an open source project had MAJOR flaw rates like this

          What does this really say about the Chakra Core?

          That, as relatively new code, it probably has yet to be detected vulnerabilities? The "I didn't expect that to happen sort" that are almost unavoidable with C languages. Would be interesting to know whether Mozilla's shift to Rust for some stuff has brought them the improved security they were hoping for.

          1. JohnFen

            Re: if an open source project had MAJOR flaw rates like this

            "The "I didn't expect that to happen sort" that are almost unavoidable with C languages."

            Why specify C-like languages for this, when your statement is true for all languages?

            1. Charlie Clark Silver badge

              Re: if an open source project had MAJOR flaw rates like this

              Why specify C-like languages for this, when your statement is true for all languages?

              C-like languages seem to suffer from some problems more than others. There are reasons for this, of course, and the problems are really with the programmers rather than the language. Some languages have attempted to avoid some of the pitfalls associated with C which is why I mentioned Rust. I think that Firefox uses it for handling CSS but I could be wrong. Would in any case be useful to know whether it has been as useful as they hoped.

              1. JohnFen

                Re: if an open source project had MAJOR flaw rates like this

                "C-like languages seem to suffer from some problems more than others."

                Naturally. The sorts of programming errors that are easy to make varies from language to language. My point, however, is that all programming languages make it easy to make errors. So, singling one out for making it easy to write code that has unexpected consequences is not supportable. They all do that.

                "Some languages have attempted to avoid some of the pitfalls associated with C which is why I mentioned Rust."

                Yes, but that's just shifting deck chairs. In other words, it's just shifting from one set of "most likely" issues to another.

                I'm a graybeard and have been in this industry for a very long time. Different languages have different benefits and drawbacks, but I've yet to see one that is objectively superior to another in a broad sense. That's why it's important to choose the proper language for the task at hand -- you want to pick a language so that its benefits really help you in that task and the drawbacks don't hurt so much.

                I know that it's fashionable to consider C-like languages as too dangerous to use, but that's always been and continues to be utter bullshit.

                1. onefang

                  Re: if an open source project had MAJOR flaw rates like this

                  "I know that it's fashionable to consider C-like languages as too dangerous to use, but that's always been and continues to be utter bullshit."

                  This graybeard agrees with you, and I've used more languages than most. It must have been one of those fashionable ones that downvoted you.

        2. Anonymous Coward
          Anonymous Coward

          Chakra-Chakra-Chakra-Core. Chakra-Core. Chakra-Core.

          > "What does this really say about the Chakra Core?"

          Well, "I Feel for You" and "I'm Every Woman" are good songs, but I don't think she's particularly highly-regarded as a computer security expert.

      3. JohnFen

        Re: if an open source project had MAJOR flaw rates like this

        "Microsoft has never re-written anything from scratch (well, not since 95)"

        Windows 95 was not rewritten from scratch, either.

        And to be honest, not rewriting code is a good thing. All else being equal, it's better to keep using code that has been in use (and therefore tested in real-world conditions and had bunches of bugs fixed) than to rewrite everything so that it's fresh code guaranteed to have numerous new problems. Rewriting large and complex codebases is an act of desperation.

        What Microsoft has consistently done wrong on this issue is that they kept claiming their stuff was rewritten "from the ground up" when that was obviously a lie, and a weird lie at that, as (if true) it would indicate that the code is less reliable.

    2. Anonymous Coward
      Anonymous Coward

      Re: if an open source project had MAJOR flaw rates like this

      Yeah, because no major flaws have ever been found in open source software, right?

      1. big_D Silver badge
        Paris Hilton

        Re: if an open source project had MAJOR flaw rates like this

        Funny how I get dozens of security updates on my Linux boxes every week.

        Those must be Microsoft patches for Linux, right? Oh, wait...

        1. Anonymous Coward
          Anonymous Coward

          Re: if an open source project had MAJOR flaw rates like this

          Funny how I get dozens of security updates on my Linux boxes every week.

          Wait, you mean you don't have to wait a whole month for the patches on Linux? They just come out when they're needed?

          Who ever allowed such nastiness!

          Next thing you'll tell me Linux patches don't routinely 'brick' your hardware, or knock out your networking, or........

    3. Charlie Clark Silver badge
      FAIL

      Re: if an open source project had MAJOR flaw rates like this

      That's because the source is OPEN, and can be reviewed directly by security researchers and quality-minded people

      What a load of cock! While I like open source and contribute to it, the idea that making the source available automatically guarantees quality let alone security has been debunked long ago. Not just the infamous flaws in openssl but also, if memory serves, backdoors planted in my favourite unix.

      The kind of static code analysis that open source provides is also a poor guide for security. So, unless projects are actively being tested for vulnerabilities, and contrary to your assertion, there is not an army of expert penetration testers out there constantly scrutinising open source projects (largely because no one is paying them to do so) so lots of known vulnerabilities will remain blissfully undetected.

      1. Michael Wojcik Silver badge

        Re: if an open source project had MAJOR flaw rates like this

        the idea that making the source available automatically guarantees quality let alone security has been debunked long ago

        Yes. There's broad agreement in the infosec community that the "many eyes" theory does not hold water. While it's certainly useful to security researchers to have access to the source, and while there have been some quite successful static- and dynamic-scanning projects run against large open-source codebases, the assumption that public source automatically leads to improved software security is simply not supported by the evidence.

      2. Anonymous Coward
        Anonymous Coward

        Re: if an open source project had MAJOR flaw rates like this

        What a load of cock! While I like open source and contribute to it, the idea that making the source available automatically guarantees quality let alone security has been debunked long ago.

        But with source code in hand anyone can fix it even long after the original developers or company has ceased to exist.

        1. big_D Silver badge

          Re: if an open source project had MAJOR flaw rates like this

          @AC

          But with source code in hand anyone can fix it even long after the original developers or company has ceased to exist.

          Okay, I'll bite. How many open source projects do you go through each week, looking at and correcting security bugs?

          1. Anonymous Coward
            Anonymous Coward

            Re: if an open source project had MAJOR flaw rates like this

            Okay, I'll bite. How many open source projects do you go through each week, looking at and correcting security bugs?

            I don't, I'm not a security researcher as that's above my pay grade but if I were or I was employed by a company that uses OSS and the producer went out of existence then I'm merely pointing out I would have that ability to fix problems far easier than it would be to reverse engineer obfuscated binary code.

          2. Anonymous Coward
            Anonymous Coward

            Re: if an open source project had MAJOR flaw rates like this

            @AC

            But with source code in hand anyone can fix it even long after the original developers or company has ceased to exist.

            Okay, I'll bite. How many open source projects do you go through each week, looking at and correcting security bugs?

            None for a while now.

            But some time back I did exactly what the original AC mentioned. With a program that needed some tweaking to get it to work, and an out-of-existance original provider, I altered the code to make the program do what I want. I've actually done that several times.

            It's a lot easier to do with the source code available than without the source, closed or open-source software (yes, I've handled lots of closed-source code in my time as well).

          3. JohnFen

            Re: if an open source project had MAJOR flaw rates like this

            "How many open source projects do you go through each week, looking at and correcting security bugs?"

            When I'm considering installing a new piece of software that is internet-facing, I do a security audit of it. This includes run-time testing as well as desk-checking the source. I won't pretend that my audit is anything like comprehensive, but I do occasionally find and fix security problems as a result.

            This is certainly not a weekly thing, as I (intentionally) avoid installing new software if I can. But I'm guessing that it happens a half dozen times a year.

      3. Teiwaz

        Re: if an open source project had MAJOR flaw rates like this

        the idea that making the source available automatically guarantees quality

        Well maybe not 'Guarantees', but you've a better chance of it being spotted and fixed than the oft proprietary path of ignore it until it becomes public knowledge then deny for a bit then finally throw in a fix that breaks some other stuff and Goto ignore.

      4. Chaotic Mike

        Re: if an open source project had MAJOR flaw rates like this

        so lots of UNknown vulnerabilities will remain blissfully undetected

        FTFY. You're welcome!

    4. Chaotic Mike
      Megaphone

      Re: if an open source project had MAJOR flaw rates like this

      Downvote for SHOUTING. It isn't necessary.

  3. Mark 85

    <cough> Were the patches tested or not? <cough> Lately, I daresay anyone downloading and installing in something other than a test box must have huge gonads and is either incredibly brave or incredibly gullible.

    1. N2
      Trollface

      <cough> Were the patches tested or not? <\cough>

      Mary Jo Foley says it's fine, so passed all testing and QA

  4. John Smith 19 Gold badge
    Unhappy

    Never mind the flaw, look at the *pattern*.

    Are these patterns of code never, ever, seen before in the 70 year history of software development?

    Are they f**k.

    And yet near the end of the 2nd decade of the 21st century we still make them.

    Here's a legal question.

    If you released a de-compiled version of a corporations software, that let anyone look for bugs in it, would it be illegal. Not "Violating the EULA, " which I understand is basically BS, but actually illegal?

    1. Pascal Monett Silver badge

      Re: Never mind the flaw, look at the *pattern*.

      I'm guessing yes. It's not your code to release, it is Microsoft's and MS has the copyright to prove it.

      Try that and you'll have Microsoft lawyers all over you. Probably literally.

    2. big_D Silver badge

      Re: Never mind the flaw, look at the *pattern*.

      Given that one of the licensing terms is that you can't reverse engineer or decompile software, then yes.

      Then, in the USA, you have the DCMA which would also be infringed in the case you propose.

      1. A.P. Veening Silver badge

        DMCA

        That DMCA isn't worth the paper it is printed on. Besides that, it isn't universal but restricted to the USA, the country where the computer network of the ministry of defense is solely protected by a law stating it is illegal to access that network if you aren't allowed on it instead of a good firewall and intrusion detection.

      2. JohnFen

        Re: Never mind the flaw, look at the *pattern*.

        "Given that one of the licensing terms is that you can't reverse engineer or decompile software, then yes."

        That doesn't make it illegal (criminal), that makes it a contract violation (civil).

      3. JohnFen

        Re: Never mind the flaw, look at the *pattern*.

        "Then, in the USA, you have the DCMA which would also be infringed in the case you propose."

        No.

        Reverse engineering is perfectly legal in the US, and the DMCA did not change that. However, if you have to bypass an access control (such as DRM), then that is a violation of the DMCA.

        But, really, even that doesn't really matter too much outside of certain circumstances. Pretty much everyone in the hacking community rightfully ignores the DMCA's anti-circumvention clause.

    3. Charlie Clark Silver badge

      Re: Never mind the flaw, look at the *pattern*.

      If you released a de-compiled version of a corporations software, that let anyone look for bugs in it, would it be illegal.

      Depends largely on the jurisdiction. In many countries reverse engineering of software is illegal. We largely have the DMCA to thank for that.

    4. Anonymous Coward
      Anonymous Coward

      Re: Never mind the flaw, look at the *pattern*.

      I don't look at the pattern, I look at the name "Chakra" - that tells me a lot where and by whom is designed and developed - and it hints not at the best developers of the world, but at the cheapest ones...

    5. Lee D Silver badge

      Re: Never mind the flaw, look at the *pattern*.

      If you violate the EULA, you lose the right to utilise the copy-right for the software.

      Thus anything past that point is illegal usage of the software, because you don't have a licence to use it (and you can argue until the cows come home, but usage of software is legally classed under "making a copy of").

      No different to how the GPL is enforced - if the software is only licensed under the GPL, and you violate the GPL, you violate the only agreement that gives you any rights whatsoever to the software. Hence, you have no rights to the software. Hence you've broken the law.

      The only people who can change that are the ones who licensed it to you in the first place - by choosing to offer you another licence, another chance, overlooking your violations, etc. or otherwise giving you explicit permission to continue using the software.

      Software use is a right (literally, a "copy-right") given to you by the creators of the software that describe how you may use it. If you fail to abide by their rules, or don't agree with them - then you have as many rights to the software as anyone else does... zero. The "purchase" and acceptance of an EULA is the only thing that gives you the right to use/copy the software in the first place.

      There are complications (e.g. unfair contract terms, having to execute code in order to accept the agreement, etc.) which make what a lawyer would call "interesting questions" (i.e. gimme a few grand and I'll think about how I'd argue it in court, no guarantee of success). But pretty much you abide by the EULA or you literally have no right to the software whatsoever.

      Don't believe the hype that EULAs are unenforceable either. It's not that simple. It's like saying that a tiny flaw in one particular huge contract makes the whole concept of contracts unenforcable. It's not true. And pretty much there's a clause that says "If one thing in this contract isn't allowed, all the rest still apply anyway" (and, amazingly, it doesn't even NEED to say that... that's very much a "your statutory rights are not affected" statement... of course they're not... they're STATUTORY rights...).

      1. stiine Silver badge

        Re: Never mind the flaw, look at the *pattern*.

        re: If you violate the EULA, you lose the right to utilise the copy-right for the software

        So? You simply take that dvd, scribble Do Not Use on it, drop it in your safe and buy a 2nd copy. fuck the eula from dvd #1, you're using dvd #2.

      2. Anonymous Coward
        Anonymous Coward

        Re: Never mind the flaw, look at the *pattern*.

        Don't believe the hype that EULAs are unenforceable either. It's not that simple. It's like saying that a tiny flaw in one particular huge contract makes the whole concept of contracts unenforcable.

        Downvoted but with an explanation (I know, I'm probably going to be banned from El Reg for this)

        I'm not a contract lawyer so I'm just regurgitating what I remember reading elsewhere in many places, including in El Reg Fora.

        Contracts need to be negotiated for a start, where clauses can be agreed to or disagreed to and both parties can add or remove stuff.

        Where EULAs have "subject to change without notice" and "using the software after changes means you agree to said terms", that too is quite an issue under contract law. I could put in a clause saying I now own your business. You've agreed to it, you used the software after I made the change. An extreme case maybe, but I'm pretty sure it's within the bounds of possibility.

        There's a great deal of mess that is in EULAs and many other website (and even company) T&C documents that cannot be enforced, but they are there because people ignore them and no one challenges them.

    6. JohnFen

      Re: Never mind the flaw, look at the *pattern*.

      The real question isn't "would that be legal?" (it probably wouldn't, but I'm no lawyer). The real question is "could I afford to defend myself in court?". The landscape is littered with people who were on solid legal ground, but lost in the end anyway because they ran out of money for legal defense.

    7. Mark 85

      @John Smith 19 -- Re: Never mind the flaw, look at the *pattern*.

      If you released a de-compiled version of a corporations software, that let anyone look for bugs in it, would it be illegal. Not "Violating the EULA, " which I understand is basically BS, but actually illegal?

      You could probably get away with it IF (big if) you moved to China.

  5. A.P. Veening Silver badge

    Correct update for Flash player

    The only correct update for Flash player is uninstall, please release it from our suffering.

    1. Charlie Clark Silver badge

      Re: Correct update for Flash player

      What is there to uninstall? It's baked into most desktop browsers: Chrome, Firefox, Edge even if it is now deactivated by default.

      1. Dan 55 Silver badge

        Re: Correct update for Flash player

        It is not part of Firefox.

  6. LenG

    Easy fix to some of this

    Don't use Edge.

    Wait, does anyone actually use Edge? I'd like to simply delete the thing.

    So possibly an even easier fix is don't use MS or Adobe applications?

    1. A.P. Veening Silver badge

      Using Edge

      I've been known to use it ... to download a browser.

      1. onefang

        Re: Using Edge

        Keep a copy of Portable Apps on a USB stick, then you wont even need to use Edge to download a browser.

  7. Inventor of the Marmite Laser Silver badge

    "to leverage the vulnerabilities"

    You are an out of work HR consultant and I claim my £5

  8. JimmyPage Silver badge
    Linux

    Meanwhile ...

    my Mint 18.3 system chugs along, not having needed any zero-day patches since ... well since never ?

    Not saying Linux is perfect, or FOSS is better than proprietary ... and at least all these MS bugs keep someone in a job. But you have to wonder.

    I think the worst bug Linux has faced, that affected me has been the SSH flaws. And they were patched pretty quickly, and didn't trash my system.

  9. Rich 2 Silver badge
    WTF?

    WOW!

    I wonder how many CRITICAL flaws have been found in M$ various browser versions, Word, and Excel over the years.

    It's got to be approaching something like the number of atoms in the universe by now. As for Adobe's crapware - they've got to be approaching infinity I would t think.

    Software bugs is one thing, but I am genuinely intrigued how it's possible to write ANY software with that many critical faults. I mean, you must have to put REAL effort in to do that. It's staggering

  10. Anonymous Coward
    Anonymous Coward

    how it's possible to write ANY software with that many critical faults.

    Shall I count the ways:

    1) people rolling their own code rather than looking for a tried and tested routine. Especially if there's a saving to be made (how many telephone number or postcode "validation" routines have you seen ?)

    2) People extending tried and tested code, rather than creating a new module from scratch.

    3) What's the easiest way to silence compiler grumblings ? Check the code ? Nah, let's just direct warnings > \dev\null

    4) shitty testing regime

    but all of that is trumped by the fact that with no liability for it's products functioning, and no credible rival, MS can do what it likes, and you can pay for the privilege of sucking it up.

  11. Howard Hanek
    Stop

    Another Example of Male Oppression

    Your depiction of a MALE turkey is all the proof I require that the misogynists at El Reg require reeducation. Plucking turkeys for the poor or something.....

  12. Anonymous Coward
    Anonymous Coward

    ho hum.

    Drat they built in 10, what happened to the other 2 ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like