Microsoft Obliquely Acknowledges Windows 0-day Bug Published on Twitter (arstechnica.com)
A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. From a report: The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system. Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.
Re:Microsoft OS is insecure (Score:4, Interesting)
As soon as Adobe makes a Linux build of their suite I'll switch over. Might as well call up SolidWorks and Pro/E while you're at it.
Re: (Score:3)
and AutoDesk and MasterCAM, let's move the whole industry over
Re: (Score:2)
I never understood why these companies do not simply write their software using Qt so that it will work across the operating systems, it makes financial sense to maintain just one code base that will run on all OSs.
Re: (Score:3)
So switch to Mac, there is a build of their suite available there.
Re: (Score:2)
I think my next build is going to be ESXI based so I can run OSX without too many hardware headaches. Keep a Windows VM for when you need it.
Re: (Score:2)
Exactly. Nerds need to learn that users care about applications not the OS. It's why so many are fine with ChromeOS despite it being "not real Linux" which is only of concern to dorks.
Re: (Score:3, Interesting)
Everyone loves ChromeOS. And then they ask "so how do I install outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"
The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).
Re: (Score:1)
The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).
Where in my post did I say anything about business users? And nowhere did I say all users would be fine with ChromeOS. Lastly, all those things you mention are application-layer programs which feeds into my point that the user couldn't care less about the OS when it's the programs they want to use that matter. The applications drive what OS they use not the other way around. Which is why users are willing to continue to put up with Windows despite many people disliking it.
Re: (Score:2)
And then they ask "How do I allow this ActiveX control?"
Who still uses ActiveX? Do you live in Korea?
Re: (Score:2)
Banks. Yes. I agree with your look of horrified realization.
Re:Microsoft OS is insecure (Score:5, Interesting)
I work in IT.
Everyone loves ChromeOS. And then they ask "so how do I install outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"
The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).
I work in IT too, and I found an excellent use for ChromeBooks. Remote access.
Both remote desktop and our VPN client are available on the chrome store.
Full laptop form factor chromebooks run $300, compared to a full fledged windows laptop from HP closer to $1000
Once VPNed in, you can remote to your desktop or VM instance and do everything you would in the office, except perhaps full multi-monitor support.
No one asks how to install Outlook because they already have it.
No one really asks for ActiveX controls either, as the local apps using them have those controls pushed out to IE already, and anything else likely will gain a "no" reply.
Same for the printers, office printers are installed with clicking a link on our intranet site, and home printers connected to the chromebook are forwarded over remote desktop to print to.
Plus there are no worries about a windows laptop offsite being joined to the domain.
No stupid syncing group policy except while logged in, no windows update errors due to not finding the WSUS server, no downloading updates over the VPN when it can find the WSUS server, no locally stored data to secure or backup or worry about being lost, no worries that Windows will expire the local SAM cache and tell the user they can't login to the laptop until after they login to the laptop and VPN in...
They also have much lower end and simpler chromebook hardware in the $100-200 range.
Not quite laptop form factor fully, but at a price point to be almost disposable.
Maybe your infrastructure doesn't allow for this type of setup, and I can only vouch for the Cisco AnyConnect VPN client, but that doesn't mean there are no business use cases for the things.
Re: (Score:1)
You have just proved why no respectable IT organization owns ChromeBooks en masse.
Re: (Score:3)
And also a lot more secure, if a remote user connects them to a random free wifi network the chance of them being compromised and becoming a foothold on your corporate network is massively reduced.
A corporate windows (or macos to a lesser degree) laptop connecting to a third party wireless network often leaks a LOT of information at the network level (eg it tries to perform dns lookups for your internal domain), and often contains a lot of data that can be extracted. A chromebook will do none of these thing
Re: (Score:2)
A lot of corporate users use outlook web access, which works fine in chromeos...
A lot of users use gmail, which works fine in chromeos.
Very few ActiveX controls are still out there, I've not encountered any of that crap for years...
If you're going to buy a chromebook, you buy a compatible printer to go along with it, assuming you actually need to print something. Most consumer printers are cheap and disposable and regularly replaced because they fail or become incompatible with the latest os updates.
There a
Re: (Score:1)
Most people care as much about the OS as they do about the brand of their stove.
A kitchen isn’t a kitchen unless there’s Smeg on every appliance. I’m not alone in my opinion, we see lots of Gordon Ramsey’s Smeg on TV. And from experience, nothing smells quite like home made bread baked in the Smeg. Seriously, if you don’t think it matters you’ve never had a Smeg.
Re: (Score:1)
All people that use OSS say the code is better looked, all bugs are corrected on the fly....etc....etc.
That was definitely what is claimed but one only has to look at the OpenSSL and X.Org codebases to know those claims were false. Both are dumpster fires of poorly written, insecure code.
Re: (Score:1)
Remember Windows does a lot more. Linux kernel + all drivers + X Windows + GNU Userland + Open SSL + KDE/GNOME project + package management systems + other misc xwindows tools (xdm, xterm etc) + backwards compatibility layers is the rough equivalent of a typical Windows desktop installation.
Of COURSE the Linux kernel has a lot less bugs than all that code. Same as the Windows Kernel has a lot less bugs in it than Windows as a whole.
Re: (Score:2)
A typical linux distro on the other hand comes with a lot more tools than windows does...
The Linux kernel also does a lot more than the windows kernel, it has many more features, runs on a much wider array of hardware and includes drivers for a lot more hardware (windows drivers are typically provided by third parties).
Re: (Score:2)
There would still be problems, but security would still be better because you'd be starting from a better base...
Windows has a lot of bad legacy design, and then lots of cruft bolted on top trying to implement security alongside a system that was never designed with it in mind (I'm referring to Windows specifically and all the crap that's been inherited from DOS and Win3x/9x, not NT which although a more sensible design has had the aforementioned cruft bolted on top of it).
You have massive complexity, design
Headline misleading (Score:3)
Unless there's more than is in the summary, the headline should read "Microsoft does not Acknowledge Windows 0-day Bug Published on Twitter".
Re: Headline misleading (Score:2)
Re: (Score:1)
No, this [slashdot.org] is New Here.
Microsoft Obliquely accepts Linux (Score:1)
I mean, if we're going to spin words here...
This person got sick of MSFT bug submission (Score:3)
If you see the comments and write-up in the documents and demo he released, it's fairly easy to exploit. In lay terms: the Task Scheduler reads/writes to a location as SYSTEM and you can ask it to write any permissions to that file. Since the location of that file is publicly accessible for everyone, you could replace a job file with a DLL and then the system will write permissions for it to be executable as SYSTEM.
Another HUGE Windows 10 problem. (Score:3)
Basically, if there is a monthly charge for Windows 10, Microsoft will make more money if there are more bugs in updates. They will apparently fix the bugs only for those who are paying monthly.
Re: (Score:3, Interesting)
The Microsoft Managed Desktop, which is what those articles discuss, will not be forced on to anyone and is specifically being targeted to business users. Nowhere in the Mary Jo Foley article does it say that anyone will be forced into the service. What you're spreading is actual fake news.
Questions: 1) Charging later? 2) No control? (Score:3)
1) Do you think Microsoft won't begin charging everyone later? That's what Adobe Systems did after releasing Creative Suite version 6. It is now Adobe Creative Cloud.
2) Will "business users" want Microsoft to have more control over their computers?
Re: (Score:2)
Basically, if there is a monthly charge for Windows 10, Microsoft will make more money if there are more bugs in updates. They will apparently fix the bugs only for those who are paying monthly.
I find this interesting as essentially this is what most companies already do with software, though on a different scale - annual maintenance charges that provide bug-fixes and updates. Many are moving to monthly fees so that the user has "more flexibility" around how much of a service they want to consume.
Oops, your monthly charge is usually a fair bit more than an annual charge divided by 12 months. You've got all that extra flexibility remember?
Anyone need full time access? Coincidentally your month
More complete vulnerability description (Score:1)
This is /. so you don't have to oversimplify.
What's actually going on is that the task scheduler has an API that allows you to set the DACL (discretionary access control list, the list of permissions for various user accounts or groups) for a task's folder and .job file in the Tasks folder. Since the task scheduler runs under the system account, it should impersonate the caller when doing so, since otherwise when setting the permissions, the kernel will check if system, rather than the caller, is allowed to
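The access check described in the comment above, as an added example that is not part of the thread and is not Windows or Task Scheduler code: a simplified Python model of a SYSTEM service applying a caller-supplied DACL with and without impersonating the caller. All class, function and file names are hypothetical, and the sample object is constructed.

```python
# Simplified model of the access check described above; not Windows code.
from contextlib import contextmanager

WRITE_DAC = "WRITE_DAC"  # the right to change an object's DACL

class Thread:
    """Service thread: a primary token plus an optional impersonation token."""
    def __init__(self, primary):
        self.primary, self.impersonating = primary, None

    @property
    def effective(self):
        # The access check uses the impersonation token when one is set.
        return self.impersonating or self.primary

    @contextmanager
    def impersonate(self, caller):
        self.impersonating = caller
        try:
            yield
        finally:
            self.impersonating = None  # always revert to the service identity

def kernel_set_dacl(thread, obj, new_dacl):
    """obj is {'name': str, 'dacl': {principal: set(rights)}}."""
    if WRITE_DAC not in obj["dacl"].get(thread.effective, set()):
        raise PermissionError(f"{thread.effective} lacks {WRITE_DAC} on {obj['name']}")
    obj["dacl"] = {who: set(rights) for who, rights in new_dacl.items()}

def set_security_no_impersonation(service, caller, obj, new_dacl):
    # Caller-chosen DACL applied under the service's own SYSTEM identity.
    kernel_set_dacl(service, obj, new_dacl)

def set_security_impersonating(service, caller, obj, new_dacl):
    # Same request, but the kernel checks the caller's rights instead.
    with service.impersonate(caller):
        kernel_set_dacl(service, obj, new_dacl)

def demo(api):
    # Constructed sample: a file that only SYSTEM may re-permission.
    obj = {"name": "some-system-file", "dacl": {"SYSTEM": {WRITE_DAC, "WRITE"}, "user": {"READ"}}}
    service = Thread("SYSTEM")
    try:
        api(service, "user", obj, {"user": {"READ", "WRITE", WRITE_DAC}})
        outcome = "changed"
    except PermissionError:
        outcome = "denied"
    return outcome, sorted(obj["dacl"].get("user", set())), service.effective
```

`demo(set_security_no_impersonation)` shows the request succeeding because the check ran against SYSTEM; `demo(set_security_impersonating)` shows the same request refused because the check ran against the caller.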